From bc4c5ba08a749200ca2aa86ea7dfe5a3dac03f5a Mon Sep 17 00:00:00 2001 
From: gabriel-cx Date: Tue, 9 May 2023 16:25:24 +0000 Subject: [PATCH] docs(queries): update queries catalog --- docs/queries/all-queries.md | 3296 ++++++++--------- docs/queries/ansible-queries.md | 438 +-- .../01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md | 85 + .../050f085f-a8db-4072-9010-2cca235cc02f.md | 96 + .../0956aedf-6a7a-478b-ab56-63e2b19923ad.md | 115 + .../0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md | 117 + .../12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md | 64 + .../133fee21-37ef-45df-a563-4d07edc169f4.md | 60 + .../16732649-4ff6-4cd2-8746-e72c13fae4b8.md | 98 + .../17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md | 72 + .../1d972c56-8ec2-48c1-a578-887adb09c57a.md | 59 + .../1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md | 91 + .../2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md | 179 + .../2059155b-27fd-441e-b616-6966c468561f.md | 67 + .../218413a0-c716-4b94-9e08-0bb70d854709.md | 66 + .../22c80725-e390-4055-8d14-a872230f6607.md | 56 + .../265d9725-2fb8-42a2-bc57-3279c5db82d5.md | 57 + .../2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md | 143 + .../2d55ef88-b616-4890-b822-47f280763e89.md | 55 + .../309edc5b-5a59-42b4-a357-d4d098311fd4.md | 50 + .../32d31f1f-0f83-4721-b7ec-1e6948c60145.md | 126 + .../338b6cab-961d-4998-bb49-e5b6a11c9a5c.md | 106 + .../3505094c-f77c-4ba0-95da-f83db712f86c.md | 115 + .../3ab1f27d-52cc-4943-af1d-43c1939e739a.md | 69 + .../3ddf3417-424d-420d-8275-0724dc426520.md | 59 + .../3f2cf811-88fa-4eda-be45-7a191a18aba9.md | 86 + .../445dce51-7e53-4e50-80ef-7f94f14169e4.md | 72 + .../4b6012e7-7176-46e4-8108-e441785eae57.md | 81 + .../4d8681a2-3d30-4c89-8070-08acd142748e.md | 94 + .../5330b503-3319-44ff-9b1c-00ee873f728a.md | 74 + .../53bce6a8-5492-4b1b-81cf-664385f0c4bf.md | 61 + .../5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md | 62 + .../559439b2-3e9c-4739-ac46-17e3b24ec215.md | 57 + .../57ced4b9-6ba4-487b-8843-b65562b90c77.md | 73 + .../594f54e7-f744-45ab-93e4-c6dbaf6cd571.md | 49 + .../5a443297-19d4-4381-9e5b-24faf947ec22.md | 51 + .../5b9d237a-57d5-4177-be0e-71434b0fef47.md | 58 + 
.../5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md | 62 + .../5c6b727b-1382-4629-8ba9-abd1365e5610.md | 87 + .../5e92d816-2177-4083-85b4-f61b4f7176d9.md | 57 + .../5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md | 79 + .../60bfbb8a-c72f-467f-a6dd-a46b7d612789.md | 50 + .../61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md | 91 + .../66477506-6abb-49ed-803d-3fa174cd5f6a.md | 101 + .../6a647814-def5-4b85-88f5-897c19f509cd.md | 88 + .../6a6d7e56-c913-4549-b5c5-5221e624d2ec.md | 66 + .../6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md | 67 + .../6f5f5444-1422-495f-81ef-24cefd61ed2c.md | 110 + .../6fa44721-ef21-41c6-8665-330d59461163.md | 61 + .../71397b34-1d50-4ee1-97cb-c96c34676f74.md | 125 + .../71ea648a-d31a-4b5a-a589-5674243f1c33.md | 69 + .../722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md | 69 + .../727c4fd4-d604-4df6-a179-7713d3c85e20.md | 94 + .../72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md | 50 + .../730a5951-2760-407a-b032-dd629b55c23a.md | 179 + .../75480b31-f349-4b9a-861f-bce19588e674.md | 54 + .../7674a686-e4b1-4a95-83d4-1fd53c623d84.md | 62 + .../7af1c447-c014-4f05-bd8b-ebe3a15734ac.md | 150 + .../7cc6c791-5f68-4816-a564-b9b699f9d26e.md | 89 + .../7db727c1-1720-468e-b80e-06697f71e09e.md | 56 + .../7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md | 99 + .../7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md | 116 + .../7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md | 71 + .../8010e17a-00e9-4635-a692-90d6bcec68bd.md | 150 + .../83957b81-39c1-4191-8e12-671d2ce14354.md | 74 + .../83c5fa4c-e098-48fc-84ee-0a537287ddd2.md | 149 + .../857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md | 90 + .../86b0efa7-4901-4edd-a37a-c034bec6645a.md | 98 + .../8833f180-96f1-46f4-9147-849aafa56029.md | 73 + .../8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md | 101 + .../8d03993b-8384-419b-a681-d1f55149397c.md | 73 + .../8e3063f4-b511-45c3-b030-f3b0c9131951.md | 74 + .../8ed0bfce-f780-46d4-b086-21c3628f09ad.md | 79 + .../905f4741-f965-45c1-98db-f7a00a0e5c73.md | 139 + .../9232306a-f839-40aa-b3ef-b352001da9a5.md | 66 + .../97707503-a22c-4cd7-b7c0-f088fa7cf830.md | 71 + 
.../9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md | 73 + .../9f34885e-c08f-4d13-a7d1-cf190c5bd268.md | 55 + .../a0f1bfe0-741e-473f-b3b2-13e66f856fab.md | 61 + .../a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md | 78 + .../a14ad534-acbe-4a8e-9404-2f7e1045646e.md | 233 ++ .../a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md | 57 + .../a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md | 59 + .../a2fdf451-89dd-451e-af92-bf6c0f4bab96.md | 75 + .../a6d27cf7-61dc-4bde-ae08-3b353b609f76.md | 157 + .../a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md | 89 + .../af167837-9636-4086-b815-c239186b9dda.md | 169 + .../af96d737-0818-4162-8c41-40d969bd65d1.md | 62 + .../b16cdb37-ce15-4ab2-8401-d42b05d123fc.md | 201 + .../b25398a2-0625-4e61-8e4d-a1bb23905bf6.md | 103 + .../b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md | 85 + .../b5ed026d-a772-4f07-97f9-664ba0b116f8.md | 61 + .../b8a9852c-9943-4973-b8d5-77dae9352851.md | 56 + .../babdedcf-d859-43da-9a7b-6d72e661a8fd.md | 78 + .../bd77554e-f138-40c5-91b2-2a09f878608e.md | 63 + .../c09e3ca5-f08a-4717-9c87-3919c5e6d209.md | 81 + .../c09f4d3e-27d2-4d46-9453-abbe9687a64e.md | 91 + .../c2f15af3-66a0-4176-a56e-e4711e502e5c.md | 60 + .../c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md | 49 + .../c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md | 59 + .../d0c13053-d2c8-44a6-95da-d592996e9e67.md | 113 + .../d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md | 142 + .../d395a950-12ce-4314-a742-ac5a785ab44e.md | 61 + .../d39761d7-94ab-45b0-ab5e-27c44e381d58.md | 69 + .../d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md | 49 + .../d5ec2080-340a-4259-b885-f833c4ea6a31.md | 51 + .../d994585f-defb-4b51-b6d2-c70f020ceb10.md | 94 + .../defe5b18-978d-4722-9325-4d1975d3699f.md | 95 + .../e01de151-a7bd-4db4-b49b-3c4775a5e881.md | 55 + .../e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md | 84 + .../e24e18d9-4c2b-4649-b3d0-18c088145e24.md | 50 + .../e28ceb92-d588-4166-aac5-766c8f5b7472.md | 75 + .../e401d614-8026-4f4b-9af9-75d1197461ba.md | 61 + .../e69890e6-fce5-461d-98ad-cb98318dfc96.md | 66 + .../e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md | 61 + 
.../ea0ed1c7-9aef-4464-b7c7-94c762da3640.md | 101 + .../ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md | 99 + .../eafe4bc3-1042-4f88-b988-1939e64bf060.md | 53 + .../ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md | 91 + .../ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md | 76 + .../eda7301d-1f3e-47cf-8d4e-976debc64341.md | 233 ++ .../eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md | 66 + .../f2ea6481-1d31-4d40-946a-520dc6321dd7.md | 101 + .../f34508b9-f574-4330-b42d-88c44cced645.md | 131 + .../f509931b-bbb0-443c-bd9b-10e92ecf2193.md | 62 + .../f5587077-3f57-4370-9b4e-4eb5b1bac85b.md | 60 + .../f5c45127-1d28-4b49-a692-0b97da1c3a84.md | 68 + .../f5f38943-664b-4acc-ab11-f292fa10ed0b.md | 69 + .../f81d63d2-c5d7-43a4-a5b5-66717a41c895.md | 96 + .../fb5a5df7-6d74-4243-ab82-ff779a958bfd.md | 82 + .../fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md | 71 + .../ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md | 68 + .../0461b4fd-21ef-4687-929e-484ee4796785.md | 52 + .../054d07b5-941b-4c28-8eef-18989dc62323.md | 112 + .../0632d0db-9190-450a-8bb3-c283bffea445.md | 54 + .../0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md | 336 ++ .../0d0c12b9-edce-4510-9065-13f6a758750c.md | 54 + .../149fa56c-4404-4f90-9e25-d34b676d5b39.md | 101 + .../1bc398a8-d274-47de-a4c8-6ac867b353de.md | 134 + .../1e5f5307-3e01-438d-8da6-985307ed25ce.md | 57 + .../23a4dc83-4959-4d99-8056-8e051a82bc1e.md | 61 + .../29f35127-98e6-43af-8ec1-201b79f99604.md | 80 + .../2a901825-0f3b-4655-a0fe-e0470e50f8e6.md | 78 + .../2c99a474-2a3c-4c17-8294-53ffa5ed0522.md | 192 + .../2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md | 55 + .../35e2f133-a395-40de-a79d-b260d973d1bd.md | 69 + .../37fafbea-dedb-4e0d-852e-d16ee0589326.md | 106 + .../3f23c96c-f9f5-488d-9b17-605b8da5842f.md | 62 + .../4d3817db-dd35-4de4-a80d-3867157e7f7f.md | 66 + .../530e8291-2f22-4bab-b7ea-306f1bc2a308.md | 65 + .../581dae78-307d-45d5-aae4-fe2b0db267a5.md | 115 + .../5c80db8e-03f5-43a2-b4af-1f3f87018157.md | 74 + .../663062e9-473d-4e87-99bc-6f3684b3df40.md | 69 + .../69f72007-502e-457b-bd2d-5012e31ac049.md | 53 
+ .../729ebb15-8060-40f7-9017-cb72676a5487.md | 111 + .../7ab33ac0-e4a3-418f-a673-50da4e34df21.md | 112 + .../7b47138f-ec0e-47dc-8516-e7728fe3cc17.md | 112 + .../869e7fb4-30f0-4bdb-b360-ad548f337f2f.md | 53 + .../881696a8-68c5-4073-85bc-7c38a3deb854.md | 84 + .../89f84a1e-75f8-47c5-83b5-bee8e2de4168.md | 90 + .../8c3bedf1-c570-4c3b-b414-d068cd39a00c.md | 122 + .../961ce567-a16d-4d7d-9027-f0ec2628a555.md | 158 + .../a9becca7-892a-4af7-b9e1-44bf20a4cd9a.md | 112 + .../b176e927-bbe2-44a6-a9c3-041417137e5f.md | 55 + .../c62746cf-92d5-4649-9acf-7d48d086f2ee.md | 64 + .../ca4df748-613a-4fbf-9c76-f02cbd580307.md | 99 + .../d5e83b32-56dd-4247-8c2e-074f43b38a5e.md | 158 + .../da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md | 82 + .../e2d834b7-8b25-4935-af53-4a60668dcbe0.md | 61 + .../e8c80448-31d8-4755-85fc-6dbab69c2717.md | 76 + .../eb8c2560-8bee-4248-9d0d-e80c8641dd91.md | 68 + .../f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md | 68 + .../086031e1-9d4a-4249-acb3-5bfe4c363db2.md | 83 + .../092bae86-6105-4802-99d2-99cd7e7431f3.md | 123 + .../099b4411-d11e-4537-a0fc-146b19762a79.md | 62 + .../0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md | 96 + .../11bd3554-cd56-4257-8e25-7aaf30cf8f5f.md | 83 + .../18d3a83d-4414-49dc-90ea-f0387b2856cc.md | 235 ++ .../19c9e2a0-fc33-4264-bba1-e3682661e8f7.md | 88 + .../20180133-a0d0-4745-bfe0-94049fbb12a9.md | 102 + .../20dcd953-a8b8-4892-9026-9afa6d05a525.md | 88 + .../2263b286-2fe9-4747-a0ae-8b4768a2bbd2.md | 60 + .../2775e169-e708-42a9-9305-b58aadd2c4dd.md | 185 + .../28a757fc-3d8f-424a-90c0-4233363b2711.md | 67 + .../29b8224a-60e9-4011-8ac2-7916a659841f.md | 83 + .../300a9964-b086-41f7-9378-b6de3ba1c32b.md | 75 + .../344bf8ab-9308-462b-a6b2-697432e40ba1.md | 126 + .../3602d273-3290-47b2-80fa-720162b1a8af.md | 91 + .../3b30e3d6-c99b-4318-b38f-b99db74578b5.md | 142 + .../507df964-ad97-4035-ab14-94a82eabdfdd.md | 57 + .../66dae697-507b-4aef-be18-eec5bd707f33.md | 58 + .../6a4080ae-79bd-42f6-a924-8f534c1c018b.md | 74 + .../6cf4c3a7-ceb0-4475-8892-3745b84be24a.md | 
66 + .../6d34aff3-fdd2-460c-8190-756a3b4969e8.md | 67 + .../7289eebd-a477-4064-8ad4-3c044bd70b00.md | 91 + .../75418eb9-39ec-465f-913c-6f2b6a80dc77.md | 96 + .../7814ddda-e758-4a56-8be3-289a81ded929.md | 65 + .../7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md | 89 + .../80b15fb1-6207-40f4-a803-6915ae619a03.md | 84 + .../829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md | 61 + .../89afe3f0-4681-4ce3-89ed-896cebd4277c.md | 78 + .../98e04ca0-34f5-4c74-8fec-d2e611ce2790.md | 156 + .../9df7f78f-ebe3-432e-ac3b-b67189c15518.md | 126 + .../9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md | 67 + .../a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md | 67 + .../aed98a2a-e680-497a-8886-277cea0f4514.md | 67 + .../b28bcd2f-c309-490e-ab7c-35fc4023eb26.md | 74 + .../b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md | 75 + .../bc20bbc6-0697-4568-9a73-85af1dd97bdd.md | 56 + .../be41f891-96b1-4b9d-b74f-b922a918c778.md | 64 + .../c6fc6f29-dc04-46b6-99ba-683c01aff350.md | 58 + .../d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md | 102 + .../d43366c5-80b0-45de-bbe8-2338f4ab0a83.md | 76 + .../d58c6f24-3763-4269-9f5b-86b2569a003b.md | 101 + .../d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md | 88 + .../d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md | 67 + .../d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md | 78 + .../dc126833-125a-40fb-905a-ce5f2afde240.md | 107 + .../ed672a9f-fbf0-44d8-a47d-779501b0db05.md | 107 + .../f9b7086b-deb8-4034-9330-d7fd38f1b8de.md | 87 + .../fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md | 102 + docs/queries/azureresourcemanager-queries.md | 84 +- .../1367dd13-2c90-4020-80b7-e4339a3dc2c4.md | 341 ++ .../2081c7d6-2851-4cce-bda5-cb49d462da42.md | 533 +++ .../25684eac-daaa-4c2c-94b4-8d2dbb627909.md | 270 ++ .../2583fab1-953b-4fae-bd02-4a136a6c21f9.md | 736 ++++ .../25c0228e-4444-459b-a2df-93c7df40b7ed.md | 327 ++ .../2ade1579-4b2c-4590-bebb-f99bf597f612.md | 578 +++ .../350f3955-b5be-436f-afaa-3d2be2fa6cdd.md | 325 ++ .../3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md | 193 + .../43f6e60c-9cdb-4e77-864d-a66595d26518.md | 858 +++++ 
.../488847ff-6031-487c-bf42-98fd6ac5c9a0.md | 214 ++ .../4d2cf896-c053-4be5-9c95-8b4771112f29.md | 280 ++ .../4d522e7b-f938-4d51-a3b1-974ada528bd3.md | 189 + .../564b70f8-41cd-4690-aff8-bb53add86bc9.md | 483 +++ .../574e8d82-1db2-4b9c-b526-e320ede9a9ff.md | 278 ++ .../59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md | 578 +++ .../6797f581-0433-4768-ae3e-7ceb2f8b138e.md | 1240 +++++++ .../6a3201a5-1630-494b-b294-3129d06b0eca.md | 293 ++ .../70111098-7f85-48f0-b1b4-e4261cf5f61b.md | 296 ++ .../79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md | 554 +++ .../7c25f361-7c66-44bf-9b69-022acd5eb4bd.md | 364 ++ .../83130a07-235b-4a80-918b-a370e53f0bd9.md | 729 ++++ .../89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md | 552 +++ .../8fa9ceea-881f-4ef0-b0b8-728f589699a7.md | 258 ++ .../90120147-f2e7-4fda-bb21-6fa9109afd63.md | 244 ++ .../9073f073-5d60-4b46-b569-0d6baa80ed95.md | 368 ++ .../92302b47-b0cc-46cb-a28f-5610ecda140b.md | 214 ++ .../9307a2ed-35c2-413d-94de-a1a0682c2158.md | 346 ++ .../9b09dee1-f09b-4013-91d2-158fa4695f4b.md | 353 ++ .../a0ab985d-660b-41f7-ac81-70957ee8e627.md | 943 +++++ .../a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md | 613 +++ .../a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md | 208 ++ .../b5c851d5-00f1-43dc-a8de-3218fd6f71be.md | 175 + .../bf500309-da53-4dd3-bcf7-95f7974545a5.md | 498 +++ .../c09cdac2-7670-458a-bf6c-efad6880973a.md | 442 +++ .../c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md | 353 ++ .../cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md | 446 +++ .../d855ced8-6157-448f-9f1d-f05a41d046f7.md | 158 + .../e055285c-bc01-48b4-8aa5-8a54acdd29df.md | 513 +++ .../e25b56cd-a4d6-498f-ab92-e6296a082097.md | 401 ++ .../e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md | 773 ++++ .../e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md | 377 ++ .../f9112910-c7bb-4864-9f5e-2059ba413bb7.md | 732 ++++ docs/queries/buildah-queries.md | 2 +- .../a1bc27c6-7115-48d8-bf9d-5a7e836845ba.md | 33 + docs/queries/cloudformation-queries.md | 542 +-- .../0104165b-02d5-426f-abc9-91fb48189899.md | 258 ++ 
.../01986452-bdd8-4aaa-b5df-d6bf61d616ff.md | 635 ++++ .../01d5a458-a6c4-452a-ac50-054d59275b7c.md | 116 + .../027a4b7a-8a59-4938-a04f-ed532512cf45.md | 218 ++ .../03879981-efa2-47a0-a818-c843e1441b88.md | 150 + .../03b38885-8f4e-480c-a0e4-12c1affd15db.md | 313 ++ .../045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md | 246 ++ .../050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md | 405 ++ .../058ac855-989f-4378-ba4d-52d004020da7.md | 435 +++ .../06933df4-0ea7-461c-b9b5-104d27390e0e.md | 283 ++ .../06adef8c-c284-4de7-aad2-af43b07a8ca1.md | 268 ++ .../06b9f52a-8cd5-459b-bdc6-21a22521e1be.md | 334 ++ .../06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md | 375 ++ .../07dda8de-d90d-469e-9b37-1aca53526ced.md | 442 +++ .../086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md | 464 +++ .../08b81bb3-0985-4023-8602-b606ad81d279.md | 137 + .../08e39832-5e42-4304-98a0-aa5b43393162.md | 259 ++ .../0a994e04-c6dc-471d-817e-d37451d18a3b.md | 104 + .../0b0556ea-9cd9-476f-862e-20679dda752b.md | 186 + .../0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md | 132 + .../0e5872b4-19a0-4165-8b2f-56d9e14b909f.md | 101 + .../0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md | 88 + .../0f139403-303f-467c-96bd-e717e6cfd62d.md | 185 + .../1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md | 115 + .../105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md | 180 + .../124b173b-e06d-48a6-8acd-f889443d97a4.md | 70 + .../12726829-93ed-4d51-9cbe-13423f4299e1.md | 101 + .../1819ac03-542b-4026-976b-f37addd59f3b.md | 95 + .../1a427b25-2e9e-4298-9530-0499a55e736b.md | 271 ++ .../1b6322d9-c755-4f8c-b804-32c19250f2d9.md | 105 + .../1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md | 283 ++ .../1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md | 295 ++ .../1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md | 99 + .../1fe9d958-ddce-4228-a124-05265a959a8b.md | 231 ++ .../209189f3-c879-48a7-9703-fbcfa96d0cef.md | 120 + .../219f4c95-aa50-44e0-97de-cf71f4641170.md | 442 +++ .../235ca980-eb71-48f4-9030-df0c371029eb.md | 374 ++ .../24d932e1-91f0-46ea-836f-fdbd81694151.md | 112 + .../2564172f-c92b-4261-9acd-464aed511696.md | 238 ++ 
.../2623d682-dccb-44cd-99d0-54d9fd62f8f2.md | 195 + .../2730c169-51d7-4ae7-99b5-584379eff1bb.md | 167 + .../275a3217-ca37-40c1-a6cf-bb57d245ab32.md | 171 + .../2844c749-bd78-4cd1-90e8-b179df827602.md | 283 ++ .../2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md | 441 +++ .../2b1d4935-9acf-48a7-8466-10d18bf51a69.md | 1017 +++++ .../2c161e58-cb52-454f-abea-6470c37b5e6e.md | 350 ++ .../2ff8e83c-90e1-4d68-a300-6d652112e622.md | 581 +++ .../316278b3-87ac-444c-8f8f-a733a28da60f.md | 158 + .../31733ee2-fef0-4e87-9778-65da22a8ecf1.md | 272 ++ .../323db967-c68e-44e6-916c-a777f95af34b.md | 247 ++ .../33f41d31-86b1-46a4-81f7-9c9a671f59ac.md | 215 ++ .../350cd468-0e2c-44ef-9d22-cfb73a62523c.md | 106 + .../3609d27c-3698-483a-9402-13af6ae80583.md | 192 + .../3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md | 188 + .../37cca703-b74c-48ba-ac81-595b53398e9b.md | 136 + .../37fa8188-738b-42c8-bf82-6334ea567738.md | 595 +++ .../38c64e76-c71e-4d92-a337-60174d1de1c9.md | 1096 ++++++ .../39423ce4-9011-46cd-b6b1-009edcd9385d.md | 470 +++ .../3ae83918-7ec7-4cb8-80db-b91ef0f94002.md | 169 + .../3b02569b-fc6f-4153-b3a3-ba91022fed68.md | 314 ++ .../3b316b05-564c-44a7-9c3f-405bb95e211e.md | 255 ++ .../3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md | 108 + .../3c3b7a58-b018-4d07-9444-d9ee7156e111.md | 191 + .../3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md | 162 + .../3e09413f-471e-40f3-8626-990c79ae63f3.md | 172 + .../3e293410-d5b8-411f-85fd-7d26294f20c9.md | 145 + .../42e7dca3-8cce-4325-8df0-108888259136.md | 108 + .../43356255-495d-4148-ad8d-f6af5eac09dd.md | 181 + .../44034eda-1c3f-486a-831d-e09a7dd94354.md | 412 +++ .../445020f6-b69e-4484-847f-02d4b7768902.md | 257 ++ .../4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md | 540 +++ .../456b00a3-1072-4149-9740-6b8bb60251b0.md | 188 + .../48677914-6fdf-40ec-80c4-2b0e94079f54.md | 124 + .../48af92a5-c89b-4936-bc62-1086fe2bab23.md | 930 +++++ .../48c3bc58-6959-4f27-b647-4fedeace23be.md | 155 + .../48f100d9-f499-4c6d-b2b8-deafe47ffb26.md | 108 + 
.../493d9591-6249-47bf-8dc0-5c10161cc558.md | 166 + .../494b03d3-bf40-4464-8524-7c56ad0700ed.md | 468 +++ .../4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md | 295 ++ .../4a8daf95-709d-4a36-9132-d3e19878fa34.md | 103 + .../4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md | 253 ++ .../4ab10c48-bedb-4deb-8f3b-ff12783b61de.md | 289 ++ .../4ae8af91-5108-42cb-9471-3bdbe596eac9.md | 142 + .../4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md | 166 + .../4c137350-7307-4803-8c04-17c09a7a9fcf.md | 79 + .../4d32780f-43a4-424a-a06d-943c543576a5.md | 135 + .../4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md | 194 + .../4e88adee-a8eb-4605-a78d-9fb1096e3091.md | 249 ++ .../4f0908b9-eb66-433f-9145-134274e1e944.md | 379 ++ .../4fbfee74-8186-40d5-a24e-4baa76a855de.md | 135 + .../52790cad-d60d-41d5-8483-146f9f21208d.md | 281 ++ .../568cc372-ca64-420d-9015-ee347d00d288.md | 103 + .../57b12981-3816-4c31-b190-a1e614361dd2.md | 111 + .../5906092d-5f74-490d-9a03-78febe0f65e1.md | 166 + .../59a849c2-1127-4023-85a5-ef906dcd458c.md | 97 + .../5b033ec8-f079-4323-b5c8-99d4620433a9.md | 305 ++ .../5b48c507-0d1f-41b0-a630-76817c6b4189.md | 190 + .../5beacce3-4020-4a3d-9e1d-a36f953df630.md | 320 ++ .../5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md | 441 +++ .../5c666ed9-b586-49ab-9873-c495a833b705.md | 239 ++ .../5d3c1807-acb3-4bb0-be4e-0440230feeaf.md | 246 ++ .../5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md | 277 ++ .../5e7acff5-095b-40ac-9073-ac2e4ad8a512.md | 189 + .../5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md | 523 +++ .../60a05ede-0a68-4d0d-a58f-f538cf55ff79.md | 71 + .../61a94903-3cd3-4780-88ec-fc918819b9c8.md | 208 ++ .../64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md | 169 + .../65844ba3-03a1-40a8-b3dd-919f122e8c95.md | 431 +++ .../65d07da5-9af5-44df-8983-52d2e6f24c44.md | 905 +++++ .../6685d912-d81f-4cfa-95ad-e316ea31c989.md | 353 ++ .../66f2d8f9-a911-4ced-ae27-34f09690bb2c.md | 183 + .../68b6a789-82f8-4cfd-85de-e95332fe6a61.md | 162 + .../6b5b0313-771b-4319-ad7a-122ee78700ef.md | 94 + .../6c131358-c54d-419b-9dd6-1f7dd41d180c.md | 846 
+++++ .../6c8d51af-218d-4bfb-94a9-94eabaa0703a.md | 107 + .../6d087495-2a42-4735-abf7-02ef5660a7e6.md | 759 ++++ .../6d64f311-3da6-45f3-80f1-14db9771ea40.md | 157 + .../6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md | 169 + .../6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md | 93 + .../6ef03ff6-a2bd-483c-851f-631f248bc0ea.md | 293 ++ .../709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md | 252 ++ .../71493c8b-3014-404c-9802-078b74496fb7.md | 350 ++ .../73980e43-f399-4fcc-a373-658228f7adf7.md | 344 ++ .../73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md | 169 + .../74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md | 147 + .../75be209d-1948-41f6-a8c8-e22dd0121134.md | 151 + .../76ddf32c-85b1-4808-8935-7eef8030ab36.md | 247 ++ .../7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md | 247 ++ .../77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md | 345 ++ .../78055456-f670-4d2e-94d5-392d1cf4f5e4.md | 1393 +++++++ .../783860a3-6dca-4c8b-81d0-7b62769ccbca.md | 264 ++ .../79d745f0-d5f3-46db-9504-bef73e9fd528.md | 696 ++++ .../7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md | 344 ++ .../7f65be75-90ab-4036-8c2a-410aef7bb650.md | 164 + .../7f8843f0-9ea5-42b4-a02b-753055113195.md | 130 + .../7f8f1b60-43df-4c28-aa21-fb836dbd8071.md | 466 +++ .../7fd0d461-5b8c-4815-898c-f2b4b117eb28.md | 343 ++ .../800fa019-49dd-421b-9042-7331fdd83fa2.md | 105 + .../80908a75-586b-4c61-ab04-490f4f4525b8.md | 213 ++ .../809f77f8-d10e-4842-a84f-3be7b6ff1190.md | 208 ++ .../80b7ac3f-d2b7-4577-9b10-df7913497162.md | 155 + .../80d45af4-4920-4236-a56e-b7ef419d1941.md | 135 + .../818f38ed-8446-4132-9c03-474d49e10195.md | 142 + .../8275fab0-68ec-4705-bbf4-86975edb170e.md | 230 ++ .../829ce3b8-065c-41a3-ad57-e0accfea82d2.md | 111 + .../835d5497-a526-4aea-a23f-98a9afd1635f.md | 442 +++ .../837e033c-4717-40bd-807e-6abaa30161b7.md | 98 + .../839f238f-2e3a-4a72-b945-8abdf91af955.md | 257 ++ .../85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md | 332 ++ .../860ba89b-b8de-4e72-af54-d6aee4138a69.md | 106 + .../86a248ab-0e01-4564-a82a-878303e253bb.md | 296 ++ 
.../87482183-a8e7-4e42-a566-7a23ec231c16.md | 289 ++ .../88d55d94-315d-4564-beee-d2d725feab11.md | 91 + .../89827c57-5a8a-49eb-9731-976a606d70db.md | 201 + .../8a6d36cd-0bc6-42b7-92c4-67acc8576861.md | 312 ++ .../8c415f6f-7b90-4a27-a44a-51047e1506f9.md | 123 + .../8d29754a-2a18-460d-a1ba-9509f8d359da.md | 72 + .../8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md | 288 ++ .../8df8e857-bd59-44fa-9f4c-d77594b95b46.md | 387 ++ .../8f957abd-9703-413d-87d3-c578950a753c.md | 213 ++ .../9025b2b3-e554-4842-ba87-db7aeec36d35.md | 159 + .../90501b1b-cded-4cc1-9e8b-206b85cda317.md | 91 + .../9488c451-074e-4cd3-aee3-7db6104f542c.md | 212 ++ .../953b3cdb-ce13-428a-aa12-318726506661.md | 174 + .../9564406d-e761-4e61-b8d7-5926e3ab8e79.md | 457 +++ .../97e94d17-e2c7-4109-a53b-6536ac1bb64e.md | 217 ++ .../9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md | 314 ++ .../9b83114b-b2a1-4534-990d-06da015e47aa.md | 91 + .../9c7028d9-04c2-45be-b8b2-1188ccaefb36.md | 219 ++ .../9d13b150-a2ab-42a1-b6f4-142e41f81e52.md | 143 + .../9e8c89b3-7997-4d15-93e4-7911b9db99fd.md | 177 + .../9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md | 317 ++ .../9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md | 224 ++ .../9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md | 268 ++ .../a0ae0a4e-712b-4115-8112-51b9eeed9d69.md | 447 +++ .../a227ec01-f97a-4084-91a4-47b350c1db54.md | 289 ++ .../a25cd877-375c-4121-a640-730929936fac.md | 89 + .../a2f2800e-614b-4bc8-89e6-fec8afd24800.md | 124 + .../a3aa0087-8228-4e7e-b202-dc9036972d02.md | 99 + .../a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md | 295 ++ .../a478af30-8c3a-404d-aa64-0b673cee509a.md | 155 + .../a5366a50-932f-4085-896b-41402714a388.md | 241 ++ .../a58d1a2d-4078-4b80-855b-84cc3f7f4540.md | 124 + .../a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md | 73 + .../a7f8ac28-eed1-483d-87c8-4c325f022572.md | 90 + .../a964d6e3-8e1e-4d93-8120-61fa640dd55a.md | 332 ++ .../a976d63f-af0e-46e8-b714-8c1a9c4bf768.md | 594 +++ .../acc78859-765e-4011-a229-a65ea57db252.md | 188 + .../ad21e616-5026-4b9d-990d-5b007bfe679c.md | 439 +++ 
.../ad7444cf-817a-4765-a79e-2145f7981faf.md | 212 ++ .../adcd0082-e90b-4b63-862b-21899f6e6a48.md | 169 + .../ae03f542-1423-402f-9cef-c834e7ee9583.md | 253 ++ .../ae53ce91-42b5-46bf-a84f-9a13366a4f13.md | 121 + .../b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md | 257 ++ .../b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md | 108 + .../b3de4e4c-14be-4159-b99d-9ad194365e4c.md | 113 + .../b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md | 159 + .../b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md | 132 + .../b7063015-6c31-4658-a8e7-14f98f37fd42.md | 157 + .../ba766c53-fe71-4bbb-be35-b6803f2ef13e.md | 85 + .../bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md | 150 + .../be5b230d-4371-4a28-a441-85dc760e2aa3.md | 135 + .../be96849c-3df6-49c2-bc16-778a7be2519c.md | 191 + .../bf4473f1-c8a2-4b1b-8134-bd32efabab93.md | 193 + .../bf89373a-be40-4c04-99f5-746742dfd7f3.md | 419 +++ .../c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md | 123 + .../c333e906-8d8b-4275-b999-78b6318f8dc6.md | 255 ++ .../c3ce69fd-e3df-49c6-be78-1db3f802261c.md | 410 ++ .../c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md | 382 ++ .../c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md | 279 ++ .../c689f51b-9203-43b3-9d8b-caed123f706c.md | 144 + .../c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md | 68 + .../c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md | 109 + .../c8dee387-a2e6-4a73-a942-183c975549ac.md | 267 ++ .../c9846969-d066-431f-9b34-8c4abafe422a.md | 111 + .../cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md | 78 + .../cc8b294f-006f-4f8f-b5bb-0a9140c33131.md | 143 + .../cdbb0467-2957-4a77-9992-7b55b29df7b7.md | 169 + .../cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md | 145 + .../d24389b4-b209-4ff0-8345-dc7a4569dcdd.md | 313 ++ .../d53323be-dde6-4457-9a43-42df737e71d2.md | 89 + .../d6653eee-2d4d-4e6a-976f-6794a497999a.md | 265 ++ .../d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md | 213 ++ .../d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md | 258 ++ .../d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md | 195 + .../d926aa95-0a04-4abc-b20c-acf54afe38a1.md | 299 ++ .../da905474-7454-43c0-b8d2-5756ab951aba.md | 149 + 
.../dae9c373-8287-462f-8746-6f93dad93610.md | 287 ++ .../dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md | 269 ++ .../dc1ab429-1481-4540-9b1d-280e3f15f1f8.md | 98 + .../dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md | 115 + .../ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md | 111 + .../de38e1d5-54cb-4111-a868-6f7722695007.md | 329 ++ .../de76a0d6-66d5-45c9-9022-f05545b85c78.md | 175 + .../de77cd9f-0e8b-46cc-b4a4-b6b436838642.md | 279 ++ .../dfb56e5d-ee68-446e-b32a-657b62befe69.md | 378 ++ .../e200a6f3-c589-49ec-9143-7421d4a2c845.md | 116 + .../e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md | 2284 ++++++++++++ .../e4239438-e639-44aa-adb8-866e400e3ade.md | 105 + .../e42a3ef0-5325-4667-84bf-075ba1c9d58e.md | 135 + .../e4ee3903-9225-4b6a-bdfb-e62dbadef821.md | 320 ++ .../e4f54ff4-d352-40e8-a096-5141073c37a2.md | 128 + .../e519ed6a-8328-4b69-8eb7-8fa549ac3050.md | 358 ++ .../e52395b4-250b-4c60-81d5-2e58c1d37abc.md | 350 ++ .../e649a218-d099-4550-86a4-1231e1fcb60d.md | 1215 ++++++ .../e835bd0d-65da-49f7-b6d1-b646da8727e6.md | 135 + .../ea33fcf7-394b-4d11-a228-985c5d08f205.md | 161 + .../ed4c48b8-eccc-4881-95c1-09fdae23db25.md | 189 + .../edc95c10-7366-4f30-9b4b-f995c84eceb5.md | 142 + .../ee12ad32-2863-4c0f-b13f-28272d115028.md | 295 ++ .../ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md | 271 ++ .../ef05a925-8568-4054-8ff1-f5ba82631c16.md | 189 + .../f0104061-8bfc-4b45-8a7d-630eb502f281.md | 357 ++ .../f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md | 368 ++ .../f4cf35d6-da92-48de-ab70-57be2b2e6497.md | 257 ++ .../f57f849c-883b-4cb7-85e7-f7b199dff163.md | 220 ++ .../f6049677-ec4a-43af-8779-5190b6d03cba.md | 266 ++ .../f62aa827-4ade-4dc4-89e4-1433d384a368.md | 188 + .../f6397a20-4cf1-4540-a997-1d363c25ef58.md | 188 + .../f6d299d2-21eb-41cc-b1e1-fe12d857500b.md | 321 ++ .../f80e3aa7-7b34-4185-954e-440a6894dde6.md | 137 + .../f914357d-8386-4d56-9ba6-456e5723f9a6.md | 367 ++ .../f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md | 185 + .../f988a17f-1139-46a3-8928-f27eafd8b024.md | 715 ++++ 
.../f9b10cdb-eaab-4e39-9793-e12b94a582ad.md | 232 ++ .../faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md | 188 + .../fb2b0ecf-1492-491a-a70d-ba1df579175d.md | 163 + .../fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md | 333 ++ .../fcbf9019-566c-4832-a65c-af00d8137d2b.md | 209 ++ .../fe974ae9-858e-4991-bbd5-e040a834679f.md | 174 + .../ffee2785-c347-451e-89f3-11aeb08e5c84.md | 626 ++++ docs/queries/common-queries.md | 2 +- .../a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md | 2272 ++++++++++++ docs/queries/crossplane-queries.md | 30 +- .../255b0fcc-9f82-41fe-9229-01b163e3376b.md | 159 + .../6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md | 161 + .../72840c35-3876-48be-900d-f21b2f0c2ea1.md | 119 + .../7b590235-1ff4-421b-b9ff-5227134be9bb.md | 159 + .../83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md | 137 + .../9296f1cc-7a40-45de-bd41-f31745488a0e.md | 137 + .../934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md | 115 + .../a507daa5-0795-4380-960b-dd7bb7c56661.md | 159 + .../bdecd6db-2600-47dd-a10c-72c97cf17ae9.md | 121 + .../dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md | 151 + .../e50eb68a-a4af-4048-8bbe-8ec324421469.md | 167 + .../6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md | 82 + .../b2418936-cd47-4ea2-8346-623c0bdb87bd.md | 118 + .../6c2d627c-de0f-45fb-b33d-dad9bffbb421.md | 65 + .../b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md | 98 + docs/queries/dockercompose-queries.md | 42 +- .../071a71ff-f868-47a4-ac0b-3c59e4ab5443.md | 63 + .../1c1325ff-831d-43a1-973e-839ae57dfcc0.md | 205 + .../221e0658-cb2a-44e3-b08a-db96a341d6fa.md | 83 + .../27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md | 90 + .../2fc99041-ddad-49d5-853f-e35e70a48391.md | 153 + .../404fde2c-bc4b-4371-9747-7054132ac953.md | 81 + .../451d79dc-0588-476a-ad03-3c7f0320abb3.md | 216 ++ .../4d9f44c6-2f4a-4317-9bb5-267adbea0232.md | 74 + .../4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md | 97 + .../610e266e-6c12-4bca-9925-1ed0cd29742b.md | 65 + .../698ed579-b239-4f8f-a388-baa4bcb13ef8.md | 120 + .../6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md | 145 + .../8af7162d-6c98-482f-868e-0d33fb675ca8.md 
| 81 + .../ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md | 92 + .../baa3890f-bed7-46f5-ab8f-1da8fc91c729.md | 96 + .../baa452f0-1f21-4a25-ace5-844e7a5f410d.md | 160 + .../bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md | 144 + .../bc2908f3-f73c-40a9-8793-c1b7d5544f79.md | 475 +++ .../ce14a68b-1668-41a0-ab7d-facd9f784742.md | 102 + .../ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md | 123 + .../d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md | 59 + docs/queries/dockerfile-queries.md | 98 +- .../0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md | 112 + .../00481784-25aa-4a55-8633-3136dfcf4f37.md | 66 + .../02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md | 81 + .../22cd11f7-9c6c-4f6e-84c0-02058120b341.md | 64 + .../295acb63-9246-4b21-b441-7c1f1fb62dc0.md | 52 + .../38300d1a-feb2-4a48-936a-d1ef1cd24313.md | 45 + .../41c195f4-fc31-4a5c-8a1b-90605538d49f.md | 62 + .../45e1fca5-f90e-465d-825f-c2cb63fa3944.md | 45 + .../4b410d24-1cbe-4430-a632-62c9a931cf1c.md | 49 + .../562952e4-0348-4dea-9826-44f3a2c6117b.md | 46 + .../5907595b-5b6d-4142-b173-dbb0e73fbff8.md | 47 + .../5fa731ea-e844-47a6-a1e8-abc25e95847e.md | 211 ++ .../6452c424-1d92-4deb-bb18-a03e95d579c4.md | 51 + .../67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md | 44 + .../68a51e22-ae5a-4d48-8e87-b01a323605c9.md | 62 + .../6938958b-3f1a-451c-909b-baeee14bdc97.md | 62 + .../6b376af8-cfe8-49ab-a08d-f32de23661a4.md | 66 + .../6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md | 48 + .../6e19193a-8753-436d-8a09-76dcff91bb03.md | 57 + .../71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md | 45 + .../7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md | 45 + .../77783205-c4ca-4f80-bb80-c777f267c547.md | 66 + .../7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md | 53 + .../8a301064-c291-4b20-adcb-403fe7fd95fd.md | 120 + .../8ada6e80-0ade-439e-b176-0b28f6bce35a.md | 57 + .../93d88cf7-f078-46a8-8ddc-178e03aeacf1.md | 51 + .../9513a694-aa0d-41d8-be61-3271e056f36b.md | 58 + .../965a08d7-ef86-4f14-8792-4a3b2098937e.md | 54 + .../99614418-f82b-4852-a9ae-5051402b741c.md | 57 + .../9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md | 53 + 
.../9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md | 53 + .../9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md | 58 + .../aa93e17f-b6db-4162-9334-c70334e7ac28.md | 53 + .../ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md | 51 + .../b03a748a-542d-44f4-bb86-9199ab4fd2d5.md | 52 + .../b16e8501-ef3c-44e1-a543-a093238099c9.md | 49 + .../b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md | 45 + .../b86987e1-6397-4619-81d5-8807f2387c79.md | 59 + .../cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md | 53 + .../d3499f6d-1651-41bb-a9a7-de925fea487b.md | 84 + .../df746b39-6564-4fed-bf85-e9c44382303c.md | 68 + .../e36d8880-3f78-4546-b9a1-12f0745ca0d5.md | 55 + .../efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md | 48 + .../f2daed12-c802-49cd-afed-fe41d0b82fed.md | 52 + .../f2f903fb-b977-461e-98d7-b3e2185c6118.md | 58 + .../f45ea400-6bbe-4501-9fc7-1c3d75c32067.md | 55 + .../f4a6bcd3-e231-4acf-993c-aa027be50d2e.md | 60 + .../fc775e75-fcfb-4c98-b2f2-910c5858b359.md | 51 + .../fd54f200-402c-4333-a5a4-36ef6709af2f.md | 59 + .../googledeploymentmanager-queries.md | 70 +- .../1239f54b-33de-482a-8132-faebe288e6a6.md | 61 + .../227c2f58-70c6-4432-8e9a-a89c1a548cf5.md | 61 + .../268c65a8-58ad-43e4-9019-1a9bbc56749f.md | 95 + .../28727987-e398-49b8-aef1-8a3e7789d111.md | 73 + .../313d6deb-3b67-4948-b41d-35b699c2492e.md | 71 + .../48c61fbd-09c9-46cc-a521-012e0c325412.md | 62 + .../50cb6c3b-c878-4b88-b50e-d1421bada9e8.md | 103 + .../62c8cf50-87f0-4295-a974-8184ed78fe02.md | 61 + .../63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md | 77 + .../660360d3-9ca7-46d1-b147-3acc4002953f.md | 76 + .../6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md | 57 + .../6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md | 86 + .../77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md | 68 + .../7c98538a-81c6-444b-bf04-e60bc3ceeec0.md | 71 + .../7ef7d141-9fbb-4679-a977-fd0883436906.md | 70 + .../8212e2d7-e683-49bc-bf78-d6799075c5a7.md | 58 + .../83103dff-d57f-42a8-bd81-40abab64c1a7.md | 63 + .../8810968b-4b15-421d-918b-d91eb4bb8d1d.md | 51 + .../9038b526-4c19-4928-bca2-c03d503bdb79.md | 96 + 
.../95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md | 59 + .../9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md | 67 + .../a21b8df3-c840-4b3d-a41a-10fb2afda171.md | 61 + .../a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md | 75 + .../ad0875c1-0b39-4890-9149-173158ba3bba.md | 64 + .../bbfc97ab-e92a-4a7b-954c-e88cec815011.md | 59 + .../c47f90e8-4a19-43f0-8413-cc434d286c4e.md | 91 + .../c759d6f2-4dd3-4160-82d3-89202ef10d87.md | 69 + .../c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md | 116 + .../dbe058d7-b82e-430b-8426-992b2e4677e7.md | 71 + .../dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md | 90 + .../dd690686-2bf9-4012-a821-f61912dd77be.md | 73 + .../dee21308-2a7a-49de-8ff7-c9b87e188575.md | 93 + .../df58d46c-783b-43e0-bdd0-d99164f712ee.md | 61 + .../e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md | 76 + .../fc040fb6-4c23-4c0d-b12a-39edac35debb.md | 171 + docs/queries/grpc-queries.md | 2 +- .../daaace5f-c0dc-4835-b526-7a116b7f4b4e.md | 33 + docs/queries/knative-queries.md | 2 +- .../e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md | 102 + docs/queries/kubernetes-queries.md | 292 +- .../02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md | 315 ++ .../03aabc8c-35d6-481e-9c85-20139cf72d23.md | 91 + .../0401f71b-9c1e-4821-ab15-a955caa621be.md | 194 + .../056ac60e-fe07-4acc-9b34-8e1d51716ab9.md | 279 ++ .../05fb986f-ac73-4ebb-a5b2-7faafa93d882.md | 81 + .../075ca296-6768-4322-aea2-ba5063b969a9.md | 145 + .../09bb9e96-8da3-4736-b89a-b36814acca60.md | 145 + .../10efce34-5af6-4d83-b414-9e096d5a06a9.md | 75 + .../1123031a-f921-4c5b-bd86-ef354ecfd37a.md | 78 + .../13a49a2e-488e-4309-a7c0-d6b05577a5fb.md | 252 ++ .../14abda69-8e91-4acb-9931-76e2bee90284.md | 81 + .../1828a670-5957-4bc5-9974-47da228f75e2.md | 103 + .../192fe40b-b1c3-448a-aba2-6cc19a300fe3.md | 76 + .../19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md | 168 + .../1a07a446-8e61-4e4d-bc16-b0781fcb8211.md | 158 + .../1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md | 97 + .../1acd93f1-5a37-45c0-aaac-82ece818be7d.md | 97 + .../1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md | 189 + 
.../1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md | 113 + .../1de5cc51-f376-4638-a940-20f2e85ae238.md | 220 ++ .../1e749bc9-fde8-471c-af0c-8254efd2dee5.md | 66 + .../1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md | 97 + .../2270987f-bb51-479f-b8be-3ca73e5ad648.md | 159 + .../229588ef-8fde-40c8-8756-f4f2b5825ded.md | 171 + .../235236ee-ad78-4065-bd29-61b061f28ce0.md | 98 + .../249328b8-5f0f-409f-b1dd-029f07882e11.md | 64 + .../26763a1c-5dda-4772-b507-5fca7fb5f165.md | 171 + .../268ca686-7fb7-4ae9-b129-955a2a89064e.md | 92 + .../2940d48a-dc5e-4178-a3f8-bfbd80720b41.md | 149 + .../2b1836f1-dcce-416e-8e16-da8c71920633.md | 82 + .../2f1a0619-b12b-48a0-825f-993bb6f01d58.md | 88 + .../2f491173-6375-4a84-b28e-a4e2b9a58a69.md | 278 ++ .../2f652c42-619d-4361-b361-9f599688f8ca.md | 106 + .../302736f4-b16c-41b8-befe-c0baffa0bd9d.md | 81 + .../32ecd76e-7bbf-402e-bf48-8b9485749558.md | 95 + .../33fc6923-6553-4fe6-9d3a-4efa51eb874b.md | 81 + .../35c0a471-f7c8-4993-aa2c-503a3c712a66.md | 157 + .../36a27826-1bf5-49da-aeb0-a60a30c0e834.md | 111 + .../3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md | 160 + .../38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md | 83 + .../3ca03a61-3249-4c16-8427-6f8e47dda729.md | 348 ++ .../3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md | 81 + .../3d658f8b-d988-41a0-a841-40043121de1e.md | 78 + .../3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md | 81 + .../46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2.md | 203 + .../48471392-d4d0-47c0-b135-cdec95eb3eef.md | 185 + .../48a5beba-e4c0-4584-a2aa-e6894e4cf424.md | 237 ++ .../49113af4-29ca-458e-b8d4-724c01a4a24f.md | 97 + .../4a20ebac-1060-4c81-95d1-1f7f620e983b.md | 231 ++ .../4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md | 99 + .../4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md | 97 + .../510d5810-9a30-443a-817d-5c1fa527b110.md | 166 + .../52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md | 127 + .../5308a7a8-06f8-45ac-bf10-791fe21de46e.md | 438 +++ .../5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md | 124 + .../5744cbb8-5946-4b75-a196-ade44449525b.md | 105 + 
.../583053b7-e632-46f0-b989-f81ff8045385.md | 70 + .../591ade62-d6b0-4580-b1ae-209f80ba1cd9.md | 126 + .../592ad21d-ad9b-46c6-8d2d-fad09d62a942.md | 179 + .../5da47109-f8d6-4585-9e2b-96a8958a12f5.md | 95 + .../5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md | 147 + .../611ab018-c4aa-4ba2-b0f6-a448337509a6.md | 190 + .../69bbc5e3-0818-4150-89cc-1e989b48f23b.md | 105 + .../6a68bebe-c021-492e-8ddb-55b0567fb768.md | 97 + .../6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md | 80 + .../6b896afb-ca07-467a-b256-1a0077a1c08e.md | 89 + .../6cf42c97-facd-4fda-b8af-ea4529123355.md | 158 + .../6d173be7-545a-46c6-a81d-2ae52ed1605d.md | 93 + .../7307579a-3abb-46ad-9ce5-2a915634d5c8.md | 91 + .../73e251f0-363d-4e53-86e2-0a93592437eb.md | 141 + .../768aab52-2504-4a2f-a3e3-329d5a679848.md | 157 + .../7c81d34c-8e5a-402b-9798-9f442630e678.md | 58 + .../80f93444-b240-4ebb-a4c6-5c40b76c04ea.md | 67 + .../8320826e-7a9c-4b0b-9535-578333193432.md | 58 + .../845acfbe-3e10-4b8e-b656-3b404d36dfb2.md | 66 + .../85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md | 153 + .../87554eef-154d-411d-bdce-9dbd91e56851.md | 109 + .../895a5a95-3756-4b04-9924-2f3bc93181bd.md | 97 + .../8b36775e-183d-4d46-b0f7-96a6f34a723f.md | 90 + .../8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md | 65 + .../8cf4671a-cf3d-46fc-8389-21e7405063a2.md | 140 + .../9127f0d9-2310-42e7-866f-5fd9d20dcbad.md | 157 + .../91dacd0e-d189-4a9c-8272-5999a3cc32d9.md | 67 + .../9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md | 117 + .../94b76ea5-e074-4ca2-8a03-c5a606e30645.md | 207 ++ .../9587c890-0524-40c2-9ce2-663af7c2f063.md | 97 + .../98ce8b81-7707-4734-aa39-627c6db3d84b.md | 117 + .../9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md | 94 + .../9f85c3f6-26fd-4007-938a-2e0cb0100980.md | 85 + .../a31b7b82-d994-48c4-bd21-3bab6c31827a.md | 107 + .../a33e9173-b674-4dfb-9d82-cf3754816e4b.md | 91 + .../a5530bd7-225a-48f9-91bb-f40b04200165.md | 81 + .../a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md | 78 + .../a6f34658-fdfb-4154-9536-56d516f65828.md | 121 + .../a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md 
| 81 + .../a97a340a-0063-418e-b3a1-3028941d0995.md | 97 + .../a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md | 75 + .../aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md | 331 ++ .../aafa7d94-62de-4fbf-8838-b69ee217b0e6.md | 94 + .../ade74944-a674-4e00-859e-c6eab5bde441.md | 95 + .../ae8827e2-4af9-4baa-9998-87539ae0d6f0.md | 117 + .../aee3c7d2-a811-4201-90c7-11c028be9a46.md | 119 + .../afa36afb-39fe-4d94-b9b6-afb236f7a03d.md | 81 + .../b14d1bc4-a208-45db-92f0-e21f8e2588e9.md | 171 + .../b23e9b98-0cb6-4fc9-b257-1f3270442678.md | 101 + .../b7652612-de4e-4466-a0bf-1cd81f0c6063.md | 162 + .../b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md | 75 + .../b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md | 117 + .../b9380fd3-5ffe-4d10-9290-13e18e71eee1.md | 95 + .../b9c83569-459b-4110-8f79-6305aa33cb37.md | 109 + .../bb241e61-77c3-4b97-9575-c0f8a1e008d0.md | 142 + .../bf36b900-b5ef-4828-adb7-70eb543b7cfb.md | 81 + .../c1032cf7-3628-44e2-bd53-38c17cf31b6b.md | 77 + .../c48e57d3-d642-4e0b-90db-37f807b41b91.md | 71 + .../c589f42c-7924-4871-aee2-1cede9bc7cbc.md | 83 + .../ca469dd4-c736-448f-8ac1-30a642705e0a.md | 135 + .../caa3479d-885d-4882-9aac-95e5e78ef5c2.md | 98 + .../caa93370-791f-4fc6-814b-ba6ce0cb4032.md | 131 + .../cb7e695d-6a85-495c-b15f-23aed2519303.md | 119 + .../cbd2db69-0b21-4c14-8a40-7710a50571a9.md | 81 + .../ccc98ff7-68a7-436e-9218-185cb0b0b780.md | 81 + .../cd290efd-6c82-4e9d-a698-be12ae31d536.md | 81 + .../cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md | 80 + .../ce30e584-b33f-4c7d-b418-a3d7027f8f60.md | 81 + .../cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md | 199 + .../d2ad057f-0928-41ef-a83c-f59203bb855b.md | 116 + .../d45330fd-f58d-45fb-a682-6481477a0f84.md | 85 + .../d740d048-8ed3-49d3-b77b-6f072f3b669e.md | 140 + .../d89a15bb-8dba-4c71-9529-bef6729b9c09.md | 170 + .../da9f3aa8-fbfb-472f-b5a1-576127944218.md | 157 + .../dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md | 65 + .../dbbc6705-d541-43b0-b166-dd4be8208b54.md | 123 + .../dd29336b-fe57-445b-a26e-e6aa867ae609.md | 103 + 
.../de4421f1-4e35-43b4-9783-737dd4e4a47e.md | 109 + .../e0099af2-fe17-411f-9991-0de28fe15f3c.md | 81 + .../e0e00aba-5f1c-4981-a542-9a9563c0ee20.md | 278 ++ .../e17fa86a-6222-4584-a914-56e8f6c87e06.md | 126 + .../e3aa0612-4351-4a0d-983f-aefea25cf203.md | 124 + .../e84eaf4d-2f45-47b2-abe8-e581b06deb66.md | 101 + .../ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md | 80 + .../ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md | 113 + .../f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md | 225 ++ .../f377b83e-bd07-4f48-a591-60c82b14a78b.md | 288 ++ .../f922827f-aab6-447c-832a-e1ff63312bd3.md | 135 + .../fa4def8c-1898-4a35-a139-7b76b1acdef0.md | 95 + .../fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md | 134 + docs/queries/openapi-queries.md | 394 +- .../00b78adf-b83f-419c-8ed8-c6018441dd3a.md | 713 ++++ .../013bdb4b-9246-4248-b0c3-7fb0fee42a29.md | 475 +++ .../015eac96-6313-43c0-84e5-81b1374fa637.md | 158 + .../0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md | 247 ++ .../03856cb2-e46c-4daf-bfbf-214ec93c882b.md | 485 +++ .../05505192-ba2c-4a81-9b25-dcdbcc973746.md | 751 ++++ .../06764426-3c56-407e-981f-caa25db1c149.md | 233 ++ .../0b76d993-ee52-43e0-8b39-3787d2ddabf1.md | 181 + .../0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md | 116 + .../0de50145-e845-47f4-9a15-23bcf2125710.md | 650 ++++ .../0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md | 245 ++ .../105e20dd-8449-4d71-95c6-d5dac96639af.md | 201 + .../10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md | 758 ++++ .../12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md | 416 +++ .../151331e2-11f4-4bb6-bd35-9a005e695087.md | 251 ++ .../181bd815-767e-4e95-a24d-bb3c87328e19.md | 677 ++++ .../1908a8ee-927d-4166-8f18-241152170cc1.md | 315 ++ .../1a1aea94-745b-40a7-b860-0702ea6ee636.md | 539 +++ .../1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md | 248 ++ .../20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md | 337 ++ .../20cb3159-b219-496b-8dac-54ae3ab2021a.md | 660 ++++ .../221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md | 152 + .../237402e2-c2f0-46c9-9cf5-286160cf7bfc.md | 389 ++ .../23a9e2d9-8738-4556-a71c-2802b6ffa022.md | 415 
+++ .../2596545e-1757-4ff7-a15a-8a9a180a42f3.md | 231 ++ .../26f06397-36d8-4ce7-b993-17711261d777.md | 285 ++ .../274f910a-0665-4f08-b66d-7058fe927dba.md | 165 + .../281b8071-6226-4a43-911d-fec246d422c2.md | 338 ++ .../2bd608ae-8a1f-457f-b710-c237883cb313.md | 710 ++++ .../2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md | 318 ++ .../2d6646f4-2946-420f-8c14-3232d49ae0cb.md | 549 +++ .../2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md | 260 ++ .../2da46be4-4317-4650-9285-56d7103c4f93.md | 180 + .../2e275f16-b627-4d3f-ae73-a6153a23ae8f.md | 167 + .../2e44e632-d617-43cb-b294-6bfe72a08938.md | 180 + .../2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md | 801 ++++ .../2ea04bef-c769-409e-9179-ee3a50b5c0ac.md | 681 ++++ .../31dd6fc0-f274-493b-9614-e063086c19fc.md | 564 +++ .../332cf2ad-380d-4b90-b436-46f8e635cf38.md | 297 ++ .../33d96c65-977d-4c33-943f-440baca49185.md | 179 + .../37140f7f-724a-4c87-a536-e9cee1d61533.md | 395 ++ .../376c9390-7e9e-4cb8-a067-fd31c05451fd.md | 232 ++ .../3847280c-9193-40bc-8009-76168e822ce2.md | 173 + .../3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md | 261 ++ .../39cb32f2-3a42-4af0-8037-82a7a9654b6c.md | 261 ++ .../3a01790c-ebee-4da6-8fd3-e78657383b75.md | 395 ++ .../3b066059-f411-4554-ac8d-96f32bff90da.md | 231 ++ .../3b497874-ae59-46dd-8d72-1868a3b8f150.md | 315 ++ .../3b615f00-c443-4ba9-acc4-7c308716917d.md | 447 +++ .../3ba0cca1-b815-47bf-ac62-1e584eb64a05.md | 345 ++ .../3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md | 268 ++ .../3fb03214-25d4-4bd4-867c-c2d8d708a483.md | 684 ++++ .../40d3df21-c170-4dbe-9c02-4289b51f994f.md | 715 ++++ .../40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md | 251 ++ .../4190dda7-af03-4cf0-a128-70ac1661ca09.md | 515 +++ .../429b2106-ba37-43ba-9727-7f699cc611e1.md | 331 ++ .../462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md | 403 ++ .../46facedc-f243-4108-ab33-583b807d50b0.md | 480 +++ .../48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md | 261 ++ .../4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md | 396 ++ .../4bcbcd52-3028-469f-bc14-02c7dbba2df2.md | 639 ++++ 
.../4cac7ace-b0fb-477d-830d-65395d9109d9.md | 558 +++ .../4cd8de87-b595-48b6-ab3c-1904567135ab.md | 471 +++ .../500ce696-d501-41dd-86eb-eceb011a386f.md | 677 ++++ .../50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md | 559 +++ .../52c0d841-60d6-4a81-88dd-c35fef36d315.md | 344 ++ .../543e38f4-1eee-479e-8eb0-15257013aa0a.md | 817 ++++ .../561710b1-b845-4562-95ce-2397a05ccef4.md | 700 ++++ .../58f06434-a88c-4f74-826c-db7e10cc7def.md | 507 +++ .../5915c20f-dffa-4cee-b5d4-f457ddc0151a.md | 208 ++ .../59c2f769-7cc2-49c8-a3de-4e211135cfab.md | 624 ++++ .../5aea1d7e-b834-4749-b143-2c7ec3bd5922.md | 358 ++ .../5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md | 137 + .../5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md | 315 ++ .../60b5f56b-66ff-4e1c-9b62-5753e16825bc.md | 325 ++ .../60fb6621-9f02-473b-9424-ba9a825747d3.md | 807 ++++ .../663c442d-f918-4f62-b096-0bf5dcbeb655.md | 763 ++++ .../68e5fcac-390c-4939-a373-6074b7be7c71.md | 248 ++ .../6952a7e0-6e48-4285-bbc1-27c64e60f888.md | 689 ++++ .../698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md | 160 + .../6998389e-66b2-473d-8d05-c8d71ac4d04d.md | 631 ++++ .../69d7aefd-149d-47b8-8d89-1c2181a8067b.md | 495 +++ .../6a2c219f-da5e-4745-941e-5ea8cde23356.md | 225 ++ .../6b76f589-9713-44ab-97f5-59a3dba1a285.md | 200 + .../6c35d2c6-09f2-4e5c-a094-e0e91327071d.md | 617 +++ .../6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md | 211 ++ .../72d259ca-9741-48dd-9f62-eb11f2936b37.md | 663 ++++ .../73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md | 173 + .../750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md | 267 ++ .../750f6448-27c0-49f8-a153-b81735c1e19c.md | 207 ++ .../77276d82-4f45-4cf1-8e2b-4d345b936228.md | 250 ++ .../773116aa-2e6d-416f-bd85-f0301cc05d76.md | 156 + .../7a01dfbd-da62-4165-aed7-71349ad42ab4.md | 209 ++ .../7f203940-39c4-4ea7-91ee-7aba16bca9e2.md | 505 +++ .../7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md | 201 + .../801f0c6a-a834-4467-89c6-ddecffb46b5a.md | 215 ++ .../815021c8-a50c-46d9-b192-24f71072c400.md | 188 + .../84c826c9-1893-4b34-8cdd-db97645b4bf3.md | 215 ++ 
.../86b1fa30-9790-4980-994d-a27e0f6f27c1.md | 257 ++ .../86e3702f-c868-44b2-b61d-ea5316c18110.md | 377 ++ .../881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md | 1026 +++++ .../8aee4754-970d-4c5f-8142-a49dfe388b1a.md | 367 ++ .../8af270ce-298b-4405-9922-82a10aee7a4f.md | 285 ++ .../8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md | 633 ++++ .../8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md | 803 ++++ .../8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md | 712 ++++ .../8c84f75e-5048-4926-a4cb-33e7b3431300.md | 679 ++++ .../8d0921d6-4131-461f-a253-99e873f8f77e.md | 349 ++ .../8db5544e-4874-4baa-9322-e9f75a2d219e.md | 361 ++ .../8fe1846f-52cc-4413-ace9-1933d7d23672.md | 771 ++++ .../9239c289-9e4c-4d92-8be1-9d506057c971.md | 289 ++ .../962fa01e-b791-4dcc-b04a-4a3e7389be5e.md | 175 + .../9670f240-7b4d-4955-bd93-edaa9fa38b58.md | 221 ++ .../96729c6b-7400-4d9e-9807-17f00cdde4d2.md | 558 +++ .../96beb800-566f-49a9-a0ea-dbdf4bc80429.md | 327 ++ .../98295b32-ec09-4b5b-89a9-39853197f914.md | 228 ++ .../990eaf09-d6f1-4c3c-b174-a517b1de8917.md | 372 ++ .../9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md | 169 + .../9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md | 408 ++ .../9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md | 227 ++ .../9d967a2b-9d64-41a6-abea-dfc4960299bd.md | 659 ++++ .../9f88c88d-824d-4d9a-b985-e22977046042.md | 412 +++ .../a0bf7382-5d5a-4224-924c-3db8466026c9.md | 315 ++ .../a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md | 342 ++ .../a4247b11-890b-45df-bf42-350a7a3af9be.md | 248 ++ .../a46928f1-43d7-4671-94e0-2dd99746f389.md | 119 + .../a4dd69b8-49fa-45d2-a060-c76655405b05.md | 515 +++ .../a5375be3-521c-43bb-9eab-e2432e368ee4.md | 459 +++ .../a599b0d1-ff89-4cb8-9ece-9951854c06f6.md | 391 ++ .../a6847dc6-f4ea-45ac-a81f-93291ae6c573.md | 119 + .../a68da022-e95a-4bc2-97d3-481e0bd6d446.md | 223 ++ .../a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md | 640 ++++ .../a9228976-10cf-4b5f-b902-9e962aad037a.md | 860 +++++ .../a92be1d5-d762-484a-86d6-8cd0907ba100.md | 719 ++++ .../a96bbc06-8cde-4295-ad3c-ee343a7f658e.md | 684 ++++ 
.../ab1263c2-81df-46f0-9f2c-0b62fdb68419.md | 337 ++ .../ab2af219-cd08-4233-b5a1-a788aac88b51.md | 909 +++++ .../ae13a37d-943b-47a7-a970-83c8598bcca3.md | 447 +++ .../aecee30b-8ea1-4776-a99c-d6d600f0862f.md | 408 ++ .../b05bb927-2df5-43cc-8d7b-6825c0e71625.md | 217 ++ .../b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md | 297 ++ .../b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md | 301 ++ .../b2f275be-7d64-4064-b418-be6b431363a7.md | 231 ++ .../b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md | 161 + .../b3871dd8-9333-4d6c-bd52-67eb898b71ab.md | 200 + .../b4803607-ed72-4d60-99e2-3fa6edf471c6.md | 187 + .../b481d46c-9c61-480f-86d9-af07146dc4a4.md | 769 ++++ .../b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md | 175 + .../b9db8a10-020c-49ca-88c6-780e5fdb4328.md | 461 +++ .../ba066cda-e808-450d-92b6-f29109754d45.md | 181 + .../ba239cb9-f342-4c20-812d-7b5a2aa6969e.md | 180 + .../baade968-7467-41e4-bf22-83ca222f5800.md | 766 ++++ .../bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md | 331 ++ .../bccfa089-89e4-47e0-a0e5-185fe6902220.md | 247 ++ .../be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md | 638 ++++ .../be1d8733-3731-40c7-a845-734741c6871d.md | 224 ++ .../be3e170e-1572-461e-a8b6-d963def581ec.md | 226 ++ .../c19779a9-5774-4d2f-a3a1-a99831730375.md | 210 ++ .../c254adc4-ef25-46e1-8270-b7944adb4198.md | 325 ++ .../c38d630d-a415-4e3e-bac2-65475979ba88.md | 193 + .../c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md | 172 + .../c5bb7461-aa57-470b-a714-3bc3d74f4669.md | 801 ++++ .../c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md | 266 ++ .../ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md | 205 + .../cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md | 459 +++ .../ceefb058-8065-418f-9c4c-584a78c7e104.md | 171 + .../cf4a5f45-a27b-49df-843a-9911dbfe71d4.md | 213 ++ .../d15db953-a553-4b8a-9a14-a3d62ea3d79d.md | 173 + .../d172a060-8569-4412-8045-3560ebd477e8.md | 813 ++++ .../d2361d58-361c-49f0-9e50-b957fd608b29.md | 505 +++ .../d3ea644a-9a5c-4fee-941f-f8a6786c0470.md | 523 +++ .../d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md | 266 ++ 
.../d47940ca-5970-45cc-bdd1-4d81398cee1f.md | 114 + .../d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md | 527 +++ .../d674aea4-ba8b-454b-bb97-88a772ea33f0.md | 424 +++ .../d86655c0-92f6-4ffc-b4d5-5b5775804c27.md | 428 +++ .../d90d4e40-44c1-4125-87a0-e072c3e195b5.md | 338 ++ .../d929c031-078f-4241-b802-e224656ad890.md | 507 +++ .../dadc2f36-1f5a-46c0-8289-75e626583123.md | 841 +++++ .../e2ffa504-d22a-4c94-b6c5-f661849d2db7.md | 701 ++++ .../e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md | 189 + .../e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md | 163 + .../e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md | 195 + .../eb3f9744-d24e-4614-b1ff-2a9514eca21c.md | 198 + .../ed48229d-d43e-4da7-b453-5f98d964a57a.md | 173 + .../f2702af5-6016-46cb-bbc8-84c766032095.md | 665 ++++ .../f29904c8-6041-4bca-b043-dfa0546b8079.md | 171 + .../f30ee711-0082-4480-85ab-31d922d9a2b2.md | 119 + .../f368dd2d-9344-4146-a05b-7c6faa1269ad.md | 315 ++ .../f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md | 182 + .../f525cc92-9050-4c41-a75c-890dc6f64449.md | 248 ++ .../f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md | 281 ++ .../f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md | 465 +++ .../f985a7d2-d404-4a7f-9814-f645f791e46e.md | 137 + .../fb7d81e7-4150-48c4-b914-92fc05da6a2f.md | 478 +++ .../fb889ae9-2d16-40b5-b41f-9da716c5abc1.md | 225 ++ .../fbf699b5-ef74-4542-9cf1-f6eeac379373.md | 685 ++++ docs/queries/pulumi-queries.md | 32 +- .../95588189-1abd-4df1-9588-b0a5034f9e87.md | 109 + .../327b0729-4c5c-4c44-8b5c-e476cd9c7290.md | 71 + .../9850d621-7485-44f7-8bdd-b3cf426315cf.md | 63 + .../9b18fc19-7fb8-49b1-8452-9c757c70f926.md | 80 + .../b6a7e0ae-aed8-4a19-a993-a95760bf8836.md | 66 + .../bf4b48b9-fc1f-4552-984a-4becdb5bf503.md | 58 + .../d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md | 79 + .../daa581ef-731c-4121-832d-cf078f67759d.md | 63 + .../de92dd34-1b88-43e8-b825-6e02d73c4549.md | 63 + .../e93bbe63-a631-4c0f-b6ef-700d48441ff2.md | 75 + .../f27791a5-e2ae-4905-8910-6f995c576d09.md | 56 + .../49e30ac8-f58e-4222-b488-3dcb90158ec1.md | 87 + 
.../cb8e4bf0-903d-45c6-a278-9a947d82a27b.md | 83 + .../ee305555-6b1d-4055-94cf-e22131143c34.md | 61 + .../48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md | 57 + .../965e8830-2bec-4b9b-a7f0-24dbc200a68f.md | 63 + docs/queries/serverlessfw-queries.md | 20 +- .../0d7ef70f-e176-44e6-bdba-add3e429788d.md | 33 + .../165aae3b-a56a-48f3-b76d-d2b5083f5b8f.md | 33 + .../434945e5-4dfd-41b1-aba1-47075ccd9265.md | 33 + .../4495bc5d-4d1e-4a26-ae92-152d18195648.md | 33 + .../4d424558-c6d1-453c-be98-9a7f877abd9a.md | 33 + .../59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd.md | 33 + .../a4d32883-aac7-42e1-b403-9415af0f3846.md | 33 + .../d5d1fe08-89db-440c-8725-b93223387309.md | 33 + .../dec7bc85-d156-4f64-9a33-96ed3d9f3fed.md | 33 + .../f99d3482-fa8c-4f79-bad9-35212dded164.md | 33 + docs/queries/terraform-queries.md | 1246 +++---- .../07fc3413-e572-42f7-9877-5c8fc6fccfb5.md | 218 ++ .../0ad60203-c050-4115-83b6-b94bde92541d.md | 129 + .../15d8a7fd-465a-4d15-a868-add86552f17b.md | 84 + .../17172bc2-56fb-4f17-916f-a014147706cd.md | 89 + .../17e52ca3-ddd0-4610-9d56-ce107442e110.md | 131 + .../21719347-d02b-497d-bda4-04a03c8e5b61.md | 368 ++ .../21cef75f-289f-470e-8038-c7cee0664164.md | 426 +++ .../228c4c19-feeb-4c18-848c-800ac70fdfb7.md | 251 ++ .../24b132df-5cc7-4823-8029-f898e1c50b72.md | 213 ++ .../26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md | 624 ++++ .../2a52567c-abb8-4651-a038-52fa27c77aed.md | 227 ++ .../2acb555f-f4ad-4b1b-b984-84e6588f4b05.md | 128 + .../2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md | 172 + .../3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md | 91 + .../3f55386d-75cd-4e9a-ac47-167b26c04724.md | 339 ++ .../420e6360-47bb-46f6-9072-b20ed22c842d.md | 447 +++ .../455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md | 642 ++++ .../461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md | 418 +++ .../48388bd2-7201-4dcc-b56d-e8a9efa58fad.md | 128 + .../4950837c-0ce5-4e42-9bee-a25eae73740b.md | 129 + .../4c415497-7410-4559-90e8-f2c8ac64ee38.md | 125 + .../4e203a65-c8d8-49a2-b749-b124d43c9dc1.md | 429 +++ 
.../4e74cf4f-ff65-4c1a-885c-67ab608206ce.md | 277 ++ .../51bed0ac-a8ae-407a-895e-90c6cb0610ce.md | 129 + .../522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md | 192 + .../577ac19c-6a77-46d7-9f14-e049cdd15ec2.md | 368 ++ .../587d5d82-70cf-449b-9817-f60f9bccb88c.md | 215 ++ .../58876b44-a690-4e9f-9214-7735fa0dd15d.md | 96 + .../5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md | 239 ++ .../5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md | 73 + .../5f4735ce-b9ba-4d95-a089-a37a767b716f.md | 367 ++ .../60af03ff-a421-45c8-b214-6741035476fa.md | 483 +++ .../6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md | 151 + .../7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md | 620 ++++ .../737a0dd9-0aaa-4145-8118-f01778262b8a.md | 59 + .../826abb30-3cd5-4e0b-a93b-67729b4f7e63.md | 139 + .../8657197e-3f87-4694-892b-8144701d83c1.md | 147 + .../86a947ea-f577-4efb-a8b0-5fc00257d521.md | 383 ++ .../87065ef8-de9b-40d8-9753-f4a4303e27a4.md | 345 ++ .../9aa32890-ac1a-45ee-81ca-5164e2098556.md | 134 + .../a05331ee-1653-45cb-91e6-13637a76e4f0.md | 249 ++ .../a62a99d1-8196-432f-8f80-3c100b05d62a.md | 280 ++ .../a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md | 127 + .../a737be28-37d8-4bff-aa6d-1be8aa0a0015.md | 263 ++ .../a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md | 258 ++ .../a9a13d4f-f17a-491b-b074-f54bffffcb4a.md | 457 +++ .../aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md | 122 + .../abcb818b-5af7-4d72-aba9-6dd84956b451.md | 64 + .../ac1564a3-c324-4747-9fa1-9dfc234dace0.md | 145 + .../ad69e38a-d92e-4357-a8da-f2f29d545883.md | 344 ++ .../05db341e-de7d-4972-a106-3e2bd5ee53e1.md | 63 + .../063234c0-91c0-4ab5-bbd0-47ddb5f23786.md | 74 + .../140869ea-25f2-40d4-a595-0c0da135114e.md | 96 + .../1455cb21-1d48-46d6-8ae3-cef911b71fd5.md | 212 ++ .../1b4565c0-4877-49ac-ab03-adebbccd42ae.md | 108 + .../1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md | 178 + .../2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md | 118 + .../2b13c6ff-b87a-484d-86fd-21ef6e97d426.md | 51 + .../2bb13841-7575-439e-8e0a-cccd9ede2fa8.md | 88 + .../39750e32-3fe9-453b-8c33-dd277acdb2cc.md | 80 + 
.../41a38329-d81b-4be4-aef4-55b2615d3282.md | 61 + .../44d434ca-a9bf-4203-8828-4c81a8d5a598.md | 162 + .../4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md | 61 + .../5e0fb613-ba9b-44c3-88f0-b44188466bfd.md | 74 + .../5f670f9d-b1b4-4c90-8618-2288f1ab9676.md | 51 + .../60587dbd-6b67-432e-90f7-a8cf1892d968.md | 118 + .../6107c530-7178-464a-88bc-df9cdd364ac8.md | 151 + .../62232513-b16f-4010-83d7-51d0e1d45426.md | 69 + .../66505003-7aba-45a1-8d83-5162d5706ef5.md | 170 + .../67bfdff1-31ce-4525-b564-e94368735360.md | 51 + .../69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md | 93 + .../70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md | 62 + .../72ceb736-0aee-43ea-a191-3a69ab135681.md | 76 + .../7a1ee8a9-71be-4b11-bb70-efb62d16863b.md | 100 + .../7db8bd7e-9772-478c-9ec5-4bc202c5686f.md | 96 + .../81ce9394-013d-4731-8fcc-9d229b474073.md | 126 + .../88541597-6f88-42c8-bac6-7e0b855e8ff6.md | 158 + .../89143358-cec6-49f5-9392-920c591c669c.md | 74 + .../8c0695d8-2378-4cd6-8243-7fd5894fa574.md | 133 + .../8f98334a-99aa-4d85-b72a-1399ca010413.md | 59 + .../9ef08939-ea40-489c-8851-667870b2ef50.md | 77 + .../a597e05a-c065-44e7-9cc8-742f572a504a.md | 96 + .../a8128dd2-89b0-464b-98e9-5d629041dfe0.md | 74 + .../a9dfec39-a740-4105-bbd6-721ba163c053.md | 74 + .../b9b7ada8-3868-4a35-854e-6100a2bb863d.md | 143 + .../b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md | 361 ++ .../c01d10de-c468-4790-b3a0-fc887a56f289.md | 207 ++ .../c065b98e-1515-4991-9dca-b602bd6a2fbb.md | 147 + .../cb319d87-b90f-485e-a7e7-f2408380f309.md | 83 + .../d2731f3d-a992-44ed-812e-f4f1c2747d71.md | 69 + .../d53f4123-f8d8-4224-8cb3-f920b151cc98.md | 96 + .../dbfc834a-56e5-4750-b5da-73fda8e73f70.md | 49 + .../dc158941-28ce-481d-a7fa-dc80761edf46.md | 137 + .../dcda2d32-e482-43ee-a926-75eaabeaa4e0.md | 100 + .../dd706080-b7a8-47dc-81fb-3e8184430ec0.md | 101 + .../e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md | 74 + .../e8e62026-da63-4904-b402-65adfe3ca975.md | 304 ++ .../ec62a32c-a297-41ca-a850-cab40b42094a.md | 108 + 
.../ed6cf6ff-9a1f-491c-9f88-e03c0807f390.md | 83 + .../ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md | 59 + .../ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md | 85 + .../f20e97f9-4919-43f1-9be9-f203cd339cdd.md | 63 + .../f262118c-1ac6-4bb3-8495-cc48f1775b85.md | 66 + .../faaefc15-51a5-419e-bb5e-51a4b5ab3485.md | 74 + .../fe286195-e75c-4359-bd58-00847c4f855a.md | 158 + .../00e5e55e-c2ff-46b3-a757-a7a1cd802456.md | 243 ++ .../01d50b14-e933-4c99-b314-6d08cd37ad35.md | 114 + .../034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md | 108 + .../04c686f1-e0cd-4812-88e1-4e038410074c.md | 82 + .../051f2063-2517-4295-ad8e-ba88c1bf5cfc.md | 330 ++ .../081069cb-588b-4ce1-884c-2a1ce3029fe5.md | 69 + .../084c6686-2a70-4710-91b1-000393e54c12.md | 101 + .../08bd0760-8752-44e1-9779-7bb369b2b4e4.md | 320 ++ .../09c35abf-5852-4622-ac7a-b987b331232e.md | 184 + .../0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3.md | 67 + .../0a592060-8166-49f5-8e65-99ac6dce9871.md | 107 + .../0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md | 150 + .../0a96ce49-4163-4ee6-8169-eb3b0797d694.md | 59 + .../0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md | 59 + .../0afbcfe9-d341-4b92-a64c-7e6de0543879.md | 60 + .../0b4869fc-a842-4597-aa00-1294df425440.md | 54 + .../0b530315-0ea4-497f-b34c-4ff86268f59d.md | 66 + .../0b93729a-d882-4803-bdc3-ac429a21f158.md | 567 +++ .../0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md | 258 ++ .../0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md | 91 + .../0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md | 239 ++ .../0e32d561-4b5a-4664-a6e3-a3fa85649157.md | 73 + .../0e59d33e-bba2-4037-8f88-9765647ca7ad.md | 95 + .../0f6cbf69-41bb-47dc-93f3-3844640bf480.md | 145 + .../0fd7d920-4711-46bd-aff2-d307d82cd8b7.md | 90 + .../113208f2-a886-4526-9ecc-f3218600e12c.md | 90 + .../118281d0-6471-422e-a7c5-051bc667926e.md | 82 + .../126c1788-23c2-4a10-906c-ef179f4f96ec.md | 166 + .../12933609-c5bf-44b4-9a41-a6467c3b685b.md | 99 + .../12b7e704-37f0-4d1e-911a-44bf60c48c21.md | 173 + .../132a8c31-9837-4203-9fd1-15ca210c7b73.md | 98 + 
.../1402afd8-a95c-4e84-8b0b-6fb43758e6ce.md | 137 + .../1419b4c6-6d5c-4534-9cf6-6a5266085333.md | 328 ++ .../151187cb-0efc-481c-babd-ad24e3c9bc22.md | 98 + .../15ccec05-5476-4890-ad19-53991eba1db8.md | 61 + .../15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md | 107 + .../15ffbacc-fa42-4f6f-a57d-2feac7365caa.md | 69 + .../16c4216a-50d3-4785-bfb2-4adb5144a8ba.md | 97 + .../1743f5f1-0bb0-4934-acef-c80baa5dadfa.md | 89 + .../17b30f8f-8dfb-4597-adf6-57600b6cf25e.md | 186 + .../19ffbe31-9d72-4379-9768-431195eae328.md | 109 + .../1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md | 175 + .../1afbb3fa-cf6c-4a3d-b730-95e9f4df343e.md | 72 + .../1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md | 381 ++ .../1b6799eb-4a7a-4b04-9001-8cceb9999326.md | 66 + .../1bc1c685-e593-450e-88fb-19db4c82aa1d.md | 63 + .../1bc367f6-901d-4870-ad0c-71d79762ef52.md | 208 ++ .../1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md | 319 ++ .../1df37f4b-7197-45ce-83f8-9994d2fcf885.md | 198 + .../1e0ef61b-ad85-4518-a3d3-85eaad164885.md | 51 + .../1ec253ab-c220-4d63-b2de-5b40e0af9293.md | 168 + .../20018359-6fd7-4d05-ab26-d4dffccbdf79.md | 423 +++ .../2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md | 73 + .../2285e608-ddbc-47f3-ba54-ce7121e31216.md | 142 + .../22fbfeac-7b5a-421a-8a27-7a2178bb910b.md | 121 + .../23b70e32-032e-4fa6-ba5c-82f56b9980e6.md | 283 ++ .../23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md | 307 ++ .../24e16922-4330-4e9d-be8a-caa90299466a.md | 58 + .../254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md | 57 + .../25d251f3-f348-4f95-845c-1090e41a615c.md | 54 + .../25db74bf-fa3b-44da-934e-8c3e005c0453.md | 62 + .../27c6a499-895a-4dc7-9617-5c485218db13.md | 229 ++ .../28545147-2fc6-42d5-a1f9-cf226658e591.md | 61 + .../2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md | 48 + .../2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md | 535 +++ .../2f01fb2d-828a-499d-b98e-b83747305052.md | 71 + .../2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md | 98 + .../2f56b7ab-7fba-4e93-82f0-247e5ddeb239.md | 65 + .../2f737336-b18a-4602-8ea0-b200312e1ac1.md | 138 + 
.../30b88745-eebe-4ecb-a3a9-5cf886e96204.md | 107 + .../31245f98-a6a9-4182-9fc1-45482b9d030a.md | 81 + .../3199c26c-7871-4cb3-99c2-10a59244ce7f.md | 89 + .../3206240f-2e87-4e58-8d24-3e19e7c83d7c.md | 87 + .../33627268-1445-4385-988a-318fd9d1a512.md | 109 + .../34b921bd-90a0-402e-a0a5-dc73371fd963.md | 79 + .../35113e6f-2c6b-414d-beec-7a9482d3b2d1.md | 216 ++ .../3561130e-9c5f-485b-9e16-2764c82763e5.md | 68 + .../35ccf766-0e4d-41ed-9ec4-2dab155082b4.md | 83 + .../37304d3f-f852-40b8-ae3f-725e87a7cedf.md | 59 + .../381c3f2a-ef6f-4eff-99f7-b169cda3422c.md | 244 ++ .../38b85c45-e772-4de8-a247-69619ca137b3.md | 150 + .../38c5ee0d-7f22-4260-ab72-5073048df100.md | 242 ++ .../3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md | 227 ++ .../3af7f2fd-06e6-4dab-b996-2912bea19ba4.md | 378 ++ .../3b6d777b-76e3-4133-80a3-0d6f667ade7f.md | 221 ++ .../3d3f6270-546b-443c-adb4-bb6fb2187ca6.md | 47 + .../3db3f534-e3a3-487f-88c7-0a9fbf64b702.md | 102 + .../3dd96caa-0b5f-4a85-b929-acfac4646cc2.md | 82 + .../3ddfa124-6407-4845-a501-179f90c65097.md | 153 + .../3deec14b-03d2-4d27-9670-7d79322e3340.md | 165 + .../3ef8696c-e4ae-4872-92c7-520bb44dfe77.md | 79 + .../4003118b-046b-4640-b200-b8c7a4c8b89f.md | 86 + .../41abc6cc-dde1-4217-83d3-fb5f0cc09d8f.md | 71 + .../42bb6b7f-6d54-4428-b707-666f669d94fb.md | 182 + .../42f4b905-3736-4213-bfe9-c0660518cda8.md | 83 + .../43a41523-386a-4cb1-becb-42af6b414433.md | 90 + .../443488f5-c734-460b-a36d-5b3f330174dc.md | 196 + .../44ceb4fa-0897-4fd2-b676-30e7a58f2933.md | 227 ++ .../45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md | 95 + .../46883ce1-dc3e-4b17-9195-c6a601624c73.md | 98 + .../4728cd65-a20c-49da-8b31-9c08b423e4db.md | 313 ++ .../4766d3ea-241c-4ee6-93ff-c380c996bd1a.md | 59 + .../48207659-729f-4b5c-9402-f884257d794f.md | 61 + .../482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md | 51 + .../4849211b-ac39-479e-ae78-5694d506cb24.md | 524 +++ .../4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md | 229 ++ .../4bb76f17-3d63-4529-bdca-2b454529d774.md | 53 + 
.../4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md | 494 +++ .../4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md | 56 + .../4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md | 142 + .../4c18a45b-4ab1-4790-9f83-399ac695f1e5.md | 228 ++ .../4d46ff3b-7160-41d1-a310-71d6d370b08f.md | 98 + .../4de9de27-254e-424f-bd70-4c1e95790838.md | 315 ++ .../4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md | 53 + .../4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md | 75 + .../4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md | 51 + .../4fa66806-0dd9-4f8d-9480-3174d39c7c91.md | 121 + .../52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md | 147 + .../52ffcfa6-6c70-4ea6-8376-d828d3961669.md | 54 + .../54229498-850b-4f78-b3a7-218d24ef2c37.md | 262 ++ .../54378d69-dd7c-4b08-a43e-80d563396857.md | 124 + .../54c417bf-c762-48b9-9d31-b3d87047e3f0.md | 86 + .../55af1353-2f62-4fa0-a8e1-a210ca2708f5.md | 191 + .../568a4d22-3517-44a6-a7ad-6a7eed88722c.md | 308 ++ .../56a585f5-555c-48b2-8395-e64e4740a9cf.md | 189 + .../56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md | 104 + .../571254d8-aa6a-432e-9725-535d3ef04d69.md | 81 + .../575a2155-6af1-4026-b1af-d5bc8fe2a904.md | 191 + .../57b9893d-33b1-4419-bcea-a717ea87e139.md | 159 + .../5813ef56-fa94-406a-b35d-977d4a56ff2b.md | 55 + .../5864d189-ee9a-4009-ac0c-8a582e6b7919.md | 225 ++ .../58b35504-0287-4154-bf69-02c0573deab8.md | 69 + .../590d878b-abdc-428f-895a-e2b68a0e1998.md | 112 + .../5a2486aa-facf-477d-a5c1-b010789459ce.md | 199 + .../5b4d4aee-ac94-4810-9611-833636e5916d.md | 82 + .../5b8d7527-de8e-4114-b9dd-9d988f1f418f.md | 172 + .../5ba6229c-8057-433e-91d0-21cf13569ca9.md | 55 + .../5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md | 171 + .../5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md | 110 + .../5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md | 100 + .../5d9e3164-9265-470c-9a10-57ae454ac0c7.md | 48 + .../5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md | 159 + .../5fb49a69-8d46-4495-a2f8-9c8c622b2b6e.md | 76 + .../60224630-175a-472a-9e23-133827040766.md | 296 ++ .../60263b4a-6801-4587-911d-919c37ed733b.md | 83 + 
.../61cf9883-1752-4768-b18c-0d57f2737709.md | 101 + .../625abc0e-f980-4ac9-a775-f7519ee34296.md | 109 + .../63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md | 83 + .../64a222aa-7793-4e40-915f-4b302c76e4d4.md | 125 + .../656880aa-1388-488f-a6d4-8f73c23149b2.md | 83 + .../65905cec-d691-4320-b320-2000436cb696.md | 204 + .../66c6f96f-2d9e-417e-a998-9058aeeecd44.md | 176 + .../66cd88ac-9ddf-424a-b77e-e55e17630bee.md | 156 + .../66f130d9-b81d-4e8e-9b08-da74b9c891df.md | 79 + .../671211c5-5d2a-4e97-8867-30fc28b02216.md | 62 + .../6726dcc0-5ff5-459d-b473-a780bef7665c.md | 449 +++ .../68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md | 208 ++ .../69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md | 119 + .../6b2739db-9c49-4db7-b980-7816e0c248c1.md | 53 + .../6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md | 143 + .../6d23d87e-1c5b-4308-b224-92624300f29b.md | 91 + .../6db03a91-f933-4f13-ab38-a8b87a7de54d.md | 58 + .../6db52fa6-d4da-4608-908a-89f0c59e743e.md | 112 + .../6deb34e2-5d9c-499a-801b-ea6d9eda894f.md | 90 + .../6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md | 55 + .../6e3fd2ed-5c83-4c68-9679-7700d224d379.md | 435 +++ .../6e8849c1-3aa7-40e3-9063-b85ee300f29f.md | 155 + .../704dadd3-54fc-48ac-b6a0-02f170011473.md | 46 + .../7081f85c-b94d-40fd-8b45-a4f1cac75e46.md | 60 + .../70b42736-efee-4bce-80d5-50358ed94990.md | 83 + .../70cb518c-d990-46f6-bc05-44a5041493d6.md | 89 + .../730675f9-52ed-49b6-8ead-0acb5dd7df7f.md | 148 + .../7350fa23-dcf7-4938-916d-6a60b0c73b50.md | 47 + .../741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md | 179 + .../75ec6890-83af-4bf1-9f16-e83726df0bd0.md | 51 + .../76976de7-c7b1-4f64-a94f-90c1345914c2.md | 71 + .../7782d4b3-e23e-432b-9742-d9528432e771.md | 82 + .../78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md | 107 + .../7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md | 61 + .../7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md | 54 + .../7af43613-6bb9-4a0e-8c4d-1314b799425e.md | 151 + .../7c96920c-6fd0-449d-9a52-0aa431b6beaf.md | 81 + .../7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md | 107 + 
.../7dbba512-e244-42dc-98bb-422339827967.md | 58 + .../7e4a6e76-568d-43ef-8c4e-36dea481bff1.md | 73 + .../7ebc9038-0bde-479a-acc4-6ed7b6758899.md | 114 + .../8055dec2-efb8-4fe6-8837-d9bed6ff202a.md | 110 + .../8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md | 146 + .../816ea8cf-d589-442d-a917-2dd0ce0e45e3.md | 181 + .../8173d5eb-96b5-4aa6-a71b-ecfa153c123d.md | 67 + .../846646e3-2af1-428c-ac5d-271eccfa6faf.md | 83 + .../862fe4bf-3eec-4767-a517-40f378886b88.md | 118 + .../86571149-eef3-4280-a645-01e60df854b0.md | 76 + .../874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md | 72 + .../88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6.md | 355 ++ .../89561b03-cb35-44a9-a7e9-8356e71606f4.md | 109 + .../89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md | 65 + .../8b1b1e67-6248-4dca-bbad-93486bb181c0.md | 229 ++ .../8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md | 84 + .../8bfbf7ab-d5e8-4100-8618-798956e101e0.md | 90 + .../8c849af7-a399-46f7-a34c-32d3dc96f1fc.md | 56 + .../8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md | 390 ++ .../8e94dced-9bcc-4203-8eb7-7e41202b2505.md | 633 ++++ .../8f3c16b3-354d-45db-8ad5-5066778a9485.md | 81 + .../8f75840d-9ee7-42f3-b203-b40e3979eb12.md | 82 + .../8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md | 95 + .../91bea7b8-0c31-4863-adc9-93f6177266c4.md | 71 + .../91f16d09-689e-4926-aca7-155157f634ed.md | 72 + .../92d65c51-5d82-4507-a2a1-d252e9706855.md | 71 + .../92fe237e-074c-4262-81a4-2077acb928c1.md | 329 ++ .../94690d79-b3b0-43de-b656-84ebef5753e5.md | 76 + .../94fbe150-27e3-4eba-9ca6-af32865e4503.md | 109 + .../9630336b-3fed-4096-8173-b9afdfe346a7.md | 58 + .../967eb3e6-26fc-497d-8895-6428beb6e8e2.md | 98 + .../96e8183b-e985-457b-90cd-61c0503a3369.md | 80 + .../96ed3526-0179-4c73-b1b2-372fde2e0d13.md | 99 + .../970d224d-b42a-416b-81f9-8f4dfe70c4bc.md | 144 + .../970ed7a2-0aca-4425-acf1-0453c9ecbca1.md | 81 + .../97cb0688-369a-4d26-b1f7-86c4c91231bc.md | 55 + .../982aa526-6970-4c59-8b9b-2ce7e019fe36.md | 85 + .../98a8f708-121b-455b-ae2f-da3fb59d17e1.md | 288 ++ 
.../98d59056-f745-4ef5-8613-32bca8d40b7e.md | 67 + .../9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md | 83 + .../9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md | 99 + .../9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md | 107 + .../9b877bd8-94b4-4c10-a060-8e0436cc09fa.md | 88 + .../9ba198e0-fef4-464a-8a4d-75ea55300de7.md | 55 + .../9cf718ce-46f9-430e-89ec-c456f8b469ee.md | 375 ++ .../9d0d4512-1959-43a2-a17f-72360ff06d1b.md | 142 + .../9ec311bf-dfd9-421f-8498-0b063c8bc552.md | 54 + .../9ef7d25d-9764-4224-9968-fa321c56ef76.md | 63 + .../9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md | 221 ++ .../9f4a9409-9c60-4671-be96-9716dbf63db1.md | 65 + .../a186e82c-1078-4a7b-85d8-579561fde884.md | 207 ++ .../a20be318-cac7-457b-911d-04cc6e812c25.md | 378 ++ .../a2f548f2-188c-4fff-b172-e9a6acb216bd.md | 46 + .../a31a5a29-718a-4ff4-8001-a69e5e4d029e.md | 93 + .../a4966c4f-9141-48b8-a564-ffe9959945bc.md | 143 + .../a8fc2180-b3ac-4c93-bd0d-a55b974e4b07.md | 203 + .../abb06e5f-ef9a-4a99-98c6-376d396bfcdf.md | 158 + .../abdb29d4-5ca1-4e91-800b-b3569bbd788c.md | 71 + .../ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md | 76 + .../acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md | 74 + .../ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md | 82 + .../ad5b4e97-2850-4adf-be17-1d293e0b85ee.md | 123 + .../ad9dabc7-7839-4bae-a957-aa9120013f39.md | 131 + .../af173fde-95ea-4584-b904-bb3923ac4bda.md | 64 + .../afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md | 310 ++ .../b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md | 63 + .../b161c11b-a59b-4431-9a29-4e19f63e6b27.md | 152 + .../b1a72f66-2236-4f3b-87ba-0da1b366956f.md | 66 + .../b1ffa705-19a3-4b73-b9d0-0c97d0663842.md | 110 + .../b2315cae-b110-4426-81e0-80bb8640cdd3.md | 60 + .../b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md | 74 + .../b3a41501-f712-4c4f-81e5-db9a7dc0e34e.md | 951 +++++ .../b3a59b8e-94a3-403e-b6e2-527abaf12034.md | 520 +++ .../b4378389-a9aa-44ee-91e7-ef183f11079e.md | 211 ++ .../b5681959-6c09-4f55-b42b-c40fa12d03ec.md | 126 + .../b592ffd4-0577-44b6-bd35-8c5ee81b5918.md | 78 + 
.../b69247e5-7e73-464e-ba74-ec9b715c6e12.md | 90 + .../b72d0026-f649-4c91-a9ea-15d8f681ac09.md | 59 + .../b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md | 157 + .../b8a31292-509d-4b61-bc40-13b167db7e9c.md | 82 + .../b9033580-6886-401a-8631-5f19f5bb24c7.md | 152 + .../ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md | 88 + .../ba48df05-eaa1-4d64-905e-4a4b051e7587.md | 543 +++ .../ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md | 62 + .../baecd2da-492a-4d59-b9dc-29540a1398e0.md | 229 ++ .../bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md | 60 + .../bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md | 194 + .../bc1f9009-84a0-490f-ae09-3e0ea6d74ad6.md | 69 + .../bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md | 153 + .../bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md | 188 + .../bd0088a5-c133-4b20-b129-ec9968b16ef3.md | 203 + .../be2aa235-bd93-4b68-978a-1cc65d49082f.md | 107 + .../bf878b1a-7418-4de3-b13c-3a86cf894920.md | 194 + .../bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md | 89 + .../c0c1e744-0f37-445e-924a-1846f0839f69.md | 83 + .../c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md | 67 + .../c53c7a89-f9d7-4c7b-8b66-8a555be99593.md | 412 +++ .../c583f0f9-7dfd-476b-a056-f47c62b47b46.md | 83 + .../c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md | 425 +++ .../c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md | 60 + .../c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md | 69 + .../c999cf62-0920-40f8-8dda-0caccd66ed7e.md | 80 + .../cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md | 74 + .../cc997676-481b-4e93-aa81-d19f8c5e9b12.md | 68 + .../ce089fd4-1406-47bd-8aad-c259772bb294.md | 108 + .../ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md | 88 + .../ce60d060-efb8-4bfd-9cf7-ff8945d00d90.md | 65 + .../ce9dfce0-5fc8-433b-944a-3b16153111a8.md | 69 + .../cfdcabb0-fc06-427c-865b-c59f13e898ce.md | 66 + .../d0cc8694-fcad-43ff-ac86-32331d7e867f.md | 172 + .../d1846b12-20c5-4d45-8798-fc35b79268eb.md | 63 + .../d24c0755-c028-44b1-b503-8e719c898832.md | 177 + .../d25edb51-07fb-4a73-97d4-41cecdc53a22.md | 71 + .../d364984a-a222-4b5f-a8b0-e23ab19ebff3.md | 81 + 
.../d40210ea-64b9-4cce-a4fb-e8604f3c062c.md | 145 + .../d6047119-a0b2-4b59-a4f2-127a36fb685b.md | 82 + .../d7b9d850-3e06-4a75-852f-c46c2e92240b.md | 103 + .../db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md | 88 + .../db78d14b-10e5-4e6e-84b1-dace6327b1ec.md | 81 + .../de7f5e83-da88-4046-871f-ea18504b1d43.md | 312 ++ .../e08ed7eb-f3ef-494d-9d22-2e3db756a347.md | 55 + .../e227091e-2228-4b40-b046-fc13650d8e88.md | 90 + .../e35c16a2-d54e-419d-8546-a804d8e024d0.md | 244 ++ .../e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md | 77 + .../e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md | 81 + .../e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md | 59 + .../e592a0c5-5bdb-414c-9066-5dba7cdea370.md | 53 + .../e6b4b943-6883-47a9-9739-7ada9568f8ca.md | 89 + .../e7530c3c-b7cf-4149-8db9-d037a0b5268e.md | 121 + .../e77c89f6-9c85-49ea-b95b-5f960fe5be92.md | 82 + .../e86e26fc-489e-44f0-9bcd-97305e4ba69a.md | 113 + .../e979fcbc-df6c-422d-9458-c33d65e71c45.md | 54 + .../e9b7acf9-9ba0-4837-a744-31e7df1e434d.md | 206 ++ .../eaaba502-2f94-411a-a3c2-83d63cc1776d.md | 150 + .../eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md | 83 + .../ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md | 98 + .../ec49cbfd-fae4-45f3-81b1-860526d66e3f.md | 82 + .../eccc4d59-74b9-4974-86f1-74386e0c7f33.md | 172 + .../ed35928e-195c-4405-a252-98ccb664ab7b.md | 75 + .../eda48c88-2b7d-4e34-b6ca-04c0194aee17.md | 81 + .../ee49557d-750c-4cc1-aa95-94ab36cbefde.md | 81 + .../ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md | 267 ++ .../eeb4d37a-3c59-4789-a00c-1509bc3af1e5.md | 91 + .../ef0b316a-211e-42f1-888e-64efe172b755.md | 68 + .../f0d8781f-99bf-4958-9917-d39283b168a0.md | 67 + .../f1173d8c-3264-4148-9fdb-61181e031b51.md | 107 + .../f11aec39-858f-4b6f-b946-0a1bf46c0c87.md | 76 + .../f1adc521-f79a-4d71-b55b-a68294687432.md | 79 + .../f3674e0c-f6be-43fa-b71c-bf346d1aed99.md | 58 + .../f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md | 81 + .../f53f16d6-46a9-4277-9fbe-617b1e24cdca.md | 102 + .../f83121ea-03da-434f-9277-9cd247ab3047.md | 162 + .../f861041c-8c9f-4156-acfc-5e6e524f5884.md 
| 172 + .../f906113d-cdc0-415a-ba60-609cc6daaf4d.md | 84 + .../fa00ce45-386d-4718-8392-fb485e1f3c5b.md | 91 + .../fa62ac4f-f5b9-45b9-97c1-625c8b6253ca.md | 108 + .../fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md | 106 + .../fc101ca7-c9dd-4198-a1eb-0fbe92e80044.md | 96 + .../fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md | 109 + .../fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md | 59 + .../ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md | 95 + .../ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md | 174 + .../0437633b-daa6-4bbc-8526-c0d2443b946e.md | 97 + .../07f7134f-9f37-476e-8664-670c218e4702.md | 77 + .../0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1.md | 95 + .../11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md | 127 + .../12944ec4-1fa0-47be-8b17-42a034f937c2.md | 61 + .../16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md | 79 + .../17f75827-0684-48f4-8747-61129c7e4198.md | 154 + .../25c0ea09-f1c5-4380-b055-3b83863f2bb8.md | 51 + .../261a83f8-dd72-4e8c-b5e1-ebf06e8fe606.md | 49 + .../2ab6de9a-0136-415c-be92-79d2e4fd750f.md | 124 + .../2b3c671f-1b76-4741-8789-ed1fe0785dc4.md | 77 + .../2b856bf9-8e8c-4005-875f-303a8cba3918.md | 150 + .../2bc626a8-0751-446f-975d-8139214fc790.md | 47 + .../2e48d91c-50e4-45c8-9312-27b625868a72.md | 61 + .../34664094-59e0-4524-b69f-deaa1a68cce3.md | 52 + .../3790d386-be81-4dcf-9850-eaa7df6c10d9.md | 77 + .../38c71c00-c177-4cd7-8d36-cd1007cdb190.md | 167 + .../3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md | 63 + .../3e3c175e-aadf-4e2b-a464-3fdac5748d24.md | 337 ++ .../3fa5900f-9aac-4982-96b2-a6143d9c99fb.md | 72 + .../4216ebac-d74c-4423-b437-35025cb88af5.md | 79 + .../43789711-161b-4708-b5bb-9d1c626f7492.md | 116 + .../45fc717a-bd86-415c-bdd8-677901be1aa6.md | 94 + .../48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md | 72 + .../4a9e0f00-0765-4f72-a0d4-d31110b78279.md | 62 + .../4d080822-5ee2-49a4-8984-68f3d4c890fc.md | 68 + .../5089d055-53ff-421b-9482-a5267bdce629.md | 85 + .../525b53be-62ed-4244-b4df-41aecfcb4071.md | 129 + .../5400f379-a347-4bdd-a032-446465fdcc6f.md | 95 + 
.../55975007-f6e7-4134-83c3-298f1fe4b519.md | 81 + .../56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md | 52 + .../594c198b-4d79-41b8-9b36-fde13348b619.md | 331 ++ .../599318f2-6653-4569-9e21-041d06c63a89.md | 65 + .../59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md | 194 + .../5c822443-e1ea-46b8-84eb-758ec602e844.md | 72 + .../609839ae-bd81-4375-9910-5bce72ae7b92.md | 60 + .../61c3cb8b-0715-47e4-b788-86dde40dd2db.md | 110 + .../6425c98b-ca4e-41fe-896a-c78772c131f8.md | 106 + .../73e42469-3a86-4f39-ad78-098f325b4e9f.md | 75 + .../7750fcca-dd03-4d38-b663-4b70289bcfd4.md | 108 + .../7f0a8696-7159-4337-ad0d-8a3ab4a78195.md | 75 + .../819d50fd-1cdf-45c3-9936-be408aaad93e.md | 43 + .../8263f146-5e03-43e0-9cfe-db960d56d1e7.md | 63 + .../835a4f2f-df43-437d-9943-545ccfc55961.md | 124 + .../83a229ba-483e-47c6-8db7-dc96969bce5a.md | 152 + .../85da374f-b00f-4832-9d44-84a1ca1e89f8.md | 78 + .../86f92117-eed8-4614-9c6c-b26da20ff37f.md | 121 + .../8b042c30-e441-453f-b162-7696982ebc58.md | 97 + .../8e75e431-449f-49e9-b56a-c8f1378025cf.md | 83 + .../96fe318e-d631-4156-99fa-9080d57280ae.md | 210 ++ .../9bb3c639-5edf-458c-8ee5-30c17c7d671d.md | 70 + .../9c301481-e6ec-44f7-8a49-8ec63e2969ea.md | 193 + .../9dab0179-433d-4dff-af8f-0091025691df.md | 94 + .../9db38e87-f6aa-4b5e-a1ec-7266df259409.md | 47 + .../a187ac47-8163-42ce-8a63-c115236be6fb.md | 70 + .../a21c8da9-41bf-40cf-941d-330cf0d11fc7.md | 107 + .../a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md | 80 + .../a5613650-32ec-4975-a305-31af783153ea.md | 256 ++ .../a81573f9-3691-4d83-88a0-7d4af63e17a3.md | 110 + .../a829b715-cf75-4e92-b645-54c9b739edfb.md | 51 + .../a99130ab-4c0e-43aa-97f8-78d4fcb30024.md | 83 + .../ace823d1-4432-4dee-945b-cdf11a5a6bd0.md | 97 + .../ade36cf4-329f-4830-a83d-9db72c800507.md | 91 + .../b17d8bb8-4c08-4785-867e-cb9e62a622aa.md | 80 + .../b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md | 184 + .../b61cce4b-0cc4-472b-8096-15617a6d769b.md | 93 + .../b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md | 86 + .../b897dfbf-322c-45a8-b67c-1e698beeaa51.md 
| 63 + .../b90842e5-6779-44d4-9760-972f4c03ba1c.md | 63 + .../b947809d-dd2f-4de9-b724-04d101c515aa.md | 80 + .../bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md | 71 + .../bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md | 93 + .../c1573577-e494-4417-8854-7e119368dc8b.md | 62 + .../c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md | 51 + .../c407c3cf-c409-4b29-b590-db5f4138d332.md | 110 + .../c640d783-10c5-4071-b6c1-23507300d333.md | 77 + .../c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md | 331 ++ .../c7fc1481-2899-4490-bbd8-544a3a61a2f3.md | 113 + .../c87749b3-ff10-41f5-9df2-c421e8151759.md | 59 + .../cc4aaa9d-1070-461a-b519-04e00f42db8a.md | 238 ++ .../d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md | 89 + .../dafe30ec-325d-4516-85d1-e8e6776f012c.md | 92 + .../dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md | 53 + .../dfa20ffa-f476-428f-a490-424b41e91c7f.md | 56 + .../e29a75e6-aba3-4896-b42d-b87818c16b58.md | 77 + .../e65a0733-94a0-4826-82f4-df529f4c593f.md | 74 + .../e9dee01f-2505-4df2-b9bf-7804d1fd9082.md | 331 ++ .../efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md | 337 ++ .../f118890b-2468-42b1-9ce9-af35146b425b.md | 101 + .../f5342045-b935-402d-adf1-8dbbd09c0eef.md | 157 + .../f7e296b0-6660-4bc5-8f87-22ac4a815edf.md | 60 + .../f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md | 50 + .../fd8da341-6760-4450-b26c-9f6d8850575e.md | 85 + .../ffb02aca-0d12-475e-b77c-a726f7aeff4b.md | 77 + .../b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md | 257 ++ .../bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md | 151 + .../bd6bd46c-57db-4887-956d-d372f21291b6.md | 202 + .../c878abb4-cca5-4724-92b9-289be68bd47c.md | 345 ++ .../ca2fba76-c1a7-4afd-be67-5249f861cb0e.md | 455 +++ .../ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md | 63 + .../1e434b25-8763-4b00-a5ca-ca03b7abbb66.md | 114 + .../2a153952-2544-4687-bcc9-cc8fea814a9b.md | 86 + .../3a81fc06-566f-492a-91dd-7448e409e2cd.md | 87 + .../59312e8a-a64e-41e7-a252-618533dd1ea8.md | 78 + .../fc5109bf-01fd-49fb-8bde-4492b543c34a.md | 86 + .../d532566b-8d9d-4f3b-80bd-361fe802f9c2.md | 341 ++ 
.../e2c83c1f-84d7-4467-966c-ed41fd015bb9.md | 324 ++ .../e5587d53-a673-4a6b-b3f2-ba07ec274def.md | 384 ++ .../e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md | 251 ++ .../e94d3121-c2d1-4e34-a295-139bfeb73ea3.md | 154 + .../f74b9c43-161a-4799-bc95-0b0ec81801b9.md | 212 ++ .../fcc2612a-1dfe-46e4-8ce6-0320959f0040.md | 405 ++ .../fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md | 367 ++ .../fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md | 339 ++ .../02474449-71aa-40a1-87ae-e14497747b00.md | 101 + .../11e7550e-c4b6-472e-adff-c698f157cdd7.md | 151 + .../128df7ec-f185-48bc-8913-ce756a3ccb85.md | 154 + .../14a457f0-473d-4d1d-9e37-6d99b355b336.md | 55 + .../16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md | 119 + .../1b44e234-3d73-41a8-9954-0b154135280e.md | 109 + .../1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md | 104 + .../22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md | 77 + .../2f06d22c-56bd-4f73-8a51-db001fcf2150.md | 99 + .../30e8dfd2-3591-4d19-8d11-79e93106c93d.md | 85 + .../32ecd6eb-0711-421f-9627-1a28d9eff217.md | 55 + .../3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md | 199 + .../3e4d5ce6-3280-4027-8010-c26eeea1ec01.md | 148 + .../40430747-442d-450a-a34f-dc57149f4609.md | 55 + .../40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md | 66 + .../4b82202a-b18e-4891-a1eb-a0989850bbb3.md | 123 + .../4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md | 85 + .../59571246-3f62-4965-a96f-c7d97e269351.md | 57 + .../5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md | 61 + .../5ef61c88-bbb4-4725-b1df-55d23c9676bb.md | 59 + .../617ef6ff-711e-4bd7-94ae-e965911b1b40.md | 76 + .../65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md | 65 + .../678fd659-96f2-454a-a2a0-c2571f83a4a3.md | 95 + .../6ccb85d7-0420-4907-9380-50313f80946b.md | 150 + .../704fcc44-a58f-4af5-82e2-93f2a58ef918.md | 80 + .../73fb21a1-b19a-45b1-b648-b47b1678681e.md | 99 + .../84d36481-fd63-48cb-838e-635c44806ec2.md | 54 + .../895ed0d9-6fec-4567-8614-d7a74b599a53.md | 94 + .../89fe890f-b480-460c-8b6b-7d8b1468adb4.md | 74 + .../8a893e46-e267-485a-8690-51f39951de58.md | 91 + 
.../9192e0f9-eca5-4056-9282-ae2a736a4088.md | 78 + .../92e4464a-4139-4d57-8742-b5acc0347680.md | 83 + .../9356962e-4a4f-4d06-ac59-dc8008775eaa.md | 53 + .../97fa667a-d05b-4f16-9071-58b939f34751.md | 129 + .../a6cd52a1-3056-4910-96a5-894de9f3f3b3.md | 63 + .../acfdbec6-4a17-471f-b412-169d77553332.md | 79 + .../b139213e-7d24-49c2-8025-c18faa21ecaa.md | 96 + .../b187edca-b81e-4fdc-aff4-aab57db45edb.md | 136 + .../b1d51728-7270-4991-ac2f-fc26e2695b38.md | 133 + .../bb0db090-5509-4853-a827-75ced0b3caa0.md | 90 + .../bc280331-27b9-4acb-a010-018e8098aa5d.md | 81 + .../bc75ce52-a60a-4660-b533-bce837a5019b.md | 115 + .../c010082c-76e0-4b91-91d9-6e8439e455dd.md | 67 + .../c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md | 105 + .../c606ba1d-d736-43eb-ac24-e16108f3a9e0.md | 91 + .../c68b4e6d-4e01-4ca1-b256-1e18e875785c.md | 53 + .../c9d81239-c818-4869-9917-1570c62b81fd.md | 141 + .../ccc3100c-0fdd-4a5e-9908-c10107291860.md | 68 + .../cefdad16-0dd5-4ac5-8ed2-a37502c78672.md | 123 + .../cf3c7631-cd1e-42f3-8801-a561214a6e79.md | 85 + .../d0b4d550-c001-46c3-bbdb-d5d75d33f05f.md | 116 + .../d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md | 70 + .../d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md | 63 + .../dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md | 152 + .../e576ce44-dd03-4022-a8c0-3906acca2ab4.md | 76 + .../e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md | 77 + .../e7e961ac-d17e-4413-84bc-8a1fbe242944.md | 58 + .../ee7b93c1-b3f8-4a3b-9588-146d481814f5.md | 89 + .../f34c0c25-47b4-41eb-9c79-249b4dd47b89.md | 69 + 1665 files changed, 307245 insertions(+), 3296 deletions(-) create mode 100644 docs/queries/ansible-queries/aws/01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md create mode 100644 docs/queries/ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f.md create mode 100644 docs/queries/ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad.md create mode 100644 docs/queries/ansible-queries/aws/0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md create mode 100644 
docs/queries/ansible-queries/aws/12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md create mode 100644 docs/queries/ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4.md create mode 100644 docs/queries/ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8.md create mode 100644 docs/queries/ansible-queries/aws/17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md create mode 100644 docs/queries/ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a.md create mode 100644 docs/queries/ansible-queries/aws/1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md create mode 100644 docs/queries/ansible-queries/aws/2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md create mode 100644 docs/queries/ansible-queries/aws/2059155b-27fd-441e-b616-6966c468561f.md create mode 100644 docs/queries/ansible-queries/aws/218413a0-c716-4b94-9e08-0bb70d854709.md create mode 100644 docs/queries/ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607.md create mode 100644 docs/queries/ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5.md create mode 100644 docs/queries/ansible-queries/aws/2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md create mode 100644 docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md create mode 100644 docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md create mode 100644 docs/queries/ansible-queries/aws/32d31f1f-0f83-4721-b7ec-1e6948c60145.md create mode 100644 docs/queries/ansible-queries/aws/338b6cab-961d-4998-bb49-e5b6a11c9a5c.md create mode 100644 docs/queries/ansible-queries/aws/3505094c-f77c-4ba0-95da-f83db712f86c.md create mode 100644 docs/queries/ansible-queries/aws/3ab1f27d-52cc-4943-af1d-43c1939e739a.md create mode 100644 docs/queries/ansible-queries/aws/3ddf3417-424d-420d-8275-0724dc426520.md create mode 100644 docs/queries/ansible-queries/aws/3f2cf811-88fa-4eda-be45-7a191a18aba9.md create mode 100644 docs/queries/ansible-queries/aws/445dce51-7e53-4e50-80ef-7f94f14169e4.md create mode 100644 
docs/queries/ansible-queries/aws/4b6012e7-7176-46e4-8108-e441785eae57.md create mode 100644 docs/queries/ansible-queries/aws/4d8681a2-3d30-4c89-8070-08acd142748e.md create mode 100644 docs/queries/ansible-queries/aws/5330b503-3319-44ff-9b1c-00ee873f728a.md create mode 100644 docs/queries/ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf.md create mode 100644 docs/queries/ansible-queries/aws/5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md create mode 100644 docs/queries/ansible-queries/aws/559439b2-3e9c-4739-ac46-17e3b24ec215.md create mode 100644 docs/queries/ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77.md create mode 100644 docs/queries/ansible-queries/aws/594f54e7-f744-45ab-93e4-c6dbaf6cd571.md create mode 100644 docs/queries/ansible-queries/aws/5a443297-19d4-4381-9e5b-24faf947ec22.md create mode 100644 docs/queries/ansible-queries/aws/5b9d237a-57d5-4177-be0e-71434b0fef47.md create mode 100644 docs/queries/ansible-queries/aws/5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md create mode 100644 docs/queries/ansible-queries/aws/5c6b727b-1382-4629-8ba9-abd1365e5610.md create mode 100644 docs/queries/ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9.md create mode 100644 docs/queries/ansible-queries/aws/5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md create mode 100644 docs/queries/ansible-queries/aws/60bfbb8a-c72f-467f-a6dd-a46b7d612789.md create mode 100644 docs/queries/ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md create mode 100644 docs/queries/ansible-queries/aws/66477506-6abb-49ed-803d-3fa174cd5f6a.md create mode 100644 docs/queries/ansible-queries/aws/6a647814-def5-4b85-88f5-897c19f509cd.md create mode 100644 docs/queries/ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec.md create mode 100644 docs/queries/ansible-queries/aws/6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md create mode 100644 docs/queries/ansible-queries/aws/6f5f5444-1422-495f-81ef-24cefd61ed2c.md create mode 100644 
docs/queries/ansible-queries/aws/6fa44721-ef21-41c6-8665-330d59461163.md create mode 100644 docs/queries/ansible-queries/aws/71397b34-1d50-4ee1-97cb-c96c34676f74.md create mode 100644 docs/queries/ansible-queries/aws/71ea648a-d31a-4b5a-a589-5674243f1c33.md create mode 100644 docs/queries/ansible-queries/aws/722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md create mode 100644 docs/queries/ansible-queries/aws/727c4fd4-d604-4df6-a179-7713d3c85e20.md create mode 100644 docs/queries/ansible-queries/aws/72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md create mode 100644 docs/queries/ansible-queries/aws/730a5951-2760-407a-b032-dd629b55c23a.md create mode 100644 docs/queries/ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674.md create mode 100644 docs/queries/ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84.md create mode 100644 docs/queries/ansible-queries/aws/7af1c447-c014-4f05-bd8b-ebe3a15734ac.md create mode 100644 docs/queries/ansible-queries/aws/7cc6c791-5f68-4816-a564-b9b699f9d26e.md create mode 100644 docs/queries/ansible-queries/aws/7db727c1-1720-468e-b80e-06697f71e09e.md create mode 100644 docs/queries/ansible-queries/aws/7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md create mode 100644 docs/queries/ansible-queries/aws/7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md create mode 100644 docs/queries/ansible-queries/aws/7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md create mode 100644 docs/queries/ansible-queries/aws/8010e17a-00e9-4635-a692-90d6bcec68bd.md create mode 100644 docs/queries/ansible-queries/aws/83957b81-39c1-4191-8e12-671d2ce14354.md create mode 100644 docs/queries/ansible-queries/aws/83c5fa4c-e098-48fc-84ee-0a537287ddd2.md create mode 100644 docs/queries/ansible-queries/aws/857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md create mode 100644 docs/queries/ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a.md create mode 100644 docs/queries/ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029.md create mode 100644 
docs/queries/ansible-queries/aws/8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md create mode 100644 docs/queries/ansible-queries/aws/8d03993b-8384-419b-a681-d1f55149397c.md create mode 100644 docs/queries/ansible-queries/aws/8e3063f4-b511-45c3-b030-f3b0c9131951.md create mode 100644 docs/queries/ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad.md create mode 100644 docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md create mode 100644 docs/queries/ansible-queries/aws/9232306a-f839-40aa-b3ef-b352001da9a5.md create mode 100644 docs/queries/ansible-queries/aws/97707503-a22c-4cd7-b7c0-f088fa7cf830.md create mode 100644 docs/queries/ansible-queries/aws/9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md create mode 100644 docs/queries/ansible-queries/aws/9f34885e-c08f-4d13-a7d1-cf190c5bd268.md create mode 100644 docs/queries/ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab.md create mode 100644 docs/queries/ansible-queries/aws/a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md create mode 100644 docs/queries/ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e.md create mode 100644 docs/queries/ansible-queries/aws/a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md create mode 100644 docs/queries/ansible-queries/aws/a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md create mode 100644 docs/queries/ansible-queries/aws/a2fdf451-89dd-451e-af92-bf6c0f4bab96.md create mode 100644 docs/queries/ansible-queries/aws/a6d27cf7-61dc-4bde-ae08-3b353b609f76.md create mode 100644 docs/queries/ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md create mode 100644 docs/queries/ansible-queries/aws/af167837-9636-4086-b815-c239186b9dda.md create mode 100644 docs/queries/ansible-queries/aws/af96d737-0818-4162-8c41-40d969bd65d1.md create mode 100644 docs/queries/ansible-queries/aws/b16cdb37-ce15-4ab2-8401-d42b05d123fc.md create mode 100644 docs/queries/ansible-queries/aws/b25398a2-0625-4e61-8e4d-a1bb23905bf6.md create mode 100644 
docs/queries/ansible-queries/aws/b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md create mode 100644 docs/queries/ansible-queries/aws/b5ed026d-a772-4f07-97f9-664ba0b116f8.md create mode 100644 docs/queries/ansible-queries/aws/b8a9852c-9943-4973-b8d5-77dae9352851.md create mode 100644 docs/queries/ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd.md create mode 100644 docs/queries/ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e.md create mode 100644 docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md create mode 100644 docs/queries/ansible-queries/aws/c09f4d3e-27d2-4d46-9453-abbe9687a64e.md create mode 100644 docs/queries/ansible-queries/aws/c2f15af3-66a0-4176-a56e-e4711e502e5c.md create mode 100644 docs/queries/ansible-queries/aws/c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md create mode 100644 docs/queries/ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md create mode 100644 docs/queries/ansible-queries/aws/d0c13053-d2c8-44a6-95da-d592996e9e67.md create mode 100644 docs/queries/ansible-queries/aws/d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md create mode 100644 docs/queries/ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e.md create mode 100644 docs/queries/ansible-queries/aws/d39761d7-94ab-45b0-ab5e-27c44e381d58.md create mode 100644 docs/queries/ansible-queries/aws/d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md create mode 100644 docs/queries/ansible-queries/aws/d5ec2080-340a-4259-b885-f833c4ea6a31.md create mode 100644 docs/queries/ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10.md create mode 100644 docs/queries/ansible-queries/aws/defe5b18-978d-4722-9325-4d1975d3699f.md create mode 100644 docs/queries/ansible-queries/aws/e01de151-a7bd-4db4-b49b-3c4775a5e881.md create mode 100644 docs/queries/ansible-queries/aws/e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md create mode 100644 docs/queries/ansible-queries/aws/e24e18d9-4c2b-4649-b3d0-18c088145e24.md create mode 100644 
docs/queries/ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472.md create mode 100644 docs/queries/ansible-queries/aws/e401d614-8026-4f4b-9af9-75d1197461ba.md create mode 100644 docs/queries/ansible-queries/aws/e69890e6-fce5-461d-98ad-cb98318dfc96.md create mode 100644 docs/queries/ansible-queries/aws/e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md create mode 100644 docs/queries/ansible-queries/aws/ea0ed1c7-9aef-4464-b7c7-94c762da3640.md create mode 100644 docs/queries/ansible-queries/aws/ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md create mode 100644 docs/queries/ansible-queries/aws/eafe4bc3-1042-4f88-b988-1939e64bf060.md create mode 100644 docs/queries/ansible-queries/aws/ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md create mode 100644 docs/queries/ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md create mode 100644 docs/queries/ansible-queries/aws/eda7301d-1f3e-47cf-8d4e-976debc64341.md create mode 100644 docs/queries/ansible-queries/aws/eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md create mode 100644 docs/queries/ansible-queries/aws/f2ea6481-1d31-4d40-946a-520dc6321dd7.md create mode 100644 docs/queries/ansible-queries/aws/f34508b9-f574-4330-b42d-88c44cced645.md create mode 100644 docs/queries/ansible-queries/aws/f509931b-bbb0-443c-bd9b-10e92ecf2193.md create mode 100644 docs/queries/ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b.md create mode 100644 docs/queries/ansible-queries/aws/f5c45127-1d28-4b49-a692-0b97da1c3a84.md create mode 100644 docs/queries/ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b.md create mode 100644 docs/queries/ansible-queries/aws/f81d63d2-c5d7-43a4-a5b5-66717a41c895.md create mode 100644 docs/queries/ansible-queries/aws/fb5a5df7-6d74-4243-ab82-ff779a958bfd.md create mode 100644 docs/queries/ansible-queries/aws/fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md create mode 100644 docs/queries/ansible-queries/aws/ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md create mode 100644 
docs/queries/ansible-queries/azure/0461b4fd-21ef-4687-929e-484ee4796785.md create mode 100644 docs/queries/ansible-queries/azure/054d07b5-941b-4c28-8eef-18989dc62323.md create mode 100644 docs/queries/ansible-queries/azure/0632d0db-9190-450a-8bb3-c283bffea445.md create mode 100644 docs/queries/ansible-queries/azure/0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md create mode 100644 docs/queries/ansible-queries/azure/0d0c12b9-edce-4510-9065-13f6a758750c.md create mode 100644 docs/queries/ansible-queries/azure/149fa56c-4404-4f90-9e25-d34b676d5b39.md create mode 100644 docs/queries/ansible-queries/azure/1bc398a8-d274-47de-a4c8-6ac867b353de.md create mode 100644 docs/queries/ansible-queries/azure/1e5f5307-3e01-438d-8da6-985307ed25ce.md create mode 100644 docs/queries/ansible-queries/azure/23a4dc83-4959-4d99-8056-8e051a82bc1e.md create mode 100644 docs/queries/ansible-queries/azure/29f35127-98e6-43af-8ec1-201b79f99604.md create mode 100644 docs/queries/ansible-queries/azure/2a901825-0f3b-4655-a0fe-e0470e50f8e6.md create mode 100644 docs/queries/ansible-queries/azure/2c99a474-2a3c-4c17-8294-53ffa5ed0522.md create mode 100644 docs/queries/ansible-queries/azure/2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md create mode 100644 docs/queries/ansible-queries/azure/35e2f133-a395-40de-a79d-b260d973d1bd.md create mode 100644 docs/queries/ansible-queries/azure/37fafbea-dedb-4e0d-852e-d16ee0589326.md create mode 100644 docs/queries/ansible-queries/azure/3f23c96c-f9f5-488d-9b17-605b8da5842f.md create mode 100644 docs/queries/ansible-queries/azure/4d3817db-dd35-4de4-a80d-3867157e7f7f.md create mode 100644 docs/queries/ansible-queries/azure/530e8291-2f22-4bab-b7ea-306f1bc2a308.md create mode 100644 docs/queries/ansible-queries/azure/581dae78-307d-45d5-aae4-fe2b0db267a5.md create mode 100644 docs/queries/ansible-queries/azure/5c80db8e-03f5-43a2-b4af-1f3f87018157.md create mode 100644 docs/queries/ansible-queries/azure/663062e9-473d-4e87-99bc-6f3684b3df40.md create mode 100644 
docs/queries/ansible-queries/azure/69f72007-502e-457b-bd2d-5012e31ac049.md create mode 100644 docs/queries/ansible-queries/azure/729ebb15-8060-40f7-9017-cb72676a5487.md create mode 100644 docs/queries/ansible-queries/azure/7ab33ac0-e4a3-418f-a673-50da4e34df21.md create mode 100644 docs/queries/ansible-queries/azure/7b47138f-ec0e-47dc-8516-e7728fe3cc17.md create mode 100644 docs/queries/ansible-queries/azure/869e7fb4-30f0-4bdb-b360-ad548f337f2f.md create mode 100644 docs/queries/ansible-queries/azure/881696a8-68c5-4073-85bc-7c38a3deb854.md create mode 100644 docs/queries/ansible-queries/azure/89f84a1e-75f8-47c5-83b5-bee8e2de4168.md create mode 100644 docs/queries/ansible-queries/azure/8c3bedf1-c570-4c3b-b414-d068cd39a00c.md create mode 100644 docs/queries/ansible-queries/azure/961ce567-a16d-4d7d-9027-f0ec2628a555.md create mode 100644 docs/queries/ansible-queries/azure/a9becca7-892a-4af7-b9e1-44bf20a4cd9a.md create mode 100644 docs/queries/ansible-queries/azure/b176e927-bbe2-44a6-a9c3-041417137e5f.md create mode 100644 docs/queries/ansible-queries/azure/c62746cf-92d5-4649-9acf-7d48d086f2ee.md create mode 100644 docs/queries/ansible-queries/azure/ca4df748-613a-4fbf-9c76-f02cbd580307.md create mode 100644 docs/queries/ansible-queries/azure/d5e83b32-56dd-4247-8c2e-074f43b38a5e.md create mode 100644 docs/queries/ansible-queries/azure/da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md create mode 100644 docs/queries/ansible-queries/azure/e2d834b7-8b25-4935-af53-4a60668dcbe0.md create mode 100644 docs/queries/ansible-queries/azure/e8c80448-31d8-4755-85fc-6dbab69c2717.md create mode 100644 docs/queries/ansible-queries/azure/eb8c2560-8bee-4248-9d0d-e80c8641dd91.md create mode 100644 docs/queries/ansible-queries/azure/f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md create mode 100644 docs/queries/ansible-queries/gcp/086031e1-9d4a-4249-acb3-5bfe4c363db2.md create mode 100644 docs/queries/ansible-queries/gcp/092bae86-6105-4802-99d2-99cd7e7431f3.md create mode 100644 
docs/queries/ansible-queries/gcp/099b4411-d11e-4537-a0fc-146b19762a79.md create mode 100644 docs/queries/ansible-queries/gcp/0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md create mode 100644 docs/queries/ansible-queries/gcp/11bd3554-cd56-4257-8e25-7aaf30cf8f5f.md create mode 100644 docs/queries/ansible-queries/gcp/18d3a83d-4414-49dc-90ea-f0387b2856cc.md create mode 100644 docs/queries/ansible-queries/gcp/19c9e2a0-fc33-4264-bba1-e3682661e8f7.md create mode 100644 docs/queries/ansible-queries/gcp/20180133-a0d0-4745-bfe0-94049fbb12a9.md create mode 100644 docs/queries/ansible-queries/gcp/20dcd953-a8b8-4892-9026-9afa6d05a525.md create mode 100644 docs/queries/ansible-queries/gcp/2263b286-2fe9-4747-a0ae-8b4768a2bbd2.md create mode 100644 docs/queries/ansible-queries/gcp/2775e169-e708-42a9-9305-b58aadd2c4dd.md create mode 100644 docs/queries/ansible-queries/gcp/28a757fc-3d8f-424a-90c0-4233363b2711.md create mode 100644 docs/queries/ansible-queries/gcp/29b8224a-60e9-4011-8ac2-7916a659841f.md create mode 100644 docs/queries/ansible-queries/gcp/300a9964-b086-41f7-9378-b6de3ba1c32b.md create mode 100644 docs/queries/ansible-queries/gcp/344bf8ab-9308-462b-a6b2-697432e40ba1.md create mode 100644 docs/queries/ansible-queries/gcp/3602d273-3290-47b2-80fa-720162b1a8af.md create mode 100644 docs/queries/ansible-queries/gcp/3b30e3d6-c99b-4318-b38f-b99db74578b5.md create mode 100644 docs/queries/ansible-queries/gcp/507df964-ad97-4035-ab14-94a82eabdfdd.md create mode 100644 docs/queries/ansible-queries/gcp/66dae697-507b-4aef-be18-eec5bd707f33.md create mode 100644 docs/queries/ansible-queries/gcp/6a4080ae-79bd-42f6-a924-8f534c1c018b.md create mode 100644 docs/queries/ansible-queries/gcp/6cf4c3a7-ceb0-4475-8892-3745b84be24a.md create mode 100644 docs/queries/ansible-queries/gcp/6d34aff3-fdd2-460c-8190-756a3b4969e8.md create mode 100644 docs/queries/ansible-queries/gcp/7289eebd-a477-4064-8ad4-3c044bd70b00.md create mode 100644 
docs/queries/ansible-queries/gcp/75418eb9-39ec-465f-913c-6f2b6a80dc77.md create mode 100644 docs/queries/ansible-queries/gcp/7814ddda-e758-4a56-8be3-289a81ded929.md create mode 100644 docs/queries/ansible-queries/gcp/7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md create mode 100644 docs/queries/ansible-queries/gcp/80b15fb1-6207-40f4-a803-6915ae619a03.md create mode 100644 docs/queries/ansible-queries/gcp/829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md create mode 100644 docs/queries/ansible-queries/gcp/89afe3f0-4681-4ce3-89ed-896cebd4277c.md create mode 100644 docs/queries/ansible-queries/gcp/98e04ca0-34f5-4c74-8fec-d2e611ce2790.md create mode 100644 docs/queries/ansible-queries/gcp/9df7f78f-ebe3-432e-ac3b-b67189c15518.md create mode 100644 docs/queries/ansible-queries/gcp/9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md create mode 100644 docs/queries/ansible-queries/gcp/a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md create mode 100644 docs/queries/ansible-queries/gcp/aed98a2a-e680-497a-8886-277cea0f4514.md create mode 100644 docs/queries/ansible-queries/gcp/b28bcd2f-c309-490e-ab7c-35fc4023eb26.md create mode 100644 docs/queries/ansible-queries/gcp/b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md create mode 100644 docs/queries/ansible-queries/gcp/bc20bbc6-0697-4568-9a73-85af1dd97bdd.md create mode 100644 docs/queries/ansible-queries/gcp/be41f891-96b1-4b9d-b74f-b922a918c778.md create mode 100644 docs/queries/ansible-queries/gcp/c6fc6f29-dc04-46b6-99ba-683c01aff350.md create mode 100644 docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md create mode 100644 docs/queries/ansible-queries/gcp/d43366c5-80b0-45de-bbe8-2338f4ab0a83.md create mode 100644 docs/queries/ansible-queries/gcp/d58c6f24-3763-4269-9f5b-86b2569a003b.md create mode 100644 docs/queries/ansible-queries/gcp/d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md create mode 100644 docs/queries/ansible-queries/gcp/d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md create mode 100644 
docs/queries/ansible-queries/gcp/d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md create mode 100644 docs/queries/ansible-queries/gcp/dc126833-125a-40fb-905a-ce5f2afde240.md create mode 100644 docs/queries/ansible-queries/gcp/ed672a9f-fbf0-44d8-a47d-779501b0db05.md create mode 100644 docs/queries/ansible-queries/gcp/f9b7086b-deb8-4034-9330-d7fd38f1b8de.md create mode 100644 docs/queries/ansible-queries/gcp/fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/1367dd13-2c90-4020-80b7-e4339a3dc2c4.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/2081c7d6-2851-4cce-bda5-cb49d462da42.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/25684eac-daaa-4c2c-94b4-8d2dbb627909.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/2583fab1-953b-4fae-bd02-4a136a6c21f9.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/25c0228e-4444-459b-a2df-93c7df40b7ed.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/2ade1579-4b2c-4590-bebb-f99bf597f612.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/350f3955-b5be-436f-afaa-3d2be2fa6cdd.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/43f6e60c-9cdb-4e77-864d-a66595d26518.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/488847ff-6031-487c-bf42-98fd6ac5c9a0.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/4d2cf896-c053-4be5-9c95-8b4771112f29.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/4d522e7b-f938-4d51-a3b1-974ada528bd3.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/564b70f8-41cd-4690-aff8-bb53add86bc9.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/574e8d82-1db2-4b9c-b526-e320ede9a9ff.md create mode 100644 
docs/queries/azureresourcemanager-queries/azure/59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/6797f581-0433-4768-ae3e-7ceb2f8b138e.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/6a3201a5-1630-494b-b294-3129d06b0eca.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/70111098-7f85-48f0-b1b4-e4261cf5f61b.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/83130a07-235b-4a80-918b-a370e53f0bd9.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/8fa9ceea-881f-4ef0-b0b8-728f589699a7.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/90120147-f2e7-4fda-bb21-6fa9109afd63.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/9073f073-5d60-4b46-b569-0d6baa80ed95.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/92302b47-b0cc-46cb-a28f-5610ecda140b.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/9307a2ed-35c2-413d-94de-a1a0682c2158.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/9b09dee1-f09b-4013-91d2-158fa4695f4b.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/a0ab985d-660b-41f7-ac81-70957ee8e627.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/b5c851d5-00f1-43dc-a8de-3218fd6f71be.md create mode 100644 
docs/queries/azureresourcemanager-queries/azure/bf500309-da53-4dd3-bcf7-95f7974545a5.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/c09cdac2-7670-458a-bf6c-efad6880973a.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/d855ced8-6157-448f-9f1d-f05a41d046f7.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/e25b56cd-a4d6-498f-ab92-e6296a082097.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md create mode 100644 docs/queries/azureresourcemanager-queries/azure/f9112910-c7bb-4864-9f5e-2059ba413bb7.md create mode 100644 docs/queries/buildah-queries/a1bc27c6-7115-48d8-bf9d-5a7e836845ba.md create mode 100644 docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md create mode 100644 docs/queries/cloudformation-queries/aws/01986452-bdd8-4aaa-b5df-d6bf61d616ff.md create mode 100644 docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md create mode 100644 docs/queries/cloudformation-queries/aws/027a4b7a-8a59-4938-a04f-ed532512cf45.md create mode 100644 docs/queries/cloudformation-queries/aws/03879981-efa2-47a0-a818-c843e1441b88.md create mode 100644 docs/queries/cloudformation-queries/aws/03b38885-8f4e-480c-a0e4-12c1affd15db.md create mode 100644 docs/queries/cloudformation-queries/aws/045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md create mode 100644 docs/queries/cloudformation-queries/aws/050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md create mode 100644 
docs/queries/cloudformation-queries/aws/058ac855-989f-4378-ba4d-52d004020da7.md create mode 100644 docs/queries/cloudformation-queries/aws/06933df4-0ea7-461c-b9b5-104d27390e0e.md create mode 100644 docs/queries/cloudformation-queries/aws/06adef8c-c284-4de7-aad2-af43b07a8ca1.md create mode 100644 docs/queries/cloudformation-queries/aws/06b9f52a-8cd5-459b-bdc6-21a22521e1be.md create mode 100644 docs/queries/cloudformation-queries/aws/06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md create mode 100644 docs/queries/cloudformation-queries/aws/07dda8de-d90d-469e-9b37-1aca53526ced.md create mode 100644 docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md create mode 100644 docs/queries/cloudformation-queries/aws/08b81bb3-0985-4023-8602-b606ad81d279.md create mode 100644 docs/queries/cloudformation-queries/aws/08e39832-5e42-4304-98a0-aa5b43393162.md create mode 100644 docs/queries/cloudformation-queries/aws/0a994e04-c6dc-471d-817e-d37451d18a3b.md create mode 100644 docs/queries/cloudformation-queries/aws/0b0556ea-9cd9-476f-862e-20679dda752b.md create mode 100644 docs/queries/cloudformation-queries/aws/0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md create mode 100644 docs/queries/cloudformation-queries/aws/0e5872b4-19a0-4165-8b2f-56d9e14b909f.md create mode 100644 docs/queries/cloudformation-queries/aws/0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md create mode 100644 docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md create mode 100644 docs/queries/cloudformation-queries/aws/1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md create mode 100644 docs/queries/cloudformation-queries/aws/105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md create mode 100644 docs/queries/cloudformation-queries/aws/124b173b-e06d-48a6-8acd-f889443d97a4.md create mode 100644 docs/queries/cloudformation-queries/aws/12726829-93ed-4d51-9cbe-13423f4299e1.md create mode 100644 docs/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b.md create mode 100644 
docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md create mode 100644 docs/queries/cloudformation-queries/aws/1b6322d9-c755-4f8c-b804-32c19250f2d9.md create mode 100644 docs/queries/cloudformation-queries/aws/1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md create mode 100644 docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md create mode 100644 docs/queries/cloudformation-queries/aws/1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md create mode 100644 docs/queries/cloudformation-queries/aws/1fe9d958-ddce-4228-a124-05265a959a8b.md create mode 100644 docs/queries/cloudformation-queries/aws/209189f3-c879-48a7-9703-fbcfa96d0cef.md create mode 100644 docs/queries/cloudformation-queries/aws/219f4c95-aa50-44e0-97de-cf71f4641170.md create mode 100644 docs/queries/cloudformation-queries/aws/235ca980-eb71-48f4-9030-df0c371029eb.md create mode 100644 docs/queries/cloudformation-queries/aws/24d932e1-91f0-46ea-836f-fdbd81694151.md create mode 100644 docs/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696.md create mode 100644 docs/queries/cloudformation-queries/aws/2623d682-dccb-44cd-99d0-54d9fd62f8f2.md create mode 100644 docs/queries/cloudformation-queries/aws/2730c169-51d7-4ae7-99b5-584379eff1bb.md create mode 100644 docs/queries/cloudformation-queries/aws/275a3217-ca37-40c1-a6cf-bb57d245ab32.md create mode 100644 docs/queries/cloudformation-queries/aws/2844c749-bd78-4cd1-90e8-b179df827602.md create mode 100644 docs/queries/cloudformation-queries/aws/2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md create mode 100644 docs/queries/cloudformation-queries/aws/2b1d4935-9acf-48a7-8466-10d18bf51a69.md create mode 100644 docs/queries/cloudformation-queries/aws/2c161e58-cb52-454f-abea-6470c37b5e6e.md create mode 100644 docs/queries/cloudformation-queries/aws/2ff8e83c-90e1-4d68-a300-6d652112e622.md create mode 100644 docs/queries/cloudformation-queries/aws/316278b3-87ac-444c-8f8f-a733a28da60f.md create mode 100644 
docs/queries/cloudformation-queries/aws/31733ee2-fef0-4e87-9778-65da22a8ecf1.md create mode 100644 docs/queries/cloudformation-queries/aws/323db967-c68e-44e6-916c-a777f95af34b.md create mode 100644 docs/queries/cloudformation-queries/aws/33f41d31-86b1-46a4-81f7-9c9a671f59ac.md create mode 100644 docs/queries/cloudformation-queries/aws/350cd468-0e2c-44ef-9d22-cfb73a62523c.md create mode 100644 docs/queries/cloudformation-queries/aws/3609d27c-3698-483a-9402-13af6ae80583.md create mode 100644 docs/queries/cloudformation-queries/aws/3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md create mode 100644 docs/queries/cloudformation-queries/aws/37cca703-b74c-48ba-ac81-595b53398e9b.md create mode 100644 docs/queries/cloudformation-queries/aws/37fa8188-738b-42c8-bf82-6334ea567738.md create mode 100644 docs/queries/cloudformation-queries/aws/38c64e76-c71e-4d92-a337-60174d1de1c9.md create mode 100644 docs/queries/cloudformation-queries/aws/39423ce4-9011-46cd-b6b1-009edcd9385d.md create mode 100644 docs/queries/cloudformation-queries/aws/3ae83918-7ec7-4cb8-80db-b91ef0f94002.md create mode 100644 docs/queries/cloudformation-queries/aws/3b02569b-fc6f-4153-b3a3-ba91022fed68.md create mode 100644 docs/queries/cloudformation-queries/aws/3b316b05-564c-44a7-9c3f-405bb95e211e.md create mode 100644 docs/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md create mode 100644 docs/queries/cloudformation-queries/aws/3c3b7a58-b018-4d07-9444-d9ee7156e111.md create mode 100644 docs/queries/cloudformation-queries/aws/3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md create mode 100644 docs/queries/cloudformation-queries/aws/3e09413f-471e-40f3-8626-990c79ae63f3.md create mode 100644 docs/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9.md create mode 100644 docs/queries/cloudformation-queries/aws/42e7dca3-8cce-4325-8df0-108888259136.md create mode 100644 docs/queries/cloudformation-queries/aws/43356255-495d-4148-ad8d-f6af5eac09dd.md create mode 100644 
docs/queries/cloudformation-queries/aws/44034eda-1c3f-486a-831d-e09a7dd94354.md create mode 100644 docs/queries/cloudformation-queries/aws/445020f6-b69e-4484-847f-02d4b7768902.md create mode 100644 docs/queries/cloudformation-queries/aws/4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md create mode 100644 docs/queries/cloudformation-queries/aws/456b00a3-1072-4149-9740-6b8bb60251b0.md create mode 100644 docs/queries/cloudformation-queries/aws/48677914-6fdf-40ec-80c4-2b0e94079f54.md create mode 100644 docs/queries/cloudformation-queries/aws/48af92a5-c89b-4936-bc62-1086fe2bab23.md create mode 100644 docs/queries/cloudformation-queries/aws/48c3bc58-6959-4f27-b647-4fedeace23be.md create mode 100644 docs/queries/cloudformation-queries/aws/48f100d9-f499-4c6d-b2b8-deafe47ffb26.md create mode 100644 docs/queries/cloudformation-queries/aws/493d9591-6249-47bf-8dc0-5c10161cc558.md create mode 100644 docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md create mode 100644 docs/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md create mode 100644 docs/queries/cloudformation-queries/aws/4a8daf95-709d-4a36-9132-d3e19878fa34.md create mode 100644 docs/queries/cloudformation-queries/aws/4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md create mode 100644 docs/queries/cloudformation-queries/aws/4ab10c48-bedb-4deb-8f3b-ff12783b61de.md create mode 100644 docs/queries/cloudformation-queries/aws/4ae8af91-5108-42cb-9471-3bdbe596eac9.md create mode 100644 docs/queries/cloudformation-queries/aws/4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md create mode 100644 docs/queries/cloudformation-queries/aws/4c137350-7307-4803-8c04-17c09a7a9fcf.md create mode 100644 docs/queries/cloudformation-queries/aws/4d32780f-43a4-424a-a06d-943c543576a5.md create mode 100644 docs/queries/cloudformation-queries/aws/4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md create mode 100644 docs/queries/cloudformation-queries/aws/4e88adee-a8eb-4605-a78d-9fb1096e3091.md create mode 100644 
docs/queries/cloudformation-queries/aws/4f0908b9-eb66-433f-9145-134274e1e944.md create mode 100644 docs/queries/cloudformation-queries/aws/4fbfee74-8186-40d5-a24e-4baa76a855de.md create mode 100644 docs/queries/cloudformation-queries/aws/52790cad-d60d-41d5-8483-146f9f21208d.md create mode 100644 docs/queries/cloudformation-queries/aws/568cc372-ca64-420d-9015-ee347d00d288.md create mode 100644 docs/queries/cloudformation-queries/aws/57b12981-3816-4c31-b190-a1e614361dd2.md create mode 100644 docs/queries/cloudformation-queries/aws/5906092d-5f74-490d-9a03-78febe0f65e1.md create mode 100644 docs/queries/cloudformation-queries/aws/59a849c2-1127-4023-85a5-ef906dcd458c.md create mode 100644 docs/queries/cloudformation-queries/aws/5b033ec8-f079-4323-b5c8-99d4620433a9.md create mode 100644 docs/queries/cloudformation-queries/aws/5b48c507-0d1f-41b0-a630-76817c6b4189.md create mode 100644 docs/queries/cloudformation-queries/aws/5beacce3-4020-4a3d-9e1d-a36f953df630.md create mode 100644 docs/queries/cloudformation-queries/aws/5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md create mode 100644 docs/queries/cloudformation-queries/aws/5c666ed9-b586-49ab-9873-c495a833b705.md create mode 100644 docs/queries/cloudformation-queries/aws/5d3c1807-acb3-4bb0-be4e-0440230feeaf.md create mode 100644 docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md create mode 100644 docs/queries/cloudformation-queries/aws/5e7acff5-095b-40ac-9073-ac2e4ad8a512.md create mode 100644 docs/queries/cloudformation-queries/aws/5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md create mode 100644 docs/queries/cloudformation-queries/aws/60a05ede-0a68-4d0d-a58f-f538cf55ff79.md create mode 100644 docs/queries/cloudformation-queries/aws/61a94903-3cd3-4780-88ec-fc918819b9c8.md create mode 100644 docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md create mode 100644 docs/queries/cloudformation-queries/aws/65844ba3-03a1-40a8-b3dd-919f122e8c95.md create mode 100644 
docs/queries/cloudformation-queries/aws/65d07da5-9af5-44df-8983-52d2e6f24c44.md create mode 100644 docs/queries/cloudformation-queries/aws/6685d912-d81f-4cfa-95ad-e316ea31c989.md create mode 100644 docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md create mode 100644 docs/queries/cloudformation-queries/aws/68b6a789-82f8-4cfd-85de-e95332fe6a61.md create mode 100644 docs/queries/cloudformation-queries/aws/6b5b0313-771b-4319-ad7a-122ee78700ef.md create mode 100644 docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md create mode 100644 docs/queries/cloudformation-queries/aws/6c8d51af-218d-4bfb-94a9-94eabaa0703a.md create mode 100644 docs/queries/cloudformation-queries/aws/6d087495-2a42-4735-abf7-02ef5660a7e6.md create mode 100644 docs/queries/cloudformation-queries/aws/6d64f311-3da6-45f3-80f1-14db9771ea40.md create mode 100644 docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md create mode 100644 docs/queries/cloudformation-queries/aws/6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md create mode 100644 docs/queries/cloudformation-queries/aws/6ef03ff6-a2bd-483c-851f-631f248bc0ea.md create mode 100644 docs/queries/cloudformation-queries/aws/709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md create mode 100644 docs/queries/cloudformation-queries/aws/71493c8b-3014-404c-9802-078b74496fb7.md create mode 100644 docs/queries/cloudformation-queries/aws/73980e43-f399-4fcc-a373-658228f7adf7.md create mode 100644 docs/queries/cloudformation-queries/aws/73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md create mode 100644 docs/queries/cloudformation-queries/aws/74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md create mode 100644 docs/queries/cloudformation-queries/aws/75be209d-1948-41f6-a8c8-e22dd0121134.md create mode 100644 docs/queries/cloudformation-queries/aws/76ddf32c-85b1-4808-8935-7eef8030ab36.md create mode 100644 docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md create mode 100644 
docs/queries/cloudformation-queries/aws/77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md create mode 100644 docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md create mode 100644 docs/queries/cloudformation-queries/aws/783860a3-6dca-4c8b-81d0-7b62769ccbca.md create mode 100644 docs/queries/cloudformation-queries/aws/79d745f0-d5f3-46db-9504-bef73e9fd528.md create mode 100644 docs/queries/cloudformation-queries/aws/7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md create mode 100644 docs/queries/cloudformation-queries/aws/7f65be75-90ab-4036-8c2a-410aef7bb650.md create mode 100644 docs/queries/cloudformation-queries/aws/7f8843f0-9ea5-42b4-a02b-753055113195.md create mode 100644 docs/queries/cloudformation-queries/aws/7f8f1b60-43df-4c28-aa21-fb836dbd8071.md create mode 100644 docs/queries/cloudformation-queries/aws/7fd0d461-5b8c-4815-898c-f2b4b117eb28.md create mode 100644 docs/queries/cloudformation-queries/aws/800fa019-49dd-421b-9042-7331fdd83fa2.md create mode 100644 docs/queries/cloudformation-queries/aws/80908a75-586b-4c61-ab04-490f4f4525b8.md create mode 100644 docs/queries/cloudformation-queries/aws/809f77f8-d10e-4842-a84f-3be7b6ff1190.md create mode 100644 docs/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162.md create mode 100644 docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md create mode 100644 docs/queries/cloudformation-queries/aws/818f38ed-8446-4132-9c03-474d49e10195.md create mode 100644 docs/queries/cloudformation-queries/aws/8275fab0-68ec-4705-bbf4-86975edb170e.md create mode 100644 docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md create mode 100644 docs/queries/cloudformation-queries/aws/835d5497-a526-4aea-a23f-98a9afd1635f.md create mode 100644 docs/queries/cloudformation-queries/aws/837e033c-4717-40bd-807e-6abaa30161b7.md create mode 100644 docs/queries/cloudformation-queries/aws/839f238f-2e3a-4a72-b945-8abdf91af955.md create mode 100644 
docs/queries/cloudformation-queries/aws/85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md create mode 100644 docs/queries/cloudformation-queries/aws/860ba89b-b8de-4e72-af54-d6aee4138a69.md create mode 100644 docs/queries/cloudformation-queries/aws/86a248ab-0e01-4564-a82a-878303e253bb.md create mode 100644 docs/queries/cloudformation-queries/aws/87482183-a8e7-4e42-a566-7a23ec231c16.md create mode 100644 docs/queries/cloudformation-queries/aws/88d55d94-315d-4564-beee-d2d725feab11.md create mode 100644 docs/queries/cloudformation-queries/aws/89827c57-5a8a-49eb-9731-976a606d70db.md create mode 100644 docs/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861.md create mode 100644 docs/queries/cloudformation-queries/aws/8c415f6f-7b90-4a27-a44a-51047e1506f9.md create mode 100644 docs/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da.md create mode 100644 docs/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md create mode 100644 docs/queries/cloudformation-queries/aws/8df8e857-bd59-44fa-9f4c-d77594b95b46.md create mode 100644 docs/queries/cloudformation-queries/aws/8f957abd-9703-413d-87d3-c578950a753c.md create mode 100644 docs/queries/cloudformation-queries/aws/9025b2b3-e554-4842-ba87-db7aeec36d35.md create mode 100644 docs/queries/cloudformation-queries/aws/90501b1b-cded-4cc1-9e8b-206b85cda317.md create mode 100644 docs/queries/cloudformation-queries/aws/9488c451-074e-4cd3-aee3-7db6104f542c.md create mode 100644 docs/queries/cloudformation-queries/aws/953b3cdb-ce13-428a-aa12-318726506661.md create mode 100644 docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md create mode 100644 docs/queries/cloudformation-queries/aws/97e94d17-e2c7-4109-a53b-6536ac1bb64e.md create mode 100644 docs/queries/cloudformation-queries/aws/9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md create mode 100644 docs/queries/cloudformation-queries/aws/9b83114b-b2a1-4534-990d-06da015e47aa.md create mode 100644 
docs/queries/cloudformation-queries/aws/9c7028d9-04c2-45be-b8b2-1188ccaefb36.md create mode 100644 docs/queries/cloudformation-queries/aws/9d13b150-a2ab-42a1-b6f4-142e41f81e52.md create mode 100644 docs/queries/cloudformation-queries/aws/9e8c89b3-7997-4d15-93e4-7911b9db99fd.md create mode 100644 docs/queries/cloudformation-queries/aws/9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md create mode 100644 docs/queries/cloudformation-queries/aws/9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md create mode 100644 docs/queries/cloudformation-queries/aws/9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md create mode 100644 docs/queries/cloudformation-queries/aws/a0ae0a4e-712b-4115-8112-51b9eeed9d69.md create mode 100644 docs/queries/cloudformation-queries/aws/a227ec01-f97a-4084-91a4-47b350c1db54.md create mode 100644 docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md create mode 100644 docs/queries/cloudformation-queries/aws/a2f2800e-614b-4bc8-89e6-fec8afd24800.md create mode 100644 docs/queries/cloudformation-queries/aws/a3aa0087-8228-4e7e-b202-dc9036972d02.md create mode 100644 docs/queries/cloudformation-queries/aws/a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md create mode 100644 docs/queries/cloudformation-queries/aws/a478af30-8c3a-404d-aa64-0b673cee509a.md create mode 100644 docs/queries/cloudformation-queries/aws/a5366a50-932f-4085-896b-41402714a388.md create mode 100644 docs/queries/cloudformation-queries/aws/a58d1a2d-4078-4b80-855b-84cc3f7f4540.md create mode 100644 docs/queries/cloudformation-queries/aws/a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md create mode 100644 docs/queries/cloudformation-queries/aws/a7f8ac28-eed1-483d-87c8-4c325f022572.md create mode 100644 docs/queries/cloudformation-queries/aws/a964d6e3-8e1e-4d93-8120-61fa640dd55a.md create mode 100644 docs/queries/cloudformation-queries/aws/a976d63f-af0e-46e8-b714-8c1a9c4bf768.md create mode 100644 docs/queries/cloudformation-queries/aws/acc78859-765e-4011-a229-a65ea57db252.md create mode 100644 
docs/queries/cloudformation-queries/aws/ad21e616-5026-4b9d-990d-5b007bfe679c.md create mode 100644 docs/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf.md create mode 100644 docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md create mode 100644 docs/queries/cloudformation-queries/aws/ae03f542-1423-402f-9cef-c834e7ee9583.md create mode 100644 docs/queries/cloudformation-queries/aws/ae53ce91-42b5-46bf-a84f-9a13366a4f13.md create mode 100644 docs/queries/cloudformation-queries/aws/b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md create mode 100644 docs/queries/cloudformation-queries/aws/b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md create mode 100644 docs/queries/cloudformation-queries/aws/b3de4e4c-14be-4159-b99d-9ad194365e4c.md create mode 100644 docs/queries/cloudformation-queries/aws/b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md create mode 100644 docs/queries/cloudformation-queries/aws/b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md create mode 100644 docs/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42.md create mode 100644 docs/queries/cloudformation-queries/aws/ba766c53-fe71-4bbb-be35-b6803f2ef13e.md create mode 100644 docs/queries/cloudformation-queries/aws/bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md create mode 100644 docs/queries/cloudformation-queries/aws/be5b230d-4371-4a28-a441-85dc760e2aa3.md create mode 100644 docs/queries/cloudformation-queries/aws/be96849c-3df6-49c2-bc16-778a7be2519c.md create mode 100644 docs/queries/cloudformation-queries/aws/bf4473f1-c8a2-4b1b-8134-bd32efabab93.md create mode 100644 docs/queries/cloudformation-queries/aws/bf89373a-be40-4c04-99f5-746742dfd7f3.md create mode 100644 docs/queries/cloudformation-queries/aws/c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md create mode 100644 docs/queries/cloudformation-queries/aws/c333e906-8d8b-4275-b999-78b6318f8dc6.md create mode 100644 docs/queries/cloudformation-queries/aws/c3ce69fd-e3df-49c6-be78-1db3f802261c.md create mode 100644 
docs/queries/cloudformation-queries/aws/c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md create mode 100644 docs/queries/cloudformation-queries/aws/c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md create mode 100644 docs/queries/cloudformation-queries/aws/c689f51b-9203-43b3-9d8b-caed123f706c.md create mode 100644 docs/queries/cloudformation-queries/aws/c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md create mode 100644 docs/queries/cloudformation-queries/aws/c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md create mode 100644 docs/queries/cloudformation-queries/aws/c8dee387-a2e6-4a73-a942-183c975549ac.md create mode 100644 docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md create mode 100644 docs/queries/cloudformation-queries/aws/cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md create mode 100644 docs/queries/cloudformation-queries/aws/cc8b294f-006f-4f8f-b5bb-0a9140c33131.md create mode 100644 docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md create mode 100644 docs/queries/cloudformation-queries/aws/cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md create mode 100644 docs/queries/cloudformation-queries/aws/d24389b4-b209-4ff0-8345-dc7a4569dcdd.md create mode 100644 docs/queries/cloudformation-queries/aws/d53323be-dde6-4457-9a43-42df737e71d2.md create mode 100644 docs/queries/cloudformation-queries/aws/d6653eee-2d4d-4e6a-976f-6794a497999a.md create mode 100644 docs/queries/cloudformation-queries/aws/d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md create mode 100644 docs/queries/cloudformation-queries/aws/d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md create mode 100644 docs/queries/cloudformation-queries/aws/d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md create mode 100644 docs/queries/cloudformation-queries/aws/d926aa95-0a04-4abc-b20c-acf54afe38a1.md create mode 100644 docs/queries/cloudformation-queries/aws/da905474-7454-43c0-b8d2-5756ab951aba.md create mode 100644 docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md create mode 100644 
docs/queries/cloudformation-queries/aws/dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md create mode 100644 docs/queries/cloudformation-queries/aws/dc1ab429-1481-4540-9b1d-280e3f15f1f8.md create mode 100644 docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md create mode 100644 docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md create mode 100644 docs/queries/cloudformation-queries/aws/de38e1d5-54cb-4111-a868-6f7722695007.md create mode 100644 docs/queries/cloudformation-queries/aws/de76a0d6-66d5-45c9-9022-f05545b85c78.md create mode 100644 docs/queries/cloudformation-queries/aws/de77cd9f-0e8b-46cc-b4a4-b6b436838642.md create mode 100644 docs/queries/cloudformation-queries/aws/dfb56e5d-ee68-446e-b32a-657b62befe69.md create mode 100644 docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md create mode 100644 docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md create mode 100644 docs/queries/cloudformation-queries/aws/e4239438-e639-44aa-adb8-866e400e3ade.md create mode 100644 docs/queries/cloudformation-queries/aws/e42a3ef0-5325-4667-84bf-075ba1c9d58e.md create mode 100644 docs/queries/cloudformation-queries/aws/e4ee3903-9225-4b6a-bdfb-e62dbadef821.md create mode 100644 docs/queries/cloudformation-queries/aws/e4f54ff4-d352-40e8-a096-5141073c37a2.md create mode 100644 docs/queries/cloudformation-queries/aws/e519ed6a-8328-4b69-8eb7-8fa549ac3050.md create mode 100644 docs/queries/cloudformation-queries/aws/e52395b4-250b-4c60-81d5-2e58c1d37abc.md create mode 100644 docs/queries/cloudformation-queries/aws/e649a218-d099-4550-86a4-1231e1fcb60d.md create mode 100644 docs/queries/cloudformation-queries/aws/e835bd0d-65da-49f7-b6d1-b646da8727e6.md create mode 100644 docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md create mode 100644 docs/queries/cloudformation-queries/aws/ed4c48b8-eccc-4881-95c1-09fdae23db25.md create mode 100644 
docs/queries/cloudformation-queries/aws/edc95c10-7366-4f30-9b4b-f995c84eceb5.md create mode 100644 docs/queries/cloudformation-queries/aws/ee12ad32-2863-4c0f-b13f-28272d115028.md create mode 100644 docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md create mode 100644 docs/queries/cloudformation-queries/aws/ef05a925-8568-4054-8ff1-f5ba82631c16.md create mode 100644 docs/queries/cloudformation-queries/aws/f0104061-8bfc-4b45-8a7d-630eb502f281.md create mode 100644 docs/queries/cloudformation-queries/aws/f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md create mode 100644 docs/queries/cloudformation-queries/aws/f4cf35d6-da92-48de-ab70-57be2b2e6497.md create mode 100644 docs/queries/cloudformation-queries/aws/f57f849c-883b-4cb7-85e7-f7b199dff163.md create mode 100644 docs/queries/cloudformation-queries/aws/f6049677-ec4a-43af-8779-5190b6d03cba.md create mode 100644 docs/queries/cloudformation-queries/aws/f62aa827-4ade-4dc4-89e4-1433d384a368.md create mode 100644 docs/queries/cloudformation-queries/aws/f6397a20-4cf1-4540-a997-1d363c25ef58.md create mode 100644 docs/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b.md create mode 100644 docs/queries/cloudformation-queries/aws/f80e3aa7-7b34-4185-954e-440a6894dde6.md create mode 100644 docs/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6.md create mode 100644 docs/queries/cloudformation-queries/aws/f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md create mode 100644 docs/queries/cloudformation-queries/aws/f988a17f-1139-46a3-8928-f27eafd8b024.md create mode 100644 docs/queries/cloudformation-queries/aws/f9b10cdb-eaab-4e39-9793-e12b94a582ad.md create mode 100644 docs/queries/cloudformation-queries/aws/faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md create mode 100644 docs/queries/cloudformation-queries/aws/fb2b0ecf-1492-491a-a70d-ba1df579175d.md create mode 100644 docs/queries/cloudformation-queries/aws/fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md create mode 100644 
docs/queries/cloudformation-queries/aws/fcbf9019-566c-4832-a65c-af00d8137d2b.md create mode 100644 docs/queries/cloudformation-queries/aws/fe974ae9-858e-4991-bbd5-e040a834679f.md create mode 100644 docs/queries/cloudformation-queries/aws/ffee2785-c347-451e-89f3-11aeb08e5c84.md create mode 100644 docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md create mode 100644 docs/queries/crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b.md create mode 100644 docs/queries/crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md create mode 100644 docs/queries/crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1.md create mode 100644 docs/queries/crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb.md create mode 100644 docs/queries/crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md create mode 100644 docs/queries/crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e.md create mode 100644 docs/queries/crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md create mode 100644 docs/queries/crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661.md create mode 100644 docs/queries/crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9.md create mode 100644 docs/queries/crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md create mode 100644 docs/queries/crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469.md create mode 100644 docs/queries/crossplane-queries/azure/6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md create mode 100644 docs/queries/crossplane-queries/azure/b2418936-cd47-4ea2-8346-623c0bdb87bd.md create mode 100644 docs/queries/crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421.md create mode 100644 docs/queries/crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md create mode 100644 docs/queries/dockercompose-queries/071a71ff-f868-47a4-ac0b-3c59e4ab5443.md create mode 100644 docs/queries/dockercompose-queries/1c1325ff-831d-43a1-973e-839ae57dfcc0.md create 
mode 100644 docs/queries/dockercompose-queries/221e0658-cb2a-44e3-b08a-db96a341d6fa.md create mode 100644 docs/queries/dockercompose-queries/27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md create mode 100644 docs/queries/dockercompose-queries/2fc99041-ddad-49d5-853f-e35e70a48391.md create mode 100644 docs/queries/dockercompose-queries/404fde2c-bc4b-4371-9747-7054132ac953.md create mode 100644 docs/queries/dockercompose-queries/451d79dc-0588-476a-ad03-3c7f0320abb3.md create mode 100644 docs/queries/dockercompose-queries/4d9f44c6-2f4a-4317-9bb5-267adbea0232.md create mode 100644 docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md create mode 100644 docs/queries/dockercompose-queries/610e266e-6c12-4bca-9925-1ed0cd29742b.md create mode 100644 docs/queries/dockercompose-queries/698ed579-b239-4f8f-a388-baa4bcb13ef8.md create mode 100644 docs/queries/dockercompose-queries/6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md create mode 100644 docs/queries/dockercompose-queries/8af7162d-6c98-482f-868e-0d33fb675ca8.md create mode 100644 docs/queries/dockercompose-queries/ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md create mode 100644 docs/queries/dockercompose-queries/baa3890f-bed7-46f5-ab8f-1da8fc91c729.md create mode 100644 docs/queries/dockercompose-queries/baa452f0-1f21-4a25-ace5-844e7a5f410d.md create mode 100644 docs/queries/dockercompose-queries/bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md create mode 100644 docs/queries/dockercompose-queries/bc2908f3-f73c-40a9-8793-c1b7d5544f79.md create mode 100644 docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md create mode 100644 docs/queries/dockercompose-queries/ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md create mode 100644 docs/queries/dockercompose-queries/d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md create mode 100644 docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md create mode 100644 docs/queries/dockerfile-queries/00481784-25aa-4a55-8633-3136dfcf4f37.md create mode 100644 
docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md create mode 100644 docs/queries/dockerfile-queries/22cd11f7-9c6c-4f6e-84c0-02058120b341.md create mode 100644 docs/queries/dockerfile-queries/295acb63-9246-4b21-b441-7c1f1fb62dc0.md create mode 100644 docs/queries/dockerfile-queries/38300d1a-feb2-4a48-936a-d1ef1cd24313.md create mode 100644 docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md create mode 100644 docs/queries/dockerfile-queries/45e1fca5-f90e-465d-825f-c2cb63fa3944.md create mode 100644 docs/queries/dockerfile-queries/4b410d24-1cbe-4430-a632-62c9a931cf1c.md create mode 100644 docs/queries/dockerfile-queries/562952e4-0348-4dea-9826-44f3a2c6117b.md create mode 100644 docs/queries/dockerfile-queries/5907595b-5b6d-4142-b173-dbb0e73fbff8.md create mode 100644 docs/queries/dockerfile-queries/5fa731ea-e844-47a6-a1e8-abc25e95847e.md create mode 100644 docs/queries/dockerfile-queries/6452c424-1d92-4deb-bb18-a03e95d579c4.md create mode 100644 docs/queries/dockerfile-queries/67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md create mode 100644 docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md create mode 100644 docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md create mode 100644 docs/queries/dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4.md create mode 100644 docs/queries/dockerfile-queries/6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md create mode 100644 docs/queries/dockerfile-queries/6e19193a-8753-436d-8a09-76dcff91bb03.md create mode 100644 docs/queries/dockerfile-queries/71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md create mode 100644 docs/queries/dockerfile-queries/7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md create mode 100644 docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md create mode 100644 docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md create mode 100644 docs/queries/dockerfile-queries/8a301064-c291-4b20-adcb-403fe7fd95fd.md create mode 
100644 docs/queries/dockerfile-queries/8ada6e80-0ade-439e-b176-0b28f6bce35a.md create mode 100644 docs/queries/dockerfile-queries/93d88cf7-f078-46a8-8ddc-178e03aeacf1.md create mode 100644 docs/queries/dockerfile-queries/9513a694-aa0d-41d8-be61-3271e056f36b.md create mode 100644 docs/queries/dockerfile-queries/965a08d7-ef86-4f14-8792-4a3b2098937e.md create mode 100644 docs/queries/dockerfile-queries/99614418-f82b-4852-a9ae-5051402b741c.md create mode 100644 docs/queries/dockerfile-queries/9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md create mode 100644 docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md create mode 100644 docs/queries/dockerfile-queries/9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md create mode 100644 docs/queries/dockerfile-queries/aa93e17f-b6db-4162-9334-c70334e7ac28.md create mode 100644 docs/queries/dockerfile-queries/ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md create mode 100644 docs/queries/dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5.md create mode 100644 docs/queries/dockerfile-queries/b16e8501-ef3c-44e1-a543-a093238099c9.md create mode 100644 docs/queries/dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md create mode 100644 docs/queries/dockerfile-queries/b86987e1-6397-4619-81d5-8807f2387c79.md create mode 100644 docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md create mode 100644 docs/queries/dockerfile-queries/d3499f6d-1651-41bb-a9a7-de925fea487b.md create mode 100644 docs/queries/dockerfile-queries/df746b39-6564-4fed-bf85-e9c44382303c.md create mode 100644 docs/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5.md create mode 100644 docs/queries/dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md create mode 100644 docs/queries/dockerfile-queries/f2daed12-c802-49cd-afed-fe41d0b82fed.md create mode 100644 docs/queries/dockerfile-queries/f2f903fb-b977-461e-98d7-b3e2185c6118.md create mode 100644 docs/queries/dockerfile-queries/f45ea400-6bbe-4501-9fc7-1c3d75c32067.md create 
mode 100644 docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md create mode 100644 docs/queries/dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359.md create mode 100644 docs/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/1239f54b-33de-482a-8132-faebe288e6a6.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/227c2f58-70c6-4432-8e9a-a89c1a548cf5.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/268c65a8-58ad-43e4-9019-1a9bbc56749f.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/28727987-e398-49b8-aef1-8a3e7789d111.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/313d6deb-3b67-4948-b41d-35b699c2492e.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/48c61fbd-09c9-46cc-a521-012e0c325412.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/50cb6c3b-c878-4b88-b50e-d1421bada9e8.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/62c8cf50-87f0-4295-a974-8184ed78fe02.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/7c98538a-81c6-444b-bf04-e60bc3ceeec0.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/7ef7d141-9fbb-4679-a977-fd0883436906.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/8212e2d7-e683-49bc-bf78-d6799075c5a7.md 
create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/83103dff-d57f-42a8-bd81-40abab64c1a7.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/8810968b-4b15-421d-918b-d91eb4bb8d1d.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/9038b526-4c19-4928-bca2-c03d503bdb79.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/a21b8df3-c840-4b3d-a41a-10fb2afda171.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/ad0875c1-0b39-4890-9149-173158ba3bba.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/bbfc97ab-e92a-4a7b-954c-e88cec815011.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/c47f90e8-4a19-43f0-8413-cc434d286c4e.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/c759d6f2-4dd3-4160-82d3-89202ef10d87.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/dbe058d7-b82e-430b-8426-992b2e4677e7.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/dd690686-2bf9-4012-a821-f61912dd77be.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/dee21308-2a7a-49de-8ff7-c9b87e188575.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/df58d46c-783b-43e0-bdd0-d99164f712ee.md create mode 100644 docs/queries/googledeploymentmanager-queries/gcp/e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md create mode 100644 
docs/queries/googledeploymentmanager-queries/gcp/fc040fb6-4c23-4c0d-b12a-39edac35debb.md create mode 100644 docs/queries/grpc-queries/daaace5f-c0dc-4835-b526-7a116b7f4b4e.md create mode 100644 docs/queries/knative-queries/e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md create mode 100644 docs/queries/kubernetes-queries/02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md create mode 100644 docs/queries/kubernetes-queries/03aabc8c-35d6-481e-9c85-20139cf72d23.md create mode 100644 docs/queries/kubernetes-queries/0401f71b-9c1e-4821-ab15-a955caa621be.md create mode 100644 docs/queries/kubernetes-queries/056ac60e-fe07-4acc-9b34-8e1d51716ab9.md create mode 100644 docs/queries/kubernetes-queries/05fb986f-ac73-4ebb-a5b2-7faafa93d882.md create mode 100644 docs/queries/kubernetes-queries/075ca296-6768-4322-aea2-ba5063b969a9.md create mode 100644 docs/queries/kubernetes-queries/09bb9e96-8da3-4736-b89a-b36814acca60.md create mode 100644 docs/queries/kubernetes-queries/10efce34-5af6-4d83-b414-9e096d5a06a9.md create mode 100644 docs/queries/kubernetes-queries/1123031a-f921-4c5b-bd86-ef354ecfd37a.md create mode 100644 docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md create mode 100644 docs/queries/kubernetes-queries/14abda69-8e91-4acb-9931-76e2bee90284.md create mode 100644 docs/queries/kubernetes-queries/1828a670-5957-4bc5-9974-47da228f75e2.md create mode 100644 docs/queries/kubernetes-queries/192fe40b-b1c3-448a-aba2-6cc19a300fe3.md create mode 100644 docs/queries/kubernetes-queries/19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md create mode 100644 docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md create mode 100644 docs/queries/kubernetes-queries/1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md create mode 100644 docs/queries/kubernetes-queries/1acd93f1-5a37-45c0-aaac-82ece818be7d.md create mode 100644 docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md create mode 100644 docs/queries/kubernetes-queries/1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md create 
mode 100644 docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md create mode 100644 docs/queries/kubernetes-queries/1e749bc9-fde8-471c-af0c-8254efd2dee5.md create mode 100644 docs/queries/kubernetes-queries/1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md create mode 100644 docs/queries/kubernetes-queries/2270987f-bb51-479f-b8be-3ca73e5ad648.md create mode 100644 docs/queries/kubernetes-queries/229588ef-8fde-40c8-8756-f4f2b5825ded.md create mode 100644 docs/queries/kubernetes-queries/235236ee-ad78-4065-bd29-61b061f28ce0.md create mode 100644 docs/queries/kubernetes-queries/249328b8-5f0f-409f-b1dd-029f07882e11.md create mode 100644 docs/queries/kubernetes-queries/26763a1c-5dda-4772-b507-5fca7fb5f165.md create mode 100644 docs/queries/kubernetes-queries/268ca686-7fb7-4ae9-b129-955a2a89064e.md create mode 100644 docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md create mode 100644 docs/queries/kubernetes-queries/2b1836f1-dcce-416e-8e16-da8c71920633.md create mode 100644 docs/queries/kubernetes-queries/2f1a0619-b12b-48a0-825f-993bb6f01d58.md create mode 100644 docs/queries/kubernetes-queries/2f491173-6375-4a84-b28e-a4e2b9a58a69.md create mode 100644 docs/queries/kubernetes-queries/2f652c42-619d-4361-b361-9f599688f8ca.md create mode 100644 docs/queries/kubernetes-queries/302736f4-b16c-41b8-befe-c0baffa0bd9d.md create mode 100644 docs/queries/kubernetes-queries/32ecd76e-7bbf-402e-bf48-8b9485749558.md create mode 100644 docs/queries/kubernetes-queries/33fc6923-6553-4fe6-9d3a-4efa51eb874b.md create mode 100644 docs/queries/kubernetes-queries/35c0a471-f7c8-4993-aa2c-503a3c712a66.md create mode 100644 docs/queries/kubernetes-queries/36a27826-1bf5-49da-aeb0-a60a30c0e834.md create mode 100644 docs/queries/kubernetes-queries/3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md create mode 100644 docs/queries/kubernetes-queries/38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md create mode 100644 docs/queries/kubernetes-queries/3ca03a61-3249-4c16-8427-6f8e47dda729.md 
create mode 100644 docs/queries/kubernetes-queries/3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md create mode 100644 docs/queries/kubernetes-queries/3d658f8b-d988-41a0-a841-40043121de1e.md create mode 100644 docs/queries/kubernetes-queries/3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md create mode 100644 docs/queries/kubernetes-queries/46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2.md create mode 100644 docs/queries/kubernetes-queries/48471392-d4d0-47c0-b135-cdec95eb3eef.md create mode 100644 docs/queries/kubernetes-queries/48a5beba-e4c0-4584-a2aa-e6894e4cf424.md create mode 100644 docs/queries/kubernetes-queries/49113af4-29ca-458e-b8d4-724c01a4a24f.md create mode 100644 docs/queries/kubernetes-queries/4a20ebac-1060-4c81-95d1-1f7f620e983b.md create mode 100644 docs/queries/kubernetes-queries/4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md create mode 100644 docs/queries/kubernetes-queries/4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md create mode 100644 docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md create mode 100644 docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md create mode 100644 docs/queries/kubernetes-queries/5308a7a8-06f8-45ac-bf10-791fe21de46e.md create mode 100644 docs/queries/kubernetes-queries/5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md create mode 100644 docs/queries/kubernetes-queries/5744cbb8-5946-4b75-a196-ade44449525b.md create mode 100644 docs/queries/kubernetes-queries/583053b7-e632-46f0-b989-f81ff8045385.md create mode 100644 docs/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9.md create mode 100644 docs/queries/kubernetes-queries/592ad21d-ad9b-46c6-8d2d-fad09d62a942.md create mode 100644 docs/queries/kubernetes-queries/5da47109-f8d6-4585-9e2b-96a8958a12f5.md create mode 100644 docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md create mode 100644 docs/queries/kubernetes-queries/611ab018-c4aa-4ba2-b0f6-a448337509a6.md create mode 100644 
docs/queries/kubernetes-queries/69bbc5e3-0818-4150-89cc-1e989b48f23b.md create mode 100644 docs/queries/kubernetes-queries/6a68bebe-c021-492e-8ddb-55b0567fb768.md create mode 100644 docs/queries/kubernetes-queries/6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md create mode 100644 docs/queries/kubernetes-queries/6b896afb-ca07-467a-b256-1a0077a1c08e.md create mode 100644 docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md create mode 100644 docs/queries/kubernetes-queries/6d173be7-545a-46c6-a81d-2ae52ed1605d.md create mode 100644 docs/queries/kubernetes-queries/7307579a-3abb-46ad-9ce5-2a915634d5c8.md create mode 100644 docs/queries/kubernetes-queries/73e251f0-363d-4e53-86e2-0a93592437eb.md create mode 100644 docs/queries/kubernetes-queries/768aab52-2504-4a2f-a3e3-329d5a679848.md create mode 100644 docs/queries/kubernetes-queries/7c81d34c-8e5a-402b-9798-9f442630e678.md create mode 100644 docs/queries/kubernetes-queries/80f93444-b240-4ebb-a4c6-5c40b76c04ea.md create mode 100644 docs/queries/kubernetes-queries/8320826e-7a9c-4b0b-9535-578333193432.md create mode 100644 docs/queries/kubernetes-queries/845acfbe-3e10-4b8e-b656-3b404d36dfb2.md create mode 100644 docs/queries/kubernetes-queries/85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md create mode 100644 docs/queries/kubernetes-queries/87554eef-154d-411d-bdce-9dbd91e56851.md create mode 100644 docs/queries/kubernetes-queries/895a5a95-3756-4b04-9924-2f3bc93181bd.md create mode 100644 docs/queries/kubernetes-queries/8b36775e-183d-4d46-b0f7-96a6f34a723f.md create mode 100644 docs/queries/kubernetes-queries/8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md create mode 100644 docs/queries/kubernetes-queries/8cf4671a-cf3d-46fc-8389-21e7405063a2.md create mode 100644 docs/queries/kubernetes-queries/9127f0d9-2310-42e7-866f-5fd9d20dcbad.md create mode 100644 docs/queries/kubernetes-queries/91dacd0e-d189-4a9c-8272-5999a3cc32d9.md create mode 100644 docs/queries/kubernetes-queries/9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md create mode 
100644 docs/queries/kubernetes-queries/94b76ea5-e074-4ca2-8a03-c5a606e30645.md create mode 100644 docs/queries/kubernetes-queries/9587c890-0524-40c2-9ce2-663af7c2f063.md create mode 100644 docs/queries/kubernetes-queries/98ce8b81-7707-4734-aa39-627c6db3d84b.md create mode 100644 docs/queries/kubernetes-queries/9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md create mode 100644 docs/queries/kubernetes-queries/9f85c3f6-26fd-4007-938a-2e0cb0100980.md create mode 100644 docs/queries/kubernetes-queries/a31b7b82-d994-48c4-bd21-3bab6c31827a.md create mode 100644 docs/queries/kubernetes-queries/a33e9173-b674-4dfb-9d82-cf3754816e4b.md create mode 100644 docs/queries/kubernetes-queries/a5530bd7-225a-48f9-91bb-f40b04200165.md create mode 100644 docs/queries/kubernetes-queries/a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md create mode 100644 docs/queries/kubernetes-queries/a6f34658-fdfb-4154-9536-56d516f65828.md create mode 100644 docs/queries/kubernetes-queries/a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md create mode 100644 docs/queries/kubernetes-queries/a97a340a-0063-418e-b3a1-3028941d0995.md create mode 100644 docs/queries/kubernetes-queries/a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md create mode 100644 docs/queries/kubernetes-queries/aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md create mode 100644 docs/queries/kubernetes-queries/aafa7d94-62de-4fbf-8838-b69ee217b0e6.md create mode 100644 docs/queries/kubernetes-queries/ade74944-a674-4e00-859e-c6eab5bde441.md create mode 100644 docs/queries/kubernetes-queries/ae8827e2-4af9-4baa-9998-87539ae0d6f0.md create mode 100644 docs/queries/kubernetes-queries/aee3c7d2-a811-4201-90c7-11c028be9a46.md create mode 100644 docs/queries/kubernetes-queries/afa36afb-39fe-4d94-b9b6-afb236f7a03d.md create mode 100644 docs/queries/kubernetes-queries/b14d1bc4-a208-45db-92f0-e21f8e2588e9.md create mode 100644 docs/queries/kubernetes-queries/b23e9b98-0cb6-4fc9-b257-1f3270442678.md create mode 100644 docs/queries/kubernetes-queries/b7652612-de4e-4466-a0bf-1cd81f0c6063.md create 
mode 100644 docs/queries/kubernetes-queries/b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md create mode 100644 docs/queries/kubernetes-queries/b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md create mode 100644 docs/queries/kubernetes-queries/b9380fd3-5ffe-4d10-9290-13e18e71eee1.md create mode 100644 docs/queries/kubernetes-queries/b9c83569-459b-4110-8f79-6305aa33cb37.md create mode 100644 docs/queries/kubernetes-queries/bb241e61-77c3-4b97-9575-c0f8a1e008d0.md create mode 100644 docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md create mode 100644 docs/queries/kubernetes-queries/c1032cf7-3628-44e2-bd53-38c17cf31b6b.md create mode 100644 docs/queries/kubernetes-queries/c48e57d3-d642-4e0b-90db-37f807b41b91.md create mode 100644 docs/queries/kubernetes-queries/c589f42c-7924-4871-aee2-1cede9bc7cbc.md create mode 100644 docs/queries/kubernetes-queries/ca469dd4-c736-448f-8ac1-30a642705e0a.md create mode 100644 docs/queries/kubernetes-queries/caa3479d-885d-4882-9aac-95e5e78ef5c2.md create mode 100644 docs/queries/kubernetes-queries/caa93370-791f-4fc6-814b-ba6ce0cb4032.md create mode 100644 docs/queries/kubernetes-queries/cb7e695d-6a85-495c-b15f-23aed2519303.md create mode 100644 docs/queries/kubernetes-queries/cbd2db69-0b21-4c14-8a40-7710a50571a9.md create mode 100644 docs/queries/kubernetes-queries/ccc98ff7-68a7-436e-9218-185cb0b0b780.md create mode 100644 docs/queries/kubernetes-queries/cd290efd-6c82-4e9d-a698-be12ae31d536.md create mode 100644 docs/queries/kubernetes-queries/cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md create mode 100644 docs/queries/kubernetes-queries/ce30e584-b33f-4c7d-b418-a3d7027f8f60.md create mode 100644 docs/queries/kubernetes-queries/cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md create mode 100644 docs/queries/kubernetes-queries/d2ad057f-0928-41ef-a83c-f59203bb855b.md create mode 100644 docs/queries/kubernetes-queries/d45330fd-f58d-45fb-a682-6481477a0f84.md create mode 100644 docs/queries/kubernetes-queries/d740d048-8ed3-49d3-b77b-6f072f3b669e.md 
create mode 100644 docs/queries/kubernetes-queries/d89a15bb-8dba-4c71-9529-bef6729b9c09.md create mode 100644 docs/queries/kubernetes-queries/da9f3aa8-fbfb-472f-b5a1-576127944218.md create mode 100644 docs/queries/kubernetes-queries/dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md create mode 100644 docs/queries/kubernetes-queries/dbbc6705-d541-43b0-b166-dd4be8208b54.md create mode 100644 docs/queries/kubernetes-queries/dd29336b-fe57-445b-a26e-e6aa867ae609.md create mode 100644 docs/queries/kubernetes-queries/de4421f1-4e35-43b4-9783-737dd4e4a47e.md create mode 100644 docs/queries/kubernetes-queries/e0099af2-fe17-411f-9991-0de28fe15f3c.md create mode 100644 docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md create mode 100644 docs/queries/kubernetes-queries/e17fa86a-6222-4584-a914-56e8f6c87e06.md create mode 100644 docs/queries/kubernetes-queries/e3aa0612-4351-4a0d-983f-aefea25cf203.md create mode 100644 docs/queries/kubernetes-queries/e84eaf4d-2f45-47b2-abe8-e581b06deb66.md create mode 100644 docs/queries/kubernetes-queries/ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md create mode 100644 docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md create mode 100644 docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md create mode 100644 docs/queries/kubernetes-queries/f377b83e-bd07-4f48-a591-60c82b14a78b.md create mode 100644 docs/queries/kubernetes-queries/f922827f-aab6-447c-832a-e1ff63312bd3.md create mode 100644 docs/queries/kubernetes-queries/fa4def8c-1898-4a35-a139-7b76b1acdef0.md create mode 100644 docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md create mode 100644 docs/queries/openapi-queries/00b78adf-b83f-419c-8ed8-c6018441dd3a.md create mode 100644 docs/queries/openapi-queries/013bdb4b-9246-4248-b0c3-7fb0fee42a29.md create mode 100644 docs/queries/openapi-queries/015eac96-6313-43c0-84e5-81b1374fa637.md create mode 100644 docs/queries/openapi-queries/0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md create 
mode 100644 docs/queries/openapi-queries/03856cb2-e46c-4daf-bfbf-214ec93c882b.md create mode 100644 docs/queries/openapi-queries/05505192-ba2c-4a81-9b25-dcdbcc973746.md create mode 100644 docs/queries/openapi-queries/06764426-3c56-407e-981f-caa25db1c149.md create mode 100644 docs/queries/openapi-queries/0b76d993-ee52-43e0-8b39-3787d2ddabf1.md create mode 100644 docs/queries/openapi-queries/0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md create mode 100644 docs/queries/openapi-queries/0de50145-e845-47f4-9a15-23bcf2125710.md create mode 100644 docs/queries/openapi-queries/0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md create mode 100644 docs/queries/openapi-queries/105e20dd-8449-4d71-95c6-d5dac96639af.md create mode 100644 docs/queries/openapi-queries/10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md create mode 100644 docs/queries/openapi-queries/12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md create mode 100644 docs/queries/openapi-queries/151331e2-11f4-4bb6-bd35-9a005e695087.md create mode 100644 docs/queries/openapi-queries/181bd815-767e-4e95-a24d-bb3c87328e19.md create mode 100644 docs/queries/openapi-queries/1908a8ee-927d-4166-8f18-241152170cc1.md create mode 100644 docs/queries/openapi-queries/1a1aea94-745b-40a7-b860-0702ea6ee636.md create mode 100644 docs/queries/openapi-queries/1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md create mode 100644 docs/queries/openapi-queries/20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md create mode 100644 docs/queries/openapi-queries/20cb3159-b219-496b-8dac-54ae3ab2021a.md create mode 100644 docs/queries/openapi-queries/221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md create mode 100644 docs/queries/openapi-queries/237402e2-c2f0-46c9-9cf5-286160cf7bfc.md create mode 100644 docs/queries/openapi-queries/23a9e2d9-8738-4556-a71c-2802b6ffa022.md create mode 100644 docs/queries/openapi-queries/2596545e-1757-4ff7-a15a-8a9a180a42f3.md create mode 100644 docs/queries/openapi-queries/26f06397-36d8-4ce7-b993-17711261d777.md create mode 100644 
docs/queries/openapi-queries/274f910a-0665-4f08-b66d-7058fe927dba.md create mode 100644 docs/queries/openapi-queries/281b8071-6226-4a43-911d-fec246d422c2.md create mode 100644 docs/queries/openapi-queries/2bd608ae-8a1f-457f-b710-c237883cb313.md create mode 100644 docs/queries/openapi-queries/2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md create mode 100644 docs/queries/openapi-queries/2d6646f4-2946-420f-8c14-3232d49ae0cb.md create mode 100644 docs/queries/openapi-queries/2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md create mode 100644 docs/queries/openapi-queries/2da46be4-4317-4650-9285-56d7103c4f93.md create mode 100644 docs/queries/openapi-queries/2e275f16-b627-4d3f-ae73-a6153a23ae8f.md create mode 100644 docs/queries/openapi-queries/2e44e632-d617-43cb-b294-6bfe72a08938.md create mode 100644 docs/queries/openapi-queries/2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md create mode 100644 docs/queries/openapi-queries/2ea04bef-c769-409e-9179-ee3a50b5c0ac.md create mode 100644 docs/queries/openapi-queries/31dd6fc0-f274-493b-9614-e063086c19fc.md create mode 100644 docs/queries/openapi-queries/332cf2ad-380d-4b90-b436-46f8e635cf38.md create mode 100644 docs/queries/openapi-queries/33d96c65-977d-4c33-943f-440baca49185.md create mode 100644 docs/queries/openapi-queries/37140f7f-724a-4c87-a536-e9cee1d61533.md create mode 100644 docs/queries/openapi-queries/376c9390-7e9e-4cb8-a067-fd31c05451fd.md create mode 100644 docs/queries/openapi-queries/3847280c-9193-40bc-8009-76168e822ce2.md create mode 100644 docs/queries/openapi-queries/3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md create mode 100644 docs/queries/openapi-queries/39cb32f2-3a42-4af0-8037-82a7a9654b6c.md create mode 100644 docs/queries/openapi-queries/3a01790c-ebee-4da6-8fd3-e78657383b75.md create mode 100644 docs/queries/openapi-queries/3b066059-f411-4554-ac8d-96f32bff90da.md create mode 100644 docs/queries/openapi-queries/3b497874-ae59-46dd-8d72-1868a3b8f150.md create mode 100644 
docs/queries/openapi-queries/3b615f00-c443-4ba9-acc4-7c308716917d.md create mode 100644 docs/queries/openapi-queries/3ba0cca1-b815-47bf-ac62-1e584eb64a05.md create mode 100644 docs/queries/openapi-queries/3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md create mode 100644 docs/queries/openapi-queries/3fb03214-25d4-4bd4-867c-c2d8d708a483.md create mode 100644 docs/queries/openapi-queries/40d3df21-c170-4dbe-9c02-4289b51f994f.md create mode 100644 docs/queries/openapi-queries/40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md create mode 100644 docs/queries/openapi-queries/4190dda7-af03-4cf0-a128-70ac1661ca09.md create mode 100644 docs/queries/openapi-queries/429b2106-ba37-43ba-9727-7f699cc611e1.md create mode 100644 docs/queries/openapi-queries/462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md create mode 100644 docs/queries/openapi-queries/46facedc-f243-4108-ab33-583b807d50b0.md create mode 100644 docs/queries/openapi-queries/48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md create mode 100644 docs/queries/openapi-queries/4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md create mode 100644 docs/queries/openapi-queries/4bcbcd52-3028-469f-bc14-02c7dbba2df2.md create mode 100644 docs/queries/openapi-queries/4cac7ace-b0fb-477d-830d-65395d9109d9.md create mode 100644 docs/queries/openapi-queries/4cd8de87-b595-48b6-ab3c-1904567135ab.md create mode 100644 docs/queries/openapi-queries/500ce696-d501-41dd-86eb-eceb011a386f.md create mode 100644 docs/queries/openapi-queries/50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md create mode 100644 docs/queries/openapi-queries/52c0d841-60d6-4a81-88dd-c35fef36d315.md create mode 100644 docs/queries/openapi-queries/543e38f4-1eee-479e-8eb0-15257013aa0a.md create mode 100644 docs/queries/openapi-queries/561710b1-b845-4562-95ce-2397a05ccef4.md create mode 100644 docs/queries/openapi-queries/58f06434-a88c-4f74-826c-db7e10cc7def.md create mode 100644 docs/queries/openapi-queries/5915c20f-dffa-4cee-b5d4-f457ddc0151a.md create mode 100644 
docs/queries/openapi-queries/59c2f769-7cc2-49c8-a3de-4e211135cfab.md create mode 100644 docs/queries/openapi-queries/5aea1d7e-b834-4749-b143-2c7ec3bd5922.md create mode 100644 docs/queries/openapi-queries/5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md create mode 100644 docs/queries/openapi-queries/5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md create mode 100644 docs/queries/openapi-queries/60b5f56b-66ff-4e1c-9b62-5753e16825bc.md create mode 100644 docs/queries/openapi-queries/60fb6621-9f02-473b-9424-ba9a825747d3.md create mode 100644 docs/queries/openapi-queries/663c442d-f918-4f62-b096-0bf5dcbeb655.md create mode 100644 docs/queries/openapi-queries/68e5fcac-390c-4939-a373-6074b7be7c71.md create mode 100644 docs/queries/openapi-queries/6952a7e0-6e48-4285-bbc1-27c64e60f888.md create mode 100644 docs/queries/openapi-queries/698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md create mode 100644 docs/queries/openapi-queries/6998389e-66b2-473d-8d05-c8d71ac4d04d.md create mode 100644 docs/queries/openapi-queries/69d7aefd-149d-47b8-8d89-1c2181a8067b.md create mode 100644 docs/queries/openapi-queries/6a2c219f-da5e-4745-941e-5ea8cde23356.md create mode 100644 docs/queries/openapi-queries/6b76f589-9713-44ab-97f5-59a3dba1a285.md create mode 100644 docs/queries/openapi-queries/6c35d2c6-09f2-4e5c-a094-e0e91327071d.md create mode 100644 docs/queries/openapi-queries/6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md create mode 100644 docs/queries/openapi-queries/72d259ca-9741-48dd-9f62-eb11f2936b37.md create mode 100644 docs/queries/openapi-queries/73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md create mode 100644 docs/queries/openapi-queries/750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md create mode 100644 docs/queries/openapi-queries/750f6448-27c0-49f8-a153-b81735c1e19c.md create mode 100644 docs/queries/openapi-queries/77276d82-4f45-4cf1-8e2b-4d345b936228.md create mode 100644 docs/queries/openapi-queries/773116aa-2e6d-416f-bd85-f0301cc05d76.md create mode 100644 
docs/queries/openapi-queries/7a01dfbd-da62-4165-aed7-71349ad42ab4.md create mode 100644 docs/queries/openapi-queries/7f203940-39c4-4ea7-91ee-7aba16bca9e2.md create mode 100644 docs/queries/openapi-queries/7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md create mode 100644 docs/queries/openapi-queries/801f0c6a-a834-4467-89c6-ddecffb46b5a.md create mode 100644 docs/queries/openapi-queries/815021c8-a50c-46d9-b192-24f71072c400.md create mode 100644 docs/queries/openapi-queries/84c826c9-1893-4b34-8cdd-db97645b4bf3.md create mode 100644 docs/queries/openapi-queries/86b1fa30-9790-4980-994d-a27e0f6f27c1.md create mode 100644 docs/queries/openapi-queries/86e3702f-c868-44b2-b61d-ea5316c18110.md create mode 100644 docs/queries/openapi-queries/881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md create mode 100644 docs/queries/openapi-queries/8aee4754-970d-4c5f-8142-a49dfe388b1a.md create mode 100644 docs/queries/openapi-queries/8af270ce-298b-4405-9922-82a10aee7a4f.md create mode 100644 docs/queries/openapi-queries/8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md create mode 100644 docs/queries/openapi-queries/8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md create mode 100644 docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md create mode 100644 docs/queries/openapi-queries/8c84f75e-5048-4926-a4cb-33e7b3431300.md create mode 100644 docs/queries/openapi-queries/8d0921d6-4131-461f-a253-99e873f8f77e.md create mode 100644 docs/queries/openapi-queries/8db5544e-4874-4baa-9322-e9f75a2d219e.md create mode 100644 docs/queries/openapi-queries/8fe1846f-52cc-4413-ace9-1933d7d23672.md create mode 100644 docs/queries/openapi-queries/9239c289-9e4c-4d92-8be1-9d506057c971.md create mode 100644 docs/queries/openapi-queries/962fa01e-b791-4dcc-b04a-4a3e7389be5e.md create mode 100644 docs/queries/openapi-queries/9670f240-7b4d-4955-bd93-edaa9fa38b58.md create mode 100644 docs/queries/openapi-queries/96729c6b-7400-4d9e-9807-17f00cdde4d2.md create mode 100644 
docs/queries/openapi-queries/96beb800-566f-49a9-a0ea-dbdf4bc80429.md create mode 100644 docs/queries/openapi-queries/98295b32-ec09-4b5b-89a9-39853197f914.md create mode 100644 docs/queries/openapi-queries/990eaf09-d6f1-4c3c-b174-a517b1de8917.md create mode 100644 docs/queries/openapi-queries/9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md create mode 100644 docs/queries/openapi-queries/9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md create mode 100644 docs/queries/openapi-queries/9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md create mode 100644 docs/queries/openapi-queries/9d967a2b-9d64-41a6-abea-dfc4960299bd.md create mode 100644 docs/queries/openapi-queries/9f88c88d-824d-4d9a-b985-e22977046042.md create mode 100644 docs/queries/openapi-queries/a0bf7382-5d5a-4224-924c-3db8466026c9.md create mode 100644 docs/queries/openapi-queries/a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md create mode 100644 docs/queries/openapi-queries/a4247b11-890b-45df-bf42-350a7a3af9be.md create mode 100644 docs/queries/openapi-queries/a46928f1-43d7-4671-94e0-2dd99746f389.md create mode 100644 docs/queries/openapi-queries/a4dd69b8-49fa-45d2-a060-c76655405b05.md create mode 100644 docs/queries/openapi-queries/a5375be3-521c-43bb-9eab-e2432e368ee4.md create mode 100644 docs/queries/openapi-queries/a599b0d1-ff89-4cb8-9ece-9951854c06f6.md create mode 100644 docs/queries/openapi-queries/a6847dc6-f4ea-45ac-a81f-93291ae6c573.md create mode 100644 docs/queries/openapi-queries/a68da022-e95a-4bc2-97d3-481e0bd6d446.md create mode 100644 docs/queries/openapi-queries/a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md create mode 100644 docs/queries/openapi-queries/a9228976-10cf-4b5f-b902-9e962aad037a.md create mode 100644 docs/queries/openapi-queries/a92be1d5-d762-484a-86d6-8cd0907ba100.md create mode 100644 docs/queries/openapi-queries/a96bbc06-8cde-4295-ad3c-ee343a7f658e.md create mode 100644 docs/queries/openapi-queries/ab1263c2-81df-46f0-9f2c-0b62fdb68419.md create mode 100644 
docs/queries/openapi-queries/ab2af219-cd08-4233-b5a1-a788aac88b51.md create mode 100644 docs/queries/openapi-queries/ae13a37d-943b-47a7-a970-83c8598bcca3.md create mode 100644 docs/queries/openapi-queries/aecee30b-8ea1-4776-a99c-d6d600f0862f.md create mode 100644 docs/queries/openapi-queries/b05bb927-2df5-43cc-8d7b-6825c0e71625.md create mode 100644 docs/queries/openapi-queries/b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md create mode 100644 docs/queries/openapi-queries/b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md create mode 100644 docs/queries/openapi-queries/b2f275be-7d64-4064-b418-be6b431363a7.md create mode 100644 docs/queries/openapi-queries/b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md create mode 100644 docs/queries/openapi-queries/b3871dd8-9333-4d6c-bd52-67eb898b71ab.md create mode 100644 docs/queries/openapi-queries/b4803607-ed72-4d60-99e2-3fa6edf471c6.md create mode 100644 docs/queries/openapi-queries/b481d46c-9c61-480f-86d9-af07146dc4a4.md create mode 100644 docs/queries/openapi-queries/b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md create mode 100644 docs/queries/openapi-queries/b9db8a10-020c-49ca-88c6-780e5fdb4328.md create mode 100644 docs/queries/openapi-queries/ba066cda-e808-450d-92b6-f29109754d45.md create mode 100644 docs/queries/openapi-queries/ba239cb9-f342-4c20-812d-7b5a2aa6969e.md create mode 100644 docs/queries/openapi-queries/baade968-7467-41e4-bf22-83ca222f5800.md create mode 100644 docs/queries/openapi-queries/bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md create mode 100644 docs/queries/openapi-queries/bccfa089-89e4-47e0-a0e5-185fe6902220.md create mode 100644 docs/queries/openapi-queries/be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md create mode 100644 docs/queries/openapi-queries/be1d8733-3731-40c7-a845-734741c6871d.md create mode 100644 docs/queries/openapi-queries/be3e170e-1572-461e-a8b6-d963def581ec.md create mode 100644 docs/queries/openapi-queries/c19779a9-5774-4d2f-a3a1-a99831730375.md create mode 100644 
docs/queries/openapi-queries/c254adc4-ef25-46e1-8270-b7944adb4198.md create mode 100644 docs/queries/openapi-queries/c38d630d-a415-4e3e-bac2-65475979ba88.md create mode 100644 docs/queries/openapi-queries/c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md create mode 100644 docs/queries/openapi-queries/c5bb7461-aa57-470b-a714-3bc3d74f4669.md create mode 100644 docs/queries/openapi-queries/c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md create mode 100644 docs/queries/openapi-queries/ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md create mode 100644 docs/queries/openapi-queries/cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md create mode 100644 docs/queries/openapi-queries/ceefb058-8065-418f-9c4c-584a78c7e104.md create mode 100644 docs/queries/openapi-queries/cf4a5f45-a27b-49df-843a-9911dbfe71d4.md create mode 100644 docs/queries/openapi-queries/d15db953-a553-4b8a-9a14-a3d62ea3d79d.md create mode 100644 docs/queries/openapi-queries/d172a060-8569-4412-8045-3560ebd477e8.md create mode 100644 docs/queries/openapi-queries/d2361d58-361c-49f0-9e50-b957fd608b29.md create mode 100644 docs/queries/openapi-queries/d3ea644a-9a5c-4fee-941f-f8a6786c0470.md create mode 100644 docs/queries/openapi-queries/d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md create mode 100644 docs/queries/openapi-queries/d47940ca-5970-45cc-bdd1-4d81398cee1f.md create mode 100644 docs/queries/openapi-queries/d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md create mode 100644 docs/queries/openapi-queries/d674aea4-ba8b-454b-bb97-88a772ea33f0.md create mode 100644 docs/queries/openapi-queries/d86655c0-92f6-4ffc-b4d5-5b5775804c27.md create mode 100644 docs/queries/openapi-queries/d90d4e40-44c1-4125-87a0-e072c3e195b5.md create mode 100644 docs/queries/openapi-queries/d929c031-078f-4241-b802-e224656ad890.md create mode 100644 docs/queries/openapi-queries/dadc2f36-1f5a-46c0-8289-75e626583123.md create mode 100644 docs/queries/openapi-queries/e2ffa504-d22a-4c94-b6c5-f661849d2db7.md create mode 100644 
docs/queries/openapi-queries/e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md create mode 100644 docs/queries/openapi-queries/e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md create mode 100644 docs/queries/openapi-queries/e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md create mode 100644 docs/queries/openapi-queries/eb3f9744-d24e-4614-b1ff-2a9514eca21c.md create mode 100644 docs/queries/openapi-queries/ed48229d-d43e-4da7-b453-5f98d964a57a.md create mode 100644 docs/queries/openapi-queries/f2702af5-6016-46cb-bbc8-84c766032095.md create mode 100644 docs/queries/openapi-queries/f29904c8-6041-4bca-b043-dfa0546b8079.md create mode 100644 docs/queries/openapi-queries/f30ee711-0082-4480-85ab-31d922d9a2b2.md create mode 100644 docs/queries/openapi-queries/f368dd2d-9344-4146-a05b-7c6faa1269ad.md create mode 100644 docs/queries/openapi-queries/f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md create mode 100644 docs/queries/openapi-queries/f525cc92-9050-4c41-a75c-890dc6f64449.md create mode 100644 docs/queries/openapi-queries/f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md create mode 100644 docs/queries/openapi-queries/f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md create mode 100644 docs/queries/openapi-queries/f985a7d2-d404-4a7f-9814-f645f791e46e.md create mode 100644 docs/queries/openapi-queries/fb7d81e7-4150-48c4-b914-92fc05da6a2f.md create mode 100644 docs/queries/openapi-queries/fb889ae9-2d16-40b5-b41f-9da716c5abc1.md create mode 100644 docs/queries/openapi-queries/fbf699b5-ef74-4542-9cf1-f6eeac379373.md create mode 100644 docs/queries/pulumi-queries/95588189-1abd-4df1-9588-b0a5034f9e87.md create mode 100644 docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md create mode 100644 docs/queries/pulumi-queries/aws/9850d621-7485-44f7-8bdd-b3cf426315cf.md create mode 100644 docs/queries/pulumi-queries/aws/9b18fc19-7fb8-49b1-8452-9c757c70f926.md create mode 100644 docs/queries/pulumi-queries/aws/b6a7e0ae-aed8-4a19-a993-a95760bf8836.md create mode 100644 
docs/queries/pulumi-queries/aws/bf4b48b9-fc1f-4552-984a-4becdb5bf503.md create mode 100644 docs/queries/pulumi-queries/aws/d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md create mode 100644 docs/queries/pulumi-queries/aws/daa581ef-731c-4121-832d-cf078f67759d.md create mode 100644 docs/queries/pulumi-queries/aws/de92dd34-1b88-43e8-b825-6e02d73c4549.md create mode 100644 docs/queries/pulumi-queries/aws/e93bbe63-a631-4c0f-b6ef-700d48441ff2.md create mode 100644 docs/queries/pulumi-queries/aws/f27791a5-e2ae-4905-8910-6f995c576d09.md create mode 100644 docs/queries/pulumi-queries/azure/49e30ac8-f58e-4222-b488-3dcb90158ec1.md create mode 100644 docs/queries/pulumi-queries/azure/cb8e4bf0-903d-45c6-a278-9a947d82a27b.md create mode 100644 docs/queries/pulumi-queries/ee305555-6b1d-4055-94cf-e22131143c34.md create mode 100644 docs/queries/pulumi-queries/gcp/48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md create mode 100644 docs/queries/pulumi-queries/gcp/965e8830-2bec-4b9b-a7f0-24dbc200a68f.md create mode 100644 docs/queries/serverlessfw-queries/0d7ef70f-e176-44e6-bdba-add3e429788d.md create mode 100644 docs/queries/serverlessfw-queries/165aae3b-a56a-48f3-b76d-d2b5083f5b8f.md create mode 100644 docs/queries/serverlessfw-queries/434945e5-4dfd-41b1-aba1-47075ccd9265.md create mode 100644 docs/queries/serverlessfw-queries/4495bc5d-4d1e-4a26-ae92-152d18195648.md create mode 100644 docs/queries/serverlessfw-queries/4d424558-c6d1-453c-be98-9a7f877abd9a.md create mode 100644 docs/queries/serverlessfw-queries/59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd.md create mode 100644 docs/queries/serverlessfw-queries/a4d32883-aac7-42e1-b403-9415af0f3846.md create mode 100644 docs/queries/serverlessfw-queries/d5d1fe08-89db-440c-8725-b93223387309.md create mode 100644 docs/queries/serverlessfw-queries/dec7bc85-d156-4f64-9a33-96ed3d9f3fed.md create mode 100644 docs/queries/serverlessfw-queries/f99d3482-fa8c-4f79-bad9-35212dded164.md create mode 100644 
docs/queries/terraform-queries/07fc3413-e572-42f7-9877-5c8fc6fccfb5.md create mode 100644 docs/queries/terraform-queries/0ad60203-c050-4115-83b6-b94bde92541d.md create mode 100644 docs/queries/terraform-queries/15d8a7fd-465a-4d15-a868-add86552f17b.md create mode 100644 docs/queries/terraform-queries/17172bc2-56fb-4f17-916f-a014147706cd.md create mode 100644 docs/queries/terraform-queries/17e52ca3-ddd0-4610-9d56-ce107442e110.md create mode 100644 docs/queries/terraform-queries/21719347-d02b-497d-bda4-04a03c8e5b61.md create mode 100644 docs/queries/terraform-queries/21cef75f-289f-470e-8038-c7cee0664164.md create mode 100644 docs/queries/terraform-queries/228c4c19-feeb-4c18-848c-800ac70fdfb7.md create mode 100644 docs/queries/terraform-queries/24b132df-5cc7-4823-8029-f898e1c50b72.md create mode 100644 docs/queries/terraform-queries/26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md create mode 100644 docs/queries/terraform-queries/2a52567c-abb8-4651-a038-52fa27c77aed.md create mode 100644 docs/queries/terraform-queries/2acb555f-f4ad-4b1b-b984-84e6588f4b05.md create mode 100644 docs/queries/terraform-queries/2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md create mode 100644 docs/queries/terraform-queries/3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md create mode 100644 docs/queries/terraform-queries/3f55386d-75cd-4e9a-ac47-167b26c04724.md create mode 100644 docs/queries/terraform-queries/420e6360-47bb-46f6-9072-b20ed22c842d.md create mode 100644 docs/queries/terraform-queries/455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md create mode 100644 docs/queries/terraform-queries/461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md create mode 100644 docs/queries/terraform-queries/48388bd2-7201-4dcc-b56d-e8a9efa58fad.md create mode 100644 docs/queries/terraform-queries/4950837c-0ce5-4e42-9bee-a25eae73740b.md create mode 100644 docs/queries/terraform-queries/4c415497-7410-4559-90e8-f2c8ac64ee38.md create mode 100644 docs/queries/terraform-queries/4e203a65-c8d8-49a2-b749-b124d43c9dc1.md create mode 100644 
docs/queries/terraform-queries/4e74cf4f-ff65-4c1a-885c-67ab608206ce.md create mode 100644 docs/queries/terraform-queries/51bed0ac-a8ae-407a-895e-90c6cb0610ce.md create mode 100644 docs/queries/terraform-queries/522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md create mode 100644 docs/queries/terraform-queries/577ac19c-6a77-46d7-9f14-e049cdd15ec2.md create mode 100644 docs/queries/terraform-queries/587d5d82-70cf-449b-9817-f60f9bccb88c.md create mode 100644 docs/queries/terraform-queries/58876b44-a690-4e9f-9214-7735fa0dd15d.md create mode 100644 docs/queries/terraform-queries/5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md create mode 100644 docs/queries/terraform-queries/5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md create mode 100644 docs/queries/terraform-queries/5f4735ce-b9ba-4d95-a089-a37a767b716f.md create mode 100644 docs/queries/terraform-queries/60af03ff-a421-45c8-b214-6741035476fa.md create mode 100644 docs/queries/terraform-queries/6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md create mode 100644 docs/queries/terraform-queries/7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md create mode 100644 docs/queries/terraform-queries/737a0dd9-0aaa-4145-8118-f01778262b8a.md create mode 100644 docs/queries/terraform-queries/826abb30-3cd5-4e0b-a93b-67729b4f7e63.md create mode 100644 docs/queries/terraform-queries/8657197e-3f87-4694-892b-8144701d83c1.md create mode 100644 docs/queries/terraform-queries/86a947ea-f577-4efb-a8b0-5fc00257d521.md create mode 100644 docs/queries/terraform-queries/87065ef8-de9b-40d8-9753-f4a4303e27a4.md create mode 100644 docs/queries/terraform-queries/9aa32890-ac1a-45ee-81ca-5164e2098556.md create mode 100644 docs/queries/terraform-queries/a05331ee-1653-45cb-91e6-13637a76e4f0.md create mode 100644 docs/queries/terraform-queries/a62a99d1-8196-432f-8f80-3c100b05d62a.md create mode 100644 docs/queries/terraform-queries/a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md create mode 100644 docs/queries/terraform-queries/a737be28-37d8-4bff-aa6d-1be8aa0a0015.md create mode 100644 
docs/queries/terraform-queries/a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md create mode 100644 docs/queries/terraform-queries/a9a13d4f-f17a-491b-b074-f54bffffcb4a.md create mode 100644 docs/queries/terraform-queries/aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md create mode 100644 docs/queries/terraform-queries/abcb818b-5af7-4d72-aba9-6dd84956b451.md create mode 100644 docs/queries/terraform-queries/ac1564a3-c324-4747-9fa1-9dfc234dace0.md create mode 100644 docs/queries/terraform-queries/ad69e38a-d92e-4357-a8da-f2f29d545883.md create mode 100644 docs/queries/terraform-queries/alicloud/05db341e-de7d-4972-a106-3e2bd5ee53e1.md create mode 100644 docs/queries/terraform-queries/alicloud/063234c0-91c0-4ab5-bbd0-47ddb5f23786.md create mode 100644 docs/queries/terraform-queries/alicloud/140869ea-25f2-40d4-a595-0c0da135114e.md create mode 100644 docs/queries/terraform-queries/alicloud/1455cb21-1d48-46d6-8ae3-cef911b71fd5.md create mode 100644 docs/queries/terraform-queries/alicloud/1b4565c0-4877-49ac-ab03-adebbccd42ae.md create mode 100644 docs/queries/terraform-queries/alicloud/1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md create mode 100644 docs/queries/terraform-queries/alicloud/2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md create mode 100644 docs/queries/terraform-queries/alicloud/2b13c6ff-b87a-484d-86fd-21ef6e97d426.md create mode 100644 docs/queries/terraform-queries/alicloud/2bb13841-7575-439e-8e0a-cccd9ede2fa8.md create mode 100644 docs/queries/terraform-queries/alicloud/39750e32-3fe9-453b-8c33-dd277acdb2cc.md create mode 100644 docs/queries/terraform-queries/alicloud/41a38329-d81b-4be4-aef4-55b2615d3282.md create mode 100644 docs/queries/terraform-queries/alicloud/44d434ca-a9bf-4203-8828-4c81a8d5a598.md create mode 100644 docs/queries/terraform-queries/alicloud/4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md create mode 100644 docs/queries/terraform-queries/alicloud/5e0fb613-ba9b-44c3-88f0-b44188466bfd.md create mode 100644 
docs/queries/terraform-queries/alicloud/5f670f9d-b1b4-4c90-8618-2288f1ab9676.md create mode 100644 docs/queries/terraform-queries/alicloud/60587dbd-6b67-432e-90f7-a8cf1892d968.md create mode 100644 docs/queries/terraform-queries/alicloud/6107c530-7178-464a-88bc-df9cdd364ac8.md create mode 100644 docs/queries/terraform-queries/alicloud/62232513-b16f-4010-83d7-51d0e1d45426.md create mode 100644 docs/queries/terraform-queries/alicloud/66505003-7aba-45a1-8d83-5162d5706ef5.md create mode 100644 docs/queries/terraform-queries/alicloud/67bfdff1-31ce-4525-b564-e94368735360.md create mode 100644 docs/queries/terraform-queries/alicloud/69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md create mode 100644 docs/queries/terraform-queries/alicloud/70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md create mode 100644 docs/queries/terraform-queries/alicloud/72ceb736-0aee-43ea-a191-3a69ab135681.md create mode 100644 docs/queries/terraform-queries/alicloud/7a1ee8a9-71be-4b11-bb70-efb62d16863b.md create mode 100644 docs/queries/terraform-queries/alicloud/7db8bd7e-9772-478c-9ec5-4bc202c5686f.md create mode 100644 docs/queries/terraform-queries/alicloud/81ce9394-013d-4731-8fcc-9d229b474073.md create mode 100644 docs/queries/terraform-queries/alicloud/88541597-6f88-42c8-bac6-7e0b855e8ff6.md create mode 100644 docs/queries/terraform-queries/alicloud/89143358-cec6-49f5-9392-920c591c669c.md create mode 100644 docs/queries/terraform-queries/alicloud/8c0695d8-2378-4cd6-8243-7fd5894fa574.md create mode 100644 docs/queries/terraform-queries/alicloud/8f98334a-99aa-4d85-b72a-1399ca010413.md create mode 100644 docs/queries/terraform-queries/alicloud/9ef08939-ea40-489c-8851-667870b2ef50.md create mode 100644 docs/queries/terraform-queries/alicloud/a597e05a-c065-44e7-9cc8-742f572a504a.md create mode 100644 docs/queries/terraform-queries/alicloud/a8128dd2-89b0-464b-98e9-5d629041dfe0.md create mode 100644 docs/queries/terraform-queries/alicloud/a9dfec39-a740-4105-bbd6-721ba163c053.md create mode 100644 
docs/queries/terraform-queries/alicloud/b9b7ada8-3868-4a35-854e-6100a2bb863d.md create mode 100644 docs/queries/terraform-queries/alicloud/b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md create mode 100644 docs/queries/terraform-queries/alicloud/c01d10de-c468-4790-b3a0-fc887a56f289.md create mode 100644 docs/queries/terraform-queries/alicloud/c065b98e-1515-4991-9dca-b602bd6a2fbb.md create mode 100644 docs/queries/terraform-queries/alicloud/cb319d87-b90f-485e-a7e7-f2408380f309.md create mode 100644 docs/queries/terraform-queries/alicloud/d2731f3d-a992-44ed-812e-f4f1c2747d71.md create mode 100644 docs/queries/terraform-queries/alicloud/d53f4123-f8d8-4224-8cb3-f920b151cc98.md create mode 100644 docs/queries/terraform-queries/alicloud/dbfc834a-56e5-4750-b5da-73fda8e73f70.md create mode 100644 docs/queries/terraform-queries/alicloud/dc158941-28ce-481d-a7fa-dc80761edf46.md create mode 100644 docs/queries/terraform-queries/alicloud/dcda2d32-e482-43ee-a926-75eaabeaa4e0.md create mode 100644 docs/queries/terraform-queries/alicloud/dd706080-b7a8-47dc-81fb-3e8184430ec0.md create mode 100644 docs/queries/terraform-queries/alicloud/e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md create mode 100644 docs/queries/terraform-queries/alicloud/e8e62026-da63-4904-b402-65adfe3ca975.md create mode 100644 docs/queries/terraform-queries/alicloud/ec62a32c-a297-41ca-a850-cab40b42094a.md create mode 100644 docs/queries/terraform-queries/alicloud/ed6cf6ff-9a1f-491c-9f88-e03c0807f390.md create mode 100644 docs/queries/terraform-queries/alicloud/ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md create mode 100644 docs/queries/terraform-queries/alicloud/ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md create mode 100644 docs/queries/terraform-queries/alicloud/f20e97f9-4919-43f1-9be9-f203cd339cdd.md create mode 100644 docs/queries/terraform-queries/alicloud/f262118c-1ac6-4bb3-8495-cc48f1775b85.md create mode 100644 docs/queries/terraform-queries/alicloud/faaefc15-51a5-419e-bb5e-51a4b5ab3485.md create mode 100644 
docs/queries/terraform-queries/alicloud/fe286195-e75c-4359-bd58-00847c4f855a.md create mode 100644 docs/queries/terraform-queries/aws/00e5e55e-c2ff-46b3-a757-a7a1cd802456.md create mode 100644 docs/queries/terraform-queries/aws/01d50b14-e933-4c99-b314-6d08cd37ad35.md create mode 100644 docs/queries/terraform-queries/aws/034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md create mode 100644 docs/queries/terraform-queries/aws/04c686f1-e0cd-4812-88e1-4e038410074c.md create mode 100644 docs/queries/terraform-queries/aws/051f2063-2517-4295-ad8e-ba88c1bf5cfc.md create mode 100644 docs/queries/terraform-queries/aws/081069cb-588b-4ce1-884c-2a1ce3029fe5.md create mode 100644 docs/queries/terraform-queries/aws/084c6686-2a70-4710-91b1-000393e54c12.md create mode 100644 docs/queries/terraform-queries/aws/08bd0760-8752-44e1-9779-7bb369b2b4e4.md create mode 100644 docs/queries/terraform-queries/aws/09c35abf-5852-4622-ac7a-b987b331232e.md create mode 100644 docs/queries/terraform-queries/aws/0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3.md create mode 100644 docs/queries/terraform-queries/aws/0a592060-8166-49f5-8e65-99ac6dce9871.md create mode 100644 docs/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md create mode 100644 docs/queries/terraform-queries/aws/0a96ce49-4163-4ee6-8169-eb3b0797d694.md create mode 100644 docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md create mode 100644 docs/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879.md create mode 100644 docs/queries/terraform-queries/aws/0b4869fc-a842-4597-aa00-1294df425440.md create mode 100644 docs/queries/terraform-queries/aws/0b530315-0ea4-497f-b34c-4ff86268f59d.md create mode 100644 docs/queries/terraform-queries/aws/0b93729a-d882-4803-bdc3-ac429a21f158.md create mode 100644 docs/queries/terraform-queries/aws/0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md create mode 100644 docs/queries/terraform-queries/aws/0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md create mode 100644 
docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md create mode 100644 docs/queries/terraform-queries/aws/0e32d561-4b5a-4664-a6e3-a3fa85649157.md create mode 100644 docs/queries/terraform-queries/aws/0e59d33e-bba2-4037-8f88-9765647ca7ad.md create mode 100644 docs/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480.md create mode 100644 docs/queries/terraform-queries/aws/0fd7d920-4711-46bd-aff2-d307d82cd8b7.md create mode 100644 docs/queries/terraform-queries/aws/113208f2-a886-4526-9ecc-f3218600e12c.md create mode 100644 docs/queries/terraform-queries/aws/118281d0-6471-422e-a7c5-051bc667926e.md create mode 100644 docs/queries/terraform-queries/aws/126c1788-23c2-4a10-906c-ef179f4f96ec.md create mode 100644 docs/queries/terraform-queries/aws/12933609-c5bf-44b4-9a41-a6467c3b685b.md create mode 100644 docs/queries/terraform-queries/aws/12b7e704-37f0-4d1e-911a-44bf60c48c21.md create mode 100644 docs/queries/terraform-queries/aws/132a8c31-9837-4203-9fd1-15ca210c7b73.md create mode 100644 docs/queries/terraform-queries/aws/1402afd8-a95c-4e84-8b0b-6fb43758e6ce.md create mode 100644 docs/queries/terraform-queries/aws/1419b4c6-6d5c-4534-9cf6-6a5266085333.md create mode 100644 docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md create mode 100644 docs/queries/terraform-queries/aws/15ccec05-5476-4890-ad19-53991eba1db8.md create mode 100644 docs/queries/terraform-queries/aws/15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md create mode 100644 docs/queries/terraform-queries/aws/15ffbacc-fa42-4f6f-a57d-2feac7365caa.md create mode 100644 docs/queries/terraform-queries/aws/16c4216a-50d3-4785-bfb2-4adb5144a8ba.md create mode 100644 docs/queries/terraform-queries/aws/1743f5f1-0bb0-4934-acef-c80baa5dadfa.md create mode 100644 docs/queries/terraform-queries/aws/17b30f8f-8dfb-4597-adf6-57600b6cf25e.md create mode 100644 docs/queries/terraform-queries/aws/19ffbe31-9d72-4379-9768-431195eae328.md create mode 100644 
docs/queries/terraform-queries/aws/1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md create mode 100644 docs/queries/terraform-queries/aws/1afbb3fa-cf6c-4a3d-b730-95e9f4df343e.md create mode 100644 docs/queries/terraform-queries/aws/1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md create mode 100644 docs/queries/terraform-queries/aws/1b6799eb-4a7a-4b04-9001-8cceb9999326.md create mode 100644 docs/queries/terraform-queries/aws/1bc1c685-e593-450e-88fb-19db4c82aa1d.md create mode 100644 docs/queries/terraform-queries/aws/1bc367f6-901d-4870-ad0c-71d79762ef52.md create mode 100644 docs/queries/terraform-queries/aws/1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md create mode 100644 docs/queries/terraform-queries/aws/1df37f4b-7197-45ce-83f8-9994d2fcf885.md create mode 100644 docs/queries/terraform-queries/aws/1e0ef61b-ad85-4518-a3d3-85eaad164885.md create mode 100644 docs/queries/terraform-queries/aws/1ec253ab-c220-4d63-b2de-5b40e0af9293.md create mode 100644 docs/queries/terraform-queries/aws/20018359-6fd7-4d05-ab26-d4dffccbdf79.md create mode 100644 docs/queries/terraform-queries/aws/2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md create mode 100644 docs/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216.md create mode 100644 docs/queries/terraform-queries/aws/22fbfeac-7b5a-421a-8a27-7a2178bb910b.md create mode 100644 docs/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6.md create mode 100644 docs/queries/terraform-queries/aws/23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md create mode 100644 docs/queries/terraform-queries/aws/24e16922-4330-4e9d-be8a-caa90299466a.md create mode 100644 docs/queries/terraform-queries/aws/254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md create mode 100644 docs/queries/terraform-queries/aws/25d251f3-f348-4f95-845c-1090e41a615c.md create mode 100644 docs/queries/terraform-queries/aws/25db74bf-fa3b-44da-934e-8c3e005c0453.md create mode 100644 docs/queries/terraform-queries/aws/27c6a499-895a-4dc7-9617-5c485218db13.md create mode 100644 
docs/queries/terraform-queries/aws/28545147-2fc6-42d5-a1f9-cf226658e591.md create mode 100644 docs/queries/terraform-queries/aws/2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md create mode 100644 docs/queries/terraform-queries/aws/2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md create mode 100644 docs/queries/terraform-queries/aws/2f01fb2d-828a-499d-b98e-b83747305052.md create mode 100644 docs/queries/terraform-queries/aws/2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md create mode 100644 docs/queries/terraform-queries/aws/2f56b7ab-7fba-4e93-82f0-247e5ddeb239.md create mode 100644 docs/queries/terraform-queries/aws/2f737336-b18a-4602-8ea0-b200312e1ac1.md create mode 100644 docs/queries/terraform-queries/aws/30b88745-eebe-4ecb-a3a9-5cf886e96204.md create mode 100644 docs/queries/terraform-queries/aws/31245f98-a6a9-4182-9fc1-45482b9d030a.md create mode 100644 docs/queries/terraform-queries/aws/3199c26c-7871-4cb3-99c2-10a59244ce7f.md create mode 100644 docs/queries/terraform-queries/aws/3206240f-2e87-4e58-8d24-3e19e7c83d7c.md create mode 100644 docs/queries/terraform-queries/aws/33627268-1445-4385-988a-318fd9d1a512.md create mode 100644 docs/queries/terraform-queries/aws/34b921bd-90a0-402e-a0a5-dc73371fd963.md create mode 100644 docs/queries/terraform-queries/aws/35113e6f-2c6b-414d-beec-7a9482d3b2d1.md create mode 100644 docs/queries/terraform-queries/aws/3561130e-9c5f-485b-9e16-2764c82763e5.md create mode 100644 docs/queries/terraform-queries/aws/35ccf766-0e4d-41ed-9ec4-2dab155082b4.md create mode 100644 docs/queries/terraform-queries/aws/37304d3f-f852-40b8-ae3f-725e87a7cedf.md create mode 100644 docs/queries/terraform-queries/aws/381c3f2a-ef6f-4eff-99f7-b169cda3422c.md create mode 100644 docs/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3.md create mode 100644 docs/queries/terraform-queries/aws/38c5ee0d-7f22-4260-ab72-5073048df100.md create mode 100644 docs/queries/terraform-queries/aws/3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md create mode 100644 
docs/queries/terraform-queries/aws/3af7f2fd-06e6-4dab-b996-2912bea19ba4.md create mode 100644 docs/queries/terraform-queries/aws/3b6d777b-76e3-4133-80a3-0d6f667ade7f.md create mode 100644 docs/queries/terraform-queries/aws/3d3f6270-546b-443c-adb4-bb6fb2187ca6.md create mode 100644 docs/queries/terraform-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702.md create mode 100644 docs/queries/terraform-queries/aws/3dd96caa-0b5f-4a85-b929-acfac4646cc2.md create mode 100644 docs/queries/terraform-queries/aws/3ddfa124-6407-4845-a501-179f90c65097.md create mode 100644 docs/queries/terraform-queries/aws/3deec14b-03d2-4d27-9670-7d79322e3340.md create mode 100644 docs/queries/terraform-queries/aws/3ef8696c-e4ae-4872-92c7-520bb44dfe77.md create mode 100644 docs/queries/terraform-queries/aws/4003118b-046b-4640-b200-b8c7a4c8b89f.md create mode 100644 docs/queries/terraform-queries/aws/41abc6cc-dde1-4217-83d3-fb5f0cc09d8f.md create mode 100644 docs/queries/terraform-queries/aws/42bb6b7f-6d54-4428-b707-666f669d94fb.md create mode 100644 docs/queries/terraform-queries/aws/42f4b905-3736-4213-bfe9-c0660518cda8.md create mode 100644 docs/queries/terraform-queries/aws/43a41523-386a-4cb1-becb-42af6b414433.md create mode 100644 docs/queries/terraform-queries/aws/443488f5-c734-460b-a36d-5b3f330174dc.md create mode 100644 docs/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933.md create mode 100644 docs/queries/terraform-queries/aws/45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md create mode 100644 docs/queries/terraform-queries/aws/46883ce1-dc3e-4b17-9195-c6a601624c73.md create mode 100644 docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md create mode 100644 docs/queries/terraform-queries/aws/4766d3ea-241c-4ee6-93ff-c380c996bd1a.md create mode 100644 docs/queries/terraform-queries/aws/48207659-729f-4b5c-9402-f884257d794f.md create mode 100644 docs/queries/terraform-queries/aws/482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md create mode 100644 
docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md create mode 100644 docs/queries/terraform-queries/aws/4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md create mode 100644 docs/queries/terraform-queries/aws/4bb76f17-3d63-4529-bdca-2b454529d774.md create mode 100644 docs/queries/terraform-queries/aws/4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md create mode 100644 docs/queries/terraform-queries/aws/4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md create mode 100644 docs/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md create mode 100644 docs/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5.md create mode 100644 docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md create mode 100644 docs/queries/terraform-queries/aws/4de9de27-254e-424f-bd70-4c1e95790838.md create mode 100644 docs/queries/terraform-queries/aws/4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md create mode 100644 docs/queries/terraform-queries/aws/4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md create mode 100644 docs/queries/terraform-queries/aws/4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md create mode 100644 docs/queries/terraform-queries/aws/4fa66806-0dd9-4f8d-9480-3174d39c7c91.md create mode 100644 docs/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md create mode 100644 docs/queries/terraform-queries/aws/52ffcfa6-6c70-4ea6-8376-d828d3961669.md create mode 100644 docs/queries/terraform-queries/aws/54229498-850b-4f78-b3a7-218d24ef2c37.md create mode 100644 docs/queries/terraform-queries/aws/54378d69-dd7c-4b08-a43e-80d563396857.md create mode 100644 docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md create mode 100644 docs/queries/terraform-queries/aws/55af1353-2f62-4fa0-a8e1-a210ca2708f5.md create mode 100644 docs/queries/terraform-queries/aws/568a4d22-3517-44a6-a7ad-6a7eed88722c.md create mode 100644 docs/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf.md create mode 100644 
docs/queries/terraform-queries/aws/56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md create mode 100644 docs/queries/terraform-queries/aws/571254d8-aa6a-432e-9725-535d3ef04d69.md create mode 100644 docs/queries/terraform-queries/aws/575a2155-6af1-4026-b1af-d5bc8fe2a904.md create mode 100644 docs/queries/terraform-queries/aws/57b9893d-33b1-4419-bcea-a717ea87e139.md create mode 100644 docs/queries/terraform-queries/aws/5813ef56-fa94-406a-b35d-977d4a56ff2b.md create mode 100644 docs/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919.md create mode 100644 docs/queries/terraform-queries/aws/58b35504-0287-4154-bf69-02c0573deab8.md create mode 100644 docs/queries/terraform-queries/aws/590d878b-abdc-428f-895a-e2b68a0e1998.md create mode 100644 docs/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce.md create mode 100644 docs/queries/terraform-queries/aws/5b4d4aee-ac94-4810-9611-833636e5916d.md create mode 100644 docs/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f.md create mode 100644 docs/queries/terraform-queries/aws/5ba6229c-8057-433e-91d0-21cf13569ca9.md create mode 100644 docs/queries/terraform-queries/aws/5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md create mode 100644 docs/queries/terraform-queries/aws/5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md create mode 100644 docs/queries/terraform-queries/aws/5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md create mode 100644 docs/queries/terraform-queries/aws/5d9e3164-9265-470c-9a10-57ae454ac0c7.md create mode 100644 docs/queries/terraform-queries/aws/5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md create mode 100644 docs/queries/terraform-queries/aws/5fb49a69-8d46-4495-a2f8-9c8c622b2b6e.md create mode 100644 docs/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766.md create mode 100644 docs/queries/terraform-queries/aws/60263b4a-6801-4587-911d-919c37ed733b.md create mode 100644 docs/queries/terraform-queries/aws/61cf9883-1752-4768-b18c-0d57f2737709.md create mode 100644 
docs/queries/terraform-queries/aws/625abc0e-f980-4ac9-a775-f7519ee34296.md create mode 100644 docs/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md create mode 100644 docs/queries/terraform-queries/aws/64a222aa-7793-4e40-915f-4b302c76e4d4.md create mode 100644 docs/queries/terraform-queries/aws/656880aa-1388-488f-a6d4-8f73c23149b2.md create mode 100644 docs/queries/terraform-queries/aws/65905cec-d691-4320-b320-2000436cb696.md create mode 100644 docs/queries/terraform-queries/aws/66c6f96f-2d9e-417e-a998-9058aeeecd44.md create mode 100644 docs/queries/terraform-queries/aws/66cd88ac-9ddf-424a-b77e-e55e17630bee.md create mode 100644 docs/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df.md create mode 100644 docs/queries/terraform-queries/aws/671211c5-5d2a-4e97-8867-30fc28b02216.md create mode 100644 docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md create mode 100644 docs/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md create mode 100644 docs/queries/terraform-queries/aws/69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md create mode 100644 docs/queries/terraform-queries/aws/6b2739db-9c49-4db7-b980-7816e0c248c1.md create mode 100644 docs/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md create mode 100644 docs/queries/terraform-queries/aws/6d23d87e-1c5b-4308-b224-92624300f29b.md create mode 100644 docs/queries/terraform-queries/aws/6db03a91-f933-4f13-ab38-a8b87a7de54d.md create mode 100644 docs/queries/terraform-queries/aws/6db52fa6-d4da-4608-908a-89f0c59e743e.md create mode 100644 docs/queries/terraform-queries/aws/6deb34e2-5d9c-499a-801b-ea6d9eda894f.md create mode 100644 docs/queries/terraform-queries/aws/6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md create mode 100644 docs/queries/terraform-queries/aws/6e3fd2ed-5c83-4c68-9679-7700d224d379.md create mode 100644 docs/queries/terraform-queries/aws/6e8849c1-3aa7-40e3-9063-b85ee300f29f.md create mode 100644 
docs/queries/terraform-queries/aws/704dadd3-54fc-48ac-b6a0-02f170011473.md create mode 100644 docs/queries/terraform-queries/aws/7081f85c-b94d-40fd-8b45-a4f1cac75e46.md create mode 100644 docs/queries/terraform-queries/aws/70b42736-efee-4bce-80d5-50358ed94990.md create mode 100644 docs/queries/terraform-queries/aws/70cb518c-d990-46f6-bc05-44a5041493d6.md create mode 100644 docs/queries/terraform-queries/aws/730675f9-52ed-49b6-8ead-0acb5dd7df7f.md create mode 100644 docs/queries/terraform-queries/aws/7350fa23-dcf7-4938-916d-6a60b0c73b50.md create mode 100644 docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md create mode 100644 docs/queries/terraform-queries/aws/75ec6890-83af-4bf1-9f16-e83726df0bd0.md create mode 100644 docs/queries/terraform-queries/aws/76976de7-c7b1-4f64-a94f-90c1345914c2.md create mode 100644 docs/queries/terraform-queries/aws/7782d4b3-e23e-432b-9742-d9528432e771.md create mode 100644 docs/queries/terraform-queries/aws/78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md create mode 100644 docs/queries/terraform-queries/aws/7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md create mode 100644 docs/queries/terraform-queries/aws/7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md create mode 100644 docs/queries/terraform-queries/aws/7af43613-6bb9-4a0e-8c4d-1314b799425e.md create mode 100644 docs/queries/terraform-queries/aws/7c96920c-6fd0-449d-9a52-0aa431b6beaf.md create mode 100644 docs/queries/terraform-queries/aws/7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md create mode 100644 docs/queries/terraform-queries/aws/7dbba512-e244-42dc-98bb-422339827967.md create mode 100644 docs/queries/terraform-queries/aws/7e4a6e76-568d-43ef-8c4e-36dea481bff1.md create mode 100644 docs/queries/terraform-queries/aws/7ebc9038-0bde-479a-acc4-6ed7b6758899.md create mode 100644 docs/queries/terraform-queries/aws/8055dec2-efb8-4fe6-8837-d9bed6ff202a.md create mode 100644 docs/queries/terraform-queries/aws/8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md create mode 100644 
docs/queries/terraform-queries/aws/816ea8cf-d589-442d-a917-2dd0ce0e45e3.md create mode 100644 docs/queries/terraform-queries/aws/8173d5eb-96b5-4aa6-a71b-ecfa153c123d.md create mode 100644 docs/queries/terraform-queries/aws/846646e3-2af1-428c-ac5d-271eccfa6faf.md create mode 100644 docs/queries/terraform-queries/aws/862fe4bf-3eec-4767-a517-40f378886b88.md create mode 100644 docs/queries/terraform-queries/aws/86571149-eef3-4280-a645-01e60df854b0.md create mode 100644 docs/queries/terraform-queries/aws/874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md create mode 100644 docs/queries/terraform-queries/aws/88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6.md create mode 100644 docs/queries/terraform-queries/aws/89561b03-cb35-44a9-a7e9-8356e71606f4.md create mode 100644 docs/queries/terraform-queries/aws/89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md create mode 100644 docs/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0.md create mode 100644 docs/queries/terraform-queries/aws/8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md create mode 100644 docs/queries/terraform-queries/aws/8bfbf7ab-d5e8-4100-8618-798956e101e0.md create mode 100644 docs/queries/terraform-queries/aws/8c849af7-a399-46f7-a34c-32d3dc96f1fc.md create mode 100644 docs/queries/terraform-queries/aws/8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md create mode 100644 docs/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505.md create mode 100644 docs/queries/terraform-queries/aws/8f3c16b3-354d-45db-8ad5-5066778a9485.md create mode 100644 docs/queries/terraform-queries/aws/8f75840d-9ee7-42f3-b203-b40e3979eb12.md create mode 100644 docs/queries/terraform-queries/aws/8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md create mode 100644 docs/queries/terraform-queries/aws/91bea7b8-0c31-4863-adc9-93f6177266c4.md create mode 100644 docs/queries/terraform-queries/aws/91f16d09-689e-4926-aca7-155157f634ed.md create mode 100644 docs/queries/terraform-queries/aws/92d65c51-5d82-4507-a2a1-d252e9706855.md create mode 100644 
docs/queries/terraform-queries/aws/92fe237e-074c-4262-81a4-2077acb928c1.md create mode 100644 docs/queries/terraform-queries/aws/94690d79-b3b0-43de-b656-84ebef5753e5.md create mode 100644 docs/queries/terraform-queries/aws/94fbe150-27e3-4eba-9ca6-af32865e4503.md create mode 100644 docs/queries/terraform-queries/aws/9630336b-3fed-4096-8173-b9afdfe346a7.md create mode 100644 docs/queries/terraform-queries/aws/967eb3e6-26fc-497d-8895-6428beb6e8e2.md create mode 100644 docs/queries/terraform-queries/aws/96e8183b-e985-457b-90cd-61c0503a3369.md create mode 100644 docs/queries/terraform-queries/aws/96ed3526-0179-4c73-b1b2-372fde2e0d13.md create mode 100644 docs/queries/terraform-queries/aws/970d224d-b42a-416b-81f9-8f4dfe70c4bc.md create mode 100644 docs/queries/terraform-queries/aws/970ed7a2-0aca-4425-acf1-0453c9ecbca1.md create mode 100644 docs/queries/terraform-queries/aws/97cb0688-369a-4d26-b1f7-86c4c91231bc.md create mode 100644 docs/queries/terraform-queries/aws/982aa526-6970-4c59-8b9b-2ce7e019fe36.md create mode 100644 docs/queries/terraform-queries/aws/98a8f708-121b-455b-ae2f-da3fb59d17e1.md create mode 100644 docs/queries/terraform-queries/aws/98d59056-f745-4ef5-8613-32bca8d40b7e.md create mode 100644 docs/queries/terraform-queries/aws/9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md create mode 100644 docs/queries/terraform-queries/aws/9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md create mode 100644 docs/queries/terraform-queries/aws/9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md create mode 100644 docs/queries/terraform-queries/aws/9b877bd8-94b4-4c10-a060-8e0436cc09fa.md create mode 100644 docs/queries/terraform-queries/aws/9ba198e0-fef4-464a-8a4d-75ea55300de7.md create mode 100644 docs/queries/terraform-queries/aws/9cf718ce-46f9-430e-89ec-c456f8b469ee.md create mode 100644 docs/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b.md create mode 100644 docs/queries/terraform-queries/aws/9ec311bf-dfd9-421f-8498-0b063c8bc552.md create mode 100644 
docs/queries/terraform-queries/aws/9ef7d25d-9764-4224-9968-fa321c56ef76.md create mode 100644 docs/queries/terraform-queries/aws/9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md create mode 100644 docs/queries/terraform-queries/aws/9f4a9409-9c60-4671-be96-9716dbf63db1.md create mode 100644 docs/queries/terraform-queries/aws/a186e82c-1078-4a7b-85d8-579561fde884.md create mode 100644 docs/queries/terraform-queries/aws/a20be318-cac7-457b-911d-04cc6e812c25.md create mode 100644 docs/queries/terraform-queries/aws/a2f548f2-188c-4fff-b172-e9a6acb216bd.md create mode 100644 docs/queries/terraform-queries/aws/a31a5a29-718a-4ff4-8001-a69e5e4d029e.md create mode 100644 docs/queries/terraform-queries/aws/a4966c4f-9141-48b8-a564-ffe9959945bc.md create mode 100644 docs/queries/terraform-queries/aws/a8fc2180-b3ac-4c93-bd0d-a55b974e4b07.md create mode 100644 docs/queries/terraform-queries/aws/abb06e5f-ef9a-4a99-98c6-376d396bfcdf.md create mode 100644 docs/queries/terraform-queries/aws/abdb29d4-5ca1-4e91-800b-b3569bbd788c.md create mode 100644 docs/queries/terraform-queries/aws/ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md create mode 100644 docs/queries/terraform-queries/aws/acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md create mode 100644 docs/queries/terraform-queries/aws/ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md create mode 100644 docs/queries/terraform-queries/aws/ad5b4e97-2850-4adf-be17-1d293e0b85ee.md create mode 100644 docs/queries/terraform-queries/aws/ad9dabc7-7839-4bae-a957-aa9120013f39.md create mode 100644 docs/queries/terraform-queries/aws/af173fde-95ea-4584-b904-bb3923ac4bda.md create mode 100644 docs/queries/terraform-queries/aws/afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md create mode 100644 docs/queries/terraform-queries/aws/b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md create mode 100644 docs/queries/terraform-queries/aws/b161c11b-a59b-4431-9a29-4e19f63e6b27.md create mode 100644 docs/queries/terraform-queries/aws/b1a72f66-2236-4f3b-87ba-0da1b366956f.md create mode 100644 
docs/queries/terraform-queries/aws/b1ffa705-19a3-4b73-b9d0-0c97d0663842.md create mode 100644 docs/queries/terraform-queries/aws/b2315cae-b110-4426-81e0-80bb8640cdd3.md create mode 100644 docs/queries/terraform-queries/aws/b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md create mode 100644 docs/queries/terraform-queries/aws/b3a41501-f712-4c4f-81e5-db9a7dc0e34e.md create mode 100644 docs/queries/terraform-queries/aws/b3a59b8e-94a3-403e-b6e2-527abaf12034.md create mode 100644 docs/queries/terraform-queries/aws/b4378389-a9aa-44ee-91e7-ef183f11079e.md create mode 100644 docs/queries/terraform-queries/aws/b5681959-6c09-4f55-b42b-c40fa12d03ec.md create mode 100644 docs/queries/terraform-queries/aws/b592ffd4-0577-44b6-bd35-8c5ee81b5918.md create mode 100644 docs/queries/terraform-queries/aws/b69247e5-7e73-464e-ba74-ec9b715c6e12.md create mode 100644 docs/queries/terraform-queries/aws/b72d0026-f649-4c91-a9ea-15d8f681ac09.md create mode 100644 docs/queries/terraform-queries/aws/b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md create mode 100644 docs/queries/terraform-queries/aws/b8a31292-509d-4b61-bc40-13b167db7e9c.md create mode 100644 docs/queries/terraform-queries/aws/b9033580-6886-401a-8631-5f19f5bb24c7.md create mode 100644 docs/queries/terraform-queries/aws/ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md create mode 100644 docs/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587.md create mode 100644 docs/queries/terraform-queries/aws/ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md create mode 100644 docs/queries/terraform-queries/aws/baecd2da-492a-4d59-b9dc-29540a1398e0.md create mode 100644 docs/queries/terraform-queries/aws/bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md create mode 100644 docs/queries/terraform-queries/aws/bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md create mode 100644 docs/queries/terraform-queries/aws/bc1f9009-84a0-490f-ae09-3e0ea6d74ad6.md create mode 100644 docs/queries/terraform-queries/aws/bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md create mode 100644 
docs/queries/terraform-queries/aws/bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md create mode 100644 docs/queries/terraform-queries/aws/bd0088a5-c133-4b20-b129-ec9968b16ef3.md create mode 100644 docs/queries/terraform-queries/aws/be2aa235-bd93-4b68-978a-1cc65d49082f.md create mode 100644 docs/queries/terraform-queries/aws/bf878b1a-7418-4de3-b13c-3a86cf894920.md create mode 100644 docs/queries/terraform-queries/aws/bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md create mode 100644 docs/queries/terraform-queries/aws/c0c1e744-0f37-445e-924a-1846f0839f69.md create mode 100644 docs/queries/terraform-queries/aws/c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md create mode 100644 docs/queries/terraform-queries/aws/c53c7a89-f9d7-4c7b-8b66-8a555be99593.md create mode 100644 docs/queries/terraform-queries/aws/c583f0f9-7dfd-476b-a056-f47c62b47b46.md create mode 100644 docs/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md create mode 100644 docs/queries/terraform-queries/aws/c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md create mode 100644 docs/queries/terraform-queries/aws/c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md create mode 100644 docs/queries/terraform-queries/aws/c999cf62-0920-40f8-8dda-0caccd66ed7e.md create mode 100644 docs/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md create mode 100644 docs/queries/terraform-queries/aws/cc997676-481b-4e93-aa81-d19f8c5e9b12.md create mode 100644 docs/queries/terraform-queries/aws/ce089fd4-1406-47bd-8aad-c259772bb294.md create mode 100644 docs/queries/terraform-queries/aws/ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md create mode 100644 docs/queries/terraform-queries/aws/ce60d060-efb8-4bfd-9cf7-ff8945d00d90.md create mode 100644 docs/queries/terraform-queries/aws/ce9dfce0-5fc8-433b-944a-3b16153111a8.md create mode 100644 docs/queries/terraform-queries/aws/cfdcabb0-fc06-427c-865b-c59f13e898ce.md create mode 100644 docs/queries/terraform-queries/aws/d0cc8694-fcad-43ff-ac86-32331d7e867f.md create mode 100644 
docs/queries/terraform-queries/aws/d1846b12-20c5-4d45-8798-fc35b79268eb.md create mode 100644 docs/queries/terraform-queries/aws/d24c0755-c028-44b1-b503-8e719c898832.md create mode 100644 docs/queries/terraform-queries/aws/d25edb51-07fb-4a73-97d4-41cecdc53a22.md create mode 100644 docs/queries/terraform-queries/aws/d364984a-a222-4b5f-a8b0-e23ab19ebff3.md create mode 100644 docs/queries/terraform-queries/aws/d40210ea-64b9-4cce-a4fb-e8604f3c062c.md create mode 100644 docs/queries/terraform-queries/aws/d6047119-a0b2-4b59-a4f2-127a36fb685b.md create mode 100644 docs/queries/terraform-queries/aws/d7b9d850-3e06-4a75-852f-c46c2e92240b.md create mode 100644 docs/queries/terraform-queries/aws/db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md create mode 100644 docs/queries/terraform-queries/aws/db78d14b-10e5-4e6e-84b1-dace6327b1ec.md create mode 100644 docs/queries/terraform-queries/aws/de7f5e83-da88-4046-871f-ea18504b1d43.md create mode 100644 docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md create mode 100644 docs/queries/terraform-queries/aws/e227091e-2228-4b40-b046-fc13650d8e88.md create mode 100644 docs/queries/terraform-queries/aws/e35c16a2-d54e-419d-8546-a804d8e024d0.md create mode 100644 docs/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md create mode 100644 docs/queries/terraform-queries/aws/e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md create mode 100644 docs/queries/terraform-queries/aws/e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md create mode 100644 docs/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370.md create mode 100644 docs/queries/terraform-queries/aws/e6b4b943-6883-47a9-9739-7ada9568f8ca.md create mode 100644 docs/queries/terraform-queries/aws/e7530c3c-b7cf-4149-8db9-d037a0b5268e.md create mode 100644 docs/queries/terraform-queries/aws/e77c89f6-9c85-49ea-b95b-5f960fe5be92.md create mode 100644 docs/queries/terraform-queries/aws/e86e26fc-489e-44f0-9bcd-97305e4ba69a.md create mode 100644 
docs/queries/terraform-queries/aws/e979fcbc-df6c-422d-9458-c33d65e71c45.md create mode 100644 docs/queries/terraform-queries/aws/e9b7acf9-9ba0-4837-a744-31e7df1e434d.md create mode 100644 docs/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d.md create mode 100644 docs/queries/terraform-queries/aws/eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md create mode 100644 docs/queries/terraform-queries/aws/ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md create mode 100644 docs/queries/terraform-queries/aws/ec49cbfd-fae4-45f3-81b1-860526d66e3f.md create mode 100644 docs/queries/terraform-queries/aws/eccc4d59-74b9-4974-86f1-74386e0c7f33.md create mode 100644 docs/queries/terraform-queries/aws/ed35928e-195c-4405-a252-98ccb664ab7b.md create mode 100644 docs/queries/terraform-queries/aws/eda48c88-2b7d-4e34-b6ca-04c0194aee17.md create mode 100644 docs/queries/terraform-queries/aws/ee49557d-750c-4cc1-aa95-94ab36cbefde.md create mode 100644 docs/queries/terraform-queries/aws/ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md create mode 100644 docs/queries/terraform-queries/aws/eeb4d37a-3c59-4789-a00c-1509bc3af1e5.md create mode 100644 docs/queries/terraform-queries/aws/ef0b316a-211e-42f1-888e-64efe172b755.md create mode 100644 docs/queries/terraform-queries/aws/f0d8781f-99bf-4958-9917-d39283b168a0.md create mode 100644 docs/queries/terraform-queries/aws/f1173d8c-3264-4148-9fdb-61181e031b51.md create mode 100644 docs/queries/terraform-queries/aws/f11aec39-858f-4b6f-b946-0a1bf46c0c87.md create mode 100644 docs/queries/terraform-queries/aws/f1adc521-f79a-4d71-b55b-a68294687432.md create mode 100644 docs/queries/terraform-queries/aws/f3674e0c-f6be-43fa-b71c-bf346d1aed99.md create mode 100644 docs/queries/terraform-queries/aws/f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md create mode 100644 docs/queries/terraform-queries/aws/f53f16d6-46a9-4277-9fbe-617b1e24cdca.md create mode 100644 docs/queries/terraform-queries/aws/f83121ea-03da-434f-9277-9cd247ab3047.md create mode 100644 
docs/queries/terraform-queries/aws/f861041c-8c9f-4156-acfc-5e6e524f5884.md create mode 100644 docs/queries/terraform-queries/aws/f906113d-cdc0-415a-ba60-609cc6daaf4d.md create mode 100644 docs/queries/terraform-queries/aws/fa00ce45-386d-4718-8392-fb485e1f3c5b.md create mode 100644 docs/queries/terraform-queries/aws/fa62ac4f-f5b9-45b9-97c1-625c8b6253ca.md create mode 100644 docs/queries/terraform-queries/aws/fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md create mode 100644 docs/queries/terraform-queries/aws/fc101ca7-c9dd-4198-a1eb-0fbe92e80044.md create mode 100644 docs/queries/terraform-queries/aws/fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md create mode 100644 docs/queries/terraform-queries/aws/fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md create mode 100644 docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md create mode 100644 docs/queries/terraform-queries/aws/ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md create mode 100644 docs/queries/terraform-queries/azure/0437633b-daa6-4bbc-8526-c0d2443b946e.md create mode 100644 docs/queries/terraform-queries/azure/07f7134f-9f37-476e-8664-670c218e4702.md create mode 100644 docs/queries/terraform-queries/azure/0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1.md create mode 100644 docs/queries/terraform-queries/azure/11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md create mode 100644 docs/queries/terraform-queries/azure/12944ec4-1fa0-47be-8b17-42a034f937c2.md create mode 100644 docs/queries/terraform-queries/azure/16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md create mode 100644 docs/queries/terraform-queries/azure/17f75827-0684-48f4-8747-61129c7e4198.md create mode 100644 docs/queries/terraform-queries/azure/25c0ea09-f1c5-4380-b055-3b83863f2bb8.md create mode 100644 docs/queries/terraform-queries/azure/261a83f8-dd72-4e8c-b5e1-ebf06e8fe606.md create mode 100644 docs/queries/terraform-queries/azure/2ab6de9a-0136-415c-be92-79d2e4fd750f.md create mode 100644 docs/queries/terraform-queries/azure/2b3c671f-1b76-4741-8789-ed1fe0785dc4.md create mode 100644 
docs/queries/terraform-queries/azure/2b856bf9-8e8c-4005-875f-303a8cba3918.md create mode 100644 docs/queries/terraform-queries/azure/2bc626a8-0751-446f-975d-8139214fc790.md create mode 100644 docs/queries/terraform-queries/azure/2e48d91c-50e4-45c8-9312-27b625868a72.md create mode 100644 docs/queries/terraform-queries/azure/34664094-59e0-4524-b69f-deaa1a68cce3.md create mode 100644 docs/queries/terraform-queries/azure/3790d386-be81-4dcf-9850-eaa7df6c10d9.md create mode 100644 docs/queries/terraform-queries/azure/38c71c00-c177-4cd7-8d36-cd1007cdb190.md create mode 100644 docs/queries/terraform-queries/azure/3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md create mode 100644 docs/queries/terraform-queries/azure/3e3c175e-aadf-4e2b-a464-3fdac5748d24.md create mode 100644 docs/queries/terraform-queries/azure/3fa5900f-9aac-4982-96b2-a6143d9c99fb.md create mode 100644 docs/queries/terraform-queries/azure/4216ebac-d74c-4423-b437-35025cb88af5.md create mode 100644 docs/queries/terraform-queries/azure/43789711-161b-4708-b5bb-9d1c626f7492.md create mode 100644 docs/queries/terraform-queries/azure/45fc717a-bd86-415c-bdd8-677901be1aa6.md create mode 100644 docs/queries/terraform-queries/azure/48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md create mode 100644 docs/queries/terraform-queries/azure/4a9e0f00-0765-4f72-a0d4-d31110b78279.md create mode 100644 docs/queries/terraform-queries/azure/4d080822-5ee2-49a4-8984-68f3d4c890fc.md create mode 100644 docs/queries/terraform-queries/azure/5089d055-53ff-421b-9482-a5267bdce629.md create mode 100644 docs/queries/terraform-queries/azure/525b53be-62ed-4244-b4df-41aecfcb4071.md create mode 100644 docs/queries/terraform-queries/azure/5400f379-a347-4bdd-a032-446465fdcc6f.md create mode 100644 docs/queries/terraform-queries/azure/55975007-f6e7-4134-83c3-298f1fe4b519.md create mode 100644 docs/queries/terraform-queries/azure/56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md create mode 100644 docs/queries/terraform-queries/azure/594c198b-4d79-41b8-9b36-fde13348b619.md 
create mode 100644 docs/queries/terraform-queries/azure/599318f2-6653-4569-9e21-041d06c63a89.md create mode 100644 docs/queries/terraform-queries/azure/59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md create mode 100644 docs/queries/terraform-queries/azure/5c822443-e1ea-46b8-84eb-758ec602e844.md create mode 100644 docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md create mode 100644 docs/queries/terraform-queries/azure/61c3cb8b-0715-47e4-b788-86dde40dd2db.md create mode 100644 docs/queries/terraform-queries/azure/6425c98b-ca4e-41fe-896a-c78772c131f8.md create mode 100644 docs/queries/terraform-queries/azure/73e42469-3a86-4f39-ad78-098f325b4e9f.md create mode 100644 docs/queries/terraform-queries/azure/7750fcca-dd03-4d38-b663-4b70289bcfd4.md create mode 100644 docs/queries/terraform-queries/azure/7f0a8696-7159-4337-ad0d-8a3ab4a78195.md create mode 100644 docs/queries/terraform-queries/azure/819d50fd-1cdf-45c3-9936-be408aaad93e.md create mode 100644 docs/queries/terraform-queries/azure/8263f146-5e03-43e0-9cfe-db960d56d1e7.md create mode 100644 docs/queries/terraform-queries/azure/835a4f2f-df43-437d-9943-545ccfc55961.md create mode 100644 docs/queries/terraform-queries/azure/83a229ba-483e-47c6-8db7-dc96969bce5a.md create mode 100644 docs/queries/terraform-queries/azure/85da374f-b00f-4832-9d44-84a1ca1e89f8.md create mode 100644 docs/queries/terraform-queries/azure/86f92117-eed8-4614-9c6c-b26da20ff37f.md create mode 100644 docs/queries/terraform-queries/azure/8b042c30-e441-453f-b162-7696982ebc58.md create mode 100644 docs/queries/terraform-queries/azure/8e75e431-449f-49e9-b56a-c8f1378025cf.md create mode 100644 docs/queries/terraform-queries/azure/96fe318e-d631-4156-99fa-9080d57280ae.md create mode 100644 docs/queries/terraform-queries/azure/9bb3c639-5edf-458c-8ee5-30c17c7d671d.md create mode 100644 docs/queries/terraform-queries/azure/9c301481-e6ec-44f7-8a49-8ec63e2969ea.md create mode 100644 
docs/queries/terraform-queries/azure/9dab0179-433d-4dff-af8f-0091025691df.md create mode 100644 docs/queries/terraform-queries/azure/9db38e87-f6aa-4b5e-a1ec-7266df259409.md create mode 100644 docs/queries/terraform-queries/azure/a187ac47-8163-42ce-8a63-c115236be6fb.md create mode 100644 docs/queries/terraform-queries/azure/a21c8da9-41bf-40cf-941d-330cf0d11fc7.md create mode 100644 docs/queries/terraform-queries/azure/a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md create mode 100644 docs/queries/terraform-queries/azure/a5613650-32ec-4975-a305-31af783153ea.md create mode 100644 docs/queries/terraform-queries/azure/a81573f9-3691-4d83-88a0-7d4af63e17a3.md create mode 100644 docs/queries/terraform-queries/azure/a829b715-cf75-4e92-b645-54c9b739edfb.md create mode 100644 docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md create mode 100644 docs/queries/terraform-queries/azure/ace823d1-4432-4dee-945b-cdf11a5a6bd0.md create mode 100644 docs/queries/terraform-queries/azure/ade36cf4-329f-4830-a83d-9db72c800507.md create mode 100644 docs/queries/terraform-queries/azure/b17d8bb8-4c08-4785-867e-cb9e62a622aa.md create mode 100644 docs/queries/terraform-queries/azure/b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md create mode 100644 docs/queries/terraform-queries/azure/b61cce4b-0cc4-472b-8096-15617a6d769b.md create mode 100644 docs/queries/terraform-queries/azure/b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md create mode 100644 docs/queries/terraform-queries/azure/b897dfbf-322c-45a8-b67c-1e698beeaa51.md create mode 100644 docs/queries/terraform-queries/azure/b90842e5-6779-44d4-9760-972f4c03ba1c.md create mode 100644 docs/queries/terraform-queries/azure/b947809d-dd2f-4de9-b724-04d101c515aa.md create mode 100644 docs/queries/terraform-queries/azure/bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md create mode 100644 docs/queries/terraform-queries/azure/bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md create mode 100644 docs/queries/terraform-queries/azure/c1573577-e494-4417-8854-7e119368dc8b.md 
create mode 100644 docs/queries/terraform-queries/azure/c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md create mode 100644 docs/queries/terraform-queries/azure/c407c3cf-c409-4b29-b590-db5f4138d332.md create mode 100644 docs/queries/terraform-queries/azure/c640d783-10c5-4071-b6c1-23507300d333.md create mode 100644 docs/queries/terraform-queries/azure/c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md create mode 100644 docs/queries/terraform-queries/azure/c7fc1481-2899-4490-bbd8-544a3a61a2f3.md create mode 100644 docs/queries/terraform-queries/azure/c87749b3-ff10-41f5-9df2-c421e8151759.md create mode 100644 docs/queries/terraform-queries/azure/cc4aaa9d-1070-461a-b519-04e00f42db8a.md create mode 100644 docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md create mode 100644 docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md create mode 100644 docs/queries/terraform-queries/azure/dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md create mode 100644 docs/queries/terraform-queries/azure/dfa20ffa-f476-428f-a490-424b41e91c7f.md create mode 100644 docs/queries/terraform-queries/azure/e29a75e6-aba3-4896-b42d-b87818c16b58.md create mode 100644 docs/queries/terraform-queries/azure/e65a0733-94a0-4826-82f4-df529f4c593f.md create mode 100644 docs/queries/terraform-queries/azure/e9dee01f-2505-4df2-b9bf-7804d1fd9082.md create mode 100644 docs/queries/terraform-queries/azure/efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md create mode 100644 docs/queries/terraform-queries/azure/f118890b-2468-42b1-9ce9-af35146b425b.md create mode 100644 docs/queries/terraform-queries/azure/f5342045-b935-402d-adf1-8dbbd09c0eef.md create mode 100644 docs/queries/terraform-queries/azure/f7e296b0-6660-4bc5-8f87-22ac4a815edf.md create mode 100644 docs/queries/terraform-queries/azure/f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md create mode 100644 docs/queries/terraform-queries/azure/fd8da341-6760-4450-b26c-9f6d8850575e.md create mode 100644 
docs/queries/terraform-queries/azure/ffb02aca-0d12-475e-b77c-a726f7aeff4b.md create mode 100644 docs/queries/terraform-queries/b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md create mode 100644 docs/queries/terraform-queries/bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md create mode 100644 docs/queries/terraform-queries/bd6bd46c-57db-4887-956d-d372f21291b6.md create mode 100644 docs/queries/terraform-queries/c878abb4-cca5-4724-92b9-289be68bd47c.md create mode 100644 docs/queries/terraform-queries/ca2fba76-c1a7-4afd-be67-5249f861cb0e.md create mode 100644 docs/queries/terraform-queries/ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md create mode 100644 docs/queries/terraform-queries/common/1e434b25-8763-4b00-a5ca-ca03b7abbb66.md create mode 100644 docs/queries/terraform-queries/common/2a153952-2544-4687-bcc9-cc8fea814a9b.md create mode 100644 docs/queries/terraform-queries/common/3a81fc06-566f-492a-91dd-7448e409e2cd.md create mode 100644 docs/queries/terraform-queries/common/59312e8a-a64e-41e7-a252-618533dd1ea8.md create mode 100644 docs/queries/terraform-queries/common/fc5109bf-01fd-49fb-8bde-4492b543c34a.md create mode 100644 docs/queries/terraform-queries/d532566b-8d9d-4f3b-80bd-361fe802f9c2.md create mode 100644 docs/queries/terraform-queries/e2c83c1f-84d7-4467-966c-ed41fd015bb9.md create mode 100644 docs/queries/terraform-queries/e5587d53-a673-4a6b-b3f2-ba07ec274def.md create mode 100644 docs/queries/terraform-queries/e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md create mode 100644 docs/queries/terraform-queries/e94d3121-c2d1-4e34-a295-139bfeb73ea3.md create mode 100644 docs/queries/terraform-queries/f74b9c43-161a-4799-bc95-0b0ec81801b9.md create mode 100644 docs/queries/terraform-queries/fcc2612a-1dfe-46e4-8ce6-0320959f0040.md create mode 100644 docs/queries/terraform-queries/fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md create mode 100644 docs/queries/terraform-queries/fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md create mode 100644 
docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md create mode 100644 docs/queries/terraform-queries/gcp/11e7550e-c4b6-472e-adff-c698f157cdd7.md create mode 100644 docs/queries/terraform-queries/gcp/128df7ec-f185-48bc-8913-ce756a3ccb85.md create mode 100644 docs/queries/terraform-queries/gcp/14a457f0-473d-4d1d-9e37-6d99b355b336.md create mode 100644 docs/queries/terraform-queries/gcp/16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md create mode 100644 docs/queries/terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e.md create mode 100644 docs/queries/terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md create mode 100644 docs/queries/terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md create mode 100644 docs/queries/terraform-queries/gcp/2f06d22c-56bd-4f73-8a51-db001fcf2150.md create mode 100644 docs/queries/terraform-queries/gcp/30e8dfd2-3591-4d19-8d11-79e93106c93d.md create mode 100644 docs/queries/terraform-queries/gcp/32ecd6eb-0711-421f-9627-1a28d9eff217.md create mode 100644 docs/queries/terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md create mode 100644 docs/queries/terraform-queries/gcp/3e4d5ce6-3280-4027-8010-c26eeea1ec01.md create mode 100644 docs/queries/terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609.md create mode 100644 docs/queries/terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md create mode 100644 docs/queries/terraform-queries/gcp/4b82202a-b18e-4891-a1eb-a0989850bbb3.md create mode 100644 docs/queries/terraform-queries/gcp/4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md create mode 100644 docs/queries/terraform-queries/gcp/59571246-3f62-4965-a96f-c7d97e269351.md create mode 100644 docs/queries/terraform-queries/gcp/5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md create mode 100644 docs/queries/terraform-queries/gcp/5ef61c88-bbb4-4725-b1df-55d23c9676bb.md create mode 100644 docs/queries/terraform-queries/gcp/617ef6ff-711e-4bd7-94ae-e965911b1b40.md create mode 100644 
docs/queries/terraform-queries/gcp/65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md create mode 100644 docs/queries/terraform-queries/gcp/678fd659-96f2-454a-a2a0-c2571f83a4a3.md create mode 100644 docs/queries/terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b.md create mode 100644 docs/queries/terraform-queries/gcp/704fcc44-a58f-4af5-82e2-93f2a58ef918.md create mode 100644 docs/queries/terraform-queries/gcp/73fb21a1-b19a-45b1-b648-b47b1678681e.md create mode 100644 docs/queries/terraform-queries/gcp/84d36481-fd63-48cb-838e-635c44806ec2.md create mode 100644 docs/queries/terraform-queries/gcp/895ed0d9-6fec-4567-8614-d7a74b599a53.md create mode 100644 docs/queries/terraform-queries/gcp/89fe890f-b480-460c-8b6b-7d8b1468adb4.md create mode 100644 docs/queries/terraform-queries/gcp/8a893e46-e267-485a-8690-51f39951de58.md create mode 100644 docs/queries/terraform-queries/gcp/9192e0f9-eca5-4056-9282-ae2a736a4088.md create mode 100644 docs/queries/terraform-queries/gcp/92e4464a-4139-4d57-8742-b5acc0347680.md create mode 100644 docs/queries/terraform-queries/gcp/9356962e-4a4f-4d06-ac59-dc8008775eaa.md create mode 100644 docs/queries/terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751.md create mode 100644 docs/queries/terraform-queries/gcp/a6cd52a1-3056-4910-96a5-894de9f3f3b3.md create mode 100644 docs/queries/terraform-queries/gcp/acfdbec6-4a17-471f-b412-169d77553332.md create mode 100644 docs/queries/terraform-queries/gcp/b139213e-7d24-49c2-8025-c18faa21ecaa.md create mode 100644 docs/queries/terraform-queries/gcp/b187edca-b81e-4fdc-aff4-aab57db45edb.md create mode 100644 docs/queries/terraform-queries/gcp/b1d51728-7270-4991-ac2f-fc26e2695b38.md create mode 100644 docs/queries/terraform-queries/gcp/bb0db090-5509-4853-a827-75ced0b3caa0.md create mode 100644 docs/queries/terraform-queries/gcp/bc280331-27b9-4acb-a010-018e8098aa5d.md create mode 100644 docs/queries/terraform-queries/gcp/bc75ce52-a60a-4660-b533-bce837a5019b.md create mode 100644 
docs/queries/terraform-queries/gcp/c010082c-76e0-4b91-91d9-6e8439e455dd.md create mode 100644 docs/queries/terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md create mode 100644 docs/queries/terraform-queries/gcp/c606ba1d-d736-43eb-ac24-e16108f3a9e0.md create mode 100644 docs/queries/terraform-queries/gcp/c68b4e6d-4e01-4ca1-b256-1e18e875785c.md create mode 100644 docs/queries/terraform-queries/gcp/c9d81239-c818-4869-9917-1570c62b81fd.md create mode 100644 docs/queries/terraform-queries/gcp/ccc3100c-0fdd-4a5e-9908-c10107291860.md create mode 100644 docs/queries/terraform-queries/gcp/cefdad16-0dd5-4ac5-8ed2-a37502c78672.md create mode 100644 docs/queries/terraform-queries/gcp/cf3c7631-cd1e-42f3-8801-a561214a6e79.md create mode 100644 docs/queries/terraform-queries/gcp/d0b4d550-c001-46c3-bbdb-d5d75d33f05f.md create mode 100644 docs/queries/terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md create mode 100644 docs/queries/terraform-queries/gcp/d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md create mode 100644 docs/queries/terraform-queries/gcp/dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md create mode 100644 docs/queries/terraform-queries/gcp/e576ce44-dd03-4022-a8c0-3906acca2ab4.md create mode 100644 docs/queries/terraform-queries/gcp/e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md create mode 100644 docs/queries/terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944.md create mode 100644 docs/queries/terraform-queries/gcp/ee7b93c1-b3f8-4a3b-9588-146d481814f5.md create mode 100644 docs/queries/terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89.md
diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md
index 80f834390e7..2a052350720 100644
--- a/docs/queries/all-queries.md
+++ b/docs/queries/all-queries.md
@@ -3,1725 +3,1725 @@ This page contains all queries.
 | Query |Platform|Severity|Category|Description|Help|
 |-----------------------------|---|---|---|---|---|
-|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| -|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
| -|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
| -|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
| -|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
| -|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
| -|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
| -|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
| -|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
| -|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
| -|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
| -|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
| -|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
| -|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
| -|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
| -|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
| -|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted|Documentation
| -|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled|Documentation
| -|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
| -|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
| -|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
| -|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
| -|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
| -|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
| -|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
| -|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
| -|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
| -|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
| -|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
| -|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
| -|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
| -|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
| -|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
| -|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
| -|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
| -|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set|Documentation
| -|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
| -|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
| -|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
| -|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
| -|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
| -|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
| -|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled|Documentation
| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type.|Documentation
| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes'|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| -|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations.|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared.|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined.|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|Documentation
| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited|Documentation
| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| -|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies'|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|Pulumi|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Pulumi|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Pulumi|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Pulumi|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Pulumi|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Pulumi|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Pulumi|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Pulumi|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Pulumi|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Pulumi|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Pulumi|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Pulumi|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|Pulumi|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Pulumi|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Pulumi|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Pulumi|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|Terraform|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|Terraform|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|Terraform|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|Terraform|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|Terraform|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|Terraform|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|Terraform|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|Terraform|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|Terraform|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|Terraform|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|Terraform|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|Terraform|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|Terraform|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|Terraform|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|Terraform|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|Terraform|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|Terraform|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|Terraform|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|Terraform|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|Terraform|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|Terraform|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|Terraform|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|Terraform|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|Terraform|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|Terraform|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|Terraform|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|Terraform|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|Terraform|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|Terraform|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Terraform|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Terraform|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Terraform|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Terraform|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Terraform|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Terraform|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Terraform|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Terraform|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Terraform|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Terraform|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Terraform|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Terraform|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Terraform|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
| +|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
| +|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Terraform|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
| +|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Terraform|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
| +|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Terraform|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Terraform|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Terraform|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
| +|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Terraform|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
| +|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Terraform|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
| +|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Terraform|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Terraform|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Terraform|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Terraform|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
| +|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Terraform|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
| +|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Terraform|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
| +|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Terraform|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
| +|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
| +|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Terraform|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| +|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Terraform|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
| +|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
| +|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Terraform|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
| +|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Terraform|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
| +|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
| +|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
| +|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Terraform|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
| +|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Terraform|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|Terraform|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|Terraform|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|Terraform|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|Terraform|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|Terraform|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|Terraform|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|Terraform|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|Terraform|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|Terraform|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|Terraform|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|Terraform|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|Terraform|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|Terraform|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|Terraform|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|Terraform|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|Terraform|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|Terraform|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|Terraform|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|Terraform|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|Terraform|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|Terraform|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|Terraform|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|Terraform|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|Terraform|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|Terraform|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|Terraform|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|Terraform|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|Terraform|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|Terraform|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|Terraform|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|Terraform|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|Terraform|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|Terraform|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|Terraform|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|Terraform|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|Terraform|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|Terraform|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|Terraform|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|Terraform|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|Terraform|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|Terraform|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|Terraform|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|Terraform|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|Terraform|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|Terraform|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|Terraform|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|Terraform|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|Terraform|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|Terraform|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|Terraform|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|Terraform|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|Terraform|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|Terraform|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|Terraform|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|Terraform|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|Terraform|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|Terraform|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|Terraform|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|Terraform|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted (read more)|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|Terraform|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|Terraform|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|Terraform|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|Terraform|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|Terraform|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|Terraform|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating. (read more)|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|Terraform|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|Terraform|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|Terraform|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|Terraform|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|Terraform|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|Terraform|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|Terraform|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|Terraform|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|Terraform|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|Terraform|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|Terraform|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|Terraform|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|Terraform|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|Terraform|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|Terraform|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|Terraform|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|Terraform|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|Terraform|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|Terraform|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|Terraform|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|Terraform|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|Terraform|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|Terraform|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|Terraform|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|Terraform|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|Terraform|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|Terraform|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|Terraform|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|Terraform|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|Terraform|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|Terraform|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|Terraform|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|Terraform|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|Terraform|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|Terraform|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|Terraform|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Terraform|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Terraform|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Terraform|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Terraform|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Terraform|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Terraform|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Terraform|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Terraform|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Terraform|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Terraform|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Terraform|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Terraform|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Terraform|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Terraform|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Terraform|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Terraform|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Terraform|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Terraform|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Terraform|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Terraform|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Terraform|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Terraform|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Terraform|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Terraform|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Terraform|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Terraform|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Terraform|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Terraform|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Terraform|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Terraform|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Terraform|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Terraform|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Terraform|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Terraform|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Terraform|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Terraform|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Terraform|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Terraform|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Terraform|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Terraform|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Terraform|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Terraform|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Terraform|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Terraform|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Terraform|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Terraform|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Terraform|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Terraform|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Terraform|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Terraform|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Terraform|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Terraform|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Terraform|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Terraform|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Terraform|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Terraform|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Terraform|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Terraform|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Terraform|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Terraform|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Terraform|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Terraform|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Terraform|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Terraform|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Terraform|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Terraform|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Terraform|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Terraform|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Terraform|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Terraform|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Terraform|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Terraform|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Terraform|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Terraform|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Terraform|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Terraform|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Terraform|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Terraform|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Terraform|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Terraform|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Terraform|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Terraform|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Terraform|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Terraform|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Terraform|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Terraform|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Terraform|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Terraform|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Terraform|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Terraform|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Terraform|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Terraform|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Terraform|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Terraform|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Terraform|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Terraform|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Terraform|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Terraform|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Terraform|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Terraform|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Terraform|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Terraform|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Terraform|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Terraform|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Terraform|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Terraform|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Terraform|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Terraform|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Terraform|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Terraform|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Terraform|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Terraform|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Terraform|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Terraform|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Terraform|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Terraform|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Terraform|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Terraform|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Terraform|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Terraform|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Terraform|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Terraform|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Terraform|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Terraform|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Terraform|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Terraform|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Terraform|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Terraform|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Terraform|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Terraform|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Terraform|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Terraform|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Terraform|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Terraform|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Terraform|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Terraform|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Terraform|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Terraform|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Terraform|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Terraform|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Terraform|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Terraform|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Terraform|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Terraform|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Terraform|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Terraform|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Terraform|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Terraform|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Terraform|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Terraform|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Terraform|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Terraform|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Terraform|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Terraform|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Terraform|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Terraform|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Terraform|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Terraform|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Terraform|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Terraform|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Terraform|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Terraform|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Terraform|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Terraform|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Terraform|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Terraform|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Terraform|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Terraform|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Terraform|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Terraform|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Terraform|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Terraform|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Terraform|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Terraform|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Terraform|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Terraform|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Terraform|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Terraform|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Terraform|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Terraform|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Terraform|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Terraform|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Terraform|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Terraform|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Terraform|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Terraform|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Terraform|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Terraform|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Terraform|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Terraform|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Terraform|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Terraform|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Terraform|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Terraform|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Terraform|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Terraform|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|Terraform|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|Terraform|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|Terraform|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|Terraform|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|Terraform|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|Terraform|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|Terraform|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|Terraform|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|Terraform|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|Terraform|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|Terraform|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|Terraform|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|Terraform|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|Terraform|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|Terraform|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|Terraform|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|Terraform|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|Terraform|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|Terraform|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|Terraform|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|Terraform|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|Terraform|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|Terraform|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|Terraform|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|Terraform|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|Terraform|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Terraform|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Terraform|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Terraform|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Terraform|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Terraform|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Terraform|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Terraform|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Terraform|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Terraform|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Terraform|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Terraform|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Terraform|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Terraform|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Terraform|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Terraform|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Terraform|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Terraform|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Terraform|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Terraform|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Terraform|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Terraform|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Terraform|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Terraform|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Terraform|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Terraform|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Terraform|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Terraform|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Terraform|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|Terraform|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|Terraform|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|Terraform|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|Terraform|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|Terraform|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|Terraform|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|Terraform|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|Terraform|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|Terraform|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|Terraform|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|Terraform|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|Terraform|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|Terraform|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|Terraform|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|Terraform|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|Terraform|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|Terraform|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|Terraform|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|Terraform|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|Terraform|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|Terraform|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Terraform|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Terraform|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Terraform|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Terraform|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Terraform|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Terraform|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Terraform|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Terraform|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Terraform|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Terraform|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Terraform|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Terraform|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Terraform|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Terraform|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Terraform|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Terraform|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Terraform|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Terraform|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Terraform|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Terraform|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Terraform|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Terraform|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Terraform|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Terraform|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Terraform|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Terraform|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Terraform|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Terraform|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Terraform|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|Terraform|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|Terraform|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|Terraform|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|Terraform|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|Terraform|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|Terraform|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|Terraform|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Terraform|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Terraform|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Terraform|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Terraform|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Terraform|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Terraform|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Terraform|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Terraform|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Terraform|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Terraform|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Terraform|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Terraform|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Terraform|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Terraform|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Terraform|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Terraform|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Terraform|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Terraform|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Terraform|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Terraform|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Terraform|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Terraform|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Terraform|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Terraform|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Terraform|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Terraform|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Terraform|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Terraform|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Terraform|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Terraform|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Terraform|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Terraform|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Terraform|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Terraform|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Terraform|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Terraform|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Terraform|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Terraform|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Terraform|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Terraform|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Terraform|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Terraform|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Terraform|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Terraform|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Terraform|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Terraform|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Terraform|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Terraform|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Terraform|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Terraform|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Terraform|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Terraform|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Terraform|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Terraform|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Terraform|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|DockerCompose|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|DockerCompose|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|DockerCompose|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|DockerCompose|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|DockerCompose|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|DockerCompose|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|DockerCompose|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|DockerCompose|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|DockerCompose|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|DockerCompose|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|DockerCompose|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|DockerCompose|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|DockerCompose|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|DockerCompose|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|DockerCompose|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|DockerCompose|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|DockerCompose|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|DockerCompose|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|DockerCompose|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|DockerCompose|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|DockerCompose|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|Kubernetes|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|Kubernetes|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|Kubernetes|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|Kubernetes|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|Kubernetes|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|Kubernetes|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|Kubernetes|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|Kubernetes|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|Kubernetes|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|Kubernetes|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|Kubernetes|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|Kubernetes|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|Kubernetes|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|Kubernetes|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|Kubernetes|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|Kubernetes|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|Kubernetes|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|Kubernetes|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|Kubernetes|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|Kubernetes|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|Kubernetes|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|Kubernetes|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|Kubernetes|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|Kubernetes|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|Kubernetes|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|Kubernetes|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|Kubernetes|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|Kubernetes|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Kubernetes|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Kubernetes|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Kubernetes|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Kubernetes|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Kubernetes|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Kubernetes|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Kubernetes|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Kubernetes|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Kubernetes|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Kubernetes|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Kubernetes|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Kubernetes|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Kubernetes|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Kubernetes|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Kubernetes|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Kubernetes|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Kubernetes|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Kubernetes|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Kubernetes|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Kubernetes|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Kubernetes|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Kubernetes|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Kubernetes|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Kubernetes|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Kubernetes|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Kubernetes|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Kubernetes|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Kubernetes|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Kubernetes|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Kubernetes|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Kubernetes|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Kubernetes|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Kubernetes|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Kubernetes|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Kubernetes|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Kubernetes|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Kubernetes|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Kubernetes|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Kubernetes|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Kubernetes|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Kubernetes|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Kubernetes|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Kubernetes|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Kubernetes|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Kubernetes|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Kubernetes|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Kubernetes|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Kubernetes|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Kubernetes|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Kubernetes|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Kubernetes|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Kubernetes|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Kubernetes|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Kubernetes|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Kubernetes|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Kubernetes|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Kubernetes|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Kubernetes|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Kubernetes|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Kubernetes|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Kubernetes|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Kubernetes|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Kubernetes|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Kubernetes|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Kubernetes|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Kubernetes|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Kubernetes|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Kubernetes|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Kubernetes|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Kubernetes|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Kubernetes|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Kubernetes|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Kubernetes|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Kubernetes|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Kubernetes|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Kubernetes|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Kubernetes|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Kubernetes|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Kubernetes|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Kubernetes|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Kubernetes|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Kubernetes|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Kubernetes|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Kubernetes|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Kubernetes|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Kubernetes|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Kubernetes|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Kubernetes|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Kubernetes|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Kubernetes|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Kubernetes|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Kubernetes|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Kubernetes|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Kubernetes|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Kubernetes|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Kubernetes|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Kubernetes|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Kubernetes|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Kubernetes|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Kubernetes|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Kubernetes|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| +|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Kubernetes|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| +|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Kubernetes|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Buildah|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|AzureResourceManager|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|AzureResourceManager|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|AzureResourceManager|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|AzureResourceManager|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|AzureResourceManager|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|AzureResourceManager|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|AzureResourceManager|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|AzureResourceManager|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|AzureResourceManager|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|AzureResourceManager|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|AzureResourceManager|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|AzureResourceManager|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|AzureResourceManager|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|AzureResourceManager|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|AzureResourceManager|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|AzureResourceManager|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|AzureResourceManager|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|AzureResourceManager|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|AzureResourceManager|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|AzureResourceManager|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|AzureResourceManager|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|AzureResourceManager|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|AzureResourceManager|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|AzureResourceManager|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|AzureResourceManager|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|AzureResourceManager|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|AzureResourceManager|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|AzureResourceManager|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|AzureResourceManager|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|AzureResourceManager|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|AzureResourceManager|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|AzureResourceManager|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|AzureResourceManager|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|AzureResourceManager|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|AzureResourceManager|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|AzureResourceManager|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|AzureResourceManager|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|AzureResourceManager|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|AzureResourceManager|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|ServerlessFW|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|ServerlessFW|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|ServerlessFW|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|ServerlessFW|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|ServerlessFW|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|ServerlessFW|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|ServerlessFW|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|ServerlessFW|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|ServerlessFW|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|ServerlessFW|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|Ansible|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|Ansible|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|Ansible|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|Ansible|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|Ansible|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|Ansible|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|Ansible|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|Ansible|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|Ansible|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|Ansible|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|Ansible|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|Ansible|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|Ansible|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|Ansible|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|Ansible|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|Ansible|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Ansible|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Ansible|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Ansible|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Ansible|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Ansible|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Ansible|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Ansible|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Ansible|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Ansible|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Ansible|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Ansible|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Ansible|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Ansible|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Ansible|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Ansible|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Ansible|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Ansible|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Ansible|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Ansible|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Ansible|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|Ansible|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|Ansible|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|Ansible|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|Ansible|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|Ansible|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|Ansible|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|Ansible|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|Ansible|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|Ansible|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|Ansible|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|Ansible|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|Ansible|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|Ansible|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|Ansible|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|Ansible|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|Ansible|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|Ansible|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|Ansible|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|Ansible|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|Ansible|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|Ansible|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|Ansible|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|Ansible|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|Ansible|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|Ansible|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|Ansible|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|Ansible|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|Ansible|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|Ansible|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|Ansible|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|Ansible|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|Ansible|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|Ansible|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|Ansible|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|Ansible|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|Ansible|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|Ansible|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|Ansible|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|Ansible|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|Ansible|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|Ansible|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|Ansible|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|Ansible|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|Ansible|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|Ansible|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|Ansible|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|Ansible|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|Ansible|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|Ansible|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|Ansible|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|Ansible|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|Ansible|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|Ansible|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|Ansible|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|Ansible|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|Ansible|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|Ansible|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|Ansible|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Ansible|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Ansible|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Ansible|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Ansible|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Ansible|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Ansible|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Ansible|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Ansible|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Ansible|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Ansible|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Ansible|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Ansible|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Ansible|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Ansible|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Ansible|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Ansible|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Ansible|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Ansible|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Ansible|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Ansible|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Ansible|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Ansible|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Ansible|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Ansible|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Ansible|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Ansible|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Ansible|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Ansible|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Ansible|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Ansible|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Ansible|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Ansible|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Ansible|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Ansible|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Ansible|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Ansible|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Ansible|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Ansible|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Ansible|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Ansible|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Ansible|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Ansible|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Ansible|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Ansible|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Ansible|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Ansible|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Ansible|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Ansible|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Ansible|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Ansible|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Ansible|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Ansible|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Ansible|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Ansible|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Ansible|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Ansible|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Ansible|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Ansible|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Ansible|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Ansible|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Ansible|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Ansible|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Ansible|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Ansible|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Ansible|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Ansible|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Ansible|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Ansible|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Ansible|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Ansible|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Ansible|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|Ansible|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|Ansible|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|Ansible|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|Ansible|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|Ansible|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|Ansible|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|Ansible|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|Ansible|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|Ansible|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|Ansible|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|Ansible|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|Ansible|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|Ansible|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|Ansible|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|Ansible|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|Ansible|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|Ansible|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|Ansible|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|Ansible|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|Ansible|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|Ansible|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|Ansible|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|Ansible|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Ansible|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Ansible|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Ansible|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Ansible|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Ansible|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Ansible|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Ansible|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Ansible|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Ansible|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Ansible|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Ansible|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Ansible|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Ansible|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Ansible|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Ansible|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Ansible|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Ansible|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Ansible|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Ansible|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Ansible|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Ansible|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|OpenAPI|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|OpenAPI|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|OpenAPI|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|OpenAPI|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|OpenAPI|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|OpenAPI|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|OpenAPI|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|OpenAPI|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|OpenAPI|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|OpenAPI|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|OpenAPI|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|OpenAPI|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|OpenAPI|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|OpenAPI|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|OpenAPI|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|OpenAPI|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|OpenAPI|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|OpenAPI|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|OpenAPI|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|OpenAPI|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|OpenAPI|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|OpenAPI|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|OpenAPI|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|OpenAPI|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|OpenAPI|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|OpenAPI|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|OpenAPI|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|OpenAPI|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|OpenAPI|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|OpenAPI|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|OpenAPI|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|OpenAPI|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|OpenAPI|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|OpenAPI|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|OpenAPI|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|OpenAPI|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|OpenAPI|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|OpenAPI|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|OpenAPI|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|OpenAPI|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|OpenAPI|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|OpenAPI|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|OpenAPI|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|OpenAPI|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|OpenAPI|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|OpenAPI|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|OpenAPI|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|OpenAPI|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|OpenAPI|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|OpenAPI|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| |Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|OpenAPI|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| |Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|OpenAPI|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| |Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|OpenAPI|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| |Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|OpenAPI|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| |Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| |Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|OpenAPI|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| |No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| |Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|OpenAPI|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined|Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|OpenAPI|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| |Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|OpenAPI|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|OpenAPI|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| |Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|OpenAPI|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| |API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|OpenAPI|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| |JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| |String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|OpenAPI|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| |Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|OpenAPI|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| |Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| |JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|OpenAPI|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| |Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|OpenAPI|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|OpenAPI|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| |Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| |Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|OpenAPI|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| |Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|OpenAPI|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| |Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|OpenAPI|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| |Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|OpenAPI|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| |Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|OpenAPI|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| |Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|OpenAPI|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| |Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|OpenAPI|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| |Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|OpenAPI|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| |Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|OpenAPI|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|OpenAPI|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| |Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| |Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| |JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|OpenAPI|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| |Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|OpenAPI|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| |Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|OpenAPI|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| |Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|OpenAPI|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| |Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|OpenAPI|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| |Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|OpenAPI|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| |Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|OpenAPI|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| |Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|OpenAPI|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| |Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|OpenAPI|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| |Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|OpenAPI|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| |Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|OpenAPI|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| |Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|OpenAPI|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| |Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|OpenAPI|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| |Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| |Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|OpenAPI|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|OpenAPI|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| |Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|OpenAPI|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| |Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|OpenAPI|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| |Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|OpenAPI|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| |Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|OpenAPI|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| |Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|OpenAPI|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| |Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|OpenAPI|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| |Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|OpenAPI|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|OpenAPI|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| |Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|OpenAPI|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| |Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| |Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|OpenAPI|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| |Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|OpenAPI|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| |Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|OpenAPI|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| |Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|OpenAPI|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| |Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|OpenAPI|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| |Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| |OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|OpenAPI|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| |Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|OpenAPI|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| |Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|OpenAPI|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| |Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|OpenAPI|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| |Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| |Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|OpenAPI|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| |Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| |Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|OpenAPI|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| |Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|OpenAPI|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| |Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| -|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted.|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| -|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| -|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| -|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| -|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| -|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC|Documentation
| -|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| -|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
| -|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter|Documentation
| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|OpenAPI|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|OpenAPI|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|OpenAPI|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|OpenAPI|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|OpenAPI|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|OpenAPI|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|OpenAPI|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|OpenAPI|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|OpenAPI|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|OpenAPI|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|OpenAPI|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|OpenAPI|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|OpenAPI|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|OpenAPI|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|OpenAPI|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|OpenAPI|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|OpenAPI|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|OpenAPI|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|OpenAPI|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|OpenAPI|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|OpenAPI|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|OpenAPI|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|OpenAPI|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|OpenAPI|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|OpenAPI|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|OpenAPI|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|OpenAPI|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|OpenAPI|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|OpenAPI|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|OpenAPI|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|OpenAPI|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|OpenAPI|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|OpenAPI|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|OpenAPI|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|OpenAPI|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|OpenAPI|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|OpenAPI|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|OpenAPI|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|OpenAPI|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Crossplane|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Crossplane|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|Crossplane|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|Crossplane|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|Crossplane|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|Crossplane|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|Crossplane|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|Crossplane|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Crossplane|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Crossplane|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Crossplane|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Crossplane|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Crossplane|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|Crossplane|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Crossplane|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|Dockerfile|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|Dockerfile|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|Dockerfile|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|Dockerfile|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|Dockerfile|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|Dockerfile|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|Dockerfile|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|Dockerfile|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|Dockerfile|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Dockerfile|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Dockerfile|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Dockerfile|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Dockerfile|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Dockerfile|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Dockerfile|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Dockerfile|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Dockerfile|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Dockerfile|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Dockerfile|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Dockerfile|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Dockerfile|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Dockerfile|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Dockerfile|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Dockerfile|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Dockerfile|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Dockerfile|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Dockerfile|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Dockerfile|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Dockerfile|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Dockerfile|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Dockerfile|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Dockerfile|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Dockerfile|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Dockerfile|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Dockerfile|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Dockerfile|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Dockerfile|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Dockerfile|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Dockerfile|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Dockerfile|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Dockerfile|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Dockerfile|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Dockerfile|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Dockerfile|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Dockerfile|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Dockerfile|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Dockerfile|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|CloudFormation|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|CloudFormation|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|CloudFormation|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|CloudFormation|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|CloudFormation|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|CloudFormation|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|CloudFormation|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|CloudFormation|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|CloudFormation|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|CloudFormation|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|CloudFormation|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|CloudFormation|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|CloudFormation|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|CloudFormation|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|CloudFormation|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|CloudFormation|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|CloudFormation|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|CloudFormation|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|CloudFormation|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|CloudFormation|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|CloudFormation|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|CloudFormation|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|CloudFormation|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|CloudFormation|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|CloudFormation|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|CloudFormation|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|CloudFormation|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|CloudFormation|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|CloudFormation|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|CloudFormation|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|CloudFormation|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|CloudFormation|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|CloudFormation|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|CloudFormation|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|CloudFormation|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|CloudFormation|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|CloudFormation|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|CloudFormation|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|CloudFormation|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|CloudFormation|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|CloudFormation|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|CloudFormation|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|CloudFormation|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|CloudFormation|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|CloudFormation|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|CloudFormation|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|CloudFormation|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|CloudFormation|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|CloudFormation|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|CloudFormation|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|CloudFormation|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|CloudFormation|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|CloudFormation|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|CloudFormation|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|CloudFormation|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| +|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|CloudFormation|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating. (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|CloudFormation|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|CloudFormation|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|CloudFormation|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|CloudFormation|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|CloudFormation|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|CloudFormation|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|CloudFormation|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|CloudFormation|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|CloudFormation|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|CloudFormation|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|CloudFormation|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|CloudFormation|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|CloudFormation|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|CloudFormation|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|CloudFormation|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|CloudFormation|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|CloudFormation|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|CloudFormation|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|CloudFormation|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|CloudFormation|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|CloudFormation|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|CloudFormation|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|CloudFormation|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|CloudFormation|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|CloudFormation|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|CloudFormation|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|CloudFormation|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|CloudFormation|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|CloudFormation|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|CloudFormation|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|CloudFormation|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|CloudFormation|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| +|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|CloudFormation|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|CloudFormation|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|CloudFormation|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|CloudFormation|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|CloudFormation|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|CloudFormation|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|CloudFormation|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|CloudFormation|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|CloudFormation|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|CloudFormation|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|CloudFormation|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|CloudFormation|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|CloudFormation|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|CloudFormation|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|CloudFormation|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|CloudFormation|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|CloudFormation|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|CloudFormation|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|CloudFormation|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|CloudFormation|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|CloudFormation|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|CloudFormation|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|CloudFormation|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|CloudFormation|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|CloudFormation|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|CloudFormation|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|CloudFormation|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|CloudFormation|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|CloudFormation|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| +|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|CloudFormation|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|CloudFormation|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|CloudFormation|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|CloudFormation|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|CloudFormation|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|CloudFormation|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|CloudFormation|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|CloudFormation|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|CloudFormation|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|CloudFormation|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|CloudFormation|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|CloudFormation|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|CloudFormation|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|CloudFormation|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|CloudFormation|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|CloudFormation|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|CloudFormation|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|CloudFormation|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|CloudFormation|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|CloudFormation|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|CloudFormation|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|CloudFormation|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|CloudFormation|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|CloudFormation|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|CloudFormation|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|CloudFormation|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|CloudFormation|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|CloudFormation|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|CloudFormation|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|CloudFormation|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|CloudFormation|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|CloudFormation|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|CloudFormation|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|CloudFormation|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|CloudFormation|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|CloudFormation|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|CloudFormation|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|CloudFormation|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|CloudFormation|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|CloudFormation|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|CloudFormation|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|CloudFormation|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|CloudFormation|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|CloudFormation|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| +|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|CloudFormation|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|CloudFormation|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|CloudFormation|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|CloudFormation|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|CloudFormation|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|CloudFormation|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|CloudFormation|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|CloudFormation|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|CloudFormation|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|CloudFormation|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|CloudFormation|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|CloudFormation|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|CloudFormation|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|CloudFormation|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|CloudFormation|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|CloudFormation|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|CloudFormation|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|CloudFormation|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|CloudFormation|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined. (read more)|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|CloudFormation|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|CloudFormation|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|CloudFormation|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|CloudFormation|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|CloudFormation|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|CloudFormation|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|CloudFormation|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|CloudFormation|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|CloudFormation|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|CloudFormation|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|CloudFormation|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|CloudFormation|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|CloudFormation|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|CloudFormation|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|CloudFormation|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|CloudFormation|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|CloudFormation|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|CloudFormation|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|CloudFormation|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|CloudFormation|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|CloudFormation|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|CloudFormation|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|CloudFormation|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|CloudFormation|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|CloudFormation|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|CloudFormation|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|CloudFormation|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|CloudFormation|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|CloudFormation|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|CloudFormation|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|CloudFormation|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|CloudFormation|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|CloudFormation|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|CloudFormation|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| +|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|CloudFormation|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| +|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|CloudFormation|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|CloudFormation|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|CloudFormation|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|CloudFormation|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|CloudFormation|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|CloudFormation|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|CloudFormation|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|CloudFormation|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|CloudFormation|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| +|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|CloudFormation|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|CloudFormation|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|CloudFormation|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|CloudFormation|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|CloudFormation|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|CloudFormation|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| +|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|CloudFormation|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|CloudFormation|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|CloudFormation|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|CloudFormation|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|CloudFormation|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|CloudFormation|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|CloudFormation|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| +|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|CloudFormation|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|CloudFormation|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|CloudFormation|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|CloudFormation|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|CloudFormation|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|CloudFormation|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|CloudFormation|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| +|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|CloudFormation|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|CloudFormation|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|CloudFormation|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|CloudFormation|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| +|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|CloudFormation|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|CloudFormation|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|CloudFormation|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|CloudFormation|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|CloudFormation|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|CloudFormation|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|CloudFormation|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|CloudFormation|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|CloudFormation|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|CloudFormation|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|CloudFormation|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|CloudFormation|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|CloudFormation|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|CloudFormation|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Knative|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|GoogleDeploymentManager|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|GoogleDeploymentManager|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|GoogleDeploymentManager|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|GoogleDeploymentManager|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|GoogleDeploymentManager|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|GoogleDeploymentManager|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|GoogleDeploymentManager|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|GoogleDeploymentManager|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|GoogleDeploymentManager|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|GoogleDeploymentManager|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|GoogleDeploymentManager|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|GoogleDeploymentManager|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|GoogleDeploymentManager|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|GoogleDeploymentManager|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|GoogleDeploymentManager|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|GoogleDeploymentManager|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|GoogleDeploymentManager|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|GoogleDeploymentManager|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|GoogleDeploymentManager|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|GoogleDeploymentManager|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|GoogleDeploymentManager|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|GoogleDeploymentManager|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|GoogleDeploymentManager|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|GoogleDeploymentManager|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|GoogleDeploymentManager|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|GoogleDeploymentManager|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|GRPC|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|Common|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
|
diff --git a/docs/queries/ansible-queries.md b/docs/queries/ansible-queries.md
index 4c8b52289c7..763a7dfc815 100644
--- a/docs/queries/ansible-queries.md
+++ b/docs/queries/ansible-queries.md
@@ -8,46 +8,46 @@ Bellow are listed queries related with Ansible AZURE: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----|
-|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined|Documentation
| -|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault|Documentation
| -|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict|Documentation
| -|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache.|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'|Documentation
| -|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete)|Documentation
| -|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring|Documentation
| -|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| +|Public Storage Account
35e2f133-a395-40de-a79d-b260d973d1bd|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Admin User Enabled For Container Registry
29f35127-98e6-43af-8ec1-201b79f99604|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Storage Container Is Publicly Accessible
4d3817db-dd35-4de4-a80d-3867157e7f7f|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Azure Instance Using Basic Authentication
e2d834b7-8b25-4935-af53-4a60668dcbe0|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|MySQL SSL Connection Disabled
2a901825-0f3b-4655-a0fe-e0470e50f8e6|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
2c99a474-2a3c-4c17-8294-53ffa5ed0522|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|SSL Enforce Disabled
961ce567-a16d-4d7d-9027-f0ec2628a555|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
b176e927-bbe2-44a6-a9c3-041417137e5f|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|VM Not Attached To Network
1e5f5307-3e01-438d-8da6-985307ed25ce|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
eb8c2560-8bee-4248-9d0d-e80c8641dd91|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|Azure Container Registry With No Locks
581dae78-307d-45d5-aae4-fe2b0db267a5|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
e8c80448-31d8-4755-85fc-6dbab69c2717|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|SQLServer Ingress From Any IP
f4e9ff70-0f3b-4c50-a713-26cbe7ec4039|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Redis Publicly Accessible
0632d0db-9190-450a-8bb3-c283bffea445|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
1bc398a8-d274-47de-a4c8-6ac867b353de|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Redis Entirely Accessible
0d0c12b9-edce-4510-9065-13f6a758750c|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|AKS RBAC Disabled
149fa56c-4404-4f90-9e25-d34b676d5b39|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
5c80db8e-03f5-43a2-b4af-1f3f87018157|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
ca4df748-613a-4fbf-9c76-f02cbd580307|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|Key Vault Soft Delete Is Disabled
881696a8-68c5-4073-85bc-7c38a3deb854|Medium|Backup|Make sure Soft Delete is enabled for Key Vault (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
663062e9-473d-4e87-99bc-6f3684b3df40|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
530e8291-2f22-4bab-b7ea-306f1bc2a308|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict (read more)|Documentation
| +|Cosmos DB Account Without Tags
23a4dc83-4959-4d99-8056-8e051a82bc1e|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
c62746cf-92d5-4649-9acf-7d48d086f2ee|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Security Group is Not Configured
da4f2739-174f-4cdd-b9ef-dc3f14b5931f|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
869e7fb4-30f0-4bdb-b360-ad548f337f2f|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|AKS Network Policy Misconfigured
8c3bedf1-c570-4c3b-b414-d068cd39a00c|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
69f72007-502e-457b-bd2d-5012e31ac049|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache. (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
| +|Unrestricted SQL Server Access
3f23c96c-f9f5-488d-9b17-605b8da5842f|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0' (read more)|Documentation
| +|PostgreSQL Server Without Connection Throttling
a9becca7-892a-4af7-b9e1-44bf20a4cd9a|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
| +|PostgreSQL Log Disconnections Not Set
054d07b5-941b-4c28-8eef-18989dc62323|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Duration Not Set
729ebb15-8060-40f7-9017-cb72676a5487|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Checkpoints Disabled
7ab33ac0-e4a3-418f-a673-50da4e34df21|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
| +|PostgreSQL Log Connections Not Set
7b47138f-ec0e-47dc-8516-e7728fe3cc17|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
| +|Monitoring Log Profile Without All Activities
89f84a1e-75f8-47c5-83b5-bee8e2de4168|Medium|Observability|Monitoring log profile captures all the activities (Action, Write, Delete) (read more)|Documentation
| +|Log Retention Is Not Set
0461b4fd-21ef-4687-929e-484ee4796785|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
| +|AKS Monitoring Logging Disabled
d5e83b32-56dd-4247-8c2e-074f43b38a5e|Medium|Observability|Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring (read more)|Documentation
| +|Small Activity Log Retention Period
37fafbea-dedb-4e0d-852e-d16ee0589326|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
|
### AWS
Bellow are listed queries related with Ansible AWS:
@@ -56,136 +56,136 @@ Bellow are listed queries related with Ansible AWS:
| Query |Severity|Category|Description|Help|
|------------------------------|--------|--------|-----------|----|
-|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
| -|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users|Documentation
| -|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled|Documentation
| -|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
| -|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.|Documentation
| -|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
| -|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
| -|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption)|Documentation
| -|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
| -|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
| -|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
| -|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)|Documentation
| -|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
| -|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0|Documentation
| -|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access|Documentation
| -|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
| -|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide|Documentation
| -|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records|Documentation
| -|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
| -|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
| -|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root'|Documentation
| -|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access|Documentation
| -|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.|Documentation
| -|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0|Documentation
| -|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body|Documentation
| -|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted|Documentation
| -|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled|Documentation
| -|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true|Documentation
| -|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true|Documentation
| -|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'|Documentation
| -|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| +|IAM Policies With Full Privileges
e401d614-8026-4f4b-9af9-75d1197461ba|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
d395a950-12ce-4314-a742-ac5a785ab44e|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|Authentication Without MFA
eee107f9-b3d8-45d3-b9c6-43b5a7263ce1|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|IAM Policy Grants Full Permissions
b5ed026d-a772-4f07-97f9-664ba0b116f8|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
a0f1bfe0-741e-473f-b3b2-13e66f856fab|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
a1ef9d2e-4163-40cb-bd92-04f0d602a15d|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|SQS Queue Exposed
86b0efa7-4901-4edd-a37a-c034bec6645a|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
6fa44721-ef21-41c6-8665-330d59461163|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
53bce6a8-5492-4b1b-81cf-664385f0c4bf|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Access to Any Principal
3ab1f27d-52cc-4943-af1d-43c1939e739a|High|Access Control|Checks if the S3 bucket is accessible for all users (read more)|Documentation
| +|S3 Bucket With All Permissions
6a6d7e56-c913-4549-b5c5-5221e624d2ec|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|ECS Service Admin Role Is Present
7db727c1-1720-468e-b80e-06697f71e09e|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
75480b31-f349-4b9a-861f-bce19588e674|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|SNS Topic is Publicly Accessible
905f4741-f965-45c1-98db-f7a00a0e5c73|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|User Data Shell Script Is Encoded
1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|AMI Not Encrypted
97707503-a22c-4cd7-b7c0-f088fa7cf830|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|User Data Contains Encoded Private Key
c09f4d3e-27d2-4d46-9453-abbe9687a64e|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|EFS Not Encrypted
727c4fd4-d604-4df6-a179-7713d3c85e20|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
66477506-6abb-49ed-803d-3fa174cd5f6a|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|ELB Using Insecure Protocols
730a5951-2760-407a-b032-dd629b55c23a|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|Secure Ciphers Disabled
218413a0-c716-4b94-9e08-0bb70d854709|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|EFS Without KMS
bd77554e-f138-40c5-91b2-2a09f878608e|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|IAM Database Auth Not Enabled
0ed012a4-9199-43d2-b9e4-9bd049a48aa4|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|ELB Using Weak Ciphers
2034fb37-bc23-4ca0-8d95-2b9f15829ab5|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
f2ea6481-1d31-4d40-946a-520dc6321dd7|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| +|S3 Bucket SSE Disabled
309edc5b-5a59-42b4-a357-d4d098311fd4|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
a6d27cf7-61dc-4bde-ae08-3b353b609f76|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
594f54e7-f744-45ab-93e4-c6dbaf6cd571|High|Encryption|AWS S3 Storage should be protected with SSE (Server-Side Encryption) (read more)|Documentation
| +|Redis Not Compliant
9f34885e-c08f-4d13-a7d1-cf190c5bd268|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|Redshift Not Encrypted
6a647814-def5-4b85-88f5-897c19f509cd|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|DB Instance Storage Not Encrypted
7dfb316c-a6c2-454d-b8a2-97f147b0c0ff|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|Root Account Has Active Access Keys
e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
3505094c-f77c-4ba0-95da-f83db712f86c|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|Redshift Publicly Accessible
5c6b727b-1382-4629-8ba9-abd1365e5610|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false) (read more)|Documentation
| +|EC2 Group Has Public Interface
5330b503-3319-44ff-9b1c-00ee873f728a|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|KMS Key With Vulnerable Policy
5b9d237a-57d5-4177-be0e-71434b0fef47|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
01aec7c2-3e4d-4274-ae47-2b8fea22fd1f|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
d0c13053-d2c8-44a6-95da-d592996e9e67|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
defe5b18-978d-4722-9325-4d1975d3699f|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|DB Instance Publicly Accessible
c09e3ca5-f08a-4717-9c87-3919c5e6d209|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|Vulnerable Default SSL Certificate
fb8f8929-afeb-4c46-99f0-a6cf410f7df4|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Unrestricted Security Group Ingress
83c5fa4c-e098-48fc-84ee-0a537287ddd2|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0/0 (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
8010e17a-00e9-4635-a692-90d6bcec68bd|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Security Group Ingress Not Restricted
ea6bc7a6-d696-4dcf-a788-17fa03c17c81|High|Networking and Firewall|AWS Security Group should restrict ingress access (read more)|Documentation
| +|EC2 Instance Has Public IP
a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Public Port Wide
71ea648a-d31a-4b5a-a589-5674243f1c33|High|Networking and Firewall|AWS Security Group should not have public port wide (read more)|Documentation
| +|ALB Listening on HTTP
f81d63d2-c5d7-43a4-a5b5-66717a41c895|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unknown Port Exposed To Internet
722b0f24-5a64-4cca-aa96-cfc26b7e3a5b|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|Remote Desktop Port Open To Internet
eda7301d-1f3e-47cf-8d4e-976debc64341|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
57ced4b9-6ba4-487b-8843-b65562b90c77|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
0956aedf-6a7a-478b-ab56-63e2b19923ad|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|HTTP Port Open To Internet
a14ad534-acbe-4a8e-9404-2f7e1045646e|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|DB Security Group Open To Large Scope
ea0ed1c7-9aef-4464-b7c7-94c762da3640|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|RDS Associated with Public Subnet
16732649-4ff6-4cd2-8746-e72c13fae4b8|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Route53 Record Undefined
445dce51-7e53-4e50-80ef-7f94f14169e4|High|Networking and Firewall|Route53 Record should have a list of records (read more)|Documentation
| +|CloudTrail Logging Disabled
d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CMK Rotation Disabled
af96d737-0818-4162-8c41-40d969bd65d1|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
8ed0bfce-f780-46d4-b086-21c3628f09ad|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|API Gateway Without Configured Authorizer
b16cdb37-ce15-4ab2-8401-d42b05d123fc|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
af167837-9636-4086-b815-c239186b9dda|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|IAM Access Key Is Exposed
7f79f858-fbe8-4186-8a2c-dfd0d958a40f|Medium|Access Control|Check if IAM Access Key is active for some user besides 'root' (read more)|Documentation
| +|AMI Shared With Multiple Accounts
a19b2942-142e-4e2b-93b7-6cf6a6c8d90f|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|SQS Policy Allows All Actions
ed9b3beb-92cf-44d9-a9d2-171eeba569d4|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Public Lambda via API Gateway
5e92d816-2177-4083-85b4-f61b4f7176d9|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|SQS Policy With Public Access
d994585f-defb-4b51-b6d2-c70f020ceb10|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d972c56-8ec2-48c1-a578-887adb09c57a|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|S3 Bucket With Public Access
c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9|Medium|Access Control|S3 Bucket allows public access (read more)|Documentation
| +|IAM Policies Attached To User
eafe4bc3-1042-4f88-b988-1939e64bf060|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Certificate Has Expired
5a443297-19d4-4381-9e5b-24faf947ec22|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
fb5a5df7-6d74-4243-ab82-ff779a958bfd|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|CMK Is Unusable
133fee21-37ef-45df-a563-4d07edc169f4|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined. (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
050f085f-a8db-4072-9010-2cca235cc02f|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|ECS Service Without Running Tasks
f5c45127-1d28-4b49-a692-0b97da1c3a84|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Stack Retention Disabled
17d5ba1d-7667-4729-b1a6-b11fde3db7f7|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|RDS With Backup Disabled
e69890e6-fce5-461d-98ad-cb98318dfc96|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|IAM Password Without Lowercase Letter
8e3063f4-b511-45c3-b030-f3b0c9131951|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|Misconfigured Password Policy Expiration
3f2cf811-88fa-4eda-be45-7a191a18aba9|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|IAM Password Without Number
9cf25d62-0b96-42c8-b66d-998cd6ee5bb8|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|IAM Password Without Uppercase Letter
83957b81-39c1-4191-8e12-671d2ce14354|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Password Without Reuse Prevention
6f5f5444-1422-495f-81ef-24cefd61ed2c|Medium|Best Practices|Password policy `password_reuse_prevention` doesn't exist or is equal to 0 (read more)|Documentation
| +|IAM Password Without Minimum Length
8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|Stack Without Template
32d31f1f-0f83-4721-b7ec-1e6948c60145|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body (read more)|Documentation
| +|CodeBuild Not Encrypted
a1423864-2fbc-4f46-bfe1-fbbf125c71c9|Medium|Encryption|CodeBuild Project should be encrypted (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
7674a686-e4b1-4a95-83d4-1fd53c623d84|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|SQS With SSE Disabled
e1e7b278-2a8b-49bd-a26e-66a7f70b17eb|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|EBS Volume Encryption Disabled
4b6012e7-7176-46e4-8108-e441785eae57|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Memcached Disabled
2d55ef88-b616-4890-b822-47f280763e89|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
e28ceb92-d588-4166-aac5-766c8f5b7472|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Lambda Function Without Tags
265d9725-2fb8-42a2-bc57-3279c5db82d5|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|ECR Image Tag Not Immutable
60bfbb8a-c72f-467f-a6dd-a46b7d612789|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|API Gateway Without SSL Certificate
b47b98ab-e481-4a82-8bb1-1ab39fd36e33|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
d5ec2080-340a-4259-b885-f833c4ea6a31|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|Instance With No VPC
61d1a2d0-4db8-405a-913d-5d2ce49dff6f|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
7af1c447-c014-4f05-bd8b-ebe3a15734ac|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
559439b2-3e9c-4739-ac46-17e3b24ec215|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|API Gateway without WAF
f5f38943-664b-4acc-ab11-f292fa10ed0b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|S3 Bucket Without Versioning
9232306a-f839-40aa-b3ef-b352001da9a5|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
72a931c2-12f5-40d1-93cc-47bff2f7aa2a|Medium|Observability|AWS CloudWatch Logs for APIs is not enabled (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
ebb2118a-03bc-4d53-ab43-d8750f5cb8d3|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|S3 Bucket Logging Disabled
c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
a2fdf451-89dd-451e-af92-bf6c0f4bab96|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|Stack Notifications Disabled
d39761d7-94ab-45b0-ab5e-27c44e381d58|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Multi Region Disabled
6ad087d7-a509-4b20-b853-9ef6f5ebaa98|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
5ba316a9-c466-4ec1-8d5b-bc6107dc9a92|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|CloudFront Logging Disabled
d31cb911-bf5b-4eb6-9fc3-16780c77c7bd|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true (read more)|Documentation
| +|API Gateway X-Ray Disabled
2059155b-27fd-441e-b616-6966c468561f|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
e24e18d9-4c2b-4649-b3d0-18c088145e24|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|No Stack Policy
ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
c2f15af3-66a0-4176-a56e-e4711e502e5c|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
f34508b9-f574-4330-b42d-88c44cced645|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
babdedcf-d859-43da-9a7b-6d72e661a8fd|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|IAM Group Without Users
f509931b-bbb0-443c-bd9b-10e92ecf2193|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
12a7a7ce-39d6-49dd-923d-aeb4564eb66c|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
8d03993b-8384-419b-a681-d1f55149397c|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|CDN Configuration Is Missing
b25398a2-0625-4e61-8e4d-a1bb23905bf6|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Lambda Permission Misconfigured
3ddf3417-424d-420d-8275-0724dc426520|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
857f8808-e96a-4ba8-a9b7-f2d4ec6cad94|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|EFS Without Tags
b8a9852c-9943-4973-b8d5-77dae9352851|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
f5587077-3f57-4370-9b4e-4eb5b1bac85b|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|EC2 Instance Using Default VPC
8833f180-96f1-46f4-9147-849aafa56029|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Redshift Using Default Port
e01de151-a7bd-4db4-b49b-3c4775a5e881|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|ElastiCache Without VPC
5527dcfc-94f9-4bf6-b7d4-1b78850cf41f|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
22c80725-e390-4055-8d14-a872230f6607|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|RDS Using Default Port
2cb674f6-32f9-40be-97f2-62c0dc38f0d5|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|ElastiCache Using Default Port
7cc6c791-5f68-4816-a564-b9b699f9d26e|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
4d8681a2-3d30-4c89-8070-08acd142748e|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
71397b34-1d50-4ee1-97cb-c96c34676f74|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active' (read more)|Documentation
| +|EC2 Not EBS Optimized
338b6cab-961d-4998-bb49-e5b6a11c9a5c|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
|
 ### GCP
 Bellow are listed queries related with Ansible GCP:
@@ -194,52 +194,52 @@ Bellow are listed queries related with Ansible GCP:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'|Documentation
| -|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.|Documentation
| -|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On|Documentation
| -|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false|Documentation
| -|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On|Documentation
| -|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.|Documentation
| -|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty|Documentation
| -|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.|Documentation
| -|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true|Documentation
| -|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'|Documentation
| -|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0'|Documentation
| -|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value|Documentation
| -|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'|Documentation
| -|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes|Documentation
| +|VM With Full Cloud Access
bc20bbc6-0697-4568-9a73-85af1dd97bdd|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|BigQuery Dataset Is Public
2263b286-2fe9-4747-a0ae-8b4768a2bbd2|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
086031e1-9d4a-4249-acb3-5bfe4c363db2|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
0c82eae2-aca0-401f-93e4-fb37a0f9e5e8|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|DNSSEC Using RSASHA1
6cf4c3a7-ceb0-4475-8892-3745b84be24a|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|PostgreSQL Misconfigured Logging Duration Flag
aed98a2a-e680-497a-8886-277cea0f4514|High|Insecure Configurations|PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1' (read more)|Documentation
| +|Cluster Labels Disabled
fbe9b2d0-a2b7-47a1-a534-03775f3013f7|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|MySQL Instance With Local Infile On
a7b520bb-2509-4fb0-be05-bc38f54c7a4c|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|GKE Legacy Authorization Enabled
300a9964-b086-41f7-9378-b6de3ba1c32b|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false. (read more)|Documentation
| +|Cloud SQL Instance With Cross DB Ownership Chaining On
9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f|High|Insecure Configurations|GCP SQL Instance should not have Cross DB Ownership Chaining On (read more)|Documentation
| +|Network Policy Disabled
98e04ca0-34f5-4c74-8fec-d2e611ce2790|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Cluster Master Authentication Disabled
9df7f78f-ebe3-432e-ac3b-b67189c15518|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Cloud SQL Instance With Contained Database Authentication On
6d34aff3-fdd2-460c-8190-756a3b4969e8|High|Insecure Configurations|SQL Instance should not have Contained Database Authentication On (read more)|Documentation
| +|Private Cluster Disabled
3b30e3d6-c99b-4318-b38f-b99db74578b5|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true. (read more)|Documentation
| +|GKE Basic Authentication Enabled
344bf8ab-9308-462b-a6b2-697432e40ba1|High|Insecure Configurations|GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty (read more)|Documentation
| +|IP Aliasing Disabled
ed672a9f-fbf0-44d8-a47d-779501b0db05|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'. (read more)|Documentation
| +|Client Certificate Disabled
20180133-a0d0-4745-bfe0-94049fbb12a9|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
829f1c60-2bab-44c6-8a21-5cd9d39a2c82|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
d43366c5-80b0-45de-bbe8-2338f4ab0a83|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
7814ddda-e758-4a56-8be3-289a81ded929|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|PostgreSQL Log Connections Disabled
d7a5616f-0a3f-4d43-bc2b-29d1a183e317|High|Observability|PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on' (read more)|Documentation
| +|PostgreSQL Logging Of Temporary Files Disabled
d6fae5b6-ada9-46c0-8b36-3108a2a2f77b|High|Observability|PostgreSQL database 'log_temp_files' flag isn't set to '0' (read more)|Documentation
| +|Stackdriver Monitoring Disabled
20dcd953-a8b8-4892-9026-9afa6d05a525|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
507df964-ad97-4035-ab14-94a82eabdfdd|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Stackdriver Logging Disabled
19c9e2a0-fc33-4264-bba1-e3682661e8f7|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none' (read more)|Documentation
| +|Node Auto Upgrade Disabled
d6e10477-2e19-4bcd-b8a8-19c65b89ccdf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|Disk Encryption Disabled
092bae86-6105-4802-99d2-99cd7e7431f3|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
b28bcd2f-c309-490e-ab7c-35fc4023eb26|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|Cloud DNS Without DNSSEC
80b15fb1-6207-40f4-a803-6915ae619a03|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
be41f891-96b1-4b9d-b74f-b922a918c778|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
66dae697-507b-4aef-be18-eec5bd707f33|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|Shielded VM Disabled
18d3a83d-4414-49dc-90ea-f0387b2856cc|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Using Default Service Account
2775e169-e708-42a9-9305-b58aadd2c4dd|Medium|Insecure Configurations|Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
d58c6f24-3763-4269-9f5b-86b2569a003b|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|GKE Using Default Service Account
dc126833-125a-40fb-905a-ce5f2afde240|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
3602d273-3290-47b2-80fa-720162b1a8af|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|RDP Access Is Not Restricted
75418eb9-39ec-465f-913c-6f2b6a80dc77|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|SSH Access Is Not Restricted
b2fbf1df-76dd-4d78-a6c0-e538f4a9b016|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
c6fc6f29-dc04-46b6-99ba-683c01aff350|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
29b8224a-60e9-4011-8ac2-7916a659841f|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|IP Forwarding Enabled
11bd3554-cd56-4257-8e25-7aaf30cf8f5f|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|PostgreSQL Misconfigured Log Messages Flag
28a757fc-3d8f-424a-90c0-4233363b2711|Medium|Observability|PostgreSQL database 'log_min_messages' flag isn't set to a valid value (read more)|Documentation
| +|PostgreSQL log_checkpoints Flag Not Set To ON
89afe3f0-4681-4ce3-89ed-896cebd4277c|Medium|Observability|PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on' (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
f9b7086b-deb8-4034-9330-d7fd38f1b8de|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
099b4411-d11e-4537-a0fc-146b19762a79|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
7289eebd-a477-4064-8ad4-3c044bd70b00|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
6a4080ae-79bd-42f6-a924-8f534c1c018b|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes (read more)|Documentation
|
diff --git a/docs/queries/ansible-queries/aws/01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md b/docs/queries/ansible-queries/aws/01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md
new file mode 100644
index 00000000000..b09e774f5f9
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/01aec7c2-3e4d-4274-ae47-2b8fea22fd1f.md
@@ -0,0 +1,85 @@
+---
+title: ECS Task Definition Network Mode Not Recommended
+hide:
+ toc: true
+ navigation: true
+---
+
+
+- **Query id:** 01aec7c2-3e4d-4274-ae47-2b8fea22fd1f
+- **Query name:** ECS Task Definition Network Mode Not Recommended
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecs_task_definition_network_mode_not_recommended)
+
+### Description
+Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_taskdefinition_module.html#parameter-network_mode)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="31 15"
+---
+- name: Create task definition
+ community.aws.ecs_taskdefinition:
+ family: nginx
+ containers:
+ - name: nginx
+ essential: true
+ image: "nginx"
+ portMappings:
+ - containerPort: 8080
+ hostPort: 8080
+ cpu: 512
+ memory: 1024
+ state: present
+ network_mode: default
+
+- name: Create task definition2
+ community.aws.ecs_taskdefinition:
+ family: nginx
+ containers:
+ - name: nginx
+ essential: true
+ image: "nginx"
+ portMappings:
+ - containerPort: 8080
+ hostPort: 8080
+ launch_type: FARGATE
+ cpu: 512
+ memory: 1024
+ state: present
+ network_mode: none
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Create task definition
+ community.aws.ecs_taskdefinition:
+ family: nginx
+ containers:
+ - name: nginx
+ essential: true
+ image: nginx
+ portMappings:
+ - containerPort: 8080
+ hostPort: 8080
+ launch_type: FARGATE
+ cpu: 512
+ memory: 1024
+ state: present
+ network_mode: awsvpc
+
+```
diff --git a/docs/queries/ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f.md b/docs/queries/ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f.md
new file mode 100644
index 00000000000..ea3c83393b9
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/050f085f-a8db-4072-9010-2cca235cc02f.md
@@ -0,0 +1,96 @@
+---
+title: Auto Scaling Group With No Associated ELB
+hide:
+ toc: true
+ navigation: true
+---
+
+
+- **Query id:** 050f085f-a8db-4072-9010-2cca235cc02f
+- **Query name:** Auto Scaling Group With No Associated ELB
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/auto_scaling_group_with_no_associated_elb)
+
+### Description
+AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_asg_module.html#parameter-load_balancers)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+- name: elb1
+ community.aws.ec2_asg:
+ name: special
+ load_balancers: []
+ availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
+ launch_config_name: 'lc-1'
+ min_size: 1
+ max_size: 10
+ desired_capacity: 5
+ vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
+ tags:
+ - environment: production
+ propagate_at_launch: no
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="2"
+- name: elb2
+ ec2_asg:
+ name: special
+ availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
+ launch_config_name: 'lc-1'
+ min_size: 1
+ max_size: 10
+ desired_capacity: 5
+ vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
+ tags:
+ - environment: production
+ propagate_at_launch: no
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: elb12
+ community.aws.ec2_asg:
+ name: special
+ load_balancers: [ 'lb1', 'lb2' ]
+ availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
+ launch_config_name: 'lc-1'
+ min_size: 1
+ max_size: 10
+ desired_capacity: 5
+ vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
+ tags:
+ - environment: production
+ propagate_at_launch: no
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+- name: elb22
+ ec2_asg:
+ name: special
+ load_balancers: [ 'lb1', 'lb2' ]
+ availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
+ launch_config_name: 'lc-1'
+ min_size: 1
+ max_size: 10
+ desired_capacity: 5
+ vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
+ tags:
+ - environment: production
+ propagate_at_launch: no
+
+```
diff --git a/docs/queries/ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad.md b/docs/queries/ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad.md new file mode 100644 index 00000000000..213d33876bc --- /dev/null +++ b/docs/queries/ansible-queries/aws/0956aedf-6a7a-478b-ab56-63e2b19923ad.md @@ -0,0 +1,115 @@ +--- +title: DB Security Group With Public Scope +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0956aedf-6a7a-478b-ab56-63e2b19923ad +- **Query name:** DB Security Group With Public Scope +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/db_security_group_with_public_scope) + +### Description +The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="53 22" +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster + db_security_groups: ["example"] +- name: example ec2 group + ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1a + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ip: 10.0.0.0/8 + - proto: tcp + from_port: 443 + to_port: 443 + group_id: amazon-elb/sg-87654321/amazon-elb-sg + - proto: tcp + from_port: 3306 + to_port: 3306 + group_id: 123412341234/sg-87654321/exact-name-of-sg + - proto: udp + from_port: 10050 + to_port: 10050 + cidr_ip: 10.0.0.0/8 + - proto: udp + from_port: 10051 + to_port: 10051 + group_id: sg-12345678 + - proto: icmp + from_port: 8 # icmp type, -1 = any type + to_port: -1 # icmp subtype, -1 = any subtype + cidr_ip: 192.168.1.0/24 + - proto: all + group_name: example + rules_egress: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 0.0.0.0/0 + group_name: example-other + group_desc: other example EC2 group + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: example ec2 group2 + ec2_group: + name: example1 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1a + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 10.1.1.1/32 + rules_egress: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 10.1.1.1/32 + group_name: example-other + # description to use if example-other needs to be created + group_desc: other example EC2 group + +``` diff --git a/docs/queries/ansible-queries/aws/0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md b/docs/queries/ansible-queries/aws/0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md new file mode 100644 index 00000000000..34cbeb3fa9f --- /dev/null +++ b/docs/queries/ansible-queries/aws/0ed012a4-9199-43d2-b9e4-9bd049a48aa4.md @@ -0,0 +1,117 @@ +--- +title: IAM Database Auth Not Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0ed012a4-9199-43d2-b9e4-9bd049a48aa4 +- **Query name:** IAM Database Auth Not Enabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_database_auth_not_enabled) + +### Description +IAM Database Auth Enabled should be configured to true when using compatible engine and version
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 22" +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: mysql + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster + enable_iam_database_authentication: "No" + + +- name: Create a DB instance using the default AWS KMS encryption key + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: True + db_instance_class: db.t2.medium + username: "{{ username }}" + password: "{{ password }}" + allocated_storage: "{{ allocated_storage }}" + enable_iam_database_authentication: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: '{{ password }}' + username: '{{ username }}' + cluster_id: ansible-test-cluster + enable_iam_database_authentication: true + + +- name: Create a DB instance using the default AWS KMS encryption key + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: true + db_instance_class: db.t2.medium + username: '{{ username }}' + password: '{{ password }}' + allocated_storage: '{{ allocated_storage }}' + enable_iam_database_authentication: true + +- name: remove the DB instance without a final snapshot + community.aws.rds_instance: + id: '{{ instance_id }}' + state: absent + skip_final_snapshot: true + enable_iam_database_authentication: true + +- name: remove the DB instance with a final snapshot + community.aws.rds_instance: + id: '{{ instance_id }}' + state: absent + final_snapshot_identifier: '{{ snapshot_id }}' + enable_iam_database_authentication: true + +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster + enable_iam_database_authentication: "No" + +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: mariadb + engine_version: 10.2.43 + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster + +``` 
diff --git a/docs/queries/ansible-queries/aws/12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md b/docs/queries/ansible-queries/aws/12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md new file mode 100644 index 00000000000..8124151633a --- /dev/null +++ b/docs/queries/ansible-queries/aws/12a7a7ce-39d6-49dd-923d-aeb4564eb66c.md @@ -0,0 +1,64 @@ +--- +title: IAM Policy Grants 'AssumeRole' Permission Across All Services +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 12a7a7ce-39d6-49dd-923d-aeb4564eb66c +- **Query name:** IAM Policy Grants 'AssumeRole' Permission Across All Services +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services) + +### Description +IAM Policy should not grant 'AssumeRole' permission across all services.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +- name: Create IAM Managed Policy + community.aws.iam_managed_policy: + policy_name: "ManagedPolicy" + policy: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: "logs:CreateLogGroup" + Resource: "*" + Principal: + Service: "ec2.amazonaws.com" + AWS: "*" + make_default: false + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create IAM Managed Policy + community.aws.iam_managed_policy: + policy_name: ManagedPolicy + policy: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: logs:CreateLogGroup + Resource: '*' + make_default: false + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4.md b/docs/queries/ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4.md new file mode 100644 index 00000000000..e5521eb32d3 --- /dev/null +++ b/docs/queries/ansible-queries/aws/133fee21-37ef-45df-a563-4d07edc169f4.md @@ -0,0 +1,60 @@ +--- +title: CMK Is Unusable +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 133fee21-37ef-45df-a563-4d07edc169f4 +- **Query name:** CMK Is Unusable +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cmk_is_unusable) + +### Description +AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'enabled' set to true and the attribute 'pending_window' must be undefined.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enabled) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +- name: Update IAM policy on an existing KMS key1 + community.aws.aws_kms: + alias: my-kms-key + policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { } ]}' + state: present + enabled: false + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +- name: Update IAM policy on an existing KMS key2 + community.aws.aws_kms: + alias: my-kms-key + policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { } ]}' + state: present + pending_window: 8 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Update IAM policy on an existing KMS key + community.aws.aws_kms: + alias: my-kms-key + policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { } ]}' + state: present + enabled: true + +``` diff --git a/docs/queries/ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8.md b/docs/queries/ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8.md new file mode 100644 index 00000000000..a6d9a283be3 --- /dev/null +++ b/docs/queries/ansible-queries/aws/16732649-4ff6-4cd2-8746-e72c13fae4b8.md @@ -0,0 +1,98 @@ +--- +title: RDS Associated with Public Subnet +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 16732649-4ff6-4cd2-8746-e72c13fae4b8 +- **Query name:** RDS Associated with Public Subnet +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/rds_associated_with_public_subnet) + +### Description +RDS should not run in public subnet
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-db_subnet_group_name) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster + db_subnet_group_name: my_subnet_group +- name: Add or change a subnet group + community.aws.rds_subnet_group: + state: present + name: my_subnet_group + description: My Fancy Ex Parrot Subnet Group + subnets: + - "{{ subnet1.subnet.id }}" + - "{{ subnet2.subnet.id }}" + register: my_subnet_group +- name: Create subnet for database servers + amazon.aws.ec2_vpc_subnet: + state: present + vpc_id: vpc-123456 + cidr: 0.0.0.0/0 + tags: + Name: Database Subnet + register: subnet1 +- name: Create subnet for database servers2 + amazon.aws.ec2_vpc_subnet: + state: present + vpc_id: vpc-123456 + cidr: 10.0.1.16/28 + tags: + Name: Database Subnet + register: subnet2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: create minimal aurora instance in default VPC and default subnet group2 + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster + db_subnet_group_name: my_subnet_group2 +- name: Add or change a subnet group2 + community.aws.rds_subnet_group: + state: present + name: my_subnet_group2 + description: My Fancy Ex Parrot Subnet Group + subnets: + - "{{ subnet22.subnet.id }}" + register: my_subnet_group2 +- name: Create subnet for database servers22 + amazon.aws.ec2_vpc_subnet: + state: present + vpc_id: vpc-123456 + cidr: 10.0.1.16/28 + tags: + Name: Database Subnet + register: subnet22 + +``` diff --git a/docs/queries/ansible-queries/aws/17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md b/docs/queries/ansible-queries/aws/17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md new file mode 100644 index 00000000000..97fcbd31bd4 --- /dev/null +++ b/docs/queries/ansible-queries/aws/17d5ba1d-7667-4729-b1a6-b11fde3db7f7.md @@ -0,0 +1,72 @@ +--- +title: Stack Retention Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 17d5ba1d-7667-4729-b1a6-b11fde3db7f7 +- **Query name:** Stack Retention Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/stack_retention_disabled) + +### Description +Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudformation_stack_set_module.html#parameter-purge_stacks) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 23" +- name: Create a stack set with instances in two accounts + community.aws.cloudformation_stack_set: + name: my-stack2 + description: Test stack in two accounts + state: present + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + accounts: [1234567890, 2345678901] + regions: + - us-east-1 + +- name: on subsequent calls, templates are optional but parameters and tags can be altered + community.aws.cloudformation_stack_set: + name: my-stack3 + state: present + parameters: + InstanceName: my_stacked_instance + tags: + foo: bar + test: stack + accounts: [1234567890, 2345678901] + regions: + - us-east-1 + purge_stacks: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a stack set with instances in two accounts + community.aws.cloudformation_stack_set: + name: my-stack + description: Test stack in two accounts + state: present + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + accounts: [1234567890, 2345678901] + regions: + - us-east-1 + purge_stacks: false + +``` diff --git a/docs/queries/ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a.md b/docs/queries/ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a.md new file mode 100644 index 00000000000..0822a7f6ea0 --- /dev/null +++ b/docs/queries/ansible-queries/aws/1d972c56-8ec2-48c1-a578-887adb09c57a.md 
@@ -0,0 +1,59 @@ +--- +title: Lambda Permission Principal Is Wildcard +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1d972c56-8ec2-48c1-a578-887adb09c57a +- **Query name:** Lambda Permission Principal Is Wildcard +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/lambda_permission_principal_is_wildcard) + +### Description +Lambda Permission Principal should not contain a wildcard.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +- name: Lambda S3 event notification + community.aws.lambda_policy: + state: present + function_name: functionName + alias: Dev + statement_id: lambda-s3-myBucket-create-data-log + action: lambda:AddPermission + principal: "*" + source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName + source_account: 123456789012 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Lambda S3 event notification negative + community.aws.lambda_policy: + state: present + function_name: functionName + alias: Dev + statement_id: lambda-s3-myBucket-create-data-log + action: lambda:AddPermission + principal: s3.amazonaws.com + source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName + source_account: 123456789012 + +``` diff --git a/docs/queries/ansible-queries/aws/1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md b/docs/queries/ansible-queries/aws/1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md new file mode 100644 index 00000000000..388541bd77f --- /dev/null +++ b/docs/queries/ansible-queries/aws/1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89.md @@ -0,0 +1,91 @@ +--- +title: User Data Shell Script Is Encoded +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1e2341ba-a5cf-4f0a-a5f6-47e90c68ea89 +- **Query name:** User Data Shell Script Is Encoded +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/user_data_shell_script_is_encoded) + +### Description +User Data Shell Script must be encoded
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +--- +- name: note that encrypted volumes are only supported in >= Ansible 2.4 + community.aws.ec2_lc: + name: special + image_id: ami-XXX + key_name: default + security_groups: ['group', 'group2'] + instance_type: t1.micro + user_data: IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg== + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true + encrypted: true + - device_name: /dev/sdb + ephemeral: ephemeral0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: note that encrypted volumes are only supported in >= Ansible 2.4 + community.aws.ec2_lc: + name: special + image_id: ami-XXX + key_name: default + security_groups: [group, group2] + instance_type: t1.micro + user_data: ZWNobyAiSGVsbG8gd29ybGQi + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true + encrypted: true + - device_name: /dev/sdb + ephemeral: ephemeral0 +- name: note that encrypted volumes are only supported in >= Ansible 2.4.2 + community.aws.ec2_lc: + name: special2 + image_id: ami-XXX + key_name: default + security_groups: [group, group2] + instance_type: t1.micro + user_data: + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true + encrypted: true + - device_name: /dev/sdb + ephemeral: ephemeral0 + +``` diff --git a/docs/queries/ansible-queries/aws/2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md b/docs/queries/ansible-queries/aws/2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md new file mode 100644 index 00000000000..3c6942b4ebb --- /dev/null +++ b/docs/queries/ansible-queries/aws/2034fb37-bc23-4ca0-8d95-2b9f15829ab5.md 
@@ -0,0 +1,179 @@ +--- +title: ELB Using Weak Ciphers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2034fb37-bc23-4ca0-8d95-2b9f15829ab5 +- **Query name:** ELB Using Weak Ciphers +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/elb_using_weak_ciphers) + +### Description +ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of weak ciphers.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 70 40 52 21 89" +#this is a problematic code where the query should report a result(s) +- name: elb1 + community.aws.elb_application_lb: + name: myelb1 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + state: present +- name: elb2 + community.aws.elb_application_lb: + name: myelb2 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present +- name: elb3 + community.aws.elb_application_lb: + name: myelb3 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. 
+ SslPolicy: DHE-DSS-DES-CBC3-SHA + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present +- name: elb4 + community.aws.elb_network_lb: + name: myelb4 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + state: present +- name: elb5 + community.aws.elb_network_lb: + name: myelb5 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP + Port: 80 + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. + Certificates: + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward + TargetGroupName: target + state: present +- name: elb6 + community.aws.elb_network_lb: + name: myelb6 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP + Port: 80 + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. + SslPolicy: TLS_RSA_NULL_MD5 + Certificates: + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward + TargetGroupName: target + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: elb1 + community.aws.elb_application_lb: + name: myelb1 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. 
The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. + SslPolicy: ELBSecurityPolicy-2015-05 + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present +- name: elb2 + community.aws.elb_network_lb: + name: myelb2 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. + SslPolicy: ELBSecurityPolicy-2015-05 + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/2059155b-27fd-441e-b616-6966c468561f.md b/docs/queries/ansible-queries/aws/2059155b-27fd-441e-b616-6966c468561f.md new file mode 100644 index 00000000000..8f79f0e3f4b --- /dev/null +++ b/docs/queries/ansible-queries/aws/2059155b-27fd-441e-b616-6966c468561f.md 
@@ -0,0 +1,67 @@ +--- +title: API Gateway X-Ray Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2059155b-27fd-441e-b616-6966c468561f +- **Query name:** API Gateway X-Ray Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/api_gateway_xray_disabled) + +### Description +API Gateway should have X-Ray Tracing enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html#parameter-tracing_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 12" +--- +- name: Setup AWS API Gateway setup on AWS and deploy API definition + community.aws.aws_api_gateway: + swagger_file: my_api.yml + stage: production + cache_enabled: true + cache_size: '1.6' + tracing_enabled: false + endpoint_type: EDGE + state: present +- name: Update API definition to deploy new version + community.aws.aws_api_gateway: + api_id: 'abc123321cba' + swagger_file: my_api.yml + deploy_desc: Make auth fix available. + cache_enabled: true + cache_size: '1.6' + endpoint_type: EDGE + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Setup AWS API Gateway setup on AWS and deploy API definition + community.aws.aws_api_gateway: + swagger_file: my_api.yml + stage: production + cache_enabled: true + cache_size: '1.6' + tracing_enabled: true + endpoint_type: EDGE + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/218413a0-c716-4b94-9e08-0bb70d854709.md b/docs/queries/ansible-queries/aws/218413a0-c716-4b94-9e08-0bb70d854709.md new file mode 100644 index 00000000000..990ebcc4bba --- /dev/null +++ b/docs/queries/ansible-queries/aws/218413a0-c716-4b94-9e08-0bb70d854709.md @@ -0,0 +1,66 @@ +--- +title: Secure Ciphers Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 218413a0-c716-4b94-9e08-0bb70d854709 +- **Query name:** Secure Ciphers Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/secure_ciphers_disabled) + +### Description +Check if secure ciphers aren't used in CloudFront
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +- name: example + community.aws.cloudfront_distribution: + state: present + caller_reference: unique test distribution ID + origins: + - id: 'my test origin-000111' + domain_name: www.example.com + origin_path: /production + custom_headers: + - header_name: MyCustomHeaderName + header_value: MyCustomHeaderValue + viewer_certificate: + cloudfront_default_certificate: false + minimum_protocol_version: 'SSLv3' + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example + community.aws.cloudfront_distribution: + state: present + caller_reference: unique test distribution ID + origins: + - id: my test origin-000111 + domain_name: www.example.com + origin_path: /production + custom_headers: + - header_name: MyCustomHeaderName + header_value: MyCustomHeaderValue + viewer_certificate: + cloudfront_default_certificate: true + +``` diff --git a/docs/queries/ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607.md b/docs/queries/ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607.md new file mode 100644 index 00000000000..db9aa9e189c --- /dev/null +++ b/docs/queries/ansible-queries/aws/22c80725-e390-4055-8d14-a872230f6607.md @@ -0,0 +1,56 @@ +--- +title: CloudFront Without WAF +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 22c80725-e390-4055-8d14-a872230f6607 +- **Query name:** CloudFront Without WAF +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudfront_without_waf) + +### Description +All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: create a basic distribution with defaults and tags + community.aws.cloudfront_distribution: + state: present + default_origin_domain_name: www.my-cloudfront-origin.com + tags: + Name: example distribution + Project: example project + Priority: '1' + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a basic distribution with defaults and tags + community.aws.cloudfront_distribution: + state: present + default_origin_domain_name: www.my-cloudfront-origin.com + tags: + Name: example distribution + Project: example project + Priority: '1' + web_acl_id: my-web-acl-id + +``` diff --git a/docs/queries/ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5.md b/docs/queries/ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5.md new file mode 100644 index 00000000000..29702f31228 --- /dev/null +++ b/docs/queries/ansible-queries/aws/265d9725-2fb8-42a2-bc57-3279c5db82d5.md @@ -0,0 +1,57 @@ +--- +title: Lambda Function Without Tags +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 265d9725-2fb8-42a2-bc57-3279c5db82d5 +- **Query name:** Lambda Function Without Tags +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/lambda_function_without_tags) + +### Description +AWS Lambda Functions must have associated tags.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: add tags + community.aws.lambda: + name: 'Lambda function' + state: present + zip_file: 'code.zip' + runtime: 'python2.7' + role: 'arn:aws:iam::987654321012:role/lambda_basic_execution' + handler: 'hello_python.my_handler' + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: add tags + community.aws.lambda: + name: 'Lambda function' + state: present + zip_file: 'code.zip' + runtime: 'python2.7' + role: 'arn:aws:iam::987654321012:role/lambda_basic_execution' + handler: 'hello_python.my_handler' + tags: + key1: 'value1' + +``` diff --git a/docs/queries/ansible-queries/aws/2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md b/docs/queries/ansible-queries/aws/2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md new file mode 100644 index 00000000000..9fad3b4db95 --- /dev/null +++ b/docs/queries/ansible-queries/aws/2cb674f6-32f9-40be-97f2-62c0dc38f0d5.md @@ -0,0 +1,143 @@ +--- +title: RDS Using Default Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2cb674f6-32f9-40be-97f2-62c0dc38f0d5 +- **Query name:** RDS Using Default Port +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/rds_using_default_port) + +### Description +RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-port) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it + backup_retention_period: 7 + port: 3306 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +- name: create minimal aurora instance in default VPC and default subnet group2 + community.aws.rds_instance: + engine: postgres + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it + backup_retention_period: 7 + port: 5432 + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +- name: create minimal aurora instance in default VPC and default subnet group2 + community.aws.rds_instance: + engine: oracle-ee + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it + backup_retention_period: 7 + port: 1521 + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="10" +- name: create minimal aurora instance in default VPC and default subnet group2 + community.aws.rds_instance: + engine: sqlserver-ee + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it + backup_retention_period: 7 + port: 1433 + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it + backup_retention_period: 7 + port: 3307 + +``` +```yaml title="Negative test num. 2 - yaml file" +- name: create minimal aurora instance in default VPC and default subnet group2 + community.aws.rds_instance: + engine: postgres + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it + backup_retention_period: 7 + port: 5433 + +``` +```yaml title="Negative test num. 3 - yaml file" +- name: create minimal aurora instance in default VPC and default subnet group2 + community.aws.rds_instance: + engine: oracle-ee + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it + backup_retention_period: 7 + port: 1522 + +``` +
Negative test num. 4 - yaml file + +```yaml +- name: create minimal aurora instance in default VPC and default subnet group2 + community.aws.rds_instance: + engine: sqlserver-ee + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it + backup_retention_period: 7 + port: 1434 + +``` +
diff --git a/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md b/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md new file mode 100644 index 00000000000..b3834586275 --- /dev/null +++ b/docs/queries/ansible-queries/aws/2d55ef88-b616-4890-b822-47f280763e89.md @@ -0,0 +1,55 @@ +--- +title: Memcached Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2d55ef88-b616-4890-b822-47f280763e89 +- **Query name:** Memcached Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/memcached_disabled) + +### Description +Check if the Memcached is disabled on the ElastiCache
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-engine) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +- name: Basic example + community.aws.elasticache: + name: "test-please-delete" + state: present + engine: redis + cache_engine_version: 5.1.10 + node_type: cache.m1.small + num_nodes: 1 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Basic example + community.aws.elasticache: + name: test-please-delete + state: present + engine: memcached + cache_engine_version: 5.1.10 + node_type: cache.m1.small + num_nodes: 1 + +``` diff --git a/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md b/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md new file mode 100644 index 00000000000..e77d342e7e3 --- /dev/null +++ b/docs/queries/ansible-queries/aws/309edc5b-5a59-42b4-a357-d4d098311fd4.md @@ -0,0 +1,50 @@ +--- +title: S3 Bucket SSE Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 309edc5b-5a59-42b4-a357-d4d098311fd4 +- **Query name:** S3 Bucket SSE Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_sse_disabled) + +### Description +If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-encryption_key_id) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +--- +- name: mys3Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + encryption: "aws:kms" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: mys3Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + encryption: AES256 + +``` diff --git a/docs/queries/ansible-queries/aws/32d31f1f-0f83-4721-b7ec-1e6948c60145.md b/docs/queries/ansible-queries/aws/32d31f1f-0f83-4721-b7ec-1e6948c60145.md new file mode 100644 index 00000000000..d6829929193 --- /dev/null +++ b/docs/queries/ansible-queries/aws/32d31f1f-0f83-4721-b7ec-1e6948c60145.md @@ -0,0 +1,126 @@ +--- +title: Stack Without Template +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 32d31f1f-0f83-4721-b7ec-1e6948c60145 +- **Query name:** Stack Without Template +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/stack_without_template) + +### Description +AWS CloudFormation should have a template defined through the attribute template, template_url or attribute template_body
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 2 30 15" +- name: create a stack, pass in the template via an URL + amazon.aws.cloudformation: + stack_name: "ansible-cloudformation" + state: present + region: us-east-1 + disable_rollback: true + template_parameters: + KeyName: jmartin + DiskType: ephemeral + InstanceType: m1.small + ClusterSize: 3 + tags: + Stack: ansible-cloudformation +- name: create a stack, pass in the template via an URL v2 + amazon.aws.cloudformation: + stack_name: "ansible-cloudformation" + state: present + region: us-east-1 + disable_rollback: true + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + template_body: "{{ lookup('template', 'cloudformation.j2') }}" + template_parameters: + KeyName: jmartin + DiskType: ephemeral + InstanceType: m1.small + ClusterSize: 3 + tags: + Stack: ansible-cloudformation +- name: Create a stack set with instances in two accounts + community.aws.cloudformation_stack_set: + name: my-stack + description: Test stack in two accounts + state: present + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + template_body: "{{ lookup('template', 'cloudformation.j2') }}" + accounts: [1234567890, 2345678901] + regions: + - us-east-1 +- name: Create a stack set with instances in two accounts v2 + community.aws.cloudformation_stack_set: + name: my-stack + description: Test stack in two accounts + state: present + accounts: [1234567890, 2345678901] + regions: + - us-east-1 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: create a stack, pass in the template body via lookup template v3 + amazon.aws.cloudformation: + stack_name: ansible-cloudformation + state: present + region: us-east-1 + disable_rollback: true + template_body: "{{ lookup('template', 'cloudformation.j2') }}" + template_parameters: + KeyName: jmartin + DiskType: ephemeral + InstanceType: m1.small + ClusterSize: 3 + tags: + Stack: ansible-cloudformation + + +- name: create a stack, pass in the template via an URL v4 + amazon.aws.cloudformation: + stack_name: ansible-cloudformation + state: present + region: us-east-1 + disable_rollback: true + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + template_parameters: + KeyName: jmartin + DiskType: ephemeral + InstanceType: m1.small + ClusterSize: 3 + tags: + Stack: ansible-cloudformation + + +- name: Create a stack set with instances in two accounts v5 + community.aws.cloudformation_stack_set: + name: my-stack + description: Test stack in two accounts + state: present + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + accounts: [1234567890, 2345678901] + regions: + - us-east-1 + +``` diff --git a/docs/queries/ansible-queries/aws/338b6cab-961d-4998-bb49-e5b6a11c9a5c.md b/docs/queries/ansible-queries/aws/338b6cab-961d-4998-bb49-e5b6a11c9a5c.md new file mode 100644 index 00000000000..01ebd0e8e25 --- /dev/null +++ b/docs/queries/ansible-queries/aws/338b6cab-961d-4998-bb49-e5b6a11c9a5c.md 
@@ -0,0 +1,106 @@ +--- +title: EC2 Not EBS Optimized +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 338b6cab-961d-4998-bb49-e5b6a11c9a5c +- **Query name:** EC2 Not EBS Optimized +- **Platform:** Ansible +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ec2_not_ebs_optimized) + +### Description +It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-ebs_optimized) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: example + amazon.aws.ec2: + key_name: mykey + instance_type: t2.micro + image: ami-123456 + wait: yes + group: default + count: 3 + vpc_subnet_id: subnet-29e63245 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +- name: example2 + amazon.aws.ec2: + key_name: mykey + instance_type: t2.micro + image: ami-123456 + wait: yes + group: default + count: 3 + vpc_subnet_id: subnet-29e63245 + ebs_optimized: false + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="2" +- name: example3 + amazon.aws.ec2: + key_name: mykey + image: ami-123456 + wait: yes + group: default + count: 3 + vpc_subnet_id: subnet-29e63245 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example4 + amazon.aws.ec2: + key_name: mykey + image: ami-123456 + wait: yes + group: my_sg + count: 3 + vpc_subnet_id: subnet-29e63245 + ebs_optimized: true + +``` +```yaml title="Negative test num. 2 - yaml file" +- name: example5 + amazon.aws.ec2: + key_name: mykey + instance_type: t3.nano + image: ami-123456 + wait: yes + group: my_sg + count: 3 + vpc_subnet_id: subnet-29e63245 + +``` +```yaml title="Negative test num. 3 - yaml file" +- name: example5 + amazon.aws.ec2: + key_name: mykey + instance_type: t3.nano + image: ami-123456 + wait: yes + group: my_sg + count: 3 + vpc_subnet_id: subnet-29e63245 + ebs_optimized: false + +``` diff --git a/docs/queries/ansible-queries/aws/3505094c-f77c-4ba0-95da-f83db712f86c.md b/docs/queries/ansible-queries/aws/3505094c-f77c-4ba0-95da-f83db712f86c.md new file mode 100644 index 00000000000..1a34d6df21e --- /dev/null +++ b/docs/queries/ansible-queries/aws/3505094c-f77c-4ba0-95da-f83db712f86c.md 
@@ -0,0 +1,115 @@ +--- +title: S3 Bucket with Unsecured CORS Rule +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3505094c-f77c-4ba0-95da-f83db712f86c +- **Query name:** S3 Bucket with Unsecured CORS Rule +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_with_unsecured_cors_rule) + +### Description +If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_s3_cors_module.html#parameter-rules) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +- name: Create s3 bucket2 + community.aws.aws_s3_cors: + name: mys3bucket + state: present + rules: + - allowed_origins: + - http://www.example.com/ + allowed_methods: + - GET + - POST + - PUT + - DELETE + - HEAD + allowed_headers: + - Authorization + expose_headers: + - x-amz-server-side-encryption + - x-amz-request-id + max_age_seconds: 30000 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +- name: Create s3 bucket4 + aws_s3_cors: + name: mys3bucket2 + state: present + rules: + - allowed_origins: + - http://www.example.com/ + allowed_methods: + - GET + - POST + - PUT + - DELETE + - HEAD + allowed_headers: + - Authorization + expose_headers: + - x-amz-server-side-encryption + - x-amz-request-id + max_age_seconds: 30000 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create s3 bucket + community.aws.aws_s3_cors: + name: mys3bucket3 + state: present + rules: + - allowed_origins: + - http://www.example.com/ + allowed_methods: + - GET + - POST + allowed_headers: + - Authorization + expose_headers: + - x-amz-server-side-encryption + - x-amz-request-id + max_age_seconds: 30000 + +``` +```yaml title="Negative test num. 2 - yaml file" +- name: Create s3 bucket1 + aws_s3_cors: + name: mys3bucket4 + state: present + rules: + - allowed_origins: + - http://www.example.com/ + allowed_methods: + - GET + - POST + allowed_headers: + - Authorization + expose_headers: + - x-amz-server-side-encryption + - x-amz-request-id + max_age_seconds: 30000 + +``` 
diff --git a/docs/queries/ansible-queries/aws/3ab1f27d-52cc-4943-af1d-43c1939e739a.md b/docs/queries/ansible-queries/aws/3ab1f27d-52cc-4943-af1d-43c1939e739a.md new file mode 100644 index 00000000000..8c92354d225 --- /dev/null +++ b/docs/queries/ansible-queries/aws/3ab1f27d-52cc-4943-af1d-43c1939e739a.md @@ -0,0 +1,69 @@ +--- +title: S3 Bucket Access to Any Principal +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3ab1f27d-52cc-4943-af1d-43c1939e739a +- **Query name:** S3 Bucket Access to Any Principal +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_access_to_any_principal) + +### Description +Checks if the S3 bucket is accessible for all users
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#ansible-collections-amazon-aws-s3-bucket-module) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +- name: Create a simple s3 bucket with a policy + amazon.aws.s3_bucket: + name: mys3bucket + policy: + Version: "2012-10-17" + Id: "sqspolicy" + Statement: + - Sid: First + Effect: Allow + Principal: "*" + Action: "*" + Resource: ${aws_sqs_queue.q.arn} + Condition: + ArnEquals: + aws:SourceArn: ${aws_sns_topic.example.arn} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a simple s3 bucket with a policy + amazon.aws.s3_bucket: + name: mys3bucket + policy: + Version: '2012-10-17' + Id: sqspolicy + Statement: + - Sid: First + Effect: Deny + Principal: '*' + Action: '*' + Resource: ${aws_sqs_queue.q.arn} + Condition: + ArnEquals: + aws:SourceArn: ${aws_sns_topic.example.arn} + +``` diff --git a/docs/queries/ansible-queries/aws/3ddf3417-424d-420d-8275-0724dc426520.md b/docs/queries/ansible-queries/aws/3ddf3417-424d-420d-8275-0724dc426520.md new file mode 100644 index 00000000000..cbd51f46aa0 --- /dev/null +++ b/docs/queries/ansible-queries/aws/3ddf3417-424d-420d-8275-0724dc426520.md @@ -0,0 +1,59 @@ +--- +title: Lambda Permission Misconfigured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3ddf3417-424d-420d-8275-0724dc426520 +- **Query name:** Lambda Permission Misconfigured +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/lambda_permission_misconfigured) + +### Description +Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +- name: Lambda S3 notification positive + community.aws.lambda_policy: + state: present + function_name: functionName + alias: Dev + statement_id: lambda-s3-myBucket-create-data-log + action: lambda:CreateFunction + principal: s3.amazonaws.com + source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName + source_account: 123456789012 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Lambda S3 notification negative + community.aws.lambda_policy: + state: present + function_name: functionName + alias: Dev + statement_id: lambda-s3-myBucket-create-data-log + action: lambda:InvokeFunction + principal: s3.amazonaws.com + source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName + source_account: 123456789012 + +``` diff --git a/docs/queries/ansible-queries/aws/3f2cf811-88fa-4eda-be45-7a191a18aba9.md b/docs/queries/ansible-queries/aws/3f2cf811-88fa-4eda-be45-7a191a18aba9.md new file mode 100644 index 00000000000..65e7213e9ec --- /dev/null +++ b/docs/queries/ansible-queries/aws/3f2cf811-88fa-4eda-be45-7a191a18aba9.md @@ -0,0 +1,86 @@ +--- +title: Misconfigured Password Policy Expiration +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3f2cf811-88fa-4eda-be45-7a191a18aba9 +- **Query name:** Misconfigured Password Policy Expiration +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/misconfigured_password_policy_expiration) + +### Description +No password expiration policy
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 2 21" +- name: Missing Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_reuse_prevent: 5 + pw_expire: false +- name: Extreme Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 180 + pw_reuse_prevent: 5 + pw_expire: false +- name: Alias extreme Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + password_max_age: 95 + pw_reuse_prevent: 5 + pw_expire: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Missing Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 20 + pw_reuse_prevent: 5 + pw_expire: false + +``` diff --git a/docs/queries/ansible-queries/aws/445dce51-7e53-4e50-80ef-7f94f14169e4.md b/docs/queries/ansible-queries/aws/445dce51-7e53-4e50-80ef-7f94f14169e4.md new file mode 100644 index 00000000000..85ccf9b60cf --- /dev/null +++ b/docs/queries/ansible-queries/aws/445dce51-7e53-4e50-80ef-7f94f14169e4.md 
@@ -0,0 +1,72 @@ +--- +title: Route53 Record Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 445dce51-7e53-4e50-80ef-7f94f14169e4 +- **Query name:** Route53 Record Undefined +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/route53_record_undefined) + +### Description +Route53 Record should have a list of records
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/route53_module.html#parameter-value) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 14" +--- +- name: Use a routing policy to distribute traffic02 + community.aws.route53: + state: present + zone: foo.com + record: www.foo.com + type: CNAME + value: + ttl: 30 + identifier: "host1@www" + weight: 100 + health_check: "d994b780-3150-49fd-9205-356abdd42e75" +- name: Use a routing policy to distribute traffic03 + community.aws.route53: + state: present + zone: foo.com + record: www.foo.com + type: CNAME + ttl: 30 + identifier: "host1@www" + weight: 100 + health_check: "d994b780-3150-49fd-9205-356abdd42e75" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Use a routing policy to distribute traffic + community.aws.route53: + state: present + zone: foo.com + record: www.foo.com + type: CNAME + value: host1.foo.com + ttl: 30 + identifier: host1@www + weight: 100 + health_check: d994b780-3150-49fd-9205-356abdd42e75 + +``` diff --git a/docs/queries/ansible-queries/aws/4b6012e7-7176-46e4-8108-e441785eae57.md b/docs/queries/ansible-queries/aws/4b6012e7-7176-46e4-8108-e441785eae57.md new file mode 100644 index 00000000000..bd4c90335b1 --- /dev/null +++ b/docs/queries/ansible-queries/aws/4b6012e7-7176-46e4-8108-e441785eae57.md @@ -0,0 +1,81 @@ +--- +title: EBS Volume Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4b6012e7-7176-46e4-8108-e441785eae57 +- **Query name:** EBS Volume Encryption Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ebs_volume_encryption_disabled) + +### Description +EBS volumes should be encrypted
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 19 12 5" +--- +- name: Creating EBS volume01 + amazon.aws.ec2_vol: + instance: XXXXXX + encrypted: no + volume_size: 50 + volume_type: gp2 + device_name: /dev/xvdf +- name: Creating EBS volume02 + amazon.aws.ec2_vol: + instance: XXXXXX + encrypted: false + volume_size: 50 + volume_type: gp2 + device_name: /dev/xvdf +- name: Creating EBS volume03 + amazon.aws.ec2_vol: + instance: XXXXXX + encrypted: "false" + volume_size: 50 + volume_type: gp2 + device_name: /dev/xvdf +- name: Creating EBS volume04 + amazon.aws.ec2_vol: + instance: XXXXXX + volume_size: 50 + volume_type: gp2 + device_name: /dev/xvdf + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Creating EBS volume05 + amazon.aws.ec2_vol: + instance: XXXXXX + encrypted: yes + volume_size: 50 + volume_type: gp2 + device_name: /dev/xvdf +- name: Creating EBS volume06 + amazon.aws.ec2_vol: + instance: XXXXXX + encrypted: 'True' + volume_size: 50 + volume_type: gp2 + device_name: /dev/xvdf + +``` diff --git a/docs/queries/ansible-queries/aws/4d8681a2-3d30-4c89-8070-08acd142748e.md b/docs/queries/ansible-queries/aws/4d8681a2-3d30-4c89-8070-08acd142748e.md new file mode 100644 index 00000000000..18351816781 --- /dev/null +++ b/docs/queries/ansible-queries/aws/4d8681a2-3d30-4c89-8070-08acd142748e.md 
@@ -0,0 +1,94 @@ +--- +title: CloudTrail Log File Validation Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d8681a2-3d30-4c89-8070-08acd142748e +- **Query name:** CloudTrail Log File Validation Disabled +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudtrail_log_file_validation_disabled) + +### Description +CloudTrail log file validation should be enabled to determine whether a log file has not been tampered
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 21" +- name: create multi-region trail with validation and tags + community.aws.cloudtrail: + state: present + name: default + s3_bucket_name: mylogbucket + region: us-east-1 + is_multi_region_trail: true + cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role" + cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*" + kms_key_id: "alias/MyAliasName" + tags: + environment: dev + Name: default +- name: create multi-region trail with validation and tags v7 + community.aws.cloudtrail: + state: present + name: default + s3_bucket_name: mylogbucket + region: us-east-1 + is_multi_region_trail: true + enable_log_file_validation: false + cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role" + cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*" + kms_key_id: "alias/MyAliasName" + tags: + environment: dev + Name: default + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: create multi-region trail with validation and tags v2 + community.aws.cloudtrail: + state: present + name: default + s3_bucket_name: mylogbucket + region: us-east-1 + is_multi_region_trail: true + enable_log_file_validation: true + cloudwatch_logs_role_arn: arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role + cloudwatch_logs_log_group_arn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:* + kms_key_id: alias/MyAliasName + tags: + environment: dev + Name: default +- name: create multi-region trail with validation and tags v3 + community.aws.cloudtrail: + state: present + name: default + s3_bucket_name: mylogbucket + region: us-east-1 + is_multi_region_trail: true + log_file_validation_enabled: true + cloudwatch_logs_role_arn: arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role + cloudwatch_logs_log_group_arn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:* + kms_key_id: alias/MyAliasName + tags: + environment: dev + Name: default + +``` diff --git a/docs/queries/ansible-queries/aws/5330b503-3319-44ff-9b1c-00ee873f728a.md b/docs/queries/ansible-queries/aws/5330b503-3319-44ff-9b1c-00ee873f728a.md new file mode 100644 index 00000000000..f776a57006d --- /dev/null +++ b/docs/queries/ansible-queries/aws/5330b503-3319-44ff-9b1c-00ee873f728a.md @@ -0,0 +1,74 @@ +--- +title: EC2 Group Has Public Interface +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5330b503-3319-44ff-9b1c-00ee873f728a +- **Query name:** EC2 Group Has Public Interface +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ec2_group_has_public_interface) + +### Description +The CIDR IP should not be a public interface
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22" +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster + db_security_groups: ["example"] +- name: example ec2 group + ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1a + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 0.0.0.0/0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example ec2 group2 + ec2_group1: + name: example1 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1a + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 10.1.1.1/32 + +``` diff --git a/docs/queries/ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf.md b/docs/queries/ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf.md new file mode 100644 index 00000000000..5d86d9bbdfd --- /dev/null +++ b/docs/queries/ansible-queries/aws/53bce6a8-5492-4b1b-81cf-664385f0c4bf.md 
@@ -0,0 +1,61 @@ +--- +title: S3 Bucket Allows Get Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 53bce6a8-5492-4b1b-81cf-664385f0c4bf +- **Query name:** S3 Bucket Allows Get Action From All Principals +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals) + +### Description +S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +#this is a problematic code where the query should report a result(s) +- name: Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + policy: + Version: "2020-10-07" + Statement: + - Effect: Allow + Action: GetObject + Principal: "*" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + policy: + Version: '2020-10-07' + Statement: + - Effect: Allow + Action: GetObject + Principal: NotAll + +``` diff --git a/docs/queries/ansible-queries/aws/5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md b/docs/queries/ansible-queries/aws/5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md new file mode 100644 index 00000000000..0cf75405d25 --- /dev/null +++ b/docs/queries/ansible-queries/aws/5527dcfc-94f9-4bf6-b7d4-1b78850cf41f.md @@ -0,0 +1,62 @@ +--- +title: ElastiCache Without VPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5527dcfc-94f9-4bf6-b7d4-1b78850cf41f +- **Query name:** ElastiCache Without VPC +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/elasticache_without_vpc) + +### Description +ElastiCache should be launched in a Virtual Private Cloud (VPC)
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_subnet_group) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: Basic example + community.aws.elasticache: + name: "test-please-delete" + state: present + engine: memcached + cache_engine_version: 1.4.14 + node_type: cache.m1.small + num_nodes: 1 + cache_port: 11211 + cache_security_groups: + - default + zone: us-east-1d + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Basic example2 + community.aws.elasticache: + name: "test-please-delete" + state: present + engine: memcached + cache_engine_version: 1.4.14 + node_type: cache.m1.small + num_nodes: 1 + cache_port: 11211 + cache_subnet_group: default + zone: us-east-1d + +``` diff --git a/docs/queries/ansible-queries/aws/559439b2-3e9c-4739-ac46-17e3b24ec215.md b/docs/queries/ansible-queries/aws/559439b2-3e9c-4739-ac46-17e3b24ec215.md new file mode 100644 index 00000000000..61f14827632 --- /dev/null +++ b/docs/queries/ansible-queries/aws/559439b2-3e9c-4739-ac46-17e3b24ec215.md @@ -0,0 +1,57 @@ +--- +title: API Gateway Endpoint Config is Not Private +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 559439b2-3e9c-4739-ac46-17e3b24ec215 +- **Query name:** API Gateway Endpoint Config is Not Private +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/api_gateway_endpoint_config_is_not_private) + +### Description +The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +- name: Setup AWS API Gateway setup on AWS and deploy API definition + community.aws.aws_api_gateway: + swagger_file: my_api.yml + stage: production + cache_enabled: true + cache_size: '1.6' + tracing_enabled: true + endpoint_type: EDGE + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Setup AWS API Gateway setup on AWS and deploy API definition + community.aws.aws_api_gateway: + swagger_file: my_api.yml + stage: production + cache_enabled: true + cache_size: '1.6' + tracing_enabled: true + endpoint_type: PRIVATE + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77.md b/docs/queries/ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77.md new file mode 100644 index 00000000000..27c396e6499 --- /dev/null +++ b/docs/queries/ansible-queries/aws/57ced4b9-6ba4-487b-8843-b65562b90c77.md @@ -0,0 +1,73 @@ +--- +title: Security Group With Unrestricted Access To SSH +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 57ced4b9-6ba4-487b-8843-b65562b90c77 +- **Query name:** Security Group With Unrestricted Access To SSH +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh) + +### Description +'SSH' (TCP:22) should not be public in AWS Security Group
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +- name: example ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ip: 79.32.0.0/12 + - proto: tcp + from_port: -1 + to_port: -1 + cidr_ip: 79.32.0.0/12 + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ipv6: 2607:F8B0::/24 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example ec2 group v2 + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 79.32.0.0/8 + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ipv6: 64:ff9b::/96 + +``` diff --git a/docs/queries/ansible-queries/aws/594f54e7-f744-45ab-93e4-c6dbaf6cd571.md b/docs/queries/ansible-queries/aws/594f54e7-f744-45ab-93e4-c6dbaf6cd571.md new file mode 100644 index 00000000000..ee237922031 --- /dev/null +++ b/docs/queries/ansible-queries/aws/594f54e7-f744-45ab-93e4-c6dbaf6cd571.md @@ -0,0 +1,49 @@ +--- +title: S3 Bucket Without Server-side-encryption +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 594f54e7-f744-45ab-93e4-c6dbaf6cd571 +- **Query name:** S3 Bucket Without Server-side-encryption +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_without_server-side_encryption) + +### Description +AWS S3 Storage should be protected with SSE (Server-Side Encryption)
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +- name: Create a simple s3 bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + encryption: "none" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a simple s3 bucket v2 + amazon.aws.s3_bucket: + name: mys3bucket + state: present + encryption: aws:kms + +``` diff --git a/docs/queries/ansible-queries/aws/5a443297-19d4-4381-9e5b-24faf947ec22.md b/docs/queries/ansible-queries/aws/5a443297-19d4-4381-9e5b-24faf947ec22.md new file mode 100644 index 00000000000..eab5fb73851 --- /dev/null +++ b/docs/queries/ansible-queries/aws/5a443297-19d4-4381-9e5b-24faf947ec22.md @@ -0,0 +1,51 @@ +--- +title: Certificate Has Expired +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5a443297-19d4-4381-9e5b-24faf947ec22 +- **Query name:** Certificate Has Expired +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/certificate_has_expired) + +### Description +Expired SSL/TLS certificates should be removed
+[Documentation](https://docs.ansible.com/ansible/2.10/collections/community/aws/aws_acm_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +- name: upload a self-signed certificate + community.aws.aws_acm: + certificate: "{{ lookup('file', 'expiredCertificate.pem' ) }}" + privateKey: "{{ lookup('file', 'key.pem' ) }}" + name_tag: my_cert + region: ap-southeast-2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: upload a self-signed certificate2 + community.aws.aws_acm: + certificate: "{{ lookup('file', 'validCertificate.pem' ) }}" + privateKey: "{{ lookup('file', 'key.pem' ) }}" + name_tag: my_cert + region: ap-southeast-2 + +``` diff --git a/docs/queries/ansible-queries/aws/5b9d237a-57d5-4177-be0e-71434b0fef47.md b/docs/queries/ansible-queries/aws/5b9d237a-57d5-4177-be0e-71434b0fef47.md new file mode 100644 index 00000000000..769076317a9 --- /dev/null +++ b/docs/queries/ansible-queries/aws/5b9d237a-57d5-4177-be0e-71434b0fef47.md @@ -0,0 +1,58 @@ +--- +title: KMS Key With Vulnerable Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5b9d237a-57d5-4177-be0e-71434b0fef47 +- **Query name:** KMS Key With Vulnerable Policy +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/kms_key_with_vulnerable_policy) + +### Description +Checks if the policy is vulnerable and needs updating.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 5" +--- +- name: Update IAM policy on an existing KMS key + community.aws.aws_kms: + alias: my-kms-key + policy: {'Id': 'auto-ebs-2', 'Statement': [{'Action': ['kms:*'], 'Effect': 'Allow', 'Principal': {'AWS': '*'}, 'Resource': '*', 'Sid': 'Allow access through EBS for all principals in the account that are authorized to use EBS'}, {'Action': ['kms:Describe*', 'kms:Get*', 'kms:List*', 'kms:RevokeGrant'], 'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::111111111111:root'}, 'Resource': '*', 'Sid': 'Allow direct access to key metadata to the account'}], 'Version': '2012-10-17'} + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Update IAM policy on an existing KMS key + community.aws.aws_kms: + alias: my-kms-key + policy: | + { Id: auto-ebs-2, Statement: [{Action: [kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, + kms:GenerateDataKey*, kms:CreateGrant, kms:DescribeKey], Condition: { + StringEquals: {kms:CallerAccount: '111111111111', kms:ViaService: ec2.ap-southeast-2.amazonaws.com}}, + Effect: Allow, Principal: {AWS: '*'}, Resource: '*', + Sid: Allow access through EBS for all principals in the account that are authorized to use EBS }, + { Action: [kms:Describe*, kms:Get*, kms:List*, kms:RevokeGrant], Effect: Allow, + Principal: {AWS: arn:aws:iam::111111111111:root}, Resource: '*', + Sid: Allow direct access to key metadata to the account}], Version: '2012-10-17' } + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md b/docs/queries/ansible-queries/aws/5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md new file mode 100644 index 00000000000..3629f6e67bf --- /dev/null 
+++ b/docs/queries/ansible-queries/aws/5ba316a9-c466-4ec1-8d5b-bc6107dc9a92.md @@ -0,0 +1,62 @@ +--- +title: CloudTrail SNS Topic Name Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5ba316a9-c466-4ec1-8d5b-bc6107dc9a92 +- **Query name:** CloudTrail SNS Topic Name Undefined +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudtrail_sns_topic_name_undefined) + +### Description +Check if SNS topic name is set for CloudTrail
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 15" +- name: no sns topic name + community.aws.cloudtrail: + state: present + name: default + s3_bucket_name: mylogbucket + s3_key_prefix: cloudtrail + region: us-east-1 +- name: sns topic name defined + community.aws.cloudtrail: + state: present + name: default + s3_bucket_name: mylogbucket + s3_key_prefix: cloudtrail + region: us-east-1 + sns_topic_name: + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: sns topic name defined + community.aws.cloudtrail: + state: present + name: default + s3_bucket_name: mylogbucket + s3_key_prefix: cloudtrail + region: us-east-1 + sns_topic_name: some_topic_name + +``` diff --git a/docs/queries/ansible-queries/aws/5c6b727b-1382-4629-8ba9-abd1365e5610.md b/docs/queries/ansible-queries/aws/5c6b727b-1382-4629-8ba9-abd1365e5610.md new file mode 100644 index 00000000000..9041fa7de95 --- /dev/null +++ b/docs/queries/ansible-queries/aws/5c6b727b-1382-4629-8ba9-abd1365e5610.md @@ -0,0 +1,87 @@ +--- +title: Redshift Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5c6b727b-1382-4629-8ba9-abd1365e5610 +- **Query name:** Redshift Publicly Accessible +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/redshift_publicly_accessible) + +### Description +AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true (default is false)
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 17 25" +--- +- name: Basic cluster provisioning example04 + community.aws.redshift: + command: create + node_type: ds1.xlarge + identifier: new_cluster + username: cluster_admin + password: 1nsecur3 + publicly_accessible: yes +- name: Basic cluster provisioning example05 + community.aws.redshift: + command: create + node_type: ds1.xlarge + identifier: new_cluster + username: cluster_admin + password: 1nsecur3 + publicly_accessible: True +- name: Basic cluster provisioning example06 + redshift: + command: create + node_type: ds1.xlarge + identifier: new_cluster + username: cluster_admin + password: 1nsecur3 + publicly_accessible: Yes + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Basic cluster provisioning example01 + community.aws.redshift: + command: create + node_type: ds1.xlarge + identifier: new_cluster + username: cluster_admin + password: 1nsecur3 + publicly_accessible: no +- name: Basic cluster provisioning example02 + community.aws.redshift: + command: create + node_type: ds1.xlarge + identifier: new_cluster + username: cluster_admin + password: 1nsecur3 +- name: Basic cluster provisioning example03 + redshift: + command: create + node_type: ds1.xlarge + identifier: new_cluster + username: cluster_admin + password: 1nsecur3 + publicly_accessible: false + +``` diff --git a/docs/queries/ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9.md b/docs/queries/ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9.md new file mode 100644 index 00000000000..10069b07842 --- /dev/null +++ b/docs/queries/ansible-queries/aws/5e92d816-2177-4083-85b4-f61b4f7176d9.md 
@@ -0,0 +1,57 @@ +--- +title: Public Lambda via API Gateway +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5e92d816-2177-4083-85b4-f61b4f7176d9 +- **Query name:** Public Lambda via API Gateway +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/public_lambda_via_api_gateway) + +### Description +Allowing to run lambda function using public API Gateway
+[Documentation](https://docs.ansible.com/ansible/2.4/lambda_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +- name: Lambda S3 event notification + lambda_policy: + state: "{{ state | default('present') }}" + function_name: functionName + alias: Dev + statement_id: lambda-s3-myBucket-create-data-log + action: lambda:InvokeFunction + principal: apigateway.amazonaws.com + source_arn: arn:aws:s3:eu-central-1:123456789012/*/* + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Lambda S3 event notification + lambda_policy: + state: "{{ state | default('present') }}" + function_name: functionName + alias: Dev + statement_id: lambda-s3-myBucket-create-data-log + action: lambda:InvokeFunction + principal: s3.amazonaws.com + source_arn: arn:aws:s3:eu-central-1:123456789012:bucketname + +``` diff --git a/docs/queries/ansible-queries/aws/5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md b/docs/queries/ansible-queries/aws/5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md new file mode 100644 index 00000000000..4f094edaa24 --- /dev/null +++ b/docs/queries/ansible-queries/aws/5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce.md @@ -0,0 +1,79 @@ +--- +title: CA Certificate Identifier Is Outdated +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5eccd62d-8b4d-46d3-83ea-1879f3cbd3ce +- **Query name:** CA Certificate Identifier Is Outdated +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ca_certificate_identifier_is_outdated) + +### Description +The CA certificate Identifier must be 'rds-ca-2019'.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-ca_certificate_identifier) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 12" +--- +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster + ca_certificate_identifier: rds-ca-2015 +- name: create a DB instance using the default AWS KMS encryption key + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: True + db_instance_class: db.t2.medium + username: "{{ username }}" + password: "{{ password }}" + allocated_storage: "{{ allocated_storage }}" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: '{{ password }}' + username: '{{ username }}' + cluster_id: ansible-test-cluster + ca_certificate_identifier: rds-ca-2019 +- name: Create a DB instance using the default AWS KMS encryption key + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: true + db_instance_class: db.t2.medium + username: '{{ username }}' + password: '{{ password }}' + allocated_storage: '{{ allocated_storage }}' + ca_certificate_identifier: rds-ca-2019 + +``` 
diff --git a/docs/queries/ansible-queries/aws/60bfbb8a-c72f-467f-a6dd-a46b7d612789.md b/docs/queries/ansible-queries/aws/60bfbb8a-c72f-467f-a6dd-a46b7d612789.md new file mode 100644 index 00000000000..e52233e8929 --- /dev/null +++ b/docs/queries/ansible-queries/aws/60bfbb8a-c72f-467f-a6dd-a46b7d612789.md @@ -0,0 +1,50 @@ +--- +title: ECR Image Tag Not Immutable +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 60bfbb8a-c72f-467f-a6dd-a46b7d612789 +- **Query name:** ECR Image Tag Not Immutable +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecr_image_tag_not_immutable) + +### Description +ECR should have an image tag be immutable. This prevents image tags from being overwritten.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 7" +- name: create immutable ecr-repo + community.aws.ecs_ecr: + name: super/cool +- name: create immutable ecr-repo v2 + community.aws.ecs_ecr: + name: super/cool + image_tag_mutability: mutable + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create immutable ecr-repo v4 + community.aws.ecs_ecr: + name: super/cool + image_tag_mutability: immutable + +``` diff --git a/docs/queries/ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md b/docs/queries/ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md new file mode 100644 index 00000000000..fc1eb5739bc --- /dev/null +++ b/docs/queries/ansible-queries/aws/61d1a2d0-4db8-405a-913d-5d2ce49dff6f.md @@ -0,0 +1,91 @@ +--- +title: Instance With No VPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 61d1a2d0-4db8-405a-913d-5d2ce49dff6f +- **Query name:** Instance With No VPC +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/instance_with_no_vpc) + +### Description +EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 18" +- name: Start an instance and have it begin a Tower callback on boot + community.aws.ec2_instance: + name: "tower-callback-test" + key_name: "prod-ssh-key" + security_group: default + tower_callback: + # IP or hostname of tower server + tower_address: 1.2.3.4 + job_template_id: 876 + host_config_key: '[secret config key goes here]' + network: + assign_public_ip: true + image_id: ami-123456 + cpu_credit_specification: unlimited + tags: + SomeThing: "A value" +- name: Start an instance and have it begin a Tower callback on boot v2 + amazon.aws.ec2: + key_name: mykey + instance_type: t2.micro + image: ami-123456 + wait: yes + group: webserver + count: 3 + assign_public_ip: yes + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Start an instance and have it begin a Tower callback on boot v3 + community.aws.ec2_instance: + name: tower-callback-test + key_name: prod-ssh-key + vpc_subnet_id: subnet-5ca1ab1e + security_group: default + tower_callback: + # IP or hostname of tower server + tower_address: 1.2.3.4 + job_template_id: 876 + host_config_key: '[secret config key goes here]' + network: + assign_public_ip: true + image_id: ami-123456 + cpu_credit_specification: unlimited + tags: + SomeThing: A value +- name: Start an instance and have it begin a Tower callback on boot v4 + amazon.aws.ec2: + key_name: mykey + instance_type: t2.micro + image: ami-123456 + wait: yes + group: webserver + count: 3 + vpc_subnet_id: subnet-29e63245 + assign_public_ip: yes + +``` diff --git a/docs/queries/ansible-queries/aws/66477506-6abb-49ed-803d-3fa174cd5f6a.md b/docs/queries/ansible-queries/aws/66477506-6abb-49ed-803d-3fa174cd5f6a.md new file mode 100644 index 00000000000..b316e2b8169 
--- /dev/null +++ b/docs/queries/ansible-queries/aws/66477506-6abb-49ed-803d-3fa174cd5f6a.md @@ -0,0 +1,101 @@ +--- +title: Launch Configuration Is Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 66477506-6abb-49ed-803d-3fa174cd5f6a +- **Query name:** Launch Configuration Is Not Encrypted +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/launch_configuration_is_not_encrypted) + +### Description +Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 29 22" +- name: note that encrypted volumes are only supported in >= Ansible 2.4 + community.aws.ec2_lc: + name: special + image_id: ami-XXX + key_name: default + security_groups: ['group', 'group2' ] + instance_type: t1.micro + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true + encrypted: no +- name: note that encrypted volumes are only supported in >= Ansible 2.4 v2 + ec2_lc: + name: special + image_id: ami-XXX + key_name: default + security_groups: ['group', 'group2' ] + instance_type: t1.micro + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true +- name: note that encrypted volumes are only supported in >= Ansible 2.4 v3 + ec2_lc: + name: special + image_id: ami-XXX + key_name: default + security_groups: ['group', 'group2' ] + instance_type: t1.micro + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: note that encrypted volumes are only supported in >= Ansible 2.4 v4 + ec2_lc: + name: special + image_id: ami-XXX + key_name: default + security_groups: [group, group2] + instance_type: t1.micro + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true + encrypted: yes +- name: note that encrypted volumes are only supported in >= Ansible 2.4 v5 + community.aws.ec2_lc: + name: special + image_id: ami-XXX + key_name: default + security_groups: [group, group2] + instance_type: t1.micro + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true + encrypted: yes + +``` 
diff --git a/docs/queries/ansible-queries/aws/6a647814-def5-4b85-88f5-897c19f509cd.md b/docs/queries/ansible-queries/aws/6a647814-def5-4b85-88f5-897c19f509cd.md new file mode 100644 index 00000000000..35df848636e --- /dev/null +++ b/docs/queries/ansible-queries/aws/6a647814-def5-4b85-88f5-897c19f509cd.md @@ -0,0 +1,88 @@ +--- +title: Redshift Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6a647814-def5-4b85-88f5-897c19f509cd +- **Query name:** Redshift Not Encrypted +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/redshift_not_encrypted) + +### Description +AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 19 29" +- name: Basic cluster provisioning example + community.aws.redshift: + identifier: tf-redshift-cluster + command: create + db_name: mydb + username: foo + password: Mustbe8characters + node_type: dc1.large + cluster_type: single-node +- name: Basic cluster provisioning example2 + community.aws.redshift: + identifier: tf-redshift-cluster + command: create + db_name: mydb + username: foo + password: Mustbe8characters + node_type: dc1.large + cluster_type: single-node + encrypted: false +- name: Basic cluster provisioning example3 + community.aws.redshift: + identifier: tf-redshift-cluster + command: create + db_name: mydb + username: foo + password: Mustbe8characters + node_type: dc1.large + cluster_type: single-node + encrypted: no + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Basic cluster provisioning example + community.aws.redshift: + identifier: tf-redshift-cluster + command: create + db_name: mydb + username: foo + password: Mustbe8characters + node_type: dc1.large + cluster_type: single-node + encrypted: true +- name: Basic cluster provisioning example2 + community.aws.redshift: + identifier: tf-redshift-cluster + command: create + db_name: mydb + username: foo + password: Mustbe8characters + node_type: dc1.large + cluster_type: single-node + encrypted: yes + +``` diff --git a/docs/queries/ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec.md b/docs/queries/ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec.md new file mode 100644 index 00000000000..b58821edfa7 --- /dev/null +++ b/docs/queries/ansible-queries/aws/6a6d7e56-c913-4549-b5c5-5221e624d2ec.md 
@@ -0,0 +1,66 @@
+---
+title: S3 Bucket With All Permissions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6a6d7e56-c913-4549-b5c5-5221e624d2ec
+- **Query name:** S3 Bucket With All Permissions
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_with_all_permissions)
+
+### Description
+S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+---
+- name: Create s3 bucket
+ amazon.aws.s3_bucket:
+ name: mys3bucket
+ policy:
+ Id: "id113"
+ Version: "2012-10-17"
+ Statement:
+ - Action: "s3:*"
+ Effect: "Allow"
+ Resource: "arn:aws:s3:::S3B_181355/*"
+ Principal: "*"
+ requester_pays: yes
+ versioning: yes
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Create s3 bucket
+ amazon.aws.s3_bucket:
+ name: mys3bucket
+ policy:
+ Id: id113
+ Version: '2012-10-17'
+ Statement:
+ - Action: s3:put
+ Effect: Allow
+ Resource: arn:aws:s3:::S3B_181355/*
+ Principal: '*'
+ requester_pays: yes
+ versioning: yes
+
+```
diff --git a/docs/queries/ansible-queries/aws/6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md b/docs/queries/ansible-queries/aws/6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md
new file mode 100644
index 00000000000..21f9316b189
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/6ad087d7-a509-4b20-b853-9ef6f5ebaa98.md
@@ -0,0 +1,67 @@
+---
+title: CloudTrail Multi Region Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6ad087d7-a509-4b20-b853-9ef6f5ebaa98
+- **Query name:** CloudTrail Multi Region Disabled
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudtrail_multi_region_disabled)
+
+### Description
+CloudTrail multi region should be enabled, which means attribute 'is_multi_region_trail' should be set to true
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-is_multi_region_trail)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+- name: example1
+ community.aws.cloudtrail:
+ state: present
+ name: default
+ s3_bucket_name: mylogbucket
+ region: us-east-1
+ is_multi_region_trail: false
+ enable_log_file_validation: true
+ cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
+ cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
+ kms_key_id: "alias/MyAliasName"
+ tags:
+ environment: dev
+ Name: default
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: example1
+ community.aws.cloudtrail:
+ state: present
+ name: default
+ s3_bucket_name: mylogbucket
+ region: us-east-1
+ is_multi_region_trail: true
+ enable_log_file_validation: true
+ cloudwatch_logs_role_arn: arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role
+ cloudwatch_logs_log_group_arn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*
+ kms_key_id: alias/MyAliasName
+ tags:
+ environment: dev
+ Name: default
+
+```
diff --git a/docs/queries/ansible-queries/aws/6f5f5444-1422-495f-81ef-24cefd61ed2c.md b/docs/queries/ansible-queries/aws/6f5f5444-1422-495f-81ef-24cefd61ed2c.md
new file mode 100644
index 00000000000..c7694e6686b
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/6f5f5444-1422-495f-81ef-24cefd61ed2c.md
@@ -0,0 +1,110 @@ +--- +title: Password Without Reuse Prevention +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6f5f5444-1422-495f-81ef-24cefd61ed2c +- **Query name:** Password Without Reuse Prevention +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/password_without_reuse_prevention) + +### Description +Password policy `password_reuse_prevention` doesn't exist or is equal to 0
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html#parameter-pw_reuse_prevent) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 3 23" +--- +- name: Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_expire: false +- name: Password policy for AWS account2 + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + password_reuse_prevent: 0 + pw_expire: false +- name: Password policy for AWS account3 + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_expire: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false +- name: Password policy for AWS account2 + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + password_reuse_prevent: 5 + pw_expire: false +- name: Password policy for AWS account3 + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + prevent_reuse: 5 + pw_expire: false + +``` diff --git a/docs/queries/ansible-queries/aws/6fa44721-ef21-41c6-8665-330d59461163.md b/docs/queries/ansible-queries/aws/6fa44721-ef21-41c6-8665-330d59461163.md new file mode 100644 index 00000000000..2cf8b9c6e88 --- /dev/null +++ b/docs/queries/ansible-queries/aws/6fa44721-ef21-41c6-8665-330d59461163.md @@ -0,0 +1,61 @@ +--- +title: S3 Bucket Allows Delete Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6fa44721-ef21-41c6-8665-330d59461163 +- **Query name:** S3 Bucket Allows Delete Action From All Principals +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals) + +### Description +S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +#this is a problematic code where the query should report a result(s) +- name: Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + policy: + Version: "2020-10-07" + Statement: + - Effect: Allow + Action: DeleteObject + Principal: "*" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + policy: + Version: '2020-10-07' + Statement: + - Effect: Deny + Action: DeleteObject + Principal: '*' + +``` diff --git a/docs/queries/ansible-queries/aws/71397b34-1d50-4ee1-97cb-c96c34676f74.md b/docs/queries/ansible-queries/aws/71397b34-1d50-4ee1-97cb-c96c34676f74.md new file mode 100644 index 00000000000..769c63a24ea --- /dev/null +++ b/docs/queries/ansible-queries/aws/71397b34-1d50-4ee1-97cb-c96c34676f74.md @@ -0,0 +1,125 @@ +--- +title: Lambda Functions Without X-Ray Tracing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 71397b34-1d50-4ee1-97cb-c96c34676f74 +- **Query name:** Lambda Functions Without X-Ray Tracing +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/lambda_functions_without_x-ray_tracing) + +### Description +AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_mode' should have the value 'Active'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 37" +- name: looped creation + community.aws.lambda: + name: '{{ item.name }}' + state: present + zip_file: '{{ item.zip_file }}' + runtime: 'python2.7' + role: 'arn:aws:iam::987654321012:role/lambda_basic_execution' + handler: 'hello_python.my_handler' + vpc_subnet_ids: + - subnet-123abcde + - subnet-edcba321 + vpc_security_group_ids: + - sg-123abcde + - sg-edcba321 + environment_variables: '{{ item.env_vars }}' + tags: + key1: 'value1' + loop: + - name: HelloWorld + zip_file: hello-code.zip + env_vars: + key1: "first" + key2: "second" + - name: ByeBye + zip_file: bye-code.zip + env_vars: + key1: "1" + key2: "2" +- name: looped creation V2 + community.aws.lambda: + name: '{{ item.name }}' + state: present + zip_file: '{{ item.zip_file }}' + runtime: 'python2.7' + role: 'arn:aws:iam::987654321012:role/lambda_basic_execution' + handler: 'hello_python.my_handler' + tracing_mode: "PassThrough" + vpc_subnet_ids: + - subnet-123abcde + - subnet-edcba321 + vpc_security_group_ids: + - sg-123abcde + - sg-edcba321 + environment_variables: '{{ item.env_vars }}' + tags: + key1: 'value1' + loop: + - name: HelloWorld + zip_file: hello-code.zip + env_vars: + key1: "first" + key2: "second" + - name: ByeBye + zip_file: bye-code.zip + env_vars: + key1: "1" + key2: "2" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: looped creation V3 + community.aws.lambda: + name: '{{ item.name }}' + state: present + zip_file: '{{ item.zip_file }}' + runtime: python2.7 + role: arn:aws:iam::987654321012:role/lambda_basic_execution + handler: hello_python.my_handler + tracing_mode: Active + vpc_subnet_ids: + - subnet-123abcde + - subnet-edcba321 + vpc_security_group_ids: + - sg-123abcde + - sg-edcba321 + environment_variables: '{{ item.env_vars }}' + tags: + key1: value1 + loop: + - name: HelloWorld + zip_file: hello-code.zip + env_vars: + key1: first + key2: second + - name: ByeBye + zip_file: bye-code.zip + env_vars: + key1: '1' + key2: '2' + +``` diff --git a/docs/queries/ansible-queries/aws/71ea648a-d31a-4b5a-a589-5674243f1c33.md b/docs/queries/ansible-queries/aws/71ea648a-d31a-4b5a-a589-5674243f1c33.md new file mode 100644 index 00000000000..4708e06f98c --- /dev/null +++ b/docs/queries/ansible-queries/aws/71ea648a-d31a-4b5a-a589-5674243f1c33.md @@ -0,0 +1,69 @@ +--- +title: Public Port Wide +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 71ea648a-d31a-4b5a-a589-5674243f1c33 +- **Query name:** Public Port Wide +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/public_port_wide) + +### Description +AWS Security Group should not have public port wide
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +- name: example ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + from_port: 80 + to_port: 82 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 2 + to_port: 22 + cidr_ipv6: ::/0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example ec2 group v2 + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ip: 10.0.0.0/8 + +``` diff --git a/docs/queries/ansible-queries/aws/722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md b/docs/queries/ansible-queries/aws/722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md new file mode 100644 index 00000000000..2d348a5774d --- /dev/null +++ b/docs/queries/ansible-queries/aws/722b0f24-5a64-4cca-aa96-cfc26b7e3a5b.md @@ -0,0 +1,69 @@ +--- +title: Unknown Port Exposed To Internet +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 722b0f24-5a64-4cca-aa96-cfc26b7e3a5b +- **Query name:** Unknown Port Exposed To Internet +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/unknown_port_exposed_to_internet) + +### Description +AWS Security Group should not have an unknown port exposed to the entire Internet
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 13" +- name: example ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + from_port: 8001 + to_port: 8002 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 2222 + to_port: 2226 + cidr_ipv6: ::/0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 0.0.0.0/0 + - proto: tcp + from_port: 22 + to_port: 22 + cidr_ip: 10.0.0.0/8 + +``` diff --git a/docs/queries/ansible-queries/aws/727c4fd4-d604-4df6-a179-7713d3c85e20.md b/docs/queries/ansible-queries/aws/727c4fd4-d604-4df6-a179-7713d3c85e20.md new file mode 100644 index 00000000000..22bd576a3d0 --- /dev/null +++ b/docs/queries/ansible-queries/aws/727c4fd4-d604-4df6-a179-7713d3c85e20.md @@ -0,0 +1,94 @@ +--- +title: EFS Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 727c4fd4-d604-4df6-a179-7713d3c85e20 +- **Query name:** EFS Not Encrypted +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/efs_not_encrypted) + +### Description +Elastic File System (EFS) must be encrypted
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-encrypt) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 6 25" +--- +- name: foo + community.aws.efs: + state: present + name: myTestEFS + encrypt: no + tags: + Name: myTestNameTag + purpose: file-storage + targets: + - subnet_id: subnet-748c5d03 + security_groups: ["sg-1a2b3c4d"] +- name: foo2 + community.aws.efs: + state: present + name: myTestEFS + encrypt: false + tags: + Name: myTestNameTag + purpose: file-storage + targets: + - subnet_id: subnet-748c5d03 + security_groups: ["sg-1a2b3c4d"] +- name: foo3 + community.aws.efs: + state: present + name: myTestEFS + tags: + Name: myTestNameTag + purpose: file-storage + targets: + - subnet_id: subnet-748c5d03 + security_groups: ["sg-1a2b3c4d"] + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: foo + community.aws.efs: + state: present + name: myTestEFS + encrypt: yes + tags: + Name: myTestNameTag + purpose: file-storage + targets: + - subnet_id: subnet-748c5d03 + security_groups: [sg-1a2b3c4d] +- name: foo2 + community.aws.efs: + state: present + name: myTestEFS + encrypt: true + tags: + Name: myTestNameTag + purpose: file-storage + targets: + - subnet_id: subnet-748c5d03 + security_groups: [sg-1a2b3c4d] + +``` diff --git a/docs/queries/ansible-queries/aws/72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md b/docs/queries/ansible-queries/aws/72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md new file mode 100644 index 00000000000..0b3970faf3e --- /dev/null +++ b/docs/queries/ansible-queries/aws/72a931c2-12f5-40d1-93cc-47bff2f7aa2a.md 
@@ -0,0 +1,50 @@
+---
+title: API Gateway With CloudWatch Logging Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 72a931c2-12f5-40d1-93cc-47bff2f7aa2a
+- **Query name:** API Gateway With CloudWatch Logging Disabled
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/api_gateway_with_cloudwatch_logging_disabled)
+
+### Description
+AWS CloudWatch Logs for APIs is not enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudwatchlogs_log_group_module.html#ansible-collections-community-aws-cloudwatchlogs-log-group-module) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +--- +- name: Setup AWS API Gateway setup on AWS cloudwatchlogs + community.aws.cloudwatchlogs_log_group: + state: present + kms_key_id: arn:aws:kms:region:account-id:key/key-id + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Setup AWS API Gateway setup on AWS cloudwatchlogs + community.aws.cloudwatchlogs_log_group: + state: present + log_group_name: test-log-group + tags: {Name: test-log-group, Env: QA} + kms_key_id: arn:aws:kms:region:account-id:key/key-id + +``` diff --git a/docs/queries/ansible-queries/aws/730a5951-2760-407a-b032-dd629b55c23a.md b/docs/queries/ansible-queries/aws/730a5951-2760-407a-b032-dd629b55c23a.md new file mode 100644 index 00000000000..64fe6da5eae --- /dev/null +++ b/docs/queries/ansible-queries/aws/730a5951-2760-407a-b032-dd629b55c23a.md @@ -0,0 +1,179 @@ +--- +title: ELB Using Insecure Protocols +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 730a5951-2760-407a-b032-dd629b55c23a +- **Query name:** ELB Using Insecure Protocols +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/elb_using_insecure_protocols) + +### Description +ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'SslPolicy' of 'listeners' must not coincide with any of a predefined list of insecure protocols.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 70 40 52 21 89" +#this is a problematic code where the query should report a result(s) +- name: elb1 + community.aws.elb_application_lb: + name: myelb1 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + state: present +- name: elb2 + community.aws.elb_application_lb: + name: myelb2 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present +- name: elb3 + community.aws.elb_application_lb: + name: myelb3 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. 
+ SslPolicy: Protocol-SSLv2 + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present +- name: elb4 + community.aws.elb_network_lb: + name: myelb4 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + state: present +- name: elb5 + community.aws.elb_network_lb: + name: myelb5 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present +- name: elb6 + community.aws.elb_network_lb: + name: myelb6 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. 
+ SslPolicy: Protocol-TLSv1.1 + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: elb1 + community.aws.elb_application_lb: + name: myelb1 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. + SslPolicy: ELBSecurityPolicy-2015-05 + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present +- name: elb2 + community.aws.elb_network_lb: + name: myelb2 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive). + Port: 80 # Required. The port on which the load balancer is listening. + # The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy. 
+ SslPolicy: ELBSecurityPolicy-2015-05 + Certificates: # The ARN of the certificate (only one certficate ARN should be provided) + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward # Required. + TargetGroupName: # Required. The name of the target group + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674.md b/docs/queries/ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674.md new file mode 100644 index 00000000000..a0a6239ffec --- /dev/null +++ b/docs/queries/ansible-queries/aws/75480b31-f349-4b9a-861f-bce19588e674.md @@ -0,0 +1,54 @@ +--- +title: S3 Bucket ACL Allows Read to Any Authenticated User +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 75480b31-f349-4b9a-861f-bce19588e674 +- **Query name:** S3 Bucket ACL Allows Read to Any Authenticated User +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user) + +### Description +S3 Buckets should not be readable to any authenticated user
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +--- +- name: Create an empty bucket2 + amazon.aws.aws_s3: + bucket: mybucket + mode: create + permission: authenticated-read + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create an empty bucket + amazon.aws.aws_s3: + bucket: mybucket + mode: create +- name: Create an empty bucket2 + amazon.aws.aws_s3: + bucket: mybucket + mode: create + permission: private + +``` diff --git a/docs/queries/ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84.md b/docs/queries/ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84.md new file mode 100644 index 00000000000..d819c7dd9e8 --- /dev/null +++ b/docs/queries/ansible-queries/aws/7674a686-e4b1-4a95-83d4-1fd53c623d84.md @@ -0,0 +1,62 @@ +--- +title: Config Rule For Encrypted Volumes Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7674a686-e4b1-4a95-83d4-1fd53c623d84 +- **Query name:** Config Rule For Encrypted Volumes Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/config_rule_for_encrypted_volumes_is_disabled) + +### Description +Check if AWS config rules do not identify Encrypted Volumes as a source.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_rule_module.html#parameter-source/identifier) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +--- +- name: foo + community.aws.aws_config_rule: + name: test_config_rule + state: present + description: 'This AWS Config rule checks for public write access on S3 buckets' + scope: + compliance_types: + - 'AWS::S3::Bucket' + source: + owner: AWS + identifier: 'S3_BUCKET_PUBLIC_WRITE_PROHIBITED' + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: foo + community.aws.aws_config_rule: + name: test_config_rule + state: present + description: This AWS Config rule checks for public write access on S3 buckets + scope: + compliance_types: + - AWS::S3::Bucket + source: + owner: AWS + identifier: ENCRYPTED_VOLUMES + +``` diff --git a/docs/queries/ansible-queries/aws/7af1c447-c014-4f05-bd8b-ebe3a15734ac.md b/docs/queries/ansible-queries/aws/7af1c447-c014-4f05-bd8b-ebe3a15734ac.md new file mode 100644 index 00000000000..0b4bc5aa921 --- /dev/null +++ b/docs/queries/ansible-queries/aws/7af1c447-c014-4f05-bd8b-ebe3a15734ac.md @@ -0,0 +1,150 @@ +--- +title: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7af1c447-c014-4f05-bd8b-ebe3a15734ac +- **Query name:** SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/sql_analysis_services_port_2383_is_publicly_accessible) + +### Description +Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="65 37 9 51 23" +--- +- name: example using security group rule descriptions + amazon.aws.ec2_group: + name: awsEc2 + description: sg with rule descriptions + vpc_id: vpc-xxxxxxxx + profile: "{{ aws_profile }}" + region: us-east-1 + rules: + - proto: tcp + ports: + - 2383 + cidr_ip: 0.0.0.0/0 + rule_desc: allow all on port 2383 + +- name: example using security group rule descriptions 2 + amazon.aws.ec2_group: + name: awsEc2 + description: sg with rule descriptions + vpc_id: vpc-xxxxxxxx + profile: "{{ aws_profile }}" + region: us-east-1 + rules: + - proto: tcp + ports: + - 2383 + cidr_ip: 0.0.0.0/0 + rule_desc: allow all on port 2383 + +- name: example using security group rule descriptions 3 + amazon.aws.ec2_group: + name: awsEc2 + description: sg with rule descriptions + vpc_id: vpc-xxxxxxxx + profile: "{{ aws_profile }}" + region: us-east-1 + rules: + - proto: tcp + to_port: -1 + from_port: -1 + cidr_ip: 0.0.0.0/0 + rule_desc: allow all on port 2383 + +- name: example using security group rule descriptions 4 + amazon.aws.ec2_group: + name: awsEc2 + description: sg with rule descriptions + vpc_id: vpc-xxxxxxxx + profile: "{{ aws_profile }}" + region: us-east-1 + rules: + - proto: tcp + ports: + - 2000-3000 + cidr_ip: 0.0.0.0/0 + rule_desc: allow all on port 2383 + +- name: example using security group rule descriptions 5 + amazon.aws.ec2_group: + name: awsEc2 + description: sg with rule descriptions + vpc_id: vpc-xxxxxxxx + profile: "{{ aws_profile }}" + region: us-east-1 + rules: + - proto: tcp + to_port: 3000 + from_port: 2000 + cidr_ip: 0.0.0.0/0 + rule_desc: allow all on port 2383 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: example using security group rule descriptions + amazon.aws.ec2_group: + name: awsEc2 + description: sg with rule descriptions + vpc_id: vpc-xxxxxxxx + profile: '{{ aws_profile }}' + region: us-east-1 + rules: + - proto: tcp + ports: + - 2383 + cidr_ip: aws_vpc.main.cidr_block + rule_desc: allow all on port 2383 + +- name: example using security group rule descriptions 2 + amazon.aws.ec2_group: + name: awsEc2 + description: sg with rule descriptions + vpc_id: vpc-xxxxxxxx + profile: '{{ aws_profile }}' + region: us-east-1 + rules: + - proto: udp + ports: + - 2383 + cidr_ip: 0.0.0.0/0 + rule_desc: allow all on port 2383 + +- name: example using security group rule descriptions 3 + amazon.aws.ec2_group: + name: awsEc2 + description: sg with rule descriptions + vpc_id: vpc-xxxxxxxx + profile: '{{ aws_profile }}' + region: us-east-1 + rules: + - proto: tcp + to_port: 4000 + from_port: 3000 + cidr_ip: 0.0.0.0/0 + rule_desc: allow all on port 2383 + +``` diff --git a/docs/queries/ansible-queries/aws/7cc6c791-5f68-4816-a564-b9b699f9d26e.md b/docs/queries/ansible-queries/aws/7cc6c791-5f68-4816-a564-b9b699f9d26e.md new file mode 100644 index 00000000000..d5fa1d31066 --- /dev/null +++ b/docs/queries/ansible-queries/aws/7cc6c791-5f68-4816-a564-b9b699f9d26e.md @@ -0,0 +1,89 @@ +--- +title: ElastiCache Using Default Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7cc6c791-5f68-4816-a564-b9b699f9d26e +- **Query name:** ElastiCache Using Default Port +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/elasticache_using_default_port) + +### Description +ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_port) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +- name: Basic example + community.aws.elasticache: + name: "test-please-delete" + state: present + engine: memcached + cache_engine_version: 1.4.14 + node_type: cache.m1.small + num_nodes: 1 + cache_port: 11211 + cache_subnet_group: default + zone: us-east-1d + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +- name: Basic example2 + community.aws.elasticache: + name: "test-please-delete" + state: present + engine: redis + cache_engine_version: 1.4.14 + node_type: cache.m1.small + num_nodes: 1 + cache_port: 6379 + cache_subnet_group: default + zone: us-east-1d + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Basic example2 + community.aws.elasticache: + name: "test-please-delete" + state: present + engine: memcached + cache_engine_version: 1.4.14 + node_type: cache.m1.small + num_nodes: 1 + cache_port: 11212 + cache_subnet_group: default + zone: us-east-1d + +``` +```yaml title="Negative test num. 2 - yaml file" +- name: Basic example2 + community.aws.elasticache: + name: "test-please-delete" + state: present + engine: redis + cache_engine_version: 1.4.14 + node_type: cache.m1.small + num_nodes: 1 + cache_port: 6380 + cache_subnet_group: default + zone: us-east-1d + +``` diff --git a/docs/queries/ansible-queries/aws/7db727c1-1720-468e-b80e-06697f71e09e.md b/docs/queries/ansible-queries/aws/7db727c1-1720-468e-b80e-06697f71e09e.md new file mode 100644 index 00000000000..53d15ffa6d6 --- /dev/null +++ b/docs/queries/ansible-queries/aws/7db727c1-1720-468e-b80e-06697f71e09e.md 
@@ -0,0 +1,56 @@ +--- +title: ECS Service Admin Role Is Present +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7db727c1-1720-468e-b80e-06697f71e09e +- **Query name:** ECS Service Admin Role Is Present +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecs_service_admin_role_is_present) + +### Description +ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +#this is a problematic code where the query should report a result(s) +- name: ECS Service + community.aws.ecs_service: + state: present + name: console-test-service + cluster: new_cluster + task_definition: 'new_cluster-task:1' + desired_count: 0 + role: admin + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: ECS Service + community.aws.ecs_service: + state: present + name: console-test-service + cluster: new_cluster + task_definition: new_cluster-task:1 + desired_count: 0 + +``` diff --git a/docs/queries/ansible-queries/aws/7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md b/docs/queries/ansible-queries/aws/7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md new file mode 100644 index 00000000000..4743ca3e15e --- /dev/null +++ b/docs/queries/ansible-queries/aws/7dfb316c-a6c2-454d-b8a2-97f147b0c0ff.md @@ -0,0 +1,99 @@ +--- +title: DB Instance Storage Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7dfb316c-a6c2-454d-b8a2-97f147b0c0ff +- **Query name:** DB Instance Storage Not Encrypted +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/db_instance_storage_not_encrypted) + +### Description +AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 23 7" +--- +- name: foo + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: False + db_instance_class: db.t2.medium + username: "{{ username }}" + password: "{{ password }}" + allocated_storage: "{{ allocated_storage }}" +- name: foo2 + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: no + db_instance_class: db.t2.medium + username: "{{ username }}" + password: "{{ password }}" + allocated_storage: "{{ allocated_storage }}" +- name: foo3 + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + db_instance_class: db.t2.medium + username: "{{ username }}" + password: "{{ password }}" + allocated_storage: "{{ allocated_storage }}" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: foo + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: true + db_instance_class: db.t2.medium + username: '{{ username }}' + password: '{{ password }}' + allocated_storage: '{{ allocated_storage }}' +- name: foo2 + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: yes + db_instance_class: db.t2.medium + username: '{{ username }}' + password: '{{ password }}' + allocated_storage: '{{ allocated_storage }}' +- name: foo3 + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + kms_key_id: sup3rstr0ngK3y + db_instance_class: db.t2.medium + username: '{{ username }}' + password: '{{ password }}' + allocated_storage: '{{ allocated_storage }}' + +``` 
diff --git a/docs/queries/ansible-queries/aws/7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md b/docs/queries/ansible-queries/aws/7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md new file mode 100644 index 00000000000..98c8e9a3949 --- /dev/null +++ b/docs/queries/ansible-queries/aws/7f79f858-fbe8-4186-8a2c-dfd0d958a40f.md @@ -0,0 +1,116 @@ +--- +title: IAM Access Key Is Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7f79f858-fbe8-4186-8a2c-dfd0d958a40f +- **Query name:** IAM Access Key Is Exposed +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_access_key_is_exposed) + +### Description +Check if IAM Access Key is active for some user besides 'root'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 36 7" +- name: Create two new IAM users with API keys + community.aws.iam: + iam_type: user + name: "{{ item }}" + state: present + password: "{{ temp_pass }}" + access_key_state: active + loop: + - jcleese + - mpython +- name: Create two new IAM users with API keys + community.aws.iam: + iam_type: user + name: "{{ item }}" + state: present + password: "{{ temp_pass }}" + access_key_state: active + loop: + - root + - mpython +- name: Create Two Groups, Mario and Luigi + community.aws.iam: + iam_type: group + name: "{{ item }}" + state: present + access_key_state: active + loop: + - Mario + - Luigi + register: new_groups +- name: Update user + community.aws.iam: + iam_type: user + name: jdavila + state: update + access_key_state: active + groups: "{{ item.created_group.group_name }}" + loop: "{{ new_groups.results }}" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +# Basic user creation example +- name: Create two new IAM users with API keys + community.aws.iam: + iam_type: user + name: '{{ item }}' + state: present + password: '{{ temp_pass }}' + access_key_state: create + loop: + - jcleese + - mpython + +# Basic user creation example +- name: Create two new IAM users with API keys + community.aws.iam: + iam_type: user + name: root + state: present + password: '{{ temp_pass }}' + access_key_state: active + +- name: Create Two Groups, Mario and Luigi + community.aws.iam: + iam_type: group + name: '{{ item }}' + state: present + loop: + - Mario + - Luigi + register: new_groups + +- name: Update user + community.aws.iam: + iam_type: user + name: jdavila + state: update + access_key_state: inactive + groups: '{{ item.created_group.group_name }}' + loop: '{{ new_groups.results }}' + +``` diff --git a/docs/queries/ansible-queries/aws/7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md b/docs/queries/ansible-queries/aws/7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md new file mode 100644 index 00000000000..50fd1220cf8 --- /dev/null +++ b/docs/queries/ansible-queries/aws/7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892.md @@ -0,0 +1,71 @@ +--- +title: ECS Task Definition Container With Plaintext Password +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7fdc2bf3-6bc0-4cb3-84c5-cfd041c0f892 +- **Query name:** ECS Task Definition Container With Plaintext Password +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecs_task_definition_with_plaintext_password) + +### Description +It's not recommended to use plaintext environment variables for sensitive information, such as credential data.
+[Documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_environment) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +- name: Create task definition + community.aws.ecs_taskdefinition: + family: nginx + containers: + - name: nginx + essential: true + image: "nginx" + portMappings: + - containerPort: 8080 + hostPort: 8080 + env: + - password: shhh + launch_type: FARGATE + cpu: 512 + memory: 1024 + state: present + network_mode: awsvpc + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create task definition + community.aws.ecs_taskdefinition: + family: nginx + containers: + - name: nginx + essential: true + image: nginx + portMappings: + - containerPort: 8080 + hostPort: 8080 + launch_type: FARGATE + cpu: 512 + memory: 1024 + state: present + network_mode: awsvpc + +``` diff --git a/docs/queries/ansible-queries/aws/8010e17a-00e9-4635-a692-90d6bcec68bd.md b/docs/queries/ansible-queries/aws/8010e17a-00e9-4635-a692-90d6bcec68bd.md new file mode 100644 index 00000000000..5382de6d938 --- /dev/null +++ b/docs/queries/ansible-queries/aws/8010e17a-00e9-4635-a692-90d6bcec68bd.md @@ -0,0 +1,150 @@ +--- +title: Default Security Groups With Unrestricted Traffic +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8010e17a-00e9-4635-a692-90d6bcec68bd +- **Query name:** Default Security Groups With Unrestricted Traffic +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/default_security_groups_with_unrestricted_traffic) + +### Description +Check if default security group does not restrict all inbound and outbound traffic.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="48 17 83 61 30" +--- +- name: example ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: all + # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6), + # traffic on all ports is allowed, regardless of any ports you specify + from_port: 10050 # this value is ignored + to_port: 10050 # this value is ignored + cidr_ip: + - 0.0.0.0/0 +- name: example2 ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules_egress: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 0.0.0.0/0 + group_name: example-other + # description to use if example-other needs to be created + group_desc: other example EC2 group +- name: example3 ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: all + # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6), + # traffic on all ports is allowed, regardless of any ports you specify + from_port: 10050 # this value is ignored + to_port: 10050 # this value is ignored + cidr_ipv6: ::/0 +- name: example4 ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules_egress: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ipv6: ::/0 + group_name: example-other + # description to use if 
example-other needs to be created + group_desc: other example EC2 group +- name: example5 ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + # 'ports' rule keyword was introduced in version 2.4. It accepts a single port value or a list of values including ranges (from_port-to_port). + - proto: tcp + ports: 22 + group_name: example-vpn + rules_egress: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ipv6: + - ::/0 + group_name: example-other + # description to use if example-other needs to be created + group_desc: other example EC2 group + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example ec2 group + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: all + # in the 'proto' attribute, if you specify -1, all, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6), + # traffic on all ports is allowed, regardless of any ports you specify + from_port: 10050 # this value is ignored + to_port: 10050 # this value is ignored + cidr_ip: 10.1.0.0/16 + cidr_ipv6: 64:ff9b::/96 + rules_egress: + - proto: tcp + from_port: 80 + to_port: 80 + cidr_ip: 10.1.0.0/16 + cidr_ipv6: 64:ff9b::/96 + group_name: example-other + # description to use if example-other needs to be created + group_desc: other example EC2 group + +``` diff --git a/docs/queries/ansible-queries/aws/83957b81-39c1-4191-8e12-671d2ce14354.md b/docs/queries/ansible-queries/aws/83957b81-39c1-4191-8e12-671d2ce14354.md new file mode 100644 index 00000000000..41da3bf6edc --- /dev/null +++ b/docs/queries/ansible-queries/aws/83957b81-39c1-4191-8e12-671d2ce14354.md 
@@ -0,0 +1,74 @@ +--- +title: IAM Password Without Uppercase Letter +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 83957b81-39c1-4191-8e12-671d2ce14354 +- **Query name:** IAM Password Without Uppercase Letter +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_password_without_uppercase_letter) + +### Description +IAM password should have at least one uppercase letter
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="14 7" +- name: Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: false + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false +- name: aws_iam_account_password_policy + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Ok Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +``` diff --git a/docs/queries/ansible-queries/aws/83c5fa4c-e098-48fc-84ee-0a537287ddd2.md b/docs/queries/ansible-queries/aws/83c5fa4c-e098-48fc-84ee-0a537287ddd2.md new file mode 100644 index 00000000000..81f69f1862b --- /dev/null +++ b/docs/queries/ansible-queries/aws/83c5fa4c-e098-48fc-84ee-0a537287ddd2.md 
@@ -0,0 +1,149 @@ +--- +title: Unrestricted Security Group Ingress +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 83c5fa4c-e098-48fc-84ee-0a537287ddd2 +- **Query name:** Unrestricted Security Group Ingress +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/unrestricted_security_group_ingress) + +### Description +Security groups allow ingress from 0.0.0.0/0
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="41 28 14 55" +--- +- name: example1 + amazon.aws.ec2_group: + name: example1 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + ports: + - 80 + - 443 + - 8080-8099 + cidr_ip: 0.0.0.0/0 +- name: example2 + amazon.aws.ec2_group: + name: example2 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + ports: + - 80 + - 443 + - 8080-8099 + cidr_ip: + - 0.0.0.0/0 +- name: example3 + amazon.aws.ec2_group: + name: example3 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + ports: + - 80 + - 443 + - 8080-8099 + cidr_ipv6: ::/0 +- name: example4 + amazon.aws.ec2_group: + name: example4 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + ports: + - 80 + - 443 + - 8080-8099 + cidr_ipv6: + - ::/0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: example1 + amazon.aws.ec2_group: + name: example1 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + ports: + - 80 + - 443 + - 8080-8099 + cidr_ip: 172.16.17.0/24 +- name: example2 + amazon.aws.ec2_group: + name: example2 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + ports: + - 80 + - 443 + - 8080-8099 + cidr_ip: + - 172.16.1.0/24 +- name: example3 + amazon.aws.ec2_group: + name: example3 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + ports: + - 80 + - 443 + - 8080-8099 + cidr_ipv6: 2607:F8B0::/32 +- name: example4 + amazon.aws.ec2_group: + name: example4 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + rules: + - proto: tcp + ports: + - 80 + - 443 + - 8080-8099 + cidr_ipv6: + - 64:ff9b::/96 + - 2607:F8B0::/32 + +``` diff --git a/docs/queries/ansible-queries/aws/857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md b/docs/queries/ansible-queries/aws/857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md new file mode 100644 index 00000000000..73629297649 --- /dev/null +++ b/docs/queries/ansible-queries/aws/857f8808-e96a-4ba8-a9b7-f2d4ec6cad94.md @@ -0,0 +1,90 @@ +--- +title: Automatic Minor Upgrades Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 857f8808-e96a-4ba8-a9b7-f2d4ec6cad94 +- **Query name:** Automatic Minor Upgrades Disabled +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/automatic_minor_upgrades_disabled) + +### Description +RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 12" +--- +- name: community - create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: "{{ password }}" + username: "{{ username }}" + cluster_id: ansible-test-cluster + auto_minor_version_upgrade: false +- name: community - Create a DB instance using the default AWS KMS encryption key + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: True + db_instance_class: db.t2.medium + username: "{{ username }}" + password: "{{ password }}" + allocated_storage: "{{ allocated_storage }}" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: negative - create minimal aurora instance in default VPC and default subnet group + community.aws.rds_instance: + engine: aurora + db_instance_identifier: ansible-test-aurora-db-instance + instance_type: db.t2.small + password: '{{ password }}' + username: '{{ username }}' + cluster_id: ansible-test-cluster + auto_minor_version_upgrade: true +- name: negative - Create a DB instance using the default AWS KMS encryption key + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: true + db_instance_class: db.t2.medium + username: '{{ username }}' + password: '{{ password }}' + allocated_storage: '{{ allocated_storage }}' + auto_minor_version_upgrade: yes +- name: negative - Create a DB instance using the default AWS KMS encryption key + community.aws.rds_instance: + id: test-encrypted-db + state: present + engine: mariadb + storage_encrypted: true + db_instance_class: db.t2.medium + username: '{{ username }}' + password: '{{ password }}' + allocated_storage: '{{ allocated_storage }}' + auto_minor_version_upgrade: true + +``` diff --git a/docs/queries/ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a.md b/docs/queries/ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a.md new file mode 100644 index 00000000000..626a618470c --- /dev/null +++ b/docs/queries/ansible-queries/aws/86b0efa7-4901-4edd-a37a-c034bec6645a.md @@ -0,0 +1,98 @@ +--- +title: SQS Queue Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 86b0efa7-4901-4edd-a37a-c034bec6645a +- **Query name:** SQS Queue Exposed +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/sqs_queue_exposed) + +### Description +Checks if the SQS Queue is exposed
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#parameter-policy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 31" +- name: example + community.aws.sqs_queue: + name: my-queue + region: ap-southeast-2 + default_visibility_timeout: 120 + message_retention_period: 86400 + maximum_message_size: 1024 + delivery_delay: 30 + receive_message_wait_time: 20 + policy: + Version: '2012-10-17' + Id: sqspolicy + Statement: + Sid: First + Effect: Allow + Principal: '*' + Action: sqs:SendMessage + Resource: ${aws_sqs_queue.q.arn} + Condition: + ArnEquals: + aws:SourceArn: ${aws_sns_topic.example.arn} +- name: example with list + community.aws.sqs_queue: + name: my-queue12 + region: ap-southeast-1 + default_visibility_timeout: 120 + message_retention_period: 86400 + maximum_message_size: 1024 + delivery_delay: 30 + receive_message_wait_time: 20 + policy: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: "sqs:*" + Resource: "*" + Principal: "*" + make_default: false + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example + community.aws.sqs_queue: + name: my-queue + region: ap-southeast-2 + default_visibility_timeout: 120 + message_retention_period: 86400 + maximum_message_size: 1024 + delivery_delay: 30 + receive_message_wait_time: 20 + policy: + Version: '2012-10-17' + Id: sqspolicy + Statement: + Sid: First + Effect: Allow + Action: sqs:SendMessage + Resource: ${aws_sqs_queue.q.arn} + Condition: + ArnEquals: + aws:SourceArn: ${aws_sns_topic.example.arn} + +``` diff --git a/docs/queries/ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029.md b/docs/queries/ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029.md new file mode 100644 index 00000000000..5b581a95543 --- /dev/null 
+++ b/docs/queries/ansible-queries/aws/8833f180-96f1-46f4-9147-849aafa56029.md @@ -0,0 +1,73 @@ +--- +title: EC2 Instance Using Default VPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8833f180-96f1-46f4-9147-849aafa56029 +- **Query name:** EC2 Instance Using Default VPC +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ec2_instance_using_default_vpc) + +### Description +EC2 Instances should not be configured under a default VPC network
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-vpc_subnet_id) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +- name: example + amazon.aws.ec2: + key_name: mykey + instance_type: t2.micro + image: ami-123456 + wait: yes + count: 3 + vpc_subnet_id: "{{ my_subnet.subnet.id }}" + assign_public_ip: yes +- name: Create subnet for database server + amazon.aws.ec2_vpc_subnet: + state: present + vpc_id: "{{ defaultVPC.vpcs.0.id }}" + cidr: 10.0.1.16/28 + tags: + Name: Database Subnet + register: my_subnet + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example2 + amazon.aws.ec2: + key_name: mykey + instance_type: t2.micro + image: ami-123456 + wait: yes + count: 3 + vpc_subnet_id: "{{ my_subnet2.subnet.id }}" + assign_public_ip: yes +- name: Create subnet for database server2 + amazon.aws.ec2_vpc_subnet: + state: present + vpc_id: "{{ myVPC.vpcs.0.id }}" + cidr: 10.0.1.16/28 + tags: + Name: Database Subnet + register: my_subnet2 + +``` diff --git a/docs/queries/ansible-queries/aws/8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md b/docs/queries/ansible-queries/aws/8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md new file mode 100644 index 00000000000..e32903086f9 --- /dev/null +++ b/docs/queries/ansible-queries/aws/8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d.md @@ -0,0 +1,101 @@ +--- +title: IAM Password Without Minimum Length +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8bc2168c-1723-4eeb-a6f3-a1ba614b9a6d +- **Query name:** IAM Password Without Minimum Length +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_password_without_minimum_length) + +### Description +IAM password should have the required minimum length
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 2 27" +- name: Password policy for AWS account + community.aws.iam_password_policy: + state: present + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +- name: aws_iam_account_password_policy + community.aws.iam_password_policy: + state: present + min_pw_length: 3 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +- name: aws_iam_account_password_policy_2 + community.aws.iam_password_policy: + state: present + minimum_password_length: 3 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +- name: aws_iam_account_password_policy + community.aws.iam_password_policy: + state: present + minimum_password_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +``` 
diff --git a/docs/queries/ansible-queries/aws/8d03993b-8384-419b-a681-d1f55149397c.md b/docs/queries/ansible-queries/aws/8d03993b-8384-419b-a681-d1f55149397c.md new file mode 100644 index 00000000000..177307342ac --- /dev/null +++ b/docs/queries/ansible-queries/aws/8d03993b-8384-419b-a681-d1f55149397c.md @@ -0,0 +1,73 @@ +--- +title: EC2 Instance Using Default Security Group +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8d03993b-8384-419b-a681-d1f55149397c +- **Query name:** EC2 Instance Using Default Security Group +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ec2_instance_using_default_security_group) + +### Description +EC2 instances should not use default security group(s)
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-group) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +- name: example + amazon.aws.ec2: + key_name: mykey + instance_type: t2.micro + image: ami-123456 + wait: yes + group: default + count: 3 + vpc_subnet_id: subnet-29e63245 + assign_public_ip: yes + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +- name: example2 + amazon.aws.ec2: + key_name: mykey + instance_type: t2.micro + image: ami-123456 + wait: yes + group: + - default + count: 3 + vpc_subnet_id: subnet-29e63245 + assign_public_ip: yes + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example2 + amazon.aws.ec2: + key_name: mykey + instance_type: t2.micro + image: ami-123456 + wait: yes + group: my_sg + count: 3 + vpc_subnet_id: subnet-29e63245 + assign_public_ip: yes + +``` diff --git a/docs/queries/ansible-queries/aws/8e3063f4-b511-45c3-b030-f3b0c9131951.md b/docs/queries/ansible-queries/aws/8e3063f4-b511-45c3-b030-f3b0c9131951.md new file mode 100644 index 00000000000..94a020f15b5 --- /dev/null +++ b/docs/queries/ansible-queries/aws/8e3063f4-b511-45c3-b030-f3b0c9131951.md @@ -0,0 +1,74 @@ +--- +title: IAM Password Without Lowercase Letter +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8e3063f4-b511-45c3-b030-f3b0c9131951 +- **Query name:** IAM Password Without Lowercase Letter +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_password_without_lowercase_letter) + +### Description +IAM Password should have at least one lowercase letter
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 14" +- name: Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: false + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false +- name: aws_iam_account_password_policy + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Ok Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +``` diff --git a/docs/queries/ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad.md b/docs/queries/ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad.md new file mode 100644 index 00000000000..1adb338759b --- /dev/null +++ b/docs/queries/ansible-queries/aws/8ed0bfce-f780-46d4-b086-21c3628f09ad.md 
@@ -0,0 +1,79 @@ +--- +title: SES Policy With Allowed IAM Actions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8ed0bfce-f780-46d4-b086-21c3628f09ad +- **Query name:** SES Policy With Allowed IAM Actions +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ses_policy_with_allowed_iam_actions) + +### Description +SES policy should not allow IAM actions to all principals
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_ses_identity_policy_module.html#parameter-policy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +- name: add sending authorization policy to email identityyy + community.aws.aws_ses_identity_policy: + identity: example@example.com + policy_name: ExamplePolicy + policy: > + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "*", + "Principal": { + "AWS": "*" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "" + } + ] + } + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: add sending authorization policy to email identity2 + community.aws.aws_ses_identity_policy: + identity: example@example.com + policy_name: ExamplePolicy + policy: > + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "*", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "" + } + ] + } + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md b/docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md new file mode 100644 index 00000000000..14d0378aec0 --- /dev/null +++ b/docs/queries/ansible-queries/aws/905f4741-f965-45c1-98db-f7a00a0e5c73.md @@ -0,0 +1,139 @@ +--- +title: SNS Topic is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 905f4741-f965-45c1-98db-f7a00a0e5c73 +- **Query name:** SNS Topic is Publicly Accessible +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/sns_topic_is_publicly_accessible) + +### Description +SNS Topic Policy should not allow any principal to access
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/sns_topic_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="50 23" +--- +- name: Create alarm SNS topic community + community.aws.sns_topic: + name: "alarms" + state: present + display_name: "alarm SNS topic" + delivery_policy: + http: + defaultHealthyRetryPolicy: + minDelayTarget: 2 + maxDelayTarget: 4 + numRetries: 3 + numMaxDelayRetries: 5 + backoffFunction: "" + disableSubscriptionOverrides: True + defaultThrottlePolicy: + maxReceivesPerSecond: 10 + subscriptions: + - endpoint: "my_email_address@example.com" + protocol: "email" + - endpoint: "my_mobile_number" + protocol: "sms" + policy: + Version: '2022-05-02' + Statement: + - Action: Publish + Effect: Allow + Principal: "*" +- name: Create alarm SNS topic + sns_topic: + name: "alarms" + state: present + display_name: "alarm SNS topic" + delivery_policy: + http: + defaultHealthyRetryPolicy: + minDelayTarget: 2 + maxDelayTarget: 4 + numRetries: 3 + numMaxDelayRetries: 5 + backoffFunction: "" + disableSubscriptionOverrides: True + defaultThrottlePolicy: + maxReceivesPerSecond: 10 + subscriptions: + - endpoint: "my_email_address@example.com" + protocol: "email" + - endpoint: "my_mobile_number" + protocol: "sms" + policy: + Version: '2022-05-02' + Statement: + - Effect: Allow + Action: Publish + Principal: '*' + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: Create alarm SNS topic community + community.aws.sns_topic: + name: alarms + state: present + display_name: alarm SNS topic + delivery_policy: + http: + defaultHealthyRetryPolicy: + minDelayTarget: 2 + maxDelayTarget: 4 + numRetries: 3 + numMaxDelayRetries: 5 + backoffFunction: + disableSubscriptionOverrides: true + defaultThrottlePolicy: + maxReceivesPerSecond: 10 + policy: + Version: '2022-05-02' + Statement: + - Effect: Allow + Action: Publish + Principal: NotAll + +- name: Create alarm SNS topic + sns_topic: + name: alarms + state: present + display_name: alarm SNS topic + delivery_policy: + http: + defaultHealthyRetryPolicy: + minDelayTarget: 2 + maxDelayTarget: 4 + numRetries: 3 + numMaxDelayRetries: 5 + backoffFunction: + disableSubscriptionOverrides: true + defaultThrottlePolicy: + maxReceivesPerSecond: 10 + policy: + Version: '2022-05-02' + Statement: + - Effect: Allow + Action: Publish + Principal: NotAll + +``` diff --git a/docs/queries/ansible-queries/aws/9232306a-f839-40aa-b3ef-b352001da9a5.md b/docs/queries/ansible-queries/aws/9232306a-f839-40aa-b3ef-b352001da9a5.md new file mode 100644 index 00000000000..9a1b71ad915 --- /dev/null +++ b/docs/queries/ansible-queries/aws/9232306a-f839-40aa-b3ef-b352001da9a5.md @@ -0,0 +1,66 @@ +--- +title: S3 Bucket Without Versioning +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9232306a-f839-40aa-b3ef-b352001da9a5 +- **Query name:** S3 Bucket Without Versioning +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_without_versioning) + +### Description +S3 bucket should have versioning enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-versioning) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 15" +--- +- name: foo + amazon.aws.s3_bucket: + name: mys3bucket + policy: "{{ lookup('file','policy.json') }}" + requester_pays: yes + tags: + example: tag1 + another: tag2 +- name: foo2 + amazon.aws.s3_bucket: + name: mys3bucket + policy: "{{ lookup('file','policy.json') }}" + requester_pays: yes + versioning: no + tags: + example: tag1 + another: tag2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: foo + amazon.aws.s3_bucket: + name: mys3bucket + policy: "{{ lookup('file','policy.json') }}" + requester_pays: yes + versioning: yes + tags: + example: tag1 + another: tag2 + +``` diff --git a/docs/queries/ansible-queries/aws/97707503-a22c-4cd7-b7c0-f088fa7cf830.md b/docs/queries/ansible-queries/aws/97707503-a22c-4cd7-b7c0-f088fa7cf830.md new file mode 100644 index 00000000000..379b8de2840 --- /dev/null +++ b/docs/queries/ansible-queries/aws/97707503-a22c-4cd7-b7c0-f088fa7cf830.md @@ -0,0 +1,71 @@ +--- +title: AMI Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 97707503-a22c-4cd7-b7c0-f088fa7cf830 +- **Query name:** AMI Not Encrypted +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ami_not_encrypted) + +### Description +AWS AMI Encryption is not enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_ami_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13 6" +- name: Basic AMI Creation + amazon.aws.ec2_ami: + instance_id: i-xxxxxx + device_mapping: + device_name: /dev/sda + encrypted: no + wait: yes + name: newtest + tags: + Name: newtest + Service: TestService +- name: Basic AMI Creation2 + amazon.aws.ec2_ami: + instance_id: i-xxxxxx + device_mapping: + device_name: /dev/sda + wait: yes + name: newtest + tags: + Name: newtest + Service: TestService + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Basic AMI Creation + amazon.aws.ec2_ami: + instance_id: i-xxxxxx + device_mapping: + device_name: /dev/sda + encrypted: yes + wait: yes + name: newtest + tags: + Name: newtest + Service: TestService + +``` diff --git a/docs/queries/ansible-queries/aws/9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md b/docs/queries/ansible-queries/aws/9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md new file mode 100644 index 00000000000..cbacca0b1c2 --- /dev/null +++ b/docs/queries/ansible-queries/aws/9cf25d62-0b96-42c8-b66d-998cd6ee5bb8.md @@ -0,0 +1,73 @@ +--- +title: IAM Password Without Number +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9cf25d62-0b96-42c8-b66d-998cd6ee5bb8 +- **Query name:** IAM Password Without Number +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_password_without_number) + +### Description +IAM user resource Login Profile Password should have at least one number
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="14 7" +--- +- name: Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: false + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_expire: false +- name: Password policy for AWS account2 + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + password_reuse_prevent: 0 + pw_expire: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Ok Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +``` diff --git a/docs/queries/ansible-queries/aws/9f34885e-c08f-4d13-a7d1-cf190c5bd268.md b/docs/queries/ansible-queries/aws/9f34885e-c08f-4d13-a7d1-cf190c5bd268.md new file mode 100644 index 00000000000..1eca8f7be3e --- /dev/null +++ b/docs/queries/ansible-queries/aws/9f34885e-c08f-4d13-a7d1-cf190c5bd268.md @@ -0,0 +1,55 @@ +--- +title: Redis Not Compliant +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9f34885e-c08f-4d13-a7d1-cf190c5bd268 +- **Query name:** Redis Not Compliant +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/redis_not_compliant) + +### Description +Check if the redis version is compliant with the necessary AWS PCI DSS requirements
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/elasticache_module.html#parameter-cache_engine_version) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +- name: Basic example + community.aws.elasticache: + name: "test-please-delete" + state: present + engine: memcached + cache_engine_version: 1.4.14 + node_type: cache.m1.small + num_nodes: 1 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Basic example + community.aws.elasticache: + name: test-please-delete + state: present + engine: memcached + cache_engine_version: 5.1.10 + node_type: cache.m1.small + num_nodes: 1 + +``` diff --git a/docs/queries/ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab.md b/docs/queries/ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab.md new file mode 100644 index 00000000000..da61a17767e --- /dev/null +++ b/docs/queries/ansible-queries/aws/a0f1bfe0-741e-473f-b3b2-13e66f856fab.md @@ -0,0 +1,61 @@ +--- +title: S3 Bucket Allows Put Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a0f1bfe0-741e-473f-b3b2-13e66f856fab +- **Query name:** S3 Bucket Allows Put Action From All Principals +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals) + +### Description +S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +#this is a problematic code where the query should report a result(s) +- name: Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + policy: + Version: "2020-10-07" + Statement: + - Effect: Allow + Action: PutObject + Principal: "*" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + policy: + Version: '2020-10-07' + Statement: + - Effect: Allow + Action: PutObject + Principal: NotAll + +``` diff --git a/docs/queries/ansible-queries/aws/a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md b/docs/queries/ansible-queries/aws/a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md new file mode 100644 index 00000000000..31c7a993663 --- /dev/null +++ b/docs/queries/ansible-queries/aws/a1423864-2fbc-4f46-bfe1-fbbf125c71c9.md @@ -0,0 +1,78 @@ +--- +title: CodeBuild Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a1423864-2fbc-4f46-bfe1-fbbf125c71c9 +- **Query name:** CodeBuild Not Encrypted +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/codebuild_not_encrypted) + +### Description +CodeBuild Project should be encrypted
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_codebuild_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: My project + community.aws.aws_codebuild: + description: My nice little project v2 + service_role: "arn:aws:iam::123123:role/service-role/code-build-service-role" + source: + type: CODEPIPELINE + buildspec: '' + artifacts: + namespaceType: NONE + packaging: NONE + type: CODEPIPELINE + name: my_project + environment: + computeType: BUILD_GENERAL1_SMALL + privilegedMode: "true" + image: "aws/codebuild/docker:17.09.0" + type: LINUX_CONTAINER + region: us-east-1 + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: My project v2 + community.aws.aws_codebuild: + description: My nice little project + service_role: arn:aws:iam::123123:role/service-role/code-build-service-role + source: + type: CODEPIPELINE + buildspec: '' + artifacts: + namespaceType: NONE + packaging: NONE + type: CODEPIPELINE + name: my_project + environment: + computeType: BUILD_GENERAL1_SMALL + privilegedMode: 'true' + image: aws/codebuild/docker:17.09.0 + type: LINUX_CONTAINER + encryption_key: arn:aws:kms:us-east-1:123123:alias/aws/s3 + region: us-east-1 + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e.md b/docs/queries/ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e.md new file mode 100644 index 00000000000..616afe15f11 --- /dev/null +++ b/docs/queries/ansible-queries/aws/a14ad534-acbe-4a8e-9404-2f7e1045646e.md 
@@ -0,0 +1,233 @@ +--- +title: HTTP Port Open To Internet +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a14ad534-acbe-4a8e-9404-2f7e1045646e +- **Query name:** HTTP Port Open To Internet +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/http_port_open_to_internet) + +### Description +The HTTP port is open to the internet in a Security Group
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="64 36 9 79 49 23 93" +- name: example ec2 group1 + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + from_port: 67 + to_port: 82 + cidr_ip: 0.0.0.0/0 + +- name: example ec2 group2 + amazon.aws.ec2_group: + name: example2 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + ports: 80 + cidr_ip: 0.0.0.0/0 + +- name: example ec2 group3 + amazon.aws.ec2_group: + name: example3 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + ports: 79-90 + cidr_ip: 0.0.0.0/0 + +- name: example ec2 group4 + amazon.aws.ec2_group: + name: example4 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + ports: + - 100 + - 70-90 + cidr_ip: 0.0.0.0/0 + +- name: example ec2 group5 + amazon.aws.ec2_group: + name: example5 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + ports: + - 80 + - 30-31 + cidr_ip: 0.0.0.0/0 + +- name: example ec2 group6 + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + from_port: -1 + to_port: 82 + cidr_ip: 0.0.0.0/0 + +- name: example ec2 group7 + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: 
eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + from_port: 67 + to_port: -1 + cidr_ip: 0.0.0.0/0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example ec2 group1 + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + from_port: 67 + to_port: 82 + cidr_ip: 0.0.0.0/1 + +- name: example ec2 group2 + amazon.aws.ec2_group: + name: example2 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + ports: 80 + cidr_ip: 0.0.1.0/0 + +- name: example ec2 group3 + amazon.aws.ec2_group: + name: example3 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + ports: 79-90 + cidr_ip: 0.1.0.0/0 + +- name: example ec2 group4 + amazon.aws.ec2_group: + name: example3 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + ports: + - 100 + - 70-90 + cidr_ip: 10.0.0.0/0 + +- name: example ec2 group5 + amazon.aws.ec2_group: + name: example5 + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + ports: + - 80 + - 30-31 + cidr_ip: 0.0.0.0/10 + +- name: example ec2 group6 + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: ACCESS + rules: + - proto: tcp + from_port: -1 + to_port: 82 + cidr_ip: 0.1.0.0/0 + +- name: example ec2 group7 + amazon.aws.ec2_group: + name: example + description: an example EC2 group + vpc_id: 12345 + region: eu-west-1 + aws_secret_key: SECRET + aws_access_key: 
ACCESS + rules: + - proto: tcp + from_port: 67 + to_port: -1 + cidr_ip: 1.0.0.0/0 + +``` diff --git a/docs/queries/ansible-queries/aws/a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md b/docs/queries/ansible-queries/aws/a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md new file mode 100644 index 00000000000..a228b16f699 --- /dev/null +++ b/docs/queries/ansible-queries/aws/a19b2942-142e-4e2b-93b7-6cf6a6c8d90f.md @@ -0,0 +1,57 @@ +--- +title: AMI Shared With Multiple Accounts +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a19b2942-142e-4e2b-93b7-6cf6a6c8d90f +- **Query name:** AMI Shared With Multiple Accounts +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ami_shared_with_multiple_accounts) + +### Description +Limits access to AWS AMIs by checking if more than one account is using the same image
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_ami_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 5" +- name: Update AMI Launch Permissions, making it public + amazon.aws.ec2_ami: + image_id: "{{ instance.image_id }}" + state: present + launch_permissions: + group_names: ['all'] +- name: Allow AMI to be launched by another account + amazon.aws.ec2_ami: + image_id: "{{ instance.image_id }}" + state: present + launch_permissions: + user_ids: ['123456789012', '121212'] + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Allow AMI to be launched by another account V2 + amazon.aws.ec2_ami: + image_id: '{{ instance.image_id }}' + state: present + launch_permissions: + user_ids: ['123456789012'] + +``` diff --git a/docs/queries/ansible-queries/aws/a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md b/docs/queries/ansible-queries/aws/a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md new file mode 100644 index 00000000000..b0fa7d7f0b3 --- /dev/null +++ b/docs/queries/ansible-queries/aws/a1ef9d2e-4163-40cb-bd92-04f0d602a15d.md @@ -0,0 +1,59 @@ +--- +title: S3 Bucket ACL Allows Read to All Users +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a1ef9d2e-4163-40cb-bd92-04f0d602a15d +- **Query name:** S3 Bucket ACL Allows Read to All Users +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users) + +### Description +S3 Buckets should not be readable to all users
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 6" +--- +- name: Create an empty bucket + amazon.aws.aws_s3: + bucket: mybucket + mode: create + permission: public-read +- name: Create an empty bucket2 + amazon.aws.aws_s3: + bucket: mybucket + mode: create + permission: public-read-write + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create an empty bucket + amazon.aws.aws_s3: + bucket: mybucket + mode: create + permission: private +- name: Create an empty bucket2 + amazon.aws.aws_s3: + bucket: mybucket + mode: create + +``` diff --git a/docs/queries/ansible-queries/aws/a2fdf451-89dd-451e-af92-bf6c0f4bab96.md b/docs/queries/ansible-queries/aws/a2fdf451-89dd-451e-af92-bf6c0f4bab96.md new file mode 100644 index 00000000000..726cc76665e --- /dev/null +++ b/docs/queries/ansible-queries/aws/a2fdf451-89dd-451e-af92-bf6c0f4bab96.md @@ -0,0 +1,75 @@ +--- +title: Configuration Aggregator to All Regions Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a2fdf451-89dd-451e-af92-bf6c0f4bab96 +- **Query name:** Configuration Aggregator to All Regions Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/config_configuration_aggregator_to_all_regions_disabled) + +### Description +AWS Config Configuration Aggregator All Regions must be set to True
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_config_aggregator_module.html#parameter-organization_source) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 10" +- name: Create cross-account aggregator + community.aws.aws_config_aggregator: + name: test_config_rule + state: present + account_sources: + account_ids: + - 1234567890 + - 0123456789 + - 9012345678 + all_aws_regions: no + organization_source: + all_aws_regions: yes +- name: Create cross-account aggregator2 + community.aws.aws_config_aggregator: + name: test_config_rule + state: present + account_sources: + account_ids: + - 1234567890 + - 0123456789 + - 9012345678 + all_aws_regions: yes + organization_source: + all_aws_regions: no + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create cross-account aggregator + community.aws.aws_config_aggregator: + name: test_config_rule + state: present + account_sources: + account_ids: + - 1234567890 + - 0123456789 + - 9012345678 + all_aws_regions: yes + organization_source: + all_aws_regions: yes + +``` diff --git a/docs/queries/ansible-queries/aws/a6d27cf7-61dc-4bde-ae08-3b353b609f76.md b/docs/queries/ansible-queries/aws/a6d27cf7-61dc-4bde-ae08-3b353b609f76.md new file mode 100644 index 00000000000..ee01a11273f --- /dev/null +++ b/docs/queries/ansible-queries/aws/a6d27cf7-61dc-4bde-ae08-3b353b609f76.md 
@@ -0,0 +1,157 @@
+---
+title: Cloudfront Viewer Protocol Policy Allows HTTP
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a6d27cf7-61dc-4bde-ae08-3b353b609f76
+- **Query name:** Cloudfront Viewer Protocol Policy Allows HTTP
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/viewer_protocol_policy_allows_http)
+
+### Description
+Checks if the connection between CloudFront and the viewer is encrypted
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="50 20"
+- name: example1
+ community.aws.cloudfront_distribution:
+ state: present
+ caller_reference: unique test distribution ID
+ origins:
+ - id: 'my test origin-000111'
+ domain_name: www.example.com
+ origin_path: /production
+ custom_headers:
+ - header_name: MyCustomHeaderName
+ header_value: MyCustomHeaderValue
+ default_cache_behavior:
+ target_origin_id: 'my test origin-000111'
+ forwarded_values:
+ query_string: true
+ cookies:
+ forward: all
+ headers:
+ - '*'
+ viewer_protocol_policy: allow-all
+ smooth_streaming: true
+ compress: true
+ allowed_methods:
+ items:
+ - GET
+ - HEAD
+ cached_methods:
+ - GET
+ - HEAD
+
+- name: example2
+ community.aws.cloudfront_distribution:
+ state: present
+ caller_reference: unique test distribution ID
+ origins:
+ - id: 'my test origin-000111'
+ domain_name: www.example.com
+ origin_path: /production
+ custom_headers:
+ - header_name: MyCustomHeaderName
+ header_value: MyCustomHeaderValue
+ cache_behaviors:
+ target_origin_id: 'my test origin-000111'
+ forwarded_values:
+ query_string: true
+ cookies:
+ forward: all
+ headers:
+ - '*'
+ viewer_protocol_policy: allow-all
+ smooth_streaming: true
+ compress: true
+ allowed_methods:
+ items:
+ - GET
+ - HEAD
+ cached_methods:
+ - GET
+ - HEAD
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file"
+- name: example1
+ community.aws.cloudfront_distribution:
+ state: present
+ caller_reference: unique test distribution ID
+ origins:
+ - id: my test origin-000111
+ domain_name: www.example.com
+ origin_path: /production
+ custom_headers:
+ - header_name: MyCustomHeaderName
+ header_value: MyCustomHeaderValue
+ default_cache_behavior:
+ target_origin_id: my test origin-000111
+ forwarded_values:
+ query_string: true
+ cookies:
+ forward: all
+ headers:
+ - '*'
+ viewer_protocol_policy: https-only
+ smooth_streaming: true
+ compress: true
+ allowed_methods:
+ items:
+ - GET
+ - HEAD
+ cached_methods:
+ - GET
+ - HEAD
+
+- name: example2
+ community.aws.cloudfront_distribution:
+ state: present
+ caller_reference: unique test distribution ID
+ origins:
+ - id: my test origin-000111
+ domain_name: www.example.com
+ origin_path: /production
+ custom_headers:
+ - header_name: MyCustomHeaderName
+ header_value: MyCustomHeaderValue
+ cache_behaviors:
+ target_origin_id: my test origin-000111
+ forwarded_values:
+ query_string: true
+ cookies:
+ forward: all
+ headers:
+ - '*'
+ viewer_protocol_policy: https-only
+ smooth_streaming: true
+ compress: true
+ allowed_methods:
+ items:
+ - GET
+ - HEAD
+ cached_methods:
+ - GET
+ - HEAD
+
+```
diff --git a/docs/queries/ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md b/docs/queries/ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md
new file mode 100644
index 00000000000..4514ea16287
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1.md
@@ -0,0 +1,89 @@
+---
+title: EC2 Instance Has Public IP
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a8b0c58b-cd25-4b53-9ad0-55bca0be0bc1
+- **Query name:** EC2 Instance Has Public IP
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ec2_instance_has_public_ip)
+
+### Description
+EC2 Instance should not have a public IP address.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html#parameter-assign_public_ip)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 15 7"
+- name: example
+ amazon.aws.ec2:
+ key_name: mykey
+ instance_type: t2.micro
+ count: 3
+ vpc_subnet_id: subnet-29e63245
+ assign_public_ip: yes
+- name: Create an ec2 launch template
+ community.aws.ec2_launch_template:
+ name: "my_template"
+ image_id: "ami-04b762b4289fba92b"
+ key_name: my_ssh_key
+ instance_type: t2.micro
+ network_interfaces:
+ associate_public_ip_address: true
+- name: start an instance with a public IP address
+ community.aws.ec2_instance:
+ name: "public-compute-instance"
+ key_name: "prod-ssh-key"
+ vpc_subnet_id: subnet-5ca1ab1e
+ instance_type: c5.large
+ security_group: default
+ network:
+ assign_public_ip: true
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- amazon.aws.ec2:
+ key_name: mykey
+ instance_type: t2.micro
+ count: 3
+ vpc_subnet_id: subnet-29e63245
+ assign_public_ip: false
+- name: Create an ec2 launch template
+ community.aws.ec2_launch_template:
+ name: my_template
+ image_id: ami-04b762b4289fba92b
+ key_name: my_ssh_key
+ instance_type: t2.micro
+- name: Create an ec2 launch template
+ community.aws.ec2_launch_template:
+ name: "my_template"
+ image_id: "ami-04b762b4289fba92b"
+ key_name: my_ssh_key
+ instance_type: t2.micro
+ network_interfaces:
+ - interface_type: interface
+ ipv6_addresses: []
+ mac_address: '0 e: 0 e: 36: 60: 67: cf'
+ network_interface_id: eni - 061 dee20eba3b445a
+ owner_id: '721066863947'
+ source_dest_check: true
+ status: " in -use"
+
+```
diff --git a/docs/queries/ansible-queries/aws/af167837-9636-4086-b815-c239186b9dda.md b/docs/queries/ansible-queries/aws/af167837-9636-4086-b815-c239186b9dda.md
new file mode 100644
index 00000000000..66d219531aa
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/af167837-9636-4086-b815-c239186b9dda.md
@@ -0,0 +1,169 @@
+---
+title: Cross-Account IAM Assume Role Policy Without ExternalId or MFA
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** af167837-9636-4086-b815-c239186b9dda
+- **Query name:** Cross-Account IAM Assume Role Policy Without ExternalId or MFA
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa)
+
+### Description
+Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_role_module.html#parameter-assume_role_policy_document)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+- name: Create a role with description and tags
+ community.aws.iam_role:
+ name: mynewrole
+ assume_role_policy_document: >
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "AWS": "arn:aws:iam::987654321145:root"
+ },
+ "Effect": "Allow",
+ "Resource": "*",
+ "Sid": ""
+ }
+ ]
+ }
+ description: This is My New Role
+ tags:
+ env: dev
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="4"
+- name: Create a role with description and tags2
+ community.aws.iam_role:
+ name: mynewrole2
+ assume_role_policy_document: >
+ {
+ "Version": "2012-10-17",
+ "Statement": {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "AWS": "arn:aws:iam::987654321145:root"
+ },
+ "Effect": "Allow",
+ "Resource": "*",
+ "Sid": "",
+ "Condition": {
+ "Bool": {
+ "aws:MultiFactorAuthPresent": "false"
+ }
+ }
+ }
+ }
+ description: This is My New Role
+ tags:
+ env: dev
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="4"
+- name: Create a role with description and tags3
+ community.aws.iam_role:
+ name: mynewrole3
+ assume_role_policy_document: >
+ {
+ "Version": "2012-10-17",
+ "Statement": {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "AWS": "arn:aws:iam::987654321145:root"
+ },
+ "Effect": "Allow",
+ "Resource": "*",
+ "Sid": "",
+ "Condition": {
+ "StringEquals": {
+ "sts:ExternalId": ""
+ }
+ }
+ }
+ }
+ description: This is My New Role
+ tags:
+ env: dev
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file"
+- name: Create a role with description and tags4
+ community.aws.iam_role:
+ name: mynewrole4
+ assume_role_policy_document: >
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "AWS": "arn:aws:iam::987654321145:root"
+ },
+ "Effect": "Allow",
+ "Resource": "*",
+ "Sid": "",
+ "Condition": {
+ "StringEquals": {
+ "sts:ExternalId": "98765"
+ }
+ }
+ }
+ ]
+ }
+ description: This is My New Role
+ tags:
+ env: dev
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+- name: Create a role with description and tags5
+ community.aws.iam_role:
+ name: mynewrole5
+ assume_role_policy_document: >
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Principal": {
+ "AWS": "arn:aws:iam::987654321145:root"
+ },
+ "Effect": "Allow",
+ "Resource": "*",
+ "Sid": "",
+ "Condition": {
+ "Bool": {
+ "aws:MultiFactorAuthPresent": "true"
+ }
+ }
+ }
+ ]
+ }
+ description: This is My New Role
+ tags:
+ env: dev
+
+```
diff --git a/docs/queries/ansible-queries/aws/af96d737-0818-4162-8c41-40d969bd65d1.md b/docs/queries/ansible-queries/aws/af96d737-0818-4162-8c41-40d969bd65d1.md
new file mode 100644
index 00000000000..6e763fa37f0
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/af96d737-0818-4162-8c41-40d969bd65d1.md
@@ -0,0 +1,62 @@
+---
+title: CMK Rotation Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** af96d737-0818-4162-8c41-40d969bd65d1
+- **Query name:** CMK Rotation Disabled
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cmk_rotation_disabled)
+
+### Description
+Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_kms_module.html#parameter-enable_key_rotation)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+- name: Update IAM policy on an existing KMS key
+ community.aws.aws_kms:
+ alias: my-kms-key
+ policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { } ]}'
+ state: present
+ enabled: true
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="7"
+- name: Update IAM policy on an existing KMS key2
+ community.aws.aws_kms:
+ alias: my-kms-key
+ policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { } ]}'
+ state: present
+ enabled: true
+ enable_key_rotation: false
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Update IAM policy on an existing KMS key3
+ community.aws.aws_kms:
+ alias: my-kms-key
+ policy: '{"Version": "2012-10-17", "Id": "my-kms-key-permissions", "Statement": [ { } ]}'
+ state: present
+ enabled: true
+ enable_key_rotation: true
+
+```
diff --git a/docs/queries/ansible-queries/aws/b16cdb37-ce15-4ab2-8401-d42b05d123fc.md b/docs/queries/ansible-queries/aws/b16cdb37-ce15-4ab2-8401-d42b05d123fc.md
new file mode 100644
index 00000000000..93e447ba8b7
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/b16cdb37-ce15-4ab2-8401-d42b05d123fc.md
@@ -0,0 +1,201 @@
+---
+title: API Gateway Without Configured Authorizer
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b16cdb37-ce15-4ab2-8401-d42b05d123fc
+- **Query name:** API Gateway Without Configured Authorizer
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/api_gateway_without_configured_authorizer)
+
+### Description
+API Gateway REST API should have an API Gateway Authorizer
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_api_gateway_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+- name: Setup AWS API Gateway setup on AWS and deploy API definition
+ community.aws.aws_api_gateway:
+ swagger_dict:
+ {
+ "openapi": "3.0.0",
+ "info":
+ {
+ "title": "Simple API Overview",
+ "version": "1.0.0",
+ "contact": { "name": "contact", "email": "user@gmail.com" },
+ },
+ "components":
+ {
+ "securitySchemes":
+ {
+ "request_authorizer_single_stagevar":
+ {
+ "type": "apiKey",
+ "name": "Unused",
+ "in": "header",
+ "x-amazon-apigateway-authtype": "custom",
+ },
+ },
+ },
+ }
+ stage: production
+ cache_enabled: true
+ cache_size: "1.6"
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="2"
+- name: Setup AWS API Gateway setup on AWS and deploy API definition2
+ aws_api_gateway:
+ stage: production
+ cache_enabled: true
+ cache_size: "1.6"
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="3"
+- name: Setup AWS API Gateway setup on AWS and deploy API 222
+ aws_api_gateway:
+ swagger_file: swaggerFileWithoutAuthorizer.yaml
+ stage: production
+ cache_enabled: true
+ cache_size: "1.6"
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+
+```
+
Postitive test num. 4 - yaml file
+
+```yaml hl_lines="3"
+- name: Setup AWS API Gateway setup on AWS and deploy API 222
+ aws_api_gateway:
+ swagger_text: |
+ openapi: 3.0.0
+ info:
+ title: Sample API
+ description: Optional multiline or single-line description
+ version: 0.1.9
+ components:
+ ssecuritySchemes:
+ request_authorizer_single_stagevar:
+ type: apiKey
+ name: Unused
+ in: header
+ x-amazon-apigateway-authtype: custom
+ stage: production
+ cache_enabled: true
+ cache_size: "1.6"
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Setup AWS API Gateway setup on AWS and deploy API definition3
+ community.aws.aws_api_gateway:
+ swagger_file: swaggerFile.yaml
+ stage: production
+ cache_enabled: true
+ cache_size: "1.6"
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+- name: Setup AWS API Gateway setup on AWS and deploy API definition22222
+ community.aws.aws_api_gateway:
+ swagger_dict:
+ {
+ "openapi": "3.0.0",
+ "info":
+ {
+ "title": "Simple API Overview",
+ "version": "1.0.0",
+ "contact": { "name": "contact", "email": "user@gmail.com" },
+ },
+ "components":
+ {
+ "securitySchemes":
+ {
+ "request_authorizer_single_stagevar":
+ {
+ "type": "apiKey",
+ "name": "Unused",
+ "in": "header",
+ "x-amazon-apigateway-authtype": "custom",
+ "x-amazon-apigateway-authorizer":
+ {
+ "type": "request",
+ "identitySource": "stageVariables.stage",
+ "authorizerCredentials": "arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole",
+ "authorizerUri": "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations",
+ "authorizerResultTtlInSeconds": 300,
+ },
+ },
+ },
+ },
+ }
+ stage: production
+ cache_enabled: true
+ cache_size: "1.6"
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+
+```
+```yaml title="Negative test num. 
3 - yaml file"
+- name: Setup AWS API Gateway setup on AWS and deploy API 222
+ aws_api_gateway:
+ swagger_text: |
+ openapi: 3.0.0
+ info:
+ title: Sample API
+ description: Optional multiline or single-line description
+ version: 0.1.9
+ components:
+ securitySchemes:
+ request_authorizer_single_stagevar:
+ type: apiKey
+ name: Unused
+ in: header
+ x-amazon-apigateway-authtype: custom
+ x-amazon-apigateway-authorizer:
+ type: request
+ identitySource: stageVariables.stage
+ authorizerCredentials: arn:aws:iam::123456789012:role/AWSepIntegTest-CS-LambdaRole
+ authorizerUri: arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:APIGateway-Request-Authorizer:vtwo/invocations
+ authorizerResultTtlInSeconds: 300
+ stage: production
+ cache_enabled: true
+ cache_size: "1.6"
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/aws/b25398a2-0625-4e61-8e4d-a1bb23905bf6.md b/docs/queries/ansible-queries/aws/b25398a2-0625-4e61-8e4d-a1bb23905bf6.md
new file mode 100644
index 00000000000..0a42aa226db
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/b25398a2-0625-4e61-8e4d-a1bb23905bf6.md
@@ -0,0 +1,103 @@
+---
+title: CDN Configuration Is Missing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b25398a2-0625-4e61-8e4d-a1bb23905bf6
+- **Query name:** CDN Configuration Is Missing
+- **Platform:** Ansible
+- **Severity:** Low
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cdn_configuration_is_missing)
+
+### Description
+Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 23"
+- name: create a distribution without an origin and with enabled=false
+ community.aws.cloudfront_distribution:
+ state: present
+ caller_reference: unique test distribution ID
+ default_cache_behavior:
+ target_origin_id: 'my test origin-000111'
+ forwarded_values:
+ query_string: true
+ cookies:
+ forward: all
+ headers:
+ - '*'
+ viewer_protocol_policy: allow-all
+ smooth_streaming: true
+ compress: true
+ allowed_methods:
+ items:
+ - GET
+ - HEAD
+ cached_methods:
+ - GET
+ - HEAD
+ enabled: false
+ logging:
+ enabled: true
+ include_cookies: false
+ bucket: mylogbucket.s3.amazonaws.com
+ prefix: myprefix/
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: create a distribution with an origin, logging and default cache behavior
+ community.aws.cloudfront_distribution:
+ state: present
+ caller_reference: unique test distribution ID
+ origins:
+ - id: 'my test origin-000111'
+ domain_name: www.example.com
+ origin_path: /production
+ custom_headers:
+ - header_name: MyCustomHeaderName
+ header_value: MyCustomHeaderValue
+ default_cache_behavior:
+ target_origin_id: 'my test origin-000111'
+ forwarded_values:
+ query_string: true
+ cookies:
+ forward: all
+ headers:
+ - '*'
+ viewer_protocol_policy: allow-all
+ smooth_streaming: true
+ compress: true
+ allowed_methods:
+ items:
+ - GET
+ - HEAD
+ cached_methods:
+ - GET
+ - HEAD
+ logging:
+ enabled: true
+ include_cookies: false
+ bucket: mylogbucket.s3.amazonaws.com
+ prefix: myprefix/
+ enabled: true
+ comment: this is a CloudFront distribution with logging
+
+```
diff --git a/docs/queries/ansible-queries/aws/b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md b/docs/queries/ansible-queries/aws/b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md
new file mode 100644
index 00000000000..480c0bec175
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/b47b98ab-e481-4a82-8bb1-1ab39fd36e33.md
@@ -0,0 +1,85 @@
+---
+title: API Gateway Without SSL Certificate
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b47b98ab-e481-4a82-8bb1-1ab39fd36e33
+- **Query name:** API Gateway Without SSL Certificate
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/api_gateway_without_ssl_certificate)
+
+### Description
+SSL Client Certificate should be enabled
+[Documentation](https://docs.ansible.com/ansible/2.8/modules/aws_api_gateway_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 21 6 23"
+- name: update API
+ aws_api_gateway:
+ api_id: 'abc123321cba'
+ state: present
+ swagger_file: my_api.yml
+ validate_certs: no
+- name: update API v1
+ aws_api_gateway:
+ api_id: 'abc123321cba'
+ state: present
+ swagger_file: my_api.yml
+- name: Setup AWS API Gateway setup on AWS and deploy API definition
+ community.aws.aws_api_gateway:
+ swagger_file: my_api.yml
+ stage: production
+ cache_enabled: true
+ cache_size: '1.6'
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+ validate_certs: no
+- name: Setup AWS API Gateway setup on AWS and deploy API definition v1
+ community.aws.aws_api_gateway:
+ swagger_file: my_api.yml
+ stage: production
+ cache_enabled: true
+ cache_size: '1.6'
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: update API v2
+ aws_api_gateway:
+ api_id: abc123321cba
+ state: present
+ swagger_file: my_api.yml
+ validate_certs: yes
+- name: Setup AWS API Gateway setup on AWS and deploy API definition v2
+ community.aws.aws_api_gateway:
+ swagger_file: my_api.yml
+ stage: production
+ cache_enabled: true
+ cache_size: '1.6'
+ tracing_enabled: true
+ endpoint_type: EDGE
+ state: present
+ validate_certs: yes
+
+```
diff --git a/docs/queries/ansible-queries/aws/b5ed026d-a772-4f07-97f9-664ba0b116f8.md b/docs/queries/ansible-queries/aws/b5ed026d-a772-4f07-97f9-664ba0b116f8.md
new file mode 100644
index 00000000000..df8d391fdbf
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/b5ed026d-a772-4f07-97f9-664ba0b116f8.md
@@ -0,0 +1,61 @@
+---
+title: IAM Policy Grants Full Permissions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b5ed026d-a772-4f07-97f9-664ba0b116f8
+- **Query name:** IAM Policy Grants Full Permissions
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_policy_grants_full_permissions)
+
+### Description
+IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+- name: Create IAM Managed Policy
+ community.aws.iam_managed_policy:
+ policy_name: "ManagedPolicy"
+ policy:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Action: "*"
+ Resource: "*"
+ make_default: false
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Create IAM Managed Policy
+ community.aws.iam_managed_policy:
+ policy_name: ManagedPolicy
+ policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action: logs:CreateLogGroup
+ Resource: SomeResource
+ make_default: false
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/aws/b8a9852c-9943-4973-b8d5-77dae9352851.md b/docs/queries/ansible-queries/aws/b8a9852c-9943-4973-b8d5-77dae9352851.md
new file mode 100644
index 00000000000..23bd1a8013a
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/b8a9852c-9943-4973-b8d5-77dae9352851.md
@@ -0,0 +1,56 @@
+---
+title: EFS Without Tags
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b8a9852c-9943-4973-b8d5-77dae9352851
+- **Query name:** EFS Without Tags
+- **Platform:** Ansible
+- **Severity:** Low
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/efs_without_tags)
+
+### Description
+Amazon Elastic Filesystem should have filesystem tags associated
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+- name: EFS provisioning without tags
+ community.aws.efs:
+ state: present
+ name: myTestEFS
+ targets:
+ - subnet_id: subnet-748c5d03
+ security_groups: [ "sg-1a2b3c4d" ]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: EFS provisioning
+ community.aws.efs:
+ state: present
+ name: myTestEFS
+ tags:
+ Name: myTestNameTag
+ purpose: file-storage
+ targets:
+ - subnet_id: subnet-748c5d03
+ security_groups: [ "sg-1a2b3c4d" ]
+
+```
diff --git a/docs/queries/ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd.md b/docs/queries/ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd.md
new file mode 100644
index 00000000000..ac2616dff16
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/babdedcf-d859-43da-9a7b-6d72e661a8fd.md
@@ -0,0 +1,78 @@
+---
+title: IAM Role Allows All Principals To Assume
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** babdedcf-d859-43da-9a7b-6d72e661a8fd
+- **Query name:** IAM Role Allows All Principals To Assume
+- **Platform:** Ansible
+- **Severity:** Low
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_role_allows_all_principals_to_assume)
+
+### Description
+IAM role allows all services or principals to assume it
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 4"
+- name: Create IAM Managed Policy
+ community.aws.iam_managed_policy:
+ policy_name: "ManagedPolicy"
+ policy:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Action: "logs:CreateLogGroup"
+ Resource: "*"
+ Principal:
+ AWS: "arn:aws:iam::root"
+ make_default: false
+ state: present
+- name: Create2 IAM Managed Policy
+ community.aws.iam_managed_policy:
+ policy_name: "ManagedPolicy2"
+ policy: >
+ {
+ "Version": "2012-10-17",
+ "Statement":[{
+ "Effect": "Allow",
+ "Action": "logs:PutRetentionPolicy",
+ "Resource": "*",
+ "Principal" : { "AWS" : "arn:aws:iam::root" }
+ }]
+ }
+ only_version: true
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Create IAM Managed Policy
+ community.aws.iam_managed_policy:
+ policy_name: ManagedPolicy
+ policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action: logs:CreateLogGroup
+ Resource: '*'
+ make_default: false
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e.md b/docs/queries/ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e.md
new file mode 100644
index 00000000000..6a7f98b7b5a
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/bd77554e-f138-40c5-91b2-2a09f878608e.md
@@ -0,0 +1,63 @@
+---
+title: EFS Without KMS
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** bd77554e-f138-40c5-91b2-2a09f878608e
+- **Query name:** EFS Without KMS
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/efs_without_kms)
+
+### Description
+Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+---
+- name: foo
+ community.aws.efs:
+ state: present
+ name: myTestEFS
+ encrypt: no
+ tags:
+ Name: myTestNameTag
+ purpose: file-storage
+ targets:
+ - subnet_id: subnet-748c5d03
+ security_groups: ["sg-1a2b3c4d"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: foo
+ community.aws.efs:
+ state: present
+ name: myTestEFS
+ encrypt: yes
+ tags:
+ Name: myTestNameTag
+ purpose: file-storage
+ targets:
+ - subnet_id: subnet-748c5d03
+ security_groups: [sg-1a2b3c4d]
+ kms_key_id: "some-key-id"
+
+```
diff --git a/docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md b/docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md
new file mode 100644
index 00000000000..415e3d5288d
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/c09e3ca5-f08a-4717-9c87-3919c5e6d209.md
@@ -0,0 +1,81 @@
+---
+title: DB Instance Publicly Accessible
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c09e3ca5-f08a-4717-9c87-3919c5e6d209
+- **Query name:** DB Instance Publicly Accessible
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/db_instance_publicly_accessible)
+
+### Description
+RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-auto_minor_version_upgrade)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 22"
+---
+- name: community - Create a DB instance using the default AWS KMS encryption key
+ community.aws.rds_instance:
+ id: test-encrypted-db
+ state: present
+ engine: mariadb
+ storage_encrypted: True
+ db_instance_class: db.t2.medium
+ username: "{{ username }}"
+ password: "{{ password }}"
+ allocated_storage: "{{ allocated_storage }}"
+ publicly_accessible: Yes
+- name: community - Basic mysql provisioning example
+ community.aws.rds:
+ command: create
+ instance_name: new-database
+ db_engine: MySQL
+ size: 10
+ instance_type: db.m1.small
+ username: mysql_admin
+ password: 1nsecure
+ publicly_accessible: "true"
+ tags:
+ Environment: testing
+ Application: cms
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: create RDS instance in default VPC and default subnet group02
+ community.aws.rds_instance:
+ engine: aurora
+ db_instance_identifier: ansible-test-aurora-db-instance
+ instance_type: db.t2.small
+ password: '{{ password }}'
+ username: '{{ username }}'
+ cluster_id: ansible-test-cluster
+ publicly_accessible: false
+- name: create RDS instance in default VPC and default subnet group03
+ rds_instance:
+ engine: aurora
+ db_instance_identifier: ansible-test-aurora-db-instance
+ instance_type: db.t2.small
+ password: '{{ password }}'
+ username: '{{ username }}'
+ cluster_id: ansible-test-cluster
+
+```
diff --git a/docs/queries/ansible-queries/aws/c09f4d3e-27d2-4d46-9453-abbe9687a64e.md b/docs/queries/ansible-queries/aws/c09f4d3e-27d2-4d46-9453-abbe9687a64e.md
new file mode 100644
index 00000000000..c41b265c5ee
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/c09f4d3e-27d2-4d46-9453-abbe9687a64e.md
@@ -0,0 +1,91 @@ +--- +title: User Data Contains Encoded Private Key +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c09f4d3e-27d2-4d46-9453-abbe9687a64e +- **Query name:** User Data Contains Encoded Private Key +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/user_data_contains_encoded_private_key) + +### Description +User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_lc_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +--- +- name: note that encrypted volumes are only supported in >= Ansible 2.4 + community.aws.ec2_lc: + name: special + image_id: ami-XXX + key_name: default + security_groups: ['group', 'group2' ] + instance_type: t1.micro + user_data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5 + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true + encrypted: true + - device_name: /dev/sdb + ephemeral: ephemeral0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: note that encrypted volumes are only supported in >= Ansible 2.4 + community.aws.ec2_lc: + name: special + image_id: ami-XXX + key_name: default + security_groups: [group, group2] + instance_type: t1.micro + user_data: dGVzdA== + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true + encrypted: true + - device_name: /dev/sdb + ephemeral: ephemeral0 +- name: note that encrypted volumes are only supported in >= Ansible 2.4.2 + community.aws.ec2_lc: + name: special2 + image_id: ami-XXX + key_name: default + security_groups: [group, group2] + instance_type: t1.micro + user_data: + volumes: + - device_name: /dev/sda1 + volume_size: 100 + volume_type: io1 + iops: 3000 + delete_on_termination: true + encrypted: true + - device_name: /dev/sdb + ephemeral: ephemeral0 + +``` diff --git a/docs/queries/ansible-queries/aws/c2f15af3-66a0-4176-a56e-e4711e502e5c.md b/docs/queries/ansible-queries/aws/c2f15af3-66a0-4176-a56e-e4711e502e5c.md new file mode 100644 index 00000000000..6c615dddfb3 --- /dev/null +++ b/docs/queries/ansible-queries/aws/c2f15af3-66a0-4176-a56e-e4711e502e5c.md 
@@ -0,0 +1,60 @@ +--- +title: Hardcoded AWS Access Key +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c2f15af3-66a0-4176-a56e-e4711e502e5c +- **Query name:** Hardcoded AWS Access Key +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/hardcoded_aws_access_key) + +### Description +AWS Access Key should not be hardcoded
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ec2_instance_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +- name: start an instance with a cpu_options + community.aws.ec2_instance: + name: "public-cpuoption-instance" + vpc_subnet_id: subnet-5ca1ab1e + tags: + Environment: Testing + user_data: "1234567890123456789012345678901234567890$" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: start an instance with a cpu_options + community.aws.ec2_instance: + name: public-cpuoption-instance + vpc_subnet_id: subnet-5ca1ab1e + tags: + Environment: Testing + instance_type: c4.large + volumes: + - device_name: /dev/sda1 + ebs: + delete_on_termination: true + cpu_options: + core_count: 1 + threads_per_core: 1 + +``` diff --git a/docs/queries/ansible-queries/aws/c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md b/docs/queries/ansible-queries/aws/c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md new file mode 100644 index 00000000000..b07b3c65cc4 --- /dev/null +++ b/docs/queries/ansible-queries/aws/c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d.md @@ -0,0 +1,49 @@ +--- +title: S3 Bucket Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d +- **Query name:** S3 Bucket Logging Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_logging_disabled) + +### Description +Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-debug_botocore_endpoint_logs) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +--- +- name: "Create S3 bucket" + amazon.aws.s3_bucket: + name: mys3bucket + state: present + debug_botocore_endpoint_logs: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- amazon.aws.s3_bucket: + name: mys3bucket + state: present + debug_botocore_endpoint_logs: true + +``` diff --git a/docs/queries/ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md b/docs/queries/ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md new file mode 100644 index 00000000000..ed1ba01835e --- /dev/null +++ b/docs/queries/ansible-queries/aws/c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9.md @@ -0,0 +1,59 @@ +--- +title: S3 Bucket With Public Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c3e073c1-f65e-4d18-bd67-4a8f20ad1ab9 +- **Query name:** S3 Bucket With Public Access +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_with_public_access) + +### Description +S3 Bucket allows public access
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 6" +--- +- name: Create an empty bucket + amazon.aws.aws_s3: + bucket: mybucket + mode: create + permission: public-read +- name: Create an empty bucket 01 + amazon.aws.aws_s3: + bucket: mybucket 01 + mode: create + permission: public-read-write + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create an empty bucket + amazon.aws.aws_s3: + bucket: mybucket + mode: create + permission: private +- name: Create an empty bucket 02 + amazon.aws.aws_s3: + bucket: mybucket + mode: create + +``` diff --git a/docs/queries/ansible-queries/aws/d0c13053-d2c8-44a6-95da-d592996e9e67.md b/docs/queries/ansible-queries/aws/d0c13053-d2c8-44a6-95da-d592996e9e67.md new file mode 100644 index 00000000000..2ce244f926f --- /dev/null +++ b/docs/queries/ansible-queries/aws/d0c13053-d2c8-44a6-95da-d592996e9e67.md @@ -0,0 +1,113 @@ +--- +title: CloudFront Without Minimum Protocol TLS 1.2 +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d0c13053-d2c8-44a6-95da-d592996e9e67 +- **Query name:** CloudFront Without Minimum Protocol TLS 1.2 +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudfront_without_minimum_protocol_tls_1.2) + +### Description +CloudFront Minimum Protocol version should be at least TLS 1.2
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html#parameter-viewer_certificate/minimum_protocol_version) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 18 37" +- name: create a distribution with an origin and logging + community.aws.cloudfront_distribution: + state: present + caller_reference: unique test distribution ID + origins: + - id: 'my test origin-000111' + domain_name: www.example.com + origin_path: /production + custom_headers: + - header_name: MyCustomHeaderName + header_value: MyCustomHeaderValue + logging: + enabled: true + include_cookies: false + bucket: mylogbucket.s3.amazonaws.com + prefix: myprefix/ + viewer_certificate: + minimum_protocol_version: TLSv1 + comment: this is a CloudFront distribution with logging +- name: create another distribution with an origin and logging + community.aws.cloudfront_distribution: + state: present + caller_reference: unique test distribution ID + origins: + - id: 'my test origin-000111' + domain_name: www.example.com + origin_path: /production + custom_headers: + - header_name: MyCustomHeaderName + header_value: MyCustomHeaderValue + logging: + enabled: true + include_cookies: false + bucket: mylogbucket.s3.amazonaws.com + prefix: myprefix/ + viewer_certificate: + minimum_protocol_version: TLSv1.1_2016 + comment: this is a CloudFront distribution with logging +- name: create a third distribution + community.aws.cloudfront_distribution: + state: present + caller_reference: unique test distribution ID + origins: + - id: 'my test origin-000111' + domain_name: www.example.com + origin_path: /production + custom_headers: + - header_name: MyCustomHeaderName + header_value: MyCustomHeaderValue + logging: + enabled: true + include_cookies: false + bucket: mylogbucket.s3.amazonaws.com + prefix: myprefix/ + comment: this is a CloudFront distribution with logging + +``` + 
+ +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a distribution with an origin and logging + community.aws.cloudfront_distribution: + state: present + caller_reference: unique test distribution ID + origins: + - id: 'my test origin-000111' + domain_name: www.example.com + origin_path: /production + custom_headers: + - header_name: MyCustomHeaderName + header_value: MyCustomHeaderValue + logging: + enabled: true + include_cookies: false + bucket: mylogbucket.s3.amazonaws.com + prefix: myprefix/ + viewer_certificate: + minimum_protocol_version: TLSv1.2_2018 + comment: this is a CloudFront distribution with logging + +``` diff --git a/docs/queries/ansible-queries/aws/d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md b/docs/queries/ansible-queries/aws/d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md new file mode 100644 index 00000000000..054fc336a53 --- /dev/null +++ b/docs/queries/ansible-queries/aws/d31cb911-bf5b-4eb6-9fc3-16780c77c7bd.md @@ -0,0 +1,142 @@ +--- +title: CloudFront Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d31cb911-bf5b-4eb6-9fc3-16780c77c7bd +- **Query name:** CloudFront Logging Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudfront_logging_disabled) + +### Description +AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' should be defined with 'enabled' set to true
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 62" +- name: create a distribution with an origin, logging and default cache behavior + community.aws.cloudfront_distribution: + state: present + caller_reference: unique test distribution ID + origins: + - id: 'my test origin-000111' + domain_name: www.example.com + origin_path: /production + custom_headers: + - header_name: MyCustomHeaderName + header_value: MyCustomHeaderValue + default_cache_behavior: + target_origin_id: 'my test origin-000111' + forwarded_values: + query_string: true + cookies: + forward: all + headers: + - '*' + viewer_protocol_policy: allow-all + smooth_streaming: true + compress: true + allowed_methods: + items: + - GET + - HEAD + cached_methods: + - GET + - HEAD + enabled: false + comment: this is a CloudFront distribution with logging +- name: create a second distribution with an origin, logging and default cache behavior + community.aws.cloudfront_distribution: + state: present + caller_reference: unique test distribution ID + origins: + - id: 'my test origin-000111' + domain_name: www.example.com + origin_path: /production + custom_headers: + - header_name: MyCustomHeaderName + header_value: MyCustomHeaderValue + default_cache_behavior: + target_origin_id: 'my test origin-000111' + forwarded_values: + query_string: true + cookies: + forward: all + headers: + - '*' + viewer_protocol_policy: allow-all + smooth_streaming: true + compress: true + allowed_methods: + items: + - GET + - HEAD + cached_methods: + - GET + - HEAD + logging: + enabled: false + include_cookies: false + bucket: mylogbucket.s3.amazonaws.com + prefix: myprefix/ + enabled: false + comment: this is a CloudFront distribution with logging + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative 
test num. 1 - yaml file" +- name: create a distribution with an origin, logging and default cache behavior + community.aws.cloudfront_distribution: + state: present + caller_reference: unique test distribution ID + origins: + - id: my test origin-000111 + domain_name: www.example.com + origin_path: /production + custom_headers: + - header_name: MyCustomHeaderName + header_value: MyCustomHeaderValue + default_cache_behavior: + target_origin_id: my test origin-000111 + forwarded_values: + query_string: true + cookies: + forward: all + headers: + - '*' + viewer_protocol_policy: allow-all + smooth_streaming: true + compress: true + allowed_methods: + items: + - GET + - HEAD + cached_methods: + - GET + - HEAD + logging: + enabled: true + include_cookies: false + bucket: mylogbucket.s3.amazonaws.com + prefix: myprefix/ + enabled: false + comment: this is a CloudFront distribution with logging + +``` diff --git a/docs/queries/ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e.md b/docs/queries/ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e.md new file mode 100644 index 00000000000..696ca377bfc --- /dev/null +++ b/docs/queries/ansible-queries/aws/d395a950-12ce-4314-a742-ac5a785ab44e.md @@ -0,0 +1,61 @@ +--- +title: S3 Bucket Allows List Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d395a950-12ce-4314-a742-ac5a785ab44e +- **Query name:** S3 Bucket Allows List Action From All Principals +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals) + +### Description +S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +#this is a problematic code where the query should report a result(s) +- name: Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + policy: + Version: "2020-10-07" + Statement: + - Effect: Allow + Action: ListObject + Principal: "*" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: Bucket + amazon.aws.s3_bucket: + name: mys3bucket + state: present + policy: + Version: '2020-10-07' + Statement: + - Effect: Allow + Action: ListObject + Principal: NotAll + +``` diff --git a/docs/queries/ansible-queries/aws/d39761d7-94ab-45b0-ab5e-27c44e381d58.md b/docs/queries/ansible-queries/aws/d39761d7-94ab-45b0-ab5e-27c44e381d58.md new file mode 100644 index 00000000000..86069b459d2 --- /dev/null +++ b/docs/queries/ansible-queries/aws/d39761d7-94ab-45b0-ab5e-27c44e381d58.md @@ -0,0 +1,69 @@ +--- +title: Stack Notifications Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d39761d7-94ab-45b0-ab5e-27c44e381d58 +- **Query name:** Stack Notifications Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/stack_notifications_disabled) + +### Description +AWS CloudFormation should have stack notifications enabled to be notified when an event occurs
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html#parameter-notification_arns) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: create a stack, pass in the template via an URL + amazon.aws.cloudformation: + stack_name: "ansible-cloudformation" + state: present + region: us-east-1 + disable_rollback: true + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + template_parameters: + KeyName: jmartin + DiskType: ephemeral + InstanceType: m1.small + ClusterSize: 3 + tags: + Stack: ansible-cloudformation + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a stack, pass in the template via an URL + amazon.aws.cloudformation: + stack_name: ansible-cloudformation + stack_policy: wowowowoowow + notification_arns: a, b + state: present + region: us-east-1 + disable_rollback: true + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + template_parameters: + KeyName: jmartin + DiskType: ephemeral + InstanceType: m1.small + ClusterSize: 3 + tags: + Stack: ansible-cloudformation + +``` diff --git a/docs/queries/ansible-queries/aws/d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md b/docs/queries/ansible-queries/aws/d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md new file mode 100644 index 00000000000..94026e8db7b --- /dev/null +++ b/docs/queries/ansible-queries/aws/d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5.md 
@@ -0,0 +1,49 @@ +--- +title: CloudTrail Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d4a73c49-cbaa-4c6f-80ee-d6ef5a3a26f5 +- **Query name:** CloudTrail Logging Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudtrail_logging_disabled) + +### Description +Checks if logging is enabled for CloudTrail.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html#parameter-enable_logging) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +- name: example + community.aws.cloudtrail: + state: present + name: default + enable_logging: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example + community.aws.cloudtrail: + state: present + name: default + enable_logging: true + +``` diff --git a/docs/queries/ansible-queries/aws/d5ec2080-340a-4259-b885-f833c4ea6a31.md b/docs/queries/ansible-queries/aws/d5ec2080-340a-4259-b885-f833c4ea6a31.md new file mode 100644 index 00000000000..e10ad0a88d7 --- /dev/null +++ b/docs/queries/ansible-queries/aws/d5ec2080-340a-4259-b885-f833c4ea6a31.md @@ -0,0 +1,51 @@ +--- +title: Certificate RSA Key Bytes Lower Than 256 +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d5ec2080-340a-4259-b885-f833c4ea6a31 +- **Query name:** Certificate RSA Key Bytes Lower Than 256 +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/certificate_rsa_key_bytes_lower_than_256) + +### Description +The certificate should use a RSA key with a length equal to or higher than 256 bytes
+[Documentation](https://docs.ansible.com/ansible/2.10/collections/community/aws/aws_acm_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +- name: upload a self-signed certificate + community.aws.aws_acm: + certificate: "{{ lookup('file', 'rsa1024.pem' ) }}" + privateKey: "{{ lookup('file', 'key.pem' ) }}" + name_tag: my_cert + region: ap-southeast-2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: upload a self-signed certificate2 + community.aws.aws_acm: + certificate: "{{ lookup('file', 'rsa4096.pem' ) }}" + privateKey: "{{ lookup('file', 'key.pem' ) }}" + name_tag: my_cert + region: ap-southeast-2 + +``` diff --git a/docs/queries/ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10.md b/docs/queries/ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10.md new file mode 100644 index 00000000000..56639d6a21d --- /dev/null +++ b/docs/queries/ansible-queries/aws/d994585f-defb-4b51-b6d2-c70f020ceb10.md @@ -0,0 +1,94 @@ +--- +title: SQS Policy With Public Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d994585f-defb-4b51-b6d2-c70f020ceb10 +- **Query name:** SQS Policy With Public Access +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/sqs_policy_with_public_access) + +### Description +Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 28" +- name: First SQS queue with policy + community.aws.sqs_queue: + name: my-queue1 + region: ap-southeast-1 + default_visibility_timeout: 120 + message_retention_period: 86400 + maximum_message_size: 1024 + delivery_delay: 30 + receive_message_wait_time: 20 + policy: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: "sqs:*" + Resource: "*" + Principal: "*" + make_default: false + state: present +- name: Second SQS queue with policy + community.aws.sqs_queue: + name: my-queue2 + region: ap-southeast-3 + default_visibility_timeout: 120 + message_retention_period: 86400 + maximum_message_size: 1024 + delivery_delay: 30 + receive_message_wait_time: 20 + policy: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: "*" + Resource: "*" + Principal: + AWS: "*" + make_default: false + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: First SQS queue with policy + community.aws.sqs_queue: + name: my-queue1 + region: ap-southeast-1 + default_visibility_timeout: 120 + message_retention_period: 86400 + maximum_message_size: 1024 + delivery_delay: 30 + receive_message_wait_time: 20 + policy: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: sqs:* + Resource: '*' + Principal: Principal + make_default: false + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/defe5b18-978d-4722-9325-4d1975d3699f.md b/docs/queries/ansible-queries/aws/defe5b18-978d-4722-9325-4d1975d3699f.md new file mode 100644 index 00000000000..b4724fae2dd --- /dev/null +++ b/docs/queries/ansible-queries/aws/defe5b18-978d-4722-9325-4d1975d3699f.md 
@@ -0,0 +1,95 @@ +--- +title: Batch Job Definition With Privileged Container Properties +hide: + toc: true + navigation: true +--- + + + +- **Query id:** defe5b18-978d-4722-9325-4d1975d3699f +- **Query name:** Batch Job Definition With Privileged Container Properties +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/batch_job_definition_with_privileged_container_properties) + +### Description +Batch Job Definition should not have Privileged Container Properties
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/aws_batch_job_definition_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +- name: My Batch Job Definition + community.aws.aws_batch_job_definition: + job_definition_name: My Batch Job Definition + state: present + type: container + parameters: + Param1: Val1 + Param2: Val2 + privileged: true + image: + vcpus: 1 + memory: 512 + command: + - python + - run_my_script.py + - arg1 + job_role_arn: + attempts: 3 + register: job_definition_create_result + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: My Batch Job Definition + community.aws.aws_batch_job_definition: + job_definition_name: My Batch Job Definition without privilege + state: present + type: container + parameters: + Param1: Val1 + Param2: Val2 + privileged: false + image: + vcpus: 1 + memory: 512 + command: + - python + - run_my_script.py + - arg1 + job_role_arn: + attempts: 3 + register: job_definition_create_result +- name: My Batch Job Definition without explicit privilege + community.aws.aws_batch_job_definition: + job_definition_name: My Batch Job Definition + state: present + type: container + parameters: + Param1: Val1 + Param2: Val2 + image: + vcpus: 1 + memory: 512 + command: + - python + - run_my_script.py + - arg1 + job_role_arn: + attempts: 3 + register: job_definition_create_result + +``` diff --git a/docs/queries/ansible-queries/aws/e01de151-a7bd-4db4-b49b-3c4775a5e881.md b/docs/queries/ansible-queries/aws/e01de151-a7bd-4db4-b49b-3c4775a5e881.md new file mode 100644 index 00000000000..1c18f74c268 --- /dev/null +++ b/docs/queries/ansible-queries/aws/e01de151-a7bd-4db4-b49b-3c4775a5e881.md 
@@ -0,0 +1,55 @@ +--- +title: Redshift Using Default Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e01de151-a7bd-4db4-b49b-3c4775a5e881 +- **Query name:** Redshift Using Default Port +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/redshift_using_default_port) + +### Description +Redshift should not use the default port (5439) because an attacker can easily guess the port
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html#parameter-port) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +- name: Redshift + community.aws.redshift: + command: create + node_type: ds1.xlarge + identifier: new_cluster + username: cluster_admin + password: 1nsecur3 + port: 5439 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Redshift2 + community.aws.redshift: + command: create + node_type: ds1.xlarge + identifier: new_cluster + username: cluster_admin + password: 1nsecur3 + port: 1150 + +``` diff --git a/docs/queries/ansible-queries/aws/e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md b/docs/queries/ansible-queries/aws/e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md new file mode 100644 index 00000000000..9d122e2e9f7 --- /dev/null +++ b/docs/queries/ansible-queries/aws/e1e7b278-2a8b-49bd-a26e-66a7f70b17eb.md @@ -0,0 +1,84 @@ +--- +title: SQS With SSE Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e1e7b278-2a8b-49bd-a26e-66a7f70b17eb +- **Query name:** SQS With SSE Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/sqs_with_sse_disabled) + +### Description +Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 2 29 22" +- name: Create SQS queue with redrive policy + community.aws.sqs_queue: + name: my-queue + region: ap-southeast-2 + default_visibility_timeout: 120 + message_retention_period: 86400 + maximum_message_size: 1024 + delivery_delay: 30 + receive_message_wait_time: 20 + policy: "{{ json_dict }}" + redrive_policy: + maxReceiveCount: 5 + deadLetterTargetArn: arn:aws:sqs:eu-west-1:123456789012:my-dead-queue + +- name: Drop redrive policy + community.aws.sqs_queue: + name: my-queue + region: ap-southeast-2 + redrive_policy: {} + +- name: Create FIFO queue + community.aws.sqs_queue: + name: fifo-queue + region: ap-southeast-2 + queue_type: fifo + content_based_deduplication: yes + +- name: Tag queue + community.aws.sqs_queue: + name: fifo-queue + region: ap-southeast-2 + tags: + example: SomeValue + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Configure Encryption, automatically uses a new data key every hour + community.aws.sqs_queue: + name: fifo-queue + region: ap-southeast-2 + kms_master_key_id: alias/MyQueueKey + kms_data_key_reuse_period_seconds: 3600 + +- name: Delete SQS queue + community.aws.sqs_queue: + name: my-queue + region: ap-southeast-2 + state: absent + +``` diff --git a/docs/queries/ansible-queries/aws/e24e18d9-4c2b-4649-b3d0-18c088145e24.md b/docs/queries/ansible-queries/aws/e24e18d9-4c2b-4649-b3d0-18c088145e24.md new file mode 100644 index 00000000000..4d6a727f863 --- /dev/null +++ b/docs/queries/ansible-queries/aws/e24e18d9-4c2b-4649-b3d0-18c088145e24.md 
@@ -0,0 +1,50 @@ +--- +title: CloudWatch Without Retention Period Specified +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e24e18d9-4c2b-4649-b3d0-18c088145e24 +- **Query name:** CloudWatch Without Retention Period Specified +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudwatch_without_retention_period_specified) + +### Description +AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudwatchlogs_log_group_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 7" +- name: example ec2 group + community.aws.cloudwatchlogs_log_group: + log_group_name: test-log-group +- name: example2 ec2 group + community.aws.cloudwatchlogs_log_group: + log_group_name: test-log-group + retention: 111111 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: example3 ec2 group + community.aws.cloudwatchlogs_log_group: + log_group_name: test-log-group + retention: 5 + +``` diff --git a/docs/queries/ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472.md b/docs/queries/ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472.md new file mode 100644 index 00000000000..b46499f5ff9 --- /dev/null +++ b/docs/queries/ansible-queries/aws/e28ceb92-d588-4166-aac5-766c8f5b7472.md @@ -0,0 +1,75 @@ +--- +title: AWS Password Policy With Unchangeable Passwords +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e28ceb92-d588-4166-aac5-766c8f5b7472 +- **Query name:** AWS Password Policy With Unchangeable Passwords +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/aws_password_policy_with_unchangeable_passwords) + +### Description +Unchangeable passwords in AWS password policy
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 21" +- name: Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: false + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false +- name: Alias Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_password_change: false + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Password policy for AWS account + community.aws.iam_password_policy: + state: present + min_pw_length: 8 + require_symbols: false + require_numbers: true + require_uppercase: true + require_lowercase: true + allow_pw_change: true + pw_max_age: 60 + pw_reuse_prevent: 5 + pw_expire: false + +``` diff --git a/docs/queries/ansible-queries/aws/e401d614-8026-4f4b-9af9-75d1197461ba.md b/docs/queries/ansible-queries/aws/e401d614-8026-4f4b-9af9-75d1197461ba.md new file mode 100644 index 00000000000..64b8d7ebbdc --- /dev/null +++ b/docs/queries/ansible-queries/aws/e401d614-8026-4f4b-9af9-75d1197461ba.md 
@@ -0,0 +1,61 @@
+---
+title: IAM Policies With Full Privileges
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e401d614-8026-4f4b-9af9-75d1197461ba
+- **Query name:** IAM Policies With Full Privileges
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_policies_with_full_privileges)
+
+### Description
+IAM policies shouldn't allow full administrative privileges (for all resources)
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+- name: Create IAM Managed Policy
+ community.aws.iam_managed_policy:
+ policy_name: "ManagedPolicy"
+ policy:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Action: ["*"]
+ Resource: "*"
+ make_default: false
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Create IAM Managed Policy
+ community.aws.iam_managed_policy:
+ policy_name: ManagedPolicy
+ policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action: logs:CreateLogGroup
+ Resource: '*'
+ make_default: false
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/aws/e69890e6-fce5-461d-98ad-cb98318dfc96.md b/docs/queries/ansible-queries/aws/e69890e6-fce5-461d-98ad-cb98318dfc96.md
new file mode 100644
index 00000000000..6e5fed73f24
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/e69890e6-fce5-461d-98ad-cb98318dfc96.md
@@ -0,0 +1,66 @@
+---
+title: RDS With Backup Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e69890e6-fce5-461d-98ad-cb98318dfc96
+- **Query name:** RDS With Backup Disabled
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Backup
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/rds_with_backup_disabled)
+
+### Description
+Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+---
+- name: create minimal aurora instance in default VPC and default subnet group
+ community.aws.rds_instance:
+ engine: aurora
+ db_instance_identifier: ansible-test-aurora-db-instance
+ instance_type: db.t2.small
+ password: "{{ password }}"
+ username: "{{ username }}"
+ cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it
+ backup_retention_period: 0
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: create minimal aurora instance in default VPC and default subnet group
+ community.aws.rds_instance:
+ engine: aurora
+ db_instance_identifier: ansible-test-aurora-db-instance
+ instance_type: db.t2.small
+ password: '{{ password }}'
+ username: '{{ username }}'
+ cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it
+ backup_retention_period: 5
+- name: create minimal aurora instance in default VPC and default subnet group2
+ community.aws.rds_instance:
+ engine: aurora
+ db_instance_identifier: ansible-test-aurora-db-instance
+ instance_type: db.t2.small
+ password: '{{ password }}'
+ username: '{{ username }}'
+ cluster_id: ansible-test-cluster # This cluster must exist - see rds_cluster to manage it
+
+```
diff --git a/docs/queries/ansible-queries/aws/e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md b/docs/queries/ansible-queries/aws/e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md
new file mode 100644
index 00000000000..9470411ce90
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40.md
@@ -0,0 +1,61 @@
+---
+title: Root Account Has Active Access Keys
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e71d0bc7-d9e8-4e6e-ae90-0a4206db6f40
+- **Query name:** Root Account Has Active Access Keys
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/root_account_has_active_access_keys)
+
+### Description
+The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+#this is a problematic code where the query should report a result(s)
+- name: Create two new IAM users with API keys
+ community.aws.iam:
+ iam_type: user
+ name: "{{ root }}"
+ state: present
+ password: "{{ temp_pass }}"
+ access_key_state: active
+ loop:
+ - jcleese
+ - mpython
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+#this code is a correct code for which the query should not find any result
+- name: Create two new IAM users with API keys
+ community.aws.iam:
+ iam_type: user
+ name: '{{ root }}'
+ state: present
+ password: '{{ temp_pass }}'
+ access_key_state: inactive
+ loop:
+ - jcleese
+ - mpython
+
+```
diff --git a/docs/queries/ansible-queries/aws/ea0ed1c7-9aef-4464-b7c7-94c762da3640.md b/docs/queries/ansible-queries/aws/ea0ed1c7-9aef-4464-b7c7-94c762da3640.md
new file mode 100644
index 00000000000..f205e2f4d4c
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/ea0ed1c7-9aef-4464-b7c7-94c762da3640.md
@@ -0,0 +1,101 @@
+---
+title: DB Security Group Open To Large Scope
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ea0ed1c7-9aef-4464-b7c7-94c762da3640
+- **Query name:** DB Security Group Open To Large Scope
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/db_security_group_open_to_large_scope)
+
+### Description
+The IP address in a DB Security Group must not have more than 256 hosts.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="22"
+- name: create minimal aurora instance in default VPC and default subnet group
+ community.aws.rds_instance:
+ engine: aurora
+ db_instance_identifier: ansible-test-aurora-db-instance
+ instance_type: db.t2.small
+ password: "{{ password }}"
+ username: "{{ username }}"
+ cluster_id: ansible-test-cluster
+ db_security_groups: ["example"]
+- name: example ec2 group
+ ec2_group:
+ name: example
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1a
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ from_port: 80
+ to_port: 80
+ cidr_ip: 0.0.0.0/0
+ - proto: tcp
+ from_port: 22
+ to_port: 22
+ cidr_ip: 10.0.0.0/8
+ - proto: tcp
+ from_port: 443
+ to_port: 443
+ group_id: amazon-elb/sg-87654321/amazon-elb-sg
+ - proto: tcp
+ from_port: 3306
+ to_port: 3306
+ group_id: 123412341234/sg-87654321/exact-name-of-sg
+ - proto: udp
+ from_port: 10050
+ to_port: 10050
+ cidr_ip: 10.0.0.0/8
+ - proto: udp
+ from_port: 10051
+ to_port: 10051
+ group_id: sg-12345678
+ - proto: icmp
+ from_port: 8 # icmp type, -1 = any type
+ to_port: -1 # icmp subtype, -1 = any subtype
+ cidr_ip: 192.168.1.0/24
+ - proto: all
+ # the containing group name may be specified here
+ group_name: example
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: example ec2 group2
+ ec2_group:
+ name: example1
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1a
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ from_port: 80
+ to_port: 80
+ cidr_ip: 10.1.1.1/32
+
+```
diff --git a/docs/queries/ansible-queries/aws/ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md b/docs/queries/ansible-queries/aws/ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md
new file mode 100644
index 00000000000..db7324f592b
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/ea6bc7a6-d696-4dcf-a788-17fa03c17c81.md
@@ -0,0 +1,99 @@
+---
+title: Security Group Ingress Not Restricted
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ea6bc7a6-d696-4dcf-a788-17fa03c17c81
+- **Query name:** Security Group Ingress Not Restricted
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/security_group_ingress_not_restricted)
+
+### Description
+AWS Security Group should restrict ingress access
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 7"
+- name: example ec2 group
+ amazon.aws.ec2_group:
+ name: example
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ rules:
+ - proto: -1
+ from_port: 0
+ to_port: 0
+ cidr_ip: 0.0.0.0/0
+ - proto: all
+ from_port: 0
+ to_port: 0
+ cidr_ip: 0.0.0.0/0
+ - proto: 12121
+ from_port: 0
+ to_port: 0
+ cidr_ip: 0.0.0.0/0
+- name: example ec2 group v2
+ amazon.aws.ec2_group:
+ name: example
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ rules:
+ - proto: -1
+ from_port: 0
+ to_port: 0
+ cidr_ipv6: ::/0
+ - proto: all
+ from_port: 0
+ to_port: 0
+ cidr_ipv6: ::/0
+ - proto: 121212
+ from_port: 0
+ to_port: 0
+ cidr_ipv6: ::/0
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: example ec2 group v3
+ amazon.aws.ec2_group:
+ name: example
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ rules:
+ - proto: tcp
+ from_port: 80
+ to_port: 80
+ cidr_ip: 10.0.0.0/8
+- name: example ec2 group v4
+ amazon.aws.ec2_group:
+ name: example
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ rules:
+ - proto: tcp
+ from_port: 80
+ to_port: 80
+ cidr_ipv6: 2001:DB8:8086:6502::/32
+
+```
diff --git a/docs/queries/ansible-queries/aws/eafe4bc3-1042-4f88-b988-1939e64bf060.md b/docs/queries/ansible-queries/aws/eafe4bc3-1042-4f88-b988-1939e64bf060.md
new file mode 100644
index 00000000000..98c2ff355ad
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/eafe4bc3-1042-4f88-b988-1939e64bf060.md
@@ -0,0 +1,53 @@
+---
+title: IAM Policies Attached To User
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** eafe4bc3-1042-4f88-b988-1939e64bf060
+- **Query name:** IAM Policies Attached To User
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_policies_attached_to_user)
+
+### Description
+IAM policies should be attached only to groups or roles
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_policy_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+- name: Assign a policy called Admin to user
+ community.aws.iam_policy:
+ iam_type: user
+ iam_name: administrators
+ policy_name: Admin
+ state: present
+ policy_document: admin_policy.json
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Assign a policy called Admin to the administrators group
+ community.aws.iam_policy:
+ iam_type: group
+ iam_name: administrators
+ policy_name: Admin
+ state: present
+ policy_document: admin_policy.json
+
+```
diff --git a/docs/queries/ansible-queries/aws/ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md b/docs/queries/ansible-queries/aws/ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md
new file mode 100644
index 00000000000..cb92086b896
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/ebb2118a-03bc-4d53-ab43-d8750f5cb8d3.md
@@ -0,0 +1,91 @@
+---
+title: CloudTrail Not Integrated With CloudWatch
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ebb2118a-03bc-4d53-ab43-d8750f5cb8d3
+- **Query name:** CloudTrail Not Integrated With CloudWatch
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudtrail_not_integrated_with_cloudwatch)
+
+### Description
+CloudTrail should be integrated with CloudWatch
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 27 14"
+- name: positive1
+ community.aws.cloudtrail:
+ state: present
+ name: default
+ s3_bucket_name: mylogbucket
+ region: us-east-1
+ is_multi_region_trail: true
+ enable_log_file_validation: true
+ kms_key_id: "alias/MyAliasName"
+ tags:
+ environment: dev
+ Name: default
+- name: positive2
+ community.aws.cloudtrail:
+ state: present
+ name: default
+ s3_bucket_name: mylogbucket
+ region: us-east-1
+ is_multi_region_trail: true
+ enable_log_file_validation: true
+ cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
+ kms_key_id: "alias/MyAliasName"
+ tags:
+ environment: dev
+ Name: default
+- name: positive3
+ community.aws.cloudtrail:
+ state: present
+ name: default
+ s3_bucket_name: mylogbucket
+ region: us-east-1
+ is_multi_region_trail: true
+ enable_log_file_validation: true
+ cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
+ kms_key_id: "alias/MyAliasName"
+ tags:
+ environment: dev
+ Name: default
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: create multi-region trail with validation and tags negative
+ community.aws.cloudtrail:
+ state: present
+ name: default
+ s3_bucket_name: mylogbucket
+ region: us-east-1
+ is_multi_region_trail: true
+ enable_log_file_validation: true
+ cloudwatch_logs_role_arn: "arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role"
+ cloudwatch_logs_log_group_arn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*"
+ kms_key_id: "alias/MyAliasName"
+ tags:
+ environment: dev
+ Name: default
+
+```
diff --git a/docs/queries/ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md b/docs/queries/ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md
new file mode 100644
index 00000000000..3daee730587
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/ed9b3beb-92cf-44d9-a9d2-171eeba569d4.md
@@ -0,0 +1,76 @@
+---
+title: SQS Policy Allows All Actions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ed9b3beb-92cf-44d9-a9d2-171eeba569d4
+- **Query name:** SQS Policy Allows All Actions
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/sqs_policy_allows_all_actions)
+
+### Description
+SQS policy allows ALL (*) actions
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+- name: Second SQS queue with policy
+ community.aws.sqs_queue:
+ name: my-queue2
+ region: ap-southeast-3
+ default_visibility_timeout: 120
+ message_retention_period: 86400
+ maximum_message_size: 1024
+ delivery_delay: 30
+ receive_message_wait_time: 20
+ policy:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: "Allow"
+ Action: "aws:action"
+ Resource: "*"
+ - Effect: "Allow"
+ Action: "*"
+ Resource: "*"
+ make_default: false
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Create SQS queue with redrive policy
+ community.aws.sqs_queue:
+ name: my-queue
+ region: ap-southeast-2
+ default_visibility_timeout: 120
+ message_retention_period: 86400
+ maximum_message_size: 1024
+ delivery_delay: 30
+ receive_message_wait_time: 20
+ policy:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action: logs:CreateLogGroup
+ Resource: '*'
+ make_default: false
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/aws/eda7301d-1f3e-47cf-8d4e-976debc64341.md b/docs/queries/ansible-queries/aws/eda7301d-1f3e-47cf-8d4e-976debc64341.md
new file mode 100644
index 00000000000..42247057641
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/eda7301d-1f3e-47cf-8d4e-976debc64341.md
@@ -0,0 +1,233 @@
+---
+title: Remote Desktop Port Open To Internet
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** eda7301d-1f3e-47cf-8d4e-976debc64341
+- **Query name:** Remote Desktop Port Open To Internet
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/remote_desktop_port_open)
+
+### Description
+The Remote Desktop port is open to the internet in a Security Group
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html#ansible-collections-amazon-aws-ec2-group-module)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="64 36 9 79 49 23 93"
+- name: example ec2 group1
+ amazon.aws.ec2_group:
+ name: example
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ from_port: 3380
+ to_port: 3450
+ cidr_ip: 0.0.0.0/0
+
+- name: example ec2 group2
+ amazon.aws.ec2_group:
+ name: example2
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ ports: 3389
+ cidr_ip: 0.0.0.0/0
+
+- name: example ec2 group3
+ amazon.aws.ec2_group:
+ name: example3
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ ports: 3380-3450
+ cidr_ip: 0.0.0.0/0
+
+- name: example ec2 group4
+ amazon.aws.ec2_group:
+ name: example4
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ ports:
+ - 80
+ - 3380-3450
+ cidr_ip: 0.0.0.0/0
+
+- name: example ec2 group5
+ amazon.aws.ec2_group:
+ name: example5
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ ports:
+ - 3389
+ - 10-50
+ cidr_ip: 0.0.0.0/0
+
+- name: example ec2 group6
+ amazon.aws.ec2_group:
+ name: example1
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ from_port: -1
+ to_port: 25
+ cidr_ip: 0.0.0.0/0
+
+- name: example ec2 group7
+ amazon.aws.ec2_group:
+ name: example1
+ description: an example EC2 group
+ vpc_id: 
12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ from_port: 15
+ to_port: -1
+ cidr_ip: 0.0.0.0/0
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: example ec2 group1
+ amazon.aws.ec2_group:
+ name: example
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ from_port: 3380
+ to_port: 3450
+ cidr_ip: 0.0.0.0/1
+
+- name: example ec2 group2
+ amazon.aws.ec2_group:
+ name: example2
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ ports: 3389
+ cidr_ip: 0.0.1.0/0
+
+- name: example ec2 group3
+ amazon.aws.ec2_group:
+ name: example3
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ ports: 3380-3450
+ cidr_ip: 0.1.0.0/0
+
+- name: example ec2 group4
+ amazon.aws.ec2_group:
+ name: example4
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ ports:
+ - 80
+ - 3380-3450
+ cidr_ip: 10.0.0.0/0
+
+- name: example ec2 group5
+ amazon.aws.ec2_group:
+ name: example5
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ ports:
+ - 3389
+ - 10-50
+ cidr_ip: 10.0.0.0/0
+
+- name: example ec2 group6
+ amazon.aws.ec2_group:
+ name: example1
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ from_port: -1
+ to_port: 25
+ cidr_ip: 0.1.0.0/0
+
+- name: example ec2 group7
+ amazon.aws.ec2_group:
+ name: example1
+ description: an example EC2 group
+ vpc_id: 12345
+ region: eu-west-1
+ 
aws_secret_key: SECRET
+ aws_access_key: ACCESS
+ rules:
+ - proto: tcp
+ from_port: 15
+ to_port: -1
+ cidr_ip: 0.0.0.1/0
+
+```
diff --git a/docs/queries/ansible-queries/aws/eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md b/docs/queries/ansible-queries/aws/eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md
new file mode 100644
index 00000000000..98e46a28585
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/eee107f9-b3d8-45d3-b9c6-43b5a7263ce1.md
@@ -0,0 +1,66 @@
+---
+title: Authentication Without MFA
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** eee107f9-b3d8-45d3-b9c6-43b5a7263ce1
+- **Query name:** Authentication Without MFA
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/authentication_without_mfa)
+
+### Description
+Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_mfa_device_info_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 2"
+- name: Assume an existing role
+ community.aws.sts_assume_role:
+ mfa_serial_number: "{{ mfa_devices.mfa_devices[0].serial_number }}"
+ role_arn: "arn:aws:iam::123456789012:role/someRole"
+ role_session_name: "someRoleSession"
+ register: assumed_role
+
+- name: Hello
+ sts_assume_role:
+ role_arn: "arn:aws:iam::123456789012:role/someRole"
+ role_session_name: "someRoleSession"
+ register: assumed_role
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Assume an existing role
+ community.aws.sts_assume_role:
+ mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
+ mfa_token: weewew
+ role_arn: arn:aws:iam::123456789012:role/someRole
+ role_session_name: someRoleSession
+ register: assumed_role
+
+- name: Hello
+ sts_assume_role:
+ mfa_serial_number: '{{ mfa_devices.mfa_devices[0].serial_number }}'
+ mfa_token: weewew
+ role_arn: arn:aws:iam::123456789012:role/someRole
+ role_session_name: someRoleSession
+ register: assumed_role
+
+```
diff --git a/docs/queries/ansible-queries/aws/f2ea6481-1d31-4d40-946a-520dc6321dd7.md b/docs/queries/ansible-queries/aws/f2ea6481-1d31-4d40-946a-520dc6321dd7.md
new file mode 100644
index 00000000000..d239b2e3970
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/f2ea6481-1d31-4d40-946a-520dc6321dd7.md
@@ -0,0 +1,101 @@
+---
+title: Kinesis Not Encrypted With KMS
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f2ea6481-1d31-4d40-946a-520dc6321dd7
+- **Query name:** Kinesis Not Encrypted With KMS
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/kinesis_not_encrypted_with_kms)
+
+### Description
+AWS Kinesis Streams and metadata should be protected with KMS
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/kinesis_stream_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 38 44 16 23"
+- name: Encrypt Kinesis Stream test-stream.
+ community.aws.kinesis_stream:
+ name: test-stream
+ state: present
+ shards: 1
+ encryption_type: KMS
+ key_id: alias/aws/kinesis
+ wait: yes
+ wait_timeout: 600
+ register: test_stream
+- name: Encrypt Kinesis Stream test-stream. v2
+ community.aws.kinesis_stream:
+ name: test-stream
+ state: present
+ shards: 1
+ encryption_state: disabled
+ encryption_type: KMS
+ key_id: alias/aws/kinesis
+ wait: yes
+ wait_timeout: 600
+ register: test_stream
+- name: Encrypt Kinesis Stream test-stream. v3
+ community.aws.kinesis_stream:
+ name: test-stream
+ state: present
+ shards: 1
+ encryption_state: enabled
+ key_id: alias/aws/kinesis
+ wait: yes
+ wait_timeout: 600
+ register: test_stream
+- name: Encrypt Kinesis Stream test-stream. v4
+ community.aws.kinesis_stream:
+ name: test-stream
+ state: present
+ shards: 1
+ encryption_state: enabled
+ encryption_type: NONE
+ key_id: alias/aws/kinesis
+ wait: yes
+ wait_timeout: 600
+ register: test_stream
+- name: Encrypt Kinesis Stream test-stream. v5
+ community.aws.kinesis_stream:
+ name: test-stream
+ state: present
+ shards: 1
+ encryption_state: enabled
+ encryption_type: KMS
+ wait: yes
+ wait_timeout: 600
+ register: test_stream
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Encrypt Kinesis Stream test-stream. v6
+ community.aws.kinesis_stream:
+ name: test-stream
+ state: present
+ shards: 1
+ encryption_state: enabled
+ encryption_type: KMS
+ key_id: alias/aws/kinesis
+ wait: yes
+ wait_timeout: 600
+
+```
diff --git a/docs/queries/ansible-queries/aws/f34508b9-f574-4330-b42d-88c44cced645.md b/docs/queries/ansible-queries/aws/f34508b9-f574-4330-b42d-88c44cced645.md
new file mode 100644
index 00000000000..1a3d41d723f
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/f34508b9-f574-4330-b42d-88c44cced645.md
@@ -0,0 +1,131 @@
+---
+title: Hardcoded AWS Access Key In Lambda
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f34508b9-f574-4330-b42d-88c44cced645
+- **Query name:** Hardcoded AWS Access Key In Lambda
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Secret Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/hardcoded_aws_access_key_in_lambda)
+
+### Description
+Lambda access/secret keys should not be hardcoded
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 3"
+- name: looped creation
+ community.aws.lambda:
+ aws_access_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
+ name: '{{ item.name }}'
+ state: present
+ zip_file: '{{ item.zip_file }}'
+ runtime: 'python2.7'
+ role: 'arn:aws:iam::987654321012:role/lambda_basic_execution'
+ handler: 'hello_python.my_handler'
+ vpc_subnet_ids:
+ - subnet-123abcde
+ - subnet-edcba321
+ vpc_security_group_ids:
+ - sg-123abcde
+ - sg-edcba321
+ environment_variables: '{{ item.env_vars }}'
+ tags:
+ key1: 'value1'
+ loop:
+ - name: HelloWorld
+ zip_file: hello-code.zip
+ env_vars:
+ key1: "first"
+ key2: "second"
+ - name: ByeBye
+ zip_file: bye-code.zip
+ env_vars:
+ key1: "1"
+ key2: "2"
+- name: remove tags
+ community.aws.lambda:
+ aws_access_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
+ name: 'Lambda function'
+ state: present
+ zip_file: 'code.zip'
+ runtime: 'python2.7'
+ role: 'arn:aws:iam::987654321012:role/lambda_basic_execution'
+ handler: 'hello_python.my_handler'
+ tags: {}
+
+- name: Delete Lambda functions HelloWorld and ByeBye
+ community.aws.lambda:
+ name: '{{ item }}'
+ state: absent
+ loop:
+ - HelloWorld
+ - ByeBye
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file"
+- name: looped creation
+ community.aws.lambda:
+ name: '{{ item.name }}'
+ state: present
+ zip_file: '{{ item.zip_file }}'
+ runtime: python2.7
+ role: arn:aws:iam::987654321012:role/lambda_basic_execution
+ handler: hello_python.my_handler
+ vpc_subnet_ids:
+ - subnet-123abcde
+ - subnet-edcba321
+ vpc_security_group_ids:
+ - sg-123abcde
+ - sg-edcba321
+ environment_variables: '{{ item.env_vars }}'
+ tags:
+ key1: value1
+ loop:
+ - name: HelloWorld
+ zip_file: hello-code.zip
+ env_vars:
+ key1: first
+ key2: second
+ - name: ByeBye
+ zip_file: bye-code.zip
+ env_vars:
+ key1: '1'
+ key2: '2'
+- name: remove tags
+ community.aws.lambda:
+ name: Lambda function
+ state: present
+ zip_file: code.zip
+ runtime: python2.7
+ role: arn:aws:iam::987654321012:role/lambda_basic_execution
+ handler: hello_python.my_handler
+ tags: {}
+
+- name: Delete Lambda functions HelloWorld and ByeBye
+ community.aws.lambda:
+ name: '{{ item }}'
+ state: absent
+ loop:
+ - HelloWorld
+ - ByeBye
+
+```
diff --git a/docs/queries/ansible-queries/aws/f509931b-bbb0-443c-bd9b-10e92ecf2193.md b/docs/queries/ansible-queries/aws/f509931b-bbb0-443c-bd9b-10e92ecf2193.md
new file mode 100644
index 00000000000..a5a5ba38c16
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/f509931b-bbb0-443c-bd9b-10e92ecf2193.md
@@ -0,0 +1,62 @@
+---
+title: IAM Group Without Users
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f509931b-bbb0-443c-bd9b-10e92ecf2193
+- **Query name:** IAM Group Without Users
+- **Platform:** Ansible
+- **Severity:** Low
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/iam_group_without_users)
+
+### Description
+IAM Group should have at least one user associated
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/iam_group_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+- name: Group1
+ iam_group:
+ name: testgroup1
+ state: present
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="2"
+- name: Group2
+ iam_group:
+ name: testgroup2
+ managed_policy:
+ - arn:aws:iam::aws:policy/AmazonSNSFullAccess
+ users:
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: Group3
+ iam_group:
+ name: testgroup2
+ managed_policy:
+ - arn:aws:iam::aws:policy/AmazonSNSFullAccess
+ users:
+ - test_user1
+ - test_user2
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b.md b/docs/queries/ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b.md
new file mode 100644
index 00000000000..b81c92e75a8
--- /dev/null
+++ b/docs/queries/ansible-queries/aws/f5587077-3f57-4370-9b4e-4eb5b1bac85b.md
@@ -0,0 +1,60 @@
+---
+title: CloudTrail Log Files Not Encrypted With KMS
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f5587077-3f57-4370-9b4e-4eb5b1bac85b
+- **Query name:** CloudTrail Log Files Not Encrypted With KMS
+- **Platform:** Ansible
+- **Severity:** Low
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/cloudtrail_log_files_not_encrypted_with_kms)
+
+### Description
+Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudtrail_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: no sns topic name + community.aws.cloudtrail: + state: present + name: default + s3_bucket_name: mylogbucket + s3_key_prefix: cloudtrail + region: us-east-1 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create multi-region trail with validation and tags v2 + community.aws.cloudtrail: + state: present + name: default + s3_bucket_name: mylogbucket + region: us-east-1 + is_multi_region_trail: true + enable_log_file_validation: true + cloudwatch_logs_role_arn: arn:aws:iam::123456789012:role/CloudTrail_CloudWatchLogs_Role + cloudwatch_logs_log_group_arn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:* + kms_key_id: alias/MyAliasName + tags: + environment: dev + Name: default + +``` diff --git a/docs/queries/ansible-queries/aws/f5c45127-1d28-4b49-a692-0b97da1c3a84.md b/docs/queries/ansible-queries/aws/f5c45127-1d28-4b49-a692-0b97da1c3a84.md new file mode 100644 index 00000000000..6fafae6356d --- /dev/null +++ b/docs/queries/ansible-queries/aws/f5c45127-1d28-4b49-a692-0b97da1c3a84.md @@ -0,0 +1,68 @@ +--- +title: ECS Service Without Running Tasks +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f5c45127-1d28-4b49-a692-0b97da1c3a84 +- **Query name:** ECS Service Without Running Tasks +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecs_service_without_running_tasks) + +### Description +ECS Service should have at least 1 task running
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_service_module.html#ansible-collections-community-aws-ecs-service-module) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: ECS Service + community.aws.ecs_service: + state: present + name: test-service + cluster: test-cluster + task_definition: test-task-definition + desired_count: 3 + placement_constraints: + - type: memberOf + expression: 'attribute:flavor==test' + placement_strategy: + - type: binpack + field: memory + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: ECS Service + community.aws.ecs_service: + state: present + name: test-service + cluster: test-cluster + task_definition: test-task-definition + desired_count: 3 + deployment_configuration: + minimum_healthy_percent: 75 + maximum_percent: 150 + placement_constraints: + - type: memberOf + expression: 'attribute:flavor==test' + placement_strategy: + - type: binpack + field: memory + +``` diff --git a/docs/queries/ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b.md b/docs/queries/ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b.md new file mode 100644 index 00000000000..6fc1e7072f9 --- /dev/null +++ b/docs/queries/ansible-queries/aws/f5f38943-664b-4acc-ab11-f292fa10ed0b.md @@ -0,0 +1,69 @@ +--- +title: API Gateway without WAF +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f5f38943-664b-4acc-ab11-f292fa10ed0b +- **Query name:** API Gateway without WAF +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/api_gateway_without_waf) + +### Description +API Gateway should have WAF (Web Application Firewall) enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/wafv2_resources_module.html#parameter-arn) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +- name: add test alb to waf string032 + community.aws.wafv2_resources: + name: string03 + scope: REGIONAL + state: present + arn: "arn:aws:apigateway:region::/restapis/api-id/stages/prod" +- name: Setup AWS API Gateway setup on AWS and deploy API definition2 + community.aws.aws_api_gateway: + swagger_file: my_api.yml + stage: production + cache_enabled: true + cache_size: '1.6' + tracing_enabled: true + endpoint_type: EDGE + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: add test alb to waf string03 + community.aws.wafv2_resources: + name: string03 + scope: REGIONAL + state: present + arn: "arn:aws:apigateway:region::/restapis/api-id/stages/produ" +- name: Setup AWS API Gateway setup on AWS and deploy API definition + community.aws.aws_api_gateway: + swagger_file: my_api.yml + stage: produ + cache_enabled: true + cache_size: '1.6' + tracing_enabled: true + endpoint_type: EDGE + state: present + +``` diff --git a/docs/queries/ansible-queries/aws/f81d63d2-c5d7-43a4-a5b5-66717a41c895.md b/docs/queries/ansible-queries/aws/f81d63d2-c5d7-43a4-a5b5-66717a41c895.md new file mode 100644 index 00000000000..c29bd60b613 --- /dev/null +++ b/docs/queries/ansible-queries/aws/f81d63d2-c5d7-43a4-a5b5-66717a41c895.md 
@@ -0,0 +1,96 @@ +--- +title: ALB Listening on HTTP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f81d63d2-c5d7-43a4-a5b5-66717a41c895 +- **Query name:** ALB Listening on HTTP +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/alb_listening_on_http) + +### Description +AWS Application Load Balancer (alb) should not listen on HTTP
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/elb_application_lb_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 29" +- name: my_elb_application + community.aws.elb_application_lb: + name: myelb + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTP + Port: 80 + SslPolicy: ELBSecurityPolicy-2015-05 + Certificates: + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward + TargetGroupName: targetname + state: present +- name: my_elb_application2 + community.aws.elb_application_lb: + name: myelb2 + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + Port: 80 + SslPolicy: ELBSecurityPolicy-2015-05 + Certificates: + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward + TargetGroupName: targetname + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: my_elb_application + community.aws.elb_application_lb: + name: myelb + security_groups: + - sg-12345678 + - my-sec-group + subnets: + - subnet-012345678 + - subnet-abcdef000 + listeners: + - Protocol: HTTPS + Port: 80 + SslPolicy: ELBSecurityPolicy-2015-05 + Certificates: + - CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com + DefaultActions: + - Type: forward + TargetGroupName: targetname + state: present + # trigger validation + +``` diff --git a/docs/queries/ansible-queries/aws/fb5a5df7-6d74-4243-ab82-ff779a958bfd.md b/docs/queries/ansible-queries/aws/fb5a5df7-6d74-4243-ab82-ff779a958bfd.md new file mode 100644 index 00000000000..13adf971f48 --- /dev/null 
+++ b/docs/queries/ansible-queries/aws/fb5a5df7-6d74-4243-ab82-ff779a958bfd.md @@ -0,0 +1,82 @@ +--- +title: ECR Repository Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fb5a5df7-6d74-4243-ab82-ff779a958bfd +- **Query name:** ECR Repository Is Publicly Accessible +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/ecr_repository_is_publicly_accessible) + +### Description +Amazon ECR image repositories shouldn't have public access
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/ecs_ecr_module.html#parameter-policy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 4" +- name: set-policy as object + community.aws.ecs_ecr: + name: needs-policy-object + policy: + Version: '2008-10-17' + Statement: + - Sid: read-only + Effect: Allow + Principal: '*' + Action: + - ecr:GetDownloadUrlForLayer + - ecr:BatchGetImage + - ecr:BatchCheckLayerAvailability +- name: set-policy as string + community.aws.ecs_ecr: + name: needs-policy-string + policy: > + { + "Id": "id113", + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "s3:put" + ], + "Effect": "Allow", + "Resource": "arn:aws:s3:::S3B_181355/*", + "Principal": "*" + } + ] + } + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: set-policy as object + community.aws.ecs_ecr: + name: needs-policy-object + policy: + Version: '2008-10-17' + Statement: + - Sid: read-only + Effect: Allow + Action: + - ecr:GetDownloadUrlForLayer + - ecr:BatchGetImage + - ecr:BatchCheckLayerAvailability + +``` diff --git a/docs/queries/ansible-queries/aws/fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md b/docs/queries/ansible-queries/aws/fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md new file mode 100644 index 00000000000..18ab4d7fc41 --- /dev/null +++ b/docs/queries/ansible-queries/aws/fb8f8929-afeb-4c46-99f0-a6cf410f7df4.md 
@@ -0,0 +1,71 @@ +--- +title: Vulnerable Default SSL Certificate +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fb8f8929-afeb-4c46-99f0-a6cf410f7df4 +- **Query name:** Vulnerable Default SSL Certificate +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/vulnerable_default_ssl_certificate) + +### Description +CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/cloudfront_distribution_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6 15" +- name: create a basic distribution with defaults, tags and default SSL certificate + community.aws.cloudfront_distribution: + state: present + default_origin_domain_name: www.my-cloudfront-origin.com + viewer_certificate: + cloudfront_default_certificate: true + tags: + Name: example distribution + Project: example project + Priority: '1' +- name: create a basic distribution with defaults, tags and misconfigured custom SSL certificate + community.aws.cloudfront_distribution: + state: present + default_origin_domain_name: www.my-cloudfront-origin.com + viewer_certificate: + acm_certificate_arn: arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012 + tags: + Name: example distribution + Project: example project + Priority: '1' + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a basic distribution with defaults, tags and custom SSL certificate + community.aws.cloudfront_distribution: + state: present + default_origin_domain_name: www.my-cloudfront-origin.com + viewer_certificate: + acm_certificate_arn: arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012 + ssl_support_method: sni-only + minimum_protocol_version: TLS1.2_2018 + tags: + Name: example distribution + Project: example project + Priority: '1' + +``` diff --git a/docs/queries/ansible-queries/aws/ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md b/docs/queries/ansible-queries/aws/ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md new file mode 100644 index 00000000000..8df9b7e5b4c --- /dev/null +++ b/docs/queries/ansible-queries/aws/ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9.md 
@@ -0,0 +1,68 @@ +--- +title: No Stack Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ffe0fd52-7a8b-4a5c-8fc7-49844418e6c9 +- **Query name:** No Stack Policy +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/aws/no_stack_policy) + +### Description +AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions
+[Documentation](https://docs.ansible.com/ansible/latest/collections/amazon/aws/cloudformation_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: create a stack, pass in the template via an URL + amazon.aws.cloudformation: + stack_name: "ansible-cloudformation" + state: present + region: us-east-1 + disable_rollback: true + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + template_parameters: + KeyName: jmartin + DiskType: ephemeral + InstanceType: m1.small + ClusterSize: 3 + tags: + Stack: ansible-cloudformation + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a stack, pass in the template via an URL + amazon.aws.cloudformation: + stack_name: ansible-cloudformation + stack_policy: wowowowoowow + state: present + region: us-east-1 + disable_rollback: true + template_url: https://s3.amazonaws.com/my-bucket/cloudformation.template + template_parameters: + KeyName: jmartin + DiskType: ephemeral + InstanceType: m1.small + ClusterSize: 3 + tags: + Stack: ansible-cloudformation + +``` diff --git a/docs/queries/ansible-queries/azure/0461b4fd-21ef-4687-929e-484ee4796785.md b/docs/queries/ansible-queries/azure/0461b4fd-21ef-4687-929e-484ee4796785.md new file mode 100644 index 00000000000..7eeb2b5ebb7 --- /dev/null +++ b/docs/queries/ansible-queries/azure/0461b4fd-21ef-4687-929e-484ee4796785.md 
@@ -0,0 +1,52 @@ +--- +title: Log Retention Is Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0461b4fd-21ef-4687-929e-484ee4796785 +- **Query name:** Log Retention Is Not Set +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/log_retention_is_not_set) + +### Description +Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +--- +- name: Update PostgreSQL Server setting + azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_retention + value: off + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Update PostgreSQL Server setting + azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_retention + value: on + +``` diff --git a/docs/queries/ansible-queries/azure/054d07b5-941b-4c28-8eef-18989dc62323.md b/docs/queries/ansible-queries/azure/054d07b5-941b-4c28-8eef-18989dc62323.md new file mode 100644 index 00000000000..47dd49fe0d8 --- /dev/null +++ b/docs/queries/ansible-queries/azure/054d07b5-941b-4c28-8eef-18989dc62323.md @@ -0,0 +1,112 @@ +--- +title: PostgreSQL Log Disconnections Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 054d07b5-941b-4c28-8eef-18989dc62323 +- **Query name:** PostgreSQL Log Disconnections Not Set +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/postgresql_log_disconnections_not_set) + +### Description +Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31" +--- +- name: Update PostgreSQL Server setting + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: off +- name: Update PostgreSQL Server setting2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: Off +- name: Update PostgreSQL Server setting3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: OFF +- name: Update PostgreSQL Server setting4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: "off" +- name: Update PostgreSQL Server setting5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: "Off" +- name: Update PostgreSQL Server setting6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: "OFF" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: Update PostgreSQL Server setting + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: on +- name: Update PostgreSQL Server setting2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: On +- name: Update PostgreSQL Server setting3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: ON +- name: Update PostgreSQL Server setting4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: on +- name: Update PostgreSQL Server setting5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: On +- name: Update PostgreSQL Server setting6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_disconnections + value: ON + +``` diff --git a/docs/queries/ansible-queries/azure/0632d0db-9190-450a-8bb3-c283bffea445.md b/docs/queries/ansible-queries/azure/0632d0db-9190-450a-8bb3-c283bffea445.md new file mode 100644 index 00000000000..c68e98fcded --- /dev/null +++ b/docs/queries/ansible-queries/azure/0632d0db-9190-450a-8bb3-c283bffea445.md 
@@ -0,0 +1,54 @@ +--- +title: Redis Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0632d0db-9190-450a-8bb3-c283bffea445 +- **Query name:** Redis Publicly Accessible +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/redis_publicly_accessible) + +### Description +Firewall rule allowing unrestricted access to Redis from other Azure sources
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +--- +- name: Create a Firewall rule for Azure Cache for Redis + azure_rm_rediscachefirewallrule: + resource_group: myResourceGroup + cache_name: myRedisCache + name: myRule + start_ip_address: 1.2.3.4 + end_ip_address: 2.3.4.5 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a Firewall rule for Azure Cache for Redis + azure_rm_rediscachefirewallrule: + resource_group: myResourceGroup + cache_name: myRedisCache + name: myRule + start_ip_address: 192.168.1.1 + end_ip_address: 192.168.1.4 + +``` diff --git a/docs/queries/ansible-queries/azure/0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md b/docs/queries/ansible-queries/azure/0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md new file mode 100644 index 00000000000..f8c42111933 --- /dev/null +++ b/docs/queries/ansible-queries/azure/0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc.md @@ -0,0 +1,336 @@ +--- +title: Sensitive Port Is Exposed To Entire Network +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc +- **Query name:** Sensitive Port Is Exposed To Entire Network +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/sensitive_port_is_exposed_to_entire_network) + +### Description +A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_securitygroup_module.html#parameter-rules) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="130 99 69 41 13 142 113 85 55 27" +--- +- name: foo1 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example1 + priority: 100 + direction: Inbound + access: Allow + protocol: UDP + source_port_range: "*" + destination_port_range: "61621" + source_address_prefix: "/0" + destination_address_prefix: "*" +- name: foo2 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example2 + priority: 100 + direction: Inbound + access: Allow + protocol: TCP + source_port_range: "*" + destination_port_range: "23-34" + source_address_prefix: "1.1.1.1/0" + destination_address_prefix: "*" +- name: foo3 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example3 + priority: 100 + direction: Inbound + access: Allow + protocol: "*" + source_port_range: "*" + destination_port_range: "21-23" + source_address_prefix: "/0" + destination_address_prefix: "*" +- name: foo4 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example4 + priority: 100 + direction: Inbound + access: Allow + protocol: "*" + source_port_range: "*" + destination_port_range: "23" + source_address_prefix: "0.0.0.0/0" + destination_address_prefix: "*" +- name: foo5 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example5 + priority: 100 + direction: Inbound + access: Allow + protocol: "UDP" + source_port_range: "*" + destination_port_range: + - "23" + - "245" + source_address_prefix: "34.15.11.3/0" + destination_address_prefix: "*" +- name: foo6 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: 
mysecgroup + rules: + - name: example6 + priority: 100 + direction: Inbound + access: Allow + protocol: "TCP" + source_port_range: "*" + destination_port_range: "23" + source_address_prefix: "/0" + destination_address_prefix: "*" +- name: foo7 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example7 + priority: 100 + direction: Inbound + access: Allow + protocol: "UDP" + source_port_range: "*" + destination_port_range: "22-64, 94" + source_address_prefix: "10.0.0.0/0" + destination_address_prefix: "*" +- name: foo8 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example8 + priority: 100 + direction: Inbound + access: Allow + protocol: "TCP" + source_port_range: "*" + destination_port_range: + - "14" + - "23" + - "48" + source_address_prefix: "12.12.12.12/0" + destination_address_prefix: "*" +- name: foo9 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example9 + priority: 100 + direction: Inbound + access: Allow + protocol: "*" + source_port_range: "*" + destination_port_range: + - "12" + - "23-24" + - "46" + source_address_prefix: "/0" + destination_address_prefix: "*" + - name: example10 + priority: 100 + direction: Inbound + access: Allow + protocol: "*" + source_port_range: "*" + destination_port_range: 46-146, 18-36, 1-2, 3 + source_address_prefix: "1.2.3.4/0" + destination_address_prefix: "*" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: foo1 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example1 + priority: 100 + direction: Inbound + access: Deny + protocol: TCP + source_port_range: '*' + destination_port_range: 23 + source_address_prefix: '*' + destination_address_prefix: '*' +- name: foo2 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example2 + priority: 100 + direction: Inbound + access: Allow + protocol: Icmp + source_port_range: '*' + destination_port_range: 23-24 + source_address_prefix: '*' + destination_address_prefix: '*' +- name: foo3 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example3 + priority: 100 + direction: Inbound + access: Allow + protocol: TCP + source_port_range: '*' + destination_port_range: 8-174 + source_address_prefix: 0.0.0.0 + destination_address_prefix: '*' +- name: foo4 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example4 + priority: 100 + direction: Inbound + access: Allow + protocol: TCP + source_port_range: '*' + destination_port_range: 23-196 + source_address_prefix: 192.168.0.0 + destination_address_prefix: '*' +- name: foo5 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example5 + priority: 100 + direction: Inbound + access: Allow + protocol: TCP + source_port_range: '*' + destination_port_range: 23 + source_address_prefix: /1 + destination_address_prefix: '*' +- name: foo6 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example6 + priority: 100 + direction: Inbound + access: Allow + protocol: '*' + source_port_range: '*' + destination_port_range: 43 + source_address_prefix: /0 + destination_address_prefix: '*' +- name: foo7 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example7 + 
priority: 100 + direction: Inbound + access: Allow + protocol: Icmp + source_port_range: '*' + destination_port_range: 23 + source_address_prefix: internet + destination_address_prefix: '*' +- name: foo8 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example8 + priority: 100 + direction: Inbound + access: Allow + protocol: '*' + source_port_range: '*' + destination_port_range: 22, 24,49-67 + source_address_prefix: any + destination_address_prefix: '*' +- name: foo9 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example9 + priority: 100 + direction: Inbound + access: Allow + protocol: Icmp + source_port_range: '*' + destination_port_range: 23 + source_address_prefix: /0 + destination_address_prefix: '*' +- name: foo10 + azure_rm_securitygroup: + resource_group: myResourceGroup + name: mysecgroup + rules: + - name: example10 + priority: 100 + direction: Inbound + access: Allow + protocol: TCP + source_port_range: '*' + destination_port_range: + - 23 + - 69 + source_address_prefix: 0.0.1.0 + destination_address_prefix: '*' + - name: example11 + priority: 100 + direction: Inbound + access: Allow + protocol: TCP + source_port_range: '*' + destination_port_range: + - 2 + - 310 + source_address_prefix: 0.0.0.0 + destination_address_prefix: '*' + +``` diff --git a/docs/queries/ansible-queries/azure/0d0c12b9-edce-4510-9065-13f6a758750c.md b/docs/queries/ansible-queries/azure/0d0c12b9-edce-4510-9065-13f6a758750c.md new file mode 100644 index 00000000000..2decd466aef --- /dev/null +++ b/docs/queries/ansible-queries/azure/0d0c12b9-edce-4510-9065-13f6a758750c.md 
@@ -0,0 +1,54 @@ +--- +title: Redis Entirely Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0d0c12b9-edce-4510-9065-13f6a758750c +- **Query name:** Redis Entirely Accessible +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/redis_entirely_accessible) + +### Description +Firewall rule allowing unrestricted access to Redis from the Internet
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html#parameter-start_ip_address) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +--- +- name: Create a Firewall rule for Azure Cache for Redis + azure_rm_rediscachefirewallrule: + resource_group: myResourceGroup + cache_name: myRedisCache + name: myRule + start_ip_address: 0.0.0.0 + end_ip_address: 0.0.0.0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a Firewall rule for Azure Cache for Redis + azure_rm_rediscachefirewallrule: + resource_group: myResourceGroup + cache_name: myRedisCache + name: myRule + start_ip_address: 192.168.1.1 + end_ip_address: 192.168.1.4 + +``` diff --git a/docs/queries/ansible-queries/azure/149fa56c-4404-4f90-9e25-d34b676d5b39.md b/docs/queries/ansible-queries/azure/149fa56c-4404-4f90-9e25-d34b676d5b39.md new file mode 100644 index 00000000000..8ea992a250f --- /dev/null +++ b/docs/queries/ansible-queries/azure/149fa56c-4404-4f90-9e25-d34b676d5b39.md @@ -0,0 +1,101 @@ +--- +title: AKS RBAC Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 149fa56c-4404-4f90-9e25-d34b676d5b39 +- **Query name:** AKS RBAC Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/aks_rbac_disabled) + +### Description +Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21 23" +- name: Create an AKS instance + azure_rm_aks: + name: myAKS + resource_group: myResourceGroup + location: eastus + dns_prefix: akstest + kubernetes_version: 1.14.6 + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948" + client_secret: "Password1234!" + agent_pool_profiles: + - name: default + count: 1 + vm_size: Standard_DS1_v2 + type: VirtualMachineScaleSets + max_count: 3 + min_count: 1 + enable_rbac: no +- name: Create an AKS instance v2 + azure_rm_aks: + name: myAKS + resource_group: myResourceGroup + location: eastus + dns_prefix: akstest + kubernetes_version: 1.14.6 + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948" + client_secret: "Password1234!" + agent_pool_profiles: + - name: default + count: 1 + vm_size: Standard_DS1_v2 + type: VirtualMachineScaleSets + max_count: 3 + min_count: 1 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create an AKS instance v3 + azure_rm_aks: + name: myAKS + resource_group: myResourceGroup + location: eastus + dns_prefix: akstest + kubernetes_version: 1.14.6 + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948 + client_secret: Password1234! + agent_pool_profiles: + - name: default + count: 1 + vm_size: Standard_DS1_v2 + type: VirtualMachineScaleSets + max_count: 3 + min_count: 1 + enable_rbac: yes + +``` 
diff --git a/docs/queries/ansible-queries/azure/1bc398a8-d274-47de-a4c8-6ac867b353de.md b/docs/queries/ansible-queries/azure/1bc398a8-d274-47de-a4c8-6ac867b353de.md new file mode 100644 index 00000000000..2f40717ba4a --- /dev/null +++ b/docs/queries/ansible-queries/azure/1bc398a8-d274-47de-a4c8-6ac867b353de.md @@ -0,0 +1,134 @@ +--- +title: Trusted Microsoft Services Not Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1bc398a8-d274-47de-a4c8-6ac867b353de +- **Query name:** Trusted Microsoft Services Not Enabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/trusted_microsoft_services_not_enabled) + +### Description +Trusted Microsoft Services should be enabled for Storage Account access
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls/bypass) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 40 7" +- name: configure firewall and virtual networks + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + network_acls: + bypass: Metrics + default_action: Deny + virtual_network_rules: + - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet + action: Allow + ip_rules: + - value: 1.2.3.4 + action: Allow + - value: 123.234.123.0/24 + action: Allow +- name: configure firewall and virtual networks2 + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0003 + type: Standard_RAGRS + network_acls: + default_action: Deny + bypass: Metrics,Logging + virtual_network_rules: + - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet + action: Allow + ip_rules: + - value: 1.2.3.4 + action: Allow + - value: 123.234.123.0/24 + action: Allow +- name: configure firewall and virtual networks3 + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0004 + type: Standard_RAGRS + network_acls: + default_action: Deny + bypass: "" + virtual_network_rules: + - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet + action: Allow + ip_rules: + - value: 1.2.3.4 + action: Allow + - value: 123.234.123.0/24 + action: Allow + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: configure firewall and virtual networks + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + network_acls: + bypass: AzureServices,Metrics + default_action: Deny + virtual_network_rules: + - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet + action: Allow + ip_rules: + - value: 1.2.3.4 + action: Allow + - value: 123.234.123.0/24 + action: Allow +- name: configure firewall and virtual networks2 + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0003 + type: Standard_RAGRS + network_acls: + default_action: Deny + virtual_network_rules: + - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet + action: Allow + ip_rules: + - value: 1.2.3.4 + action: Allow + - value: 123.234.123.0/24 + action: Allow +- name: configure firewall and virtual networks3 + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0004 + type: Standard_RAGRS + network_acls: + default_action: Deny + bypass: AzureServices + virtual_network_rules: + - id: /subscriptions/mySubscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/mySubnet + action: Allow + ip_rules: + - value: 1.2.3.4 + action: Allow + - value: 123.234.123.0/24 + action: Allow + +``` diff --git a/docs/queries/ansible-queries/azure/1e5f5307-3e01-438d-8da6-985307ed25ce.md b/docs/queries/ansible-queries/azure/1e5f5307-3e01-438d-8da6-985307ed25ce.md new file mode 100644 index 00000000000..496177d4ee1 --- /dev/null +++ b/docs/queries/ansible-queries/azure/1e5f5307-3e01-438d-8da6-985307ed25ce.md 
@@ -0,0 +1,57 @@ +--- +title: VM Not Attached To Network +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1e5f5307-3e01-438d-8da6-985307ed25ce +- **Query name:** VM Not Attached To Network +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/vm_not_attached_to_network) + +### Description +No Network Security Group is attached to the Virtual Machine
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html#parameter-network_interface_names) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +--- +- name: Create a VM with a custom image + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: testvm001 + vm_size: Standard_DS1_v2 + admin_username: adminUser + admin_password: password01 + image: customimage001 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a VM with a custom image + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: testvm001 + vm_size: Standard_DS1_v2 + admin_username: adminUser + admin_password: password01 + image: customimage001 + network_interfaces: testvm001 + +``` diff --git a/docs/queries/ansible-queries/azure/23a4dc83-4959-4d99-8056-8e051a82bc1e.md b/docs/queries/ansible-queries/azure/23a4dc83-4959-4d99-8056-8e051a82bc1e.md new file mode 100644 index 00000000000..dd26ec4cd16 --- /dev/null +++ b/docs/queries/ansible-queries/azure/23a4dc83-4959-4d99-8056-8e051a82bc1e.md @@ -0,0 +1,61 @@ +--- +title: Cosmos DB Account Without Tags +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 23a4dc83-4959-4d99-8056-8e051a82bc1e +- **Query name:** Cosmos DB Account Without Tags +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/cosmosdb_account_without_tags) + +### Description +Cosmos DB Account must have a mapping of tags.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +--- +- name: Create Cosmos DB Account - min + azure_rm_cosmosdbaccount: + resource_group: myResourceGroup + name: myDatabaseAccount + location: westus + geo_rep_locations: + - name: southcentralus + failover_priority: 0 + database_account_offer_type: Standard + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create Cosmos DB Account - min + azure_rm_cosmosdbaccount: + resource_group: myResourceGroup + name: myDatabaseAccount + location: westus + geo_rep_locations: + - name: southcentralus + failover_priority: 0 + database_account_offer_type: Standard + tags: + t1: t1 + t2: t2 + +``` diff --git a/docs/queries/ansible-queries/azure/29f35127-98e6-43af-8ec1-201b79f99604.md b/docs/queries/ansible-queries/azure/29f35127-98e6-43af-8ec1-201b79f99604.md new file mode 100644 index 00000000000..2558133f6fa --- /dev/null +++ b/docs/queries/ansible-queries/azure/29f35127-98e6-43af-8ec1-201b79f99604.md @@ -0,0 +1,80 @@ +--- +title: Admin User Enabled For Container Registry +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 29f35127-98e6-43af-8ec1-201b79f99604 +- **Query name:** Admin User Enabled For Container Registry +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/admin_user_enabled_for_container_registry) + +### Description +Admin user is enabled for Container Registry
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_containerregistry_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 7" +--- +- name: Create an azure container registry + azure.azcollection.azure_rm_containerregistry: + name: myRegistry + location: eastus + resource_group: myResourceGroup + admin_user_enabled: true + sku: Premium + tags: + Release: beta1 + Environment: Production +- name: Create an azure container registry2 + azure.azcollection.azure_rm_containerregistry: + name: myRegistry + location: eastus + resource_group: myResourceGroup + admin_user_enabled: "true" + sku: Premium + tags: + Release: beta1 + Environment: Production + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create an azure container registry + azure.azcollection.azure_rm_containerregistry: + name: myRegistry + location: eastus + resource_group: myResourceGroup + admin_user_enabled: false + sku: Premium + tags: + Release: beta1 + Environment: Production +- name: Create an azure container registry2 + azure.azcollection.azure_rm_containerregistry: + name: myRegistry + location: eastus + resource_group: myResourceGroup + admin_user_enabled: false + sku: Premium + tags: + Release: beta1 + Environment: Production + +``` diff --git a/docs/queries/ansible-queries/azure/2a901825-0f3b-4655-a0fe-e0470e50f8e6.md b/docs/queries/ansible-queries/azure/2a901825-0f3b-4655-a0fe-e0470e50f8e6.md new file mode 100644 index 00000000000..c256a19a0a4 --- /dev/null +++ b/docs/queries/ansible-queries/azure/2a901825-0f3b-4655-a0fe-e0470e50f8e6.md 
@@ -0,0 +1,78 @@ +--- +title: MySQL SSL Connection Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2a901825-0f3b-4655-a0fe-e0470e50f8e6 +- **Query name:** MySQL SSL Connection Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/mysql_ssl_connection_disabled) + +### Description +Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_mysqlserver_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 23" +--- +- name: Create (or update) MySQL Server + azure.azcollection.azure_rm_mysqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + version: 5.6 + admin_username: cloudsa + admin_password: password +- name: Create (or update) MySQL Server2 + azure.azcollection.azure_rm_mysqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: false + version: 5.6 + admin_username: cloudsa + admin_password: password + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create (or update) MySQL Server + azure.azcollection.azure_rm_mysqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: true + version: 5.6 + admin_username: cloudsa + admin_password: password + +``` diff --git a/docs/queries/ansible-queries/azure/2c99a474-2a3c-4c17-8294-53ffa5ed0522.md b/docs/queries/ansible-queries/azure/2c99a474-2a3c-4c17-8294-53ffa5ed0522.md new file mode 100644 index 00000000000..d25ab40f05d --- /dev/null +++ b/docs/queries/ansible-queries/azure/2c99a474-2a3c-4c17-8294-53ffa5ed0522.md 
@@ -0,0 +1,192 @@ +--- +title: Storage Account Not Forcing HTTPS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2c99a474-2a3c-4c17-8294-53ffa5ed0522 +- **Query name:** Storage Account Not Forcing HTTPS +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/storage_account_not_forcing_https) + +### Description +Storage Accounts should enforce the use of HTTPS
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-https_only) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 3 69 42 78 15 51 24 60" +--- +- name: create an account + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + tags: + testing: testing + delete: on-exit +- name: create an account2 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: false + tags: + testing: testing + delete: on-exit +- name: create an account3 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: False + tags: + testing: testing + delete: on-exit +- name: create an account4 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: no + tags: + testing: testing + delete: on-exit +- name: create an account5 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: No + tags: + testing: testing + delete: on-exit +- name: create an account6 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: "false" + tags: + testing: testing + delete: on-exit +- name: create an account7 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: "False" + tags: + testing: testing + delete: on-exit +- name: create an account8 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: "no" + tags: + testing: testing + delete: on-exit +- name: create an 
account9 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: "No" + tags: + testing: testing + delete: on-exit + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create an account + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: yes + tags: + testing: testing + delete: on-exit +- name: create an account2 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: true + tags: + testing: testing + delete: on-exit +- name: create an account3 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: true + tags: + testing: testing + delete: on-exit +- name: create an account4 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: 'true' + tags: + testing: testing + delete: on-exit +- name: create an account5 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: 'True' + tags: + testing: testing + delete: on-exit +- name: create an account6 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: yes + tags: + testing: testing + delete: on-exit +- name: create an account7 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: Yes + tags: + testing: testing + delete: on-exit +- name: create an account8 + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + https_only: Yes + tags: + testing: testing + delete: on-exit + +``` 
diff --git a/docs/queries/ansible-queries/azure/2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md b/docs/queries/ansible-queries/azure/2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md new file mode 100644 index 00000000000..f627722f9a8 --- /dev/null +++ b/docs/queries/ansible-queries/azure/2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255.md @@ -0,0 +1,55 @@ +--- +title: WAF Is Disabled For Azure Application Gateway +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2fc5ab5a-c5eb-4ae4-b687-0f16fe77c255 +- **Query name:** WAF Is Disabled For Azure Application Gateway +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/waf_is_disabled_for_azure_application_gateway) + +### Description +Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_appgateway_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +- name: Create instance of Application Gateway + azure_rm_appgateway: + resource_group: myResourceGroup + name: myAppGateway + sku: + name: standard_small + tier: standard + capacity: 2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create instance of Application Gateway + azure_rm_appgateway: + resource_group: myResourceGroup + name: myAppGateway + sku: + name: waf_medium + tier: waf + capacity: 2 + +``` diff --git a/docs/queries/ansible-queries/azure/35e2f133-a395-40de-a79d-b260d973d1bd.md b/docs/queries/ansible-queries/azure/35e2f133-a395-40de-a79d-b260d973d1bd.md new file mode 100644 index 00000000000..4f1ffaa7c52 --- /dev/null +++ b/docs/queries/ansible-queries/azure/35e2f133-a395-40de-a79d-b260d973d1bd.md @@ -0,0 +1,69 @@ +--- +title: Public Storage Account +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 35e2f133-a395-40de-a79d-b260d973d1bd +- **Query name:** Public Storage Account +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/public_storage_account) + +### Description +Storage Account should not be public to grant the principle of least privileges
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 19" +- name: configure firewall and virtual networks + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + network_acls: + bypass: AzureServices,Metrics + default_action: Deny + ip_rules: + - value: 0.0.0.0/0 + action: Allow +- name: configure firewall and more virtual networks + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0003 + type: Standard_RAGRS + network_acls: + bypass: AzureServices,Metrics + default_action: Allow + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: configure firewall and virtual networks + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + network_acls: + bypass: AzureServices,Metrics + default_action: Deny + ip_rules: + - value: 1.2.3.4 + action: Allow + +``` diff --git a/docs/queries/ansible-queries/azure/37fafbea-dedb-4e0d-852e-d16ee0589326.md b/docs/queries/ansible-queries/azure/37fafbea-dedb-4e0d-852e-d16ee0589326.md new file mode 100644 index 00000000000..24daf0b1e99 --- /dev/null +++ b/docs/queries/ansible-queries/azure/37fafbea-dedb-4e0d-852e-d16ee0589326.md @@ -0,0 +1,106 @@ +--- +title: Small Activity Log Retention Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 37fafbea-dedb-4e0d-852e-d16ee0589326 +- **Query name:** Small Activity Log Retention Period +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/small_activity_log_retention_period) + +### Description +Ensure that Activity Log Retention is set 365 days or greater
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_monitorlogprofile_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="20 13 46" +--- +- name: Create a log profile + azure_rm_monitorlogprofile: + name: myProfile + location: eastus + locations: + - eastus + - westus + categories: + - Write + - Action + retention_policy: + enabled: False + storage_account: + resource_group: myResourceGroup + name: myStorageAccount + register: output + +- name: Create a log profile2 + azure_rm_monitorlogprofile: + name: myProfile + location: eastus + locations: + - eastus + - westus + categories: + - Write + - Action + storage_account: + resource_group: myResourceGroup + name: myStorageAccount + register: output + +- name: Create a log profile3 + azure_rm_monitorlogprofile: + name: myProfile + location: eastus + locations: + - eastus + - westus + categories: + - Write + - Action + retention_policy: + enabled: True + days: 50 + storage_account: + resource_group: myResourceGroup + name: myStorageAccount + register: output + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a log profile + azure_rm_monitorlogprofile: + name: myProfile + location: eastus + locations: + - eastus + - westus + categories: + - Write + - Action + retention_policy: + enabled: true + days: 380 + storage_account: + resource_group: myResourceGroup + name: myStorageAccount + register: output + +``` diff --git a/docs/queries/ansible-queries/azure/3f23c96c-f9f5-488d-9b17-605b8da5842f.md b/docs/queries/ansible-queries/azure/3f23c96c-f9f5-488d-9b17-605b8da5842f.md new file mode 100644 index 00000000000..570d3c17a69 --- /dev/null +++ b/docs/queries/ansible-queries/azure/3f23c96c-f9f5-488d-9b17-605b8da5842f.md 
@@ -0,0 +1,62 @@ +--- +title: Unrestricted SQL Server Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3f23c96c-f9f5-488d-9b17-605b8da5842f +- **Query name:** Unrestricted SQL Server Access +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/unrestricted_sql_server_acess) + +### Description +Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 3" +#this is a problematic code where the query should report a result(s) +- name: Create (or update) Firewall Rule1 + azure_rm_sqlfirewallrule: + resource_group: myResourceGroup1 + server_name: firewallrulecrudtest-6285 + name: firewallrulecrudtest-5370 + start_ip_address: 0.0.0.0 + end_ip_address: 172.28.11.138 +- name: Create (or update) Firewall Rule2 + azure_rm_sqlfirewallrule: + resource_group: myResourceGroup2 + server_name: firewallrulecrudtest-6285 + name: firewallrulecrudtest-5370 + start_ip_address: 172.28.10.136 + end_ip_address: 172.28.11.138 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: Create (or update) Firewall Rule + azure_rm_sqlfirewallrule: + resource_group: myResourceGroup + server_name: firewallrulecrudtest-6285 + name: firewallrulecrudtest-5370 + start_ip_address: 172.28.10.136 + end_ip_address: 172.28.10.138 + +``` diff --git a/docs/queries/ansible-queries/azure/4d3817db-dd35-4de4-a80d-3867157e7f7f.md b/docs/queries/ansible-queries/azure/4d3817db-dd35-4de4-a80d-3867157e7f7f.md new file mode 100644 index 00000000000..a2008bc31b7 --- /dev/null +++ b/docs/queries/ansible-queries/azure/4d3817db-dd35-4de4-a80d-3867157e7f7f.md 
@@ -0,0 +1,66 @@ +--- +title: Storage Container Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d3817db-dd35-4de4-a80d-3867157e7f7f +- **Query name:** Storage Container Is Publicly Accessible +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/storage_container_is_publicly_accessible) + +### Description +Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageblob_module.html#parameter-public_access) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 17" +- name: Create container foo and upload a file + azure_rm_storageblob: + resource_group: myResourceGroup + storage_account_name: clh0002 + container: foo + blob: graylog.png + src: ./files/graylog.png + content_type: 'application/image' + public_access: blob +- name: Create container foo2 and upload a file + azure_rm_storageblob: + resource_group: myResourceGroup + storage_account_name: clh0002 + container: foo2 + blob: graylog.png + src: ./files/graylog.png + public_access: container + content_type: 'application/image' + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create container foo and upload a file + azure_rm_storageblob: + resource_group: myResourceGroup + storage_account_name: clh0002 + container: foo + blob: graylog.png + src: ./files/graylog.png + content_type: application/image +# access mode defaults to private + +``` diff --git a/docs/queries/ansible-queries/azure/530e8291-2f22-4bab-b7ea-306f1bc2a308.md b/docs/queries/ansible-queries/azure/530e8291-2f22-4bab-b7ea-306f1bc2a308.md new file mode 100644 index 00000000000..41c55bbf863 --- /dev/null +++ b/docs/queries/ansible-queries/azure/530e8291-2f22-4bab-b7ea-306f1bc2a308.md 
@@ -0,0 +1,65 @@ +--- +title: SQL Server Predictable Active Directory Account Name +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 530e8291-2f22-4bab-b7ea-306f1bc2a308 +- **Query name:** SQL Server Predictable Active Directory Account Name +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/sql_server_predictable_active_directory_admin_account_name) + +### Description +Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'ad_user' must be set to a name that is not easy to predict
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_adserviceprincipal_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 13 7" +#this is a problematic code where the query should report a result(s) +- name: create ad sp + azure_ad_serviceprincipal: + app_id: "{{ app_id }}" + state: present + tenant: "{{ tenant_id }}" + ad_user: admin +- name: create ad sp2 + azure_ad_serviceprincipal: + app_id: "{{ app_id2 }}" + state: present + tenant: "{{ tenant_id2 }}" + ad_user: "" +- name: create ad sp3 + azure_ad_serviceprincipal: + app_id: "{{ app_id3 }}" + state: present + tenant: "{{ tenant_id3 }}" + ad_user: + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: create ad sp + azure_ad_serviceprincipal: + app_id: '{{ app_id }}' + state: present + tenant: '{{ tenant_id }}' + ad_user: unpredictableName + +``` diff --git a/docs/queries/ansible-queries/azure/581dae78-307d-45d5-aae4-fe2b0db267a5.md b/docs/queries/ansible-queries/azure/581dae78-307d-45d5-aae4-fe2b0db267a5.md new file mode 100644 index 00000000000..7956f65b749 --- /dev/null +++ b/docs/queries/ansible-queries/azure/581dae78-307d-45d5-aae4-fe2b0db267a5.md 
@@ -0,0 +1,115 @@ +--- +title: Azure Container Registry With No Locks +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 581dae78-307d-45d5-aae4-fe2b0db267a5 +- **Query name:** Azure Container Registry With No Locks +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/azure_container_registry_with_no_locks) + +### Description +Azurerm Container Registry should contain associated locks, which means 'azure_rm_lock.managed_resource_id' or 'azure_rm_lock.resource_group' association should be defined
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_lock_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 2" +- name: Create an azure container registry + azure_rm_containerregistry: + name: myRegistry + location: eastus + resource_group: myResourceGroupFake + admin_user_enabled: true + sku: Premium + tags: + Release: beta1 + Environment: Production +- name: Create a lock for a resource group + azure_rm_lock: + resource_group: myResourceGroup32 + name: myLock + level: read_only +- name: Create an azure container registry2 + azure.azcollection.azure_rm_containerregistry: + name: myRegistry + location: eastus + resource_group: someResourceGroup + admin_user_enabled: "true" + sku: Premium + tags: + Release: beta1 + Environment: Production + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="2" +- name: Create an azure container registryy1 + azure.azcollection.azure_rm_containerregistry: + name: myRegistry + location: eastus + admin_user_enabled: "true" + sku: Premium + tags: + Release: beta1 + Environment: Production + register: acr +- name: "Create lock for ACR1" + azure.azcollection.azure_rm_lock: + managed_resource_id: "{{ acr3.id }}" + name: "acr_lock" + level: can_not_delete + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create an azure container registry + azure_rm_containerregistry: + name: myRegistry + location: eastus + resource_group: myResourceGroup + admin_user_enabled: true + sku: Premium + tags: + Release: beta1 + Environment: Production +- name: Create a lock for a resource group + azure_rm_lock: + resource_group: myResourceGroup + name: myLock + level: read_only + +``` +```yaml title="Negative test num. 
2 - yaml file" +- name: Create an azure container registry11 + azure.azcollection.azure_rm_containerregistry: + name: myRegistry + location: eastus + admin_user_enabled: "true" + sku: Premium + tags: + Release: beta1 + Environment: Production + register: acr2 +- name: "Create lock for ACR11" + azure.azcollection.azure_rm_lock: + managed_resource_id: "{{ acr2.id }}" + name: "acr_lock" + level: can_not_delete + +``` diff --git a/docs/queries/ansible-queries/azure/5c80db8e-03f5-43a2-b4af-1f3f87018157.md b/docs/queries/ansible-queries/azure/5c80db8e-03f5-43a2-b4af-1f3f87018157.md new file mode 100644 index 00000000000..1b155caf465 --- /dev/null +++ b/docs/queries/ansible-queries/azure/5c80db8e-03f5-43a2-b4af-1f3f87018157.md @@ -0,0 +1,74 @@ +--- +title: Role Definition Allows Custom Role Creation +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5c80db8e-03f5-43a2-b4af-1f3f87018157 +- **Query name:** Role Definition Allows Custom Role Creation +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/role_definition_allows_custom_role_creation) + +### Description +Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_roledefinition_module.html#parameter-permissions/actions) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +--- +- name: Create a role definition + azure_rm_roledefinition: + name: myTestRole + scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup + permissions: + - actions: + - "Microsoft.Authorization/roleDefinitions/write" + assignable_scopes: + - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +--- +- name: Create a role definition2 + azure_rm_roledefinition: + name: myTestRole2 + scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup + permissions: + - actions: + - "*" + assignable_scopes: + - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +--- +- name: Create a role definition3 + azure_rm_roledefinition: + name: myTestRole3 + scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourceGroup + permissions: + - actions: + - "Microsoft.Compute/virtualMachines/read" + data_actions: + - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write" + assignable_scopes: + - "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" + +``` diff --git a/docs/queries/ansible-queries/azure/663062e9-473d-4e87-99bc-6f3684b3df40.md b/docs/queries/ansible-queries/azure/663062e9-473d-4e87-99bc-6f3684b3df40.md new file mode 100644 index 00000000000..8731938b34b --- /dev/null +++ b/docs/queries/ansible-queries/azure/663062e9-473d-4e87-99bc-6f3684b3df40.md 
@@ -0,0 +1,69 @@ +--- +title: SQL Server Predictable Admin Account Name +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 663062e9-473d-4e87-99bc-6f3684b3df40 +- **Query name:** SQL Server Predictable Admin Account Name +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/sql_server_predictable_admin_account_name) + +### Description +Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'admin_username' must be set to a name that is not easy to predict
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21 14 7" +#this is a problematic code where the query should report a result(s) +- name: Create (or update) SQL Server1 + azure_rm_sqlserver: + resource_group: myResourceGroup + name: server_name1 + location: westus + admin_username: "" + admin_password: Testpasswordxyz12! +- name: Create (or update) SQL Server2 + azure_rm_sqlserver: + resource_group: myResourceGroup + name: server_name2 + location: westus + admin_username: + admin_password: Testpasswordxyz12! +- name: Create (or update) SQL Server3 + azure_rm_sqlserver: + resource_group: myResourceGroup + name: server_name3 + location: westus + admin_username: admin + admin_password: Testpasswordxyz12! + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: Create (or update) SQL Server + azure_rm_sqlserver: + resource_group: myResourceGroup + name: server_name + location: westus + admin_username: mylogin + admin_password: Testpasswordxyz12! + +``` diff --git a/docs/queries/ansible-queries/azure/69f72007-502e-457b-bd2d-5012e31ac049.md b/docs/queries/ansible-queries/azure/69f72007-502e-457b-bd2d-5012e31ac049.md new file mode 100644 index 00000000000..68c068e731c --- /dev/null +++ b/docs/queries/ansible-queries/azure/69f72007-502e-457b-bd2d-5012e31ac049.md 
@@ -0,0 +1,53 @@ +--- +title: Firewall Rule Allows Too Many Hosts To Access Redis Cache +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 69f72007-502e-457b-bd2d-5012e31ac049 +- **Query name:** Firewall Rule Allows Too Many Hosts To Access Redis Cache +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache) + +### Description +Check if any firewall rule allows too many hosts to access Redis Cache.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscachefirewallrule_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +- name: too_many_hosts + azure_rm_rediscachefirewallrule: + resource_group: myResourceGroup + cache_name: myRedisCache + name: myRule + start_ip_address: 192.168.1.1 + end_ip_address: 192.169.1.4 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: reduced_hosts + azure_rm_rediscachefirewallrule: + resource_group: myResourceGroup + cache_name: myRedisCache + name: myRule + start_ip_address: 192.168.1.1 + end_ip_address: 192.168.1.4 + +``` diff --git a/docs/queries/ansible-queries/azure/729ebb15-8060-40f7-9017-cb72676a5487.md b/docs/queries/ansible-queries/azure/729ebb15-8060-40f7-9017-cb72676a5487.md new file mode 100644 index 00000000000..e64f6662ed6 --- /dev/null +++ b/docs/queries/ansible-queries/azure/729ebb15-8060-40f7-9017-cb72676a5487.md @@ -0,0 +1,111 @@ +--- +title: PostgreSQL Log Duration Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 729ebb15-8060-40f7-9017-cb72676a5487 +- **Query name:** PostgreSQL Log Duration Not Set +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/postgre_sql_log_duration_not_set) + +### Description +Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="36 6 12 18 24 30" +- name: example1 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: off +- name: example2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: Off +- name: example3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: OFF +- name: example4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: "off" +- name: example5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: "Off" +- name: example6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: "OFF" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: example1 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: on +- name: example2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: On +- name: example3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: ON +- name: example4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: on +- name: example5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: On +- name: example6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_duration + value: ON + +``` diff --git a/docs/queries/ansible-queries/azure/7ab33ac0-e4a3-418f-a673-50da4e34df21.md b/docs/queries/ansible-queries/azure/7ab33ac0-e4a3-418f-a673-50da4e34df21.md new file mode 100644 index 00000000000..ad7edb50cc2 --- /dev/null +++ b/docs/queries/ansible-queries/azure/7ab33ac0-e4a3-418f-a673-50da4e34df21.md @@ -0,0 +1,112 @@ +--- +title: PostgreSQL Log Checkpoints Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7ab33ac0-e4a3-418f-a673-50da4e34df21 +- **Query name:** PostgreSQL Log Checkpoints Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/postgre_sql_log_checkpoints_disabled) + +### Description +Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31" +--- +- name: Update PostgreSQL Server setting + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: off +- name: Update PostgreSQL Server setting2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: Off +- name: Update PostgreSQL Server setting3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: OFF +- name: Update PostgreSQL Server setting4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: "off" +- name: Update PostgreSQL Server setting5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: "Off" +- name: Update PostgreSQL Server setting6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: "OFF" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: Update PostgreSQL Server setting + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: on +- name: Update PostgreSQL Server setting2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: On +- name: Update PostgreSQL Server setting3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: ON +- name: Update PostgreSQL Server setting4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: on +- name: Update PostgreSQL Server setting5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: On +- name: Update PostgreSQL Server setting6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_checkpoints + value: ON + +``` diff --git a/docs/queries/ansible-queries/azure/7b47138f-ec0e-47dc-8516-e7728fe3cc17.md b/docs/queries/ansible-queries/azure/7b47138f-ec0e-47dc-8516-e7728fe3cc17.md new file mode 100644 index 00000000000..39414e9db2f --- /dev/null +++ b/docs/queries/ansible-queries/azure/7b47138f-ec0e-47dc-8516-e7728fe3cc17.md 
@@ -0,0 +1,112 @@ +--- +title: PostgreSQL Log Connections Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7b47138f-ec0e-47dc-8516-e7728fe3cc17 +- **Query name:** PostgreSQL Log Connections Not Set +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/postgre_sql_log_connections_not_set) + +### Description +Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31" +--- +- name: Update PostgreSQL Server setting + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: off +- name: Update PostgreSQL Server setting2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: Off +- name: Update PostgreSQL Server setting3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: OFF +- name: Update PostgreSQL Server setting4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: "off" +- name: Update PostgreSQL Server setting5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: "Off" +- name: Update PostgreSQL Server setting6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: "OFF" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: Update PostgreSQL Server setting + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: on +- name: Update PostgreSQL Server setting2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: On +- name: Update PostgreSQL Server setting3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: ON +- name: Update PostgreSQL Server setting4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: on +- name: Update PostgreSQL Server setting5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: On +- name: Update PostgreSQL Server setting6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: log_connections + value: ON + +``` diff --git a/docs/queries/ansible-queries/azure/869e7fb4-30f0-4bdb-b360-ad548f337f2f.md b/docs/queries/ansible-queries/azure/869e7fb4-30f0-4bdb-b360-ad548f337f2f.md new file mode 100644 index 00000000000..2088c8fa27f --- /dev/null +++ b/docs/queries/ansible-queries/azure/869e7fb4-30f0-4bdb-b360-ad548f337f2f.md 
@@ -0,0 +1,53 @@ +--- +title: Redis Cache Allows Non SSL Connections +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 869e7fb4-30f0-4bdb-b360-ad548f337f2f +- **Query name:** Redis Cache Allows Non SSL Connections +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/redis_cache_allows_non_ssl_connections) + +### Description +Redis Cache resources should not allow non-SSL connections
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_rediscache_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +- name: Non SSl Allowed + azure_rm_rediscache: + resource_group: myResourceGroup + name: myRedis + enable_non_ssl_port: yes + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Non SSl Disallowed + azure_rm_rediscache: + resource_group: myResourceGroup + name: myRedis + enable_non_ssl_port: no +- name: Non SSl Undefined + azure_rm_rediscache: + resource_group: myResourceGroup + name: myRedis + +``` diff --git a/docs/queries/ansible-queries/azure/881696a8-68c5-4073-85bc-7c38a3deb854.md b/docs/queries/ansible-queries/azure/881696a8-68c5-4073-85bc-7c38a3deb854.md new file mode 100644 index 00000000000..9063b660f61 --- /dev/null +++ b/docs/queries/ansible-queries/azure/881696a8-68c5-4073-85bc-7c38a3deb854.md @@ -0,0 +1,84 @@ +--- +title: Key Vault Soft Delete Is Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 881696a8-68c5-4073-85bc-7c38a3deb854 +- **Query name:** Key Vault Soft Delete Is Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/key_vault_soft_delete_is_disabled) + +### Description +Make sure Soft Delete is enabled for Key Vault
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_keyvault_module.html#parameter-enable_soft_delete) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18 7" +--- +- name: Create instance of Key Vault + azure_rm_keyvault: + resource_group: myResourceGroup + vault_name: samplekeyvault + enabled_for_deployment: yes + enable_soft_delete: no + vault_tenant: 72f98888-8666-4144-9199-2d7cd0111111 + sku: + name: standard + access_policies: + - tenant_id: 72f98888-8666-4144-9199-2d7cd0111111 + object_id: 99998888-8666-4144-9199-2d7cd0111111 + keys: + - get + - list +- name: Create instance of Key Vault 02 + azure_rm_keyvault: + resource_group: myResourceGroup 02 + vault_name: samplekeyvault + enabled_for_deployment: yes + vault_tenant: 72f98888-8666-4144-9199-2d7cd0111111 + sku: + name: standard + access_policies: + - tenant_id: 72f98888-8666-4144-9199-2d7cd0111111 + object_id: 99998888-8666-4144-9199-2d7cd0111111 + keys: + - get + - list + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create instance of Key Vault + azure_rm_keyvault: + resource_group: myResourceGroup + vault_name: samplekeyvault + enabled_for_deployment: yes + enable_soft_delete: yes + vault_tenant: 72f98888-8666-4144-9199-2d7cd0111111 + sku: + name: standard + access_policies: + - tenant_id: 72f98888-8666-4144-9199-2d7cd0111111 + object_id: 99998888-8666-4144-9199-2d7cd0111111 + keys: + - get + - list + +``` diff --git a/docs/queries/ansible-queries/azure/89f84a1e-75f8-47c5-83b5-bee8e2de4168.md b/docs/queries/ansible-queries/azure/89f84a1e-75f8-47c5-83b5-bee8e2de4168.md new file mode 100644 index 00000000000..d8a82ab4746 --- /dev/null +++ b/docs/queries/ansible-queries/azure/89f84a1e-75f8-47c5-83b5-bee8e2de4168.md 
@@ -0,0 +1,90 @@ +--- +title: Monitoring Log Profile Without All Activities +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 89f84a1e-75f8-47c5-83b5-bee8e2de4168 +- **Query name:** Monitoring Log Profile Without All Activities +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/monitoring_log_profile_without_all_activities) + +### Description +Monitoring log profile captures all the activities (Action, Write, Delete)
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_monitorlogprofile_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 21" +--- +- name: Create a log profile + azure_rm_monitorlogprofile: + name: myProfile + location: eastus + locations: + - eastus + - westus + categories: + - Write + - Action + retention_policy: + enabled: False + days: 1 + storage_account: + resource_group: myResourceGroup + name: myStorageAccount + register: output + +- name: Create a log profile2 + azure_rm_monitorlogprofile: + name: myProfile + location: eastus + locations: + - eastus + - westus + retention_policy: + enabled: False + days: 1 + storage_account: + resource_group: myResourceGroup + name: myStorageAccount + register: output + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a log profile + azure_rm_monitorlogprofile: + name: myProfile + location: eastus + locations: + - eastus + - westus + categories: + - Write + - Action + - Delete + retention_policy: + enabled: false + days: 1 + storage_account: + resource_group: myResourceGroup + name: myStorageAccount + register: output + +``` diff --git a/docs/queries/ansible-queries/azure/8c3bedf1-c570-4c3b-b414-d068cd39a00c.md b/docs/queries/ansible-queries/azure/8c3bedf1-c570-4c3b-b414-d068cd39a00c.md new file mode 100644 index 00000000000..dbc8b333111 --- /dev/null +++ b/docs/queries/ansible-queries/azure/8c3bedf1-c570-4c3b-b414-d068cd39a00c.md 
@@ -0,0 +1,122 @@ +--- +title: AKS Network Policy Misconfigured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8c3bedf1-c570-4c3b-b414-d068cd39a00c +- **Query name:** AKS Network Policy Misconfigured +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/aks_network_policy_misconfigured) + +### Description +Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html#parameter-network_profile/network_policy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 10" +--- +- name: Create a managed Azure Container Services (AKS) instance03 + azure_rm_aks: + name: myAKS + location: eastus + resource_group: myResourceGroup + dns_prefix: akstest + kubernetes_version: 1.14.6 + network_profile: + network_policy: istio + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948" + client_secret: "Password123!" + agent_pool_profiles: + - name: default + count: 5 + vm_size: Standard_D2_v2 + tags: + Environment: Production +- name: Create a managed Azure Container Services (AKS) instance04 + azure_rm_aks: + name: myAKS + location: eastus + resource_group: myResourceGroup + dns_prefix: akstest + kubernetes_version: 1.14.6 + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948" + client_secret: "Password123!" + agent_pool_profiles: + - name: default + count: 5 + vm_size: Standard_D2_v2 + tags: + Environment: Production + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a managed Azure Container Services (AKS) instance01 + azure_rm_aks: + name: myAKS + location: eastus + resource_group: myResourceGroup + dns_prefix: akstest + kubernetes_version: 1.14.6 + network_profile: + network_policy: calico + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948 + client_secret: Password123! 
+ agent_pool_profiles: + - name: default + count: 5 + vm_size: Standard_D2_v2 + tags: + Environment: Production +- name: Create a managed Azure Container Services (AKS) instance02 + azure_rm_aks: + name: myAKS + location: eastus + resource_group: myResourceGroup + dns_prefix: akstest + kubernetes_version: 1.14.6 + network_profile: + network_policy: azure + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948 + client_secret: Password123! + agent_pool_profiles: + - name: default + count: 5 + vm_size: Standard_D2_v2 + tags: + Environment: Production + +``` diff --git a/docs/queries/ansible-queries/azure/961ce567-a16d-4d7d-9027-f0ec2628a555.md b/docs/queries/ansible-queries/azure/961ce567-a16d-4d7d-9027-f0ec2628a555.md new file mode 100644 index 00000000000..d94b83619fd --- /dev/null +++ b/docs/queries/ansible-queries/azure/961ce567-a16d-4d7d-9027-f0ec2628a555.md @@ -0,0 +1,158 @@ +--- +title: SSL Enforce Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 961ce567-a16d-4d7d-9027-f0ec2628a555 +- **Query name:** SSL Enforce Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/ssl_enforce_is_disabled) + +### Description +Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlserver_module.html#parameter-enforce_ssl) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 21" +- name: Create (or update) PostgreSQL Server + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + admin_username: cloudsa + admin_password: password +- name: Create (or update) PostgreSQL Server2 + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: no + admin_username: cloudsa + admin_password: password + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create (or update) PostgreSQL Server + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: yes + admin_username: cloudsa + admin_password: password +- name: Create (or update) PostgreSQL Server2 + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: Yes + admin_username: cloudsa + admin_password: password +- name: Create (or update) PostgreSQL Server3 + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: true + admin_username: cloudsa + admin_password: password +- name: Create (or update) PostgreSQL Server4 + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: 
testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: true + admin_username: cloudsa + admin_password: password +- name: Create (or update) PostgreSQL Server5 + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: yes + admin_username: cloudsa + admin_password: password +- name: Create (or update) PostgreSQL Server6 + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: Yes + admin_username: cloudsa + admin_password: password +- name: Create (or update) PostgreSQL Server7 + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: 'true' + admin_username: cloudsa + admin_password: password +- name: Create (or update) PostgreSQL Server8 + azure.azcollection.azure_rm_postgresqlserver: + resource_group: myResourceGroup + name: testserver + sku: + name: B_Gen5_1 + tier: Basic + location: eastus + storage_mb: 1024 + enforce_ssl: 'True' + admin_username: cloudsa + admin_password: password + +``` diff --git a/docs/queries/ansible-queries/azure/a9becca7-892a-4af7-b9e1-44bf20a4cd9a.md b/docs/queries/ansible-queries/azure/a9becca7-892a-4af7-b9e1-44bf20a4cd9a.md new file mode 100644 index 00000000000..ee1f5be5c4a --- /dev/null +++ b/docs/queries/ansible-queries/azure/a9becca7-892a-4af7-b9e1-44bf20a4cd9a.md 
@@ -0,0 +1,112 @@ +--- +title: PostgreSQL Server Without Connection Throttling +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a9becca7-892a-4af7-b9e1-44bf20a4cd9a +- **Query name:** PostgreSQL Server Without Connection Throttling +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/postgre_sql_server_without_connection_throttling) + +### Description +Ensure that Connection Throttling is set for the PostgreSQL server
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_postgresqlconfiguration_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="37 7 13 19 25 31" +--- +- name: Update PostgreSQL Server setting + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: off +- name: Update PostgreSQL Server setting2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: Off +- name: Update PostgreSQL Server setting3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: OFF +- name: Update PostgreSQL Server setting4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: "off" +- name: Update PostgreSQL Server setting5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: "Off" +- name: Update PostgreSQL Server setting6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: "OFF" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: Update PostgreSQL Server setting + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: on +- name: Update PostgreSQL Server setting2 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: On +- name: Update PostgreSQL Server setting3 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: ON +- name: Update PostgreSQL Server setting4 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: on +- name: Update PostgreSQL Server setting5 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: On +- name: Update PostgreSQL Server setting6 + azure.azcollection.azure_rm_postgresqlconfiguration: + resource_group: myResourceGroup + server_name: myServer + name: connection_throttling + value: ON + +``` diff --git a/docs/queries/ansible-queries/azure/b176e927-bbe2-44a6-a9c3-041417137e5f.md b/docs/queries/ansible-queries/azure/b176e927-bbe2-44a6-a9c3-041417137e5f.md new file mode 100644 index 00000000000..982144d5b45 --- /dev/null +++ b/docs/queries/ansible-queries/azure/b176e927-bbe2-44a6-a9c3-041417137e5f.md 
@@ -0,0 +1,55 @@ +--- +title: AD Admin Not Configured For SQL Server +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b176e927-bbe2-44a6-a9c3-041417137e5f +- **Query name:** AD Admin Not Configured For SQL Server +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/ad_admin_not_configured_for_sql_server) + +### Description +The Active Directory Administrator is not configured for a SQL server
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlserver_module.html#parameter-ad_user) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +--- +- name: Create (or update) SQL Server + azure_rm_sqlserver: + resource_group: myResourceGroup + name: server_name + location: westus + admin_username: mylogin + admin_password: Testpasswordxyz12! + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create (or update) SQL Server + azure_rm_sqlserver: + resource_group: myResourceGroup + name: server_name + location: westus + admin_username: mylogin + admin_password: Testpasswordxyz12! + ad_user: sqladmin + +``` diff --git a/docs/queries/ansible-queries/azure/c62746cf-92d5-4649-9acf-7d48d086f2ee.md b/docs/queries/ansible-queries/azure/c62746cf-92d5-4649-9acf-7d48d086f2ee.md new file mode 100644 index 00000000000..59567c8bcee --- /dev/null +++ b/docs/queries/ansible-queries/azure/c62746cf-92d5-4649-9acf-7d48d086f2ee.md @@ -0,0 +1,64 @@ +--- +title: Storage Account Not Using Latest TLS Encryption Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c62746cf-92d5-4649-9acf-7d48d086f2ee +- **Query name:** Storage Account Not Using Latest TLS Encryption Version +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/storage_account_not_using_latest_tls_encryption_version) + +### Description +Ensure Storage Account is using the latest version of TLS encryption
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-minimum_tls_version) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 12" +--- +- name: Create an account with kind of FileStorage + azure_rm_storageaccount: + resource_group: myResourceGroup + name: c1h0002 + type: Premium_LRS + kind: FileStorage + minimum_tls_version: TLS1_0 + tags: + testing: testing +- name: Create a second account with kind of FileStorage + azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0003 + type: Premium_LRS + kind: FileStorage + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create an account with kind of FileStorage + azure_rm_storageaccount: + resource_group: myResourceGroup + name: c1h0002 + type: Premium_LRS + kind: FileStorage + minimum_tls_version: TLS1_2 + tags: + testing: testing + +``` diff --git a/docs/queries/ansible-queries/azure/ca4df748-613a-4fbf-9c76-f02cbd580307.md b/docs/queries/ansible-queries/azure/ca4df748-613a-4fbf-9c76-f02cbd580307.md new file mode 100644 index 00000000000..b6258405bf6 --- /dev/null +++ b/docs/queries/ansible-queries/azure/ca4df748-613a-4fbf-9c76-f02cbd580307.md @@ -0,0 +1,99 @@ +--- +title: Default Azure Storage Account Network Access Is Too Permissive +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ca4df748-613a-4fbf-9c76-f02cbd580307 +- **Query name:** Default Azure Storage Account Network Access Is Too Permissive +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/default_azure_storage_account_network_access_is_too_permissive) + +### Description +Make sure that your Azure Storage Account access is limited to those who require it.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-public_network_access) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +--- +- name: create an account + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + tags: + testing: testing + delete: on-exit + public_network_access: Enabled + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="3" +--- +- name: create an account + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + tags: + testing: testing + delete: on-exit + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="3" +--- +- name: create an account + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + tags: + testing: testing + delete: on-exit + network_acls: + default_action: Allow + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +--- +- name: create an account + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + tags: + testing: testing + delete: on-exit + network_acls: + default_action: Deny + +``` +```yaml title="Negative test num. 2 - yaml file" +--- +- name: create an account + azure.azcollection.azure_rm_storageaccount: + resource_group: myResourceGroup + name: clh0002 + type: Standard_RAGRS + tags: + testing: testing + delete: on-exit + public_network_access: Disabled + +``` diff --git a/docs/queries/ansible-queries/azure/d5e83b32-56dd-4247-8c2e-074f43b38a5e.md b/docs/queries/ansible-queries/azure/d5e83b32-56dd-4247-8c2e-074f43b38a5e.md new file mode 100644 index 00000000000..ad27b832d44 --- /dev/null 
+++ b/docs/queries/ansible-queries/azure/d5e83b32-56dd-4247-8c2e-074f43b38a5e.md @@ -0,0 +1,158 @@ +--- +title: AKS Monitoring Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d5e83b32-56dd-4247-8c2e-074f43b38a5e +- **Query name:** AKS Monitoring Logging Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/aks_monitoring_logging_disabled) + +### Description +Azure Container Service (AKS) instance should have logging enabled to Azure Monitoring
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_aks_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 43 68 94" +- name: Create an AKS instance v0 + azure_rm_aks: + name: myAKS + resource_group: myResourceGroup + location: eastus + dns_prefix: akstest + kubernetes_version: 1.14.6 + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948" + client_secret: "Password1234!" + agent_pool_profiles: + - name: default + count: 1 + vm_size: Standard_DS1_v2 + type: VirtualMachineScaleSets + max_count: 3 + min_count: 1 + enable_rbac: yes +- name: Create an AKS instance + azure_rm_aks: + name: myAKS + resource_group: myResourceGroup + location: eastus + dns_prefix: akstest + kubernetes_version: 1.14.6 + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948" + client_secret: "Password1234!" + agent_pool_profiles: + - name: default + count: 1 + vm_size: Standard_DS1_v2 + type: VirtualMachineScaleSets + max_count: 3 + min_count: 1 + enable_rbac: yes + addon: + http_application_routing: + enabled: yes +- name: Create an AKS instance v3 + azure_rm_aks: + name: myAKS + resource_group: myResourceGroup + location: eastus + dns_prefix: akstest + kubernetes_version: 1.14.6 + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948" + client_secret: "Password1234!" 
+ agent_pool_profiles: + - name: default + count: 1 + vm_size: Standard_DS1_v2 + type: VirtualMachineScaleSets + max_count: 3 + min_count: 1 + enable_rbac: yes + addon: + monitoring: + log_analytics_workspace_resource_id: "qwqeqe" +- name: Create an AKS instance v9 + azure_rm_aks: + name: myAKS + resource_group: myResourceGroup + location: eastus + dns_prefix: akstest + kubernetes_version: 1.14.6 + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: "cf72ca99-f6b9-4004-b0e0-bee10c521948" + client_secret: "Password1234!" + agent_pool_profiles: + - name: default + count: 1 + vm_size: Standard_DS1_v2 + type: VirtualMachineScaleSets + max_count: 3 + min_count: 1 + enable_rbac: yes + addon: + monitoring: + log_analytics_workspace_resource_id: "qwqeqe" + enabled: no + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create an AKS instance v4 + azure_rm_aks: + name: myAKS + resource_group: myResourceGroup + location: eastus + dns_prefix: akstest + kubernetes_version: 1.14.6 + linux_profile: + admin_username: azureuser + ssh_key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA... + service_principal: + client_id: cf72ca99-f6b9-4004-b0e0-bee10c521948 + client_secret: Password1234! + agent_pool_profiles: + - name: default + count: 1 + vm_size: Standard_DS1_v2 + type: VirtualMachineScaleSets + max_count: 3 + min_count: 1 + enable_rbac: yes + addon: + monitoring: + log_analytics_workspace_resource_id: qwqeqe + enabled: yes + +``` diff --git a/docs/queries/ansible-queries/azure/da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md b/docs/queries/ansible-queries/azure/da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md new file mode 100644 index 00000000000..83e0d65fd83 --- /dev/null +++ b/docs/queries/ansible-queries/azure/da4f2739-174f-4cdd-b9ef-dc3f14b5931f.md 
@@ -0,0 +1,82 @@ +--- +title: Security Group is Not Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** da4f2739-174f-4cdd-b9ef-dc3f14b5931f +- **Query name:** Security Group is Not Configured +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/security_group_is_not_configured) + +### Description +Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_subnet_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 35 9 16 28" +#this is a problematic code where the query should report a result(s) +- name: Create a subnet1 + azure_rm_subnet: + resource_group: myResourceGroup1 + virtual_network_name: myVirtualNetwork1 + name: mySubnet1 + address_prefix_cidr: "10.1.0.0/24" +- name: Create a subnet2 + azure_rm_subnet: + resource_group: myResourceGroup2 + virtual_network_name: myVirtualNetwork2 + name: mySubnet2 + address_prefix_cidr: "10.1.0.0/24" + security_group: +- name: Create a subnet3 + azure_rm_subnet: + resource_group: myResourceGroup3 + virtual_network_name: myVirtualNetwork3 + name: mySubnet3 + address_prefix_cidr: "10.1.0.0/24" + security_group_name: +- name: Create a subnet4 + azure_rm_subnet: + resource_group: myResourceGroup4 + virtual_network_name: myVirtualNetwork4 + name: mySubnet4 + address_prefix_cidr: "10.1.0.0/24" + security_group: "" +- name: Create a subnet5 + azure_rm_subnet: + resource_group: myResourceGroup5 + virtual_network_name: myVirtualNetwork5 + name: mySubnet5 + address_prefix_cidr: "10.1.0.0/24" + security_group_name: "" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: Create a subnet + azure_rm_subnet: + resource_group: myResourceGroup + virtual_network_name: myVirtualNetwork + name: mySubnet + address_prefix_cidr: 10.1.0.0/24 + security_group: mySecurityGroup + +``` diff --git a/docs/queries/ansible-queries/azure/e2d834b7-8b25-4935-af53-4a60668dcbe0.md b/docs/queries/ansible-queries/azure/e2d834b7-8b25-4935-af53-4a60668dcbe0.md new file mode 100644 index 00000000000..8e1bc38728e --- /dev/null 
+++ b/docs/queries/ansible-queries/azure/e2d834b7-8b25-4935-af53-4a60668dcbe0.md @@ -0,0 +1,61 @@ +--- +title: Azure Instance Using Basic Authentication +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e2d834b7-8b25-4935-af53-4a60668dcbe0 +- **Query name:** Azure Instance Using Basic Authentication +- **Platform:** Ansible +- **Severity:** High +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/azure_instance_using_basic_authentication) + +### Description +Azure Instances should use SSH Key instead of basic authentication
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_virtualmachine_module.html#parameter-linux_config/disable_password_authentication) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="1" +--- +- name: Create a VM with a custom image + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: testvm001 + vm_size: Standard_DS1_v2 + admin_username: adminUser + admin_password: password01 + image: customimage001 + os_type: Linux + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +--- +- name: Create a VM with a custom image + azure_rm_virtualmachine: + resource_group: myResourceGroup + name: testvm001 + vm_size: Standard_DS1_v2 + ssh_password_enabled: false + ssh_public_keys: + - path: ~/.ssh/id_rsa.pub + key_data: somegeneratedkeydata + image: customimage001 + os_type: Linux + +``` diff --git a/docs/queries/ansible-queries/azure/e8c80448-31d8-4755-85fc-6dbab69c2717.md b/docs/queries/ansible-queries/azure/e8c80448-31d8-4755-85fc-6dbab69c2717.md new file mode 100644 index 00000000000..9e4b85376de --- /dev/null +++ b/docs/queries/ansible-queries/azure/e8c80448-31d8-4755-85fc-6dbab69c2717.md @@ -0,0 +1,76 @@ +--- +title: CosmosDB Account IP Range Filter Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e8c80448-31d8-4755-85fc-6dbab69c2717 +- **Query name:** CosmosDB Account IP Range Filter Not Set +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/cosmosdb_account_ip_range_filter_not_set) + +### Description +The IP range filter should be defined to secure the data stored
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_cosmosdbaccount_module.html#parameter-ip_range_filter) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: Create Cosmos DB Account - max + azure_rm_cosmosdbaccount: + resource_group: myResourceGroup + name: myDatabaseAccount + location: westus + kind: mongo_db + geo_rep_locations: + - name: southcentralus + failover_priority: 0 + database_account_offer_type: Standard + enable_multiple_write_locations: yes + virtual_network_rules: + - subnet: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVi + rtualNetwork/subnets/mySubnet" + consistency_policy: + default_consistency_level: bounded_staleness + max_staleness_prefix: 10 + max_interval_in_seconds: 1000 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create Cosmos DB Account - max + azure_rm_cosmosdbaccount: + resource_group: myResourceGroup + name: myDatabaseAccount + location: westus + kind: mongo_db + geo_rep_locations: + - name: southcentralus + failover_priority: 0 + database_account_offer_type: Standard + ip_range_filter: 10.10.10.10 + enable_multiple_write_locations: yes + virtual_network_rules: + - subnet: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVi + rtualNetwork/subnets/mySubnet + consistency_policy: + default_consistency_level: bounded_staleness + max_staleness_prefix: 10 + max_interval_in_seconds: 1000 + +``` diff --git a/docs/queries/ansible-queries/azure/eb8c2560-8bee-4248-9d0d-e80c8641dd91.md b/docs/queries/ansible-queries/azure/eb8c2560-8bee-4248-9d0d-e80c8641dd91.md new file mode 100644 index 00000000000..aff552f1e0f --- /dev/null 
+++ b/docs/queries/ansible-queries/azure/eb8c2560-8bee-4248-9d0d-e80c8641dd91.md @@ -0,0 +1,68 @@ +--- +title: Web App Accepting Traffic Other Than HTTPS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** eb8c2560-8bee-4248-9d0d-e80c8641dd91 +- **Query name:** Web App Accepting Traffic Other Than HTTPS +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/web_app_accepting_traffic_other_than_https) + +### Description +Web app should only accept HTTPS traffic in Azure Web App Service.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_webapp_module.html#parameter-https_only) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 5" +- name: Create a windows web app with non-exist app service plan + azure_rm_webapp: + resource_group: myResourceGroup + name: myWinWebapp + https_only: false + plan: + resource_group: myAppServicePlan_rg + name: myAppServicePlan + is_linux: false + sku: S1 +- name: Create another windows web app + azure_rm_webapp: + resource_group: myResourceGroup + name: myWinWebapp + plan: + resource_group: myAppServicePlan_rg + name: myAppServicePlan + is_linux: false + sku: S1 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create a windows web app with non-exist app service plan + azure_rm_webapp: + resource_group: myResourceGroup + name: myWinWebapp + https_only: true + plan: + resource_group: myAppServicePlan_rg + name: myAppServicePlan + is_linux: false + sku: S1 + +``` diff --git a/docs/queries/ansible-queries/azure/f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md b/docs/queries/ansible-queries/azure/f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md new file mode 100644 index 00000000000..1f9a137c237 --- /dev/null +++ b/docs/queries/ansible-queries/azure/f4e9ff70-0f3b-4c50-a713-26cbe7ec4039.md @@ -0,0 +1,68 @@ +--- +title: SQLServer Ingress From Any IP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f4e9ff70-0f3b-4c50-a713-26cbe7ec4039 +- **Query name:** SQLServer Ingress From Any IP +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/azure/sql_server_ingress_from_any_ip) + +### Description +Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_sqlfirewallrule_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +--- +- name: Create (or update) Firewall Rule + azure.azcollection.azure_rm_sqlfirewallrule: + resource_group: myResourceGroup + server_name: firewallrulecrudtest-6285 + name: firewallrulecrudtest-5370 + start_ip_address: 0.0.0.0 + end_ip_address: 255.255.255.255 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: Create (or update) Firewall Rule + azure.azcollection.azure_rm_sqlfirewallrule: + resource_group: myResourceGroup + server_name: firewallrulecrudtest-6285 + name: firewallrulecrudtest-5370 + start_ip_address: 172.28.10.136 + end_ip_address: 172.28.10.138 +- name: Create (or update) Firewall Rule2 + azure.azcollection.azure_rm_sqlfirewallrule: + resource_group: myResourceGroup + server_name: firewallrulecrudtest-6285 + name: firewallrulecrudtest-5370 + start_ip_address: 0.0.0.0 + end_ip_address: 0.0.0.3 +- name: Create (or update) Firewall Rule3 + azure.azcollection.azure_rm_sqlfirewallrule: + resource_group: myResourceGroup + server_name: firewallrulecrudtest-6285 + name: firewallrulecrudtest-5370 + start_ip_address: 255.255.255.250 + end_ip_address: 255.255.255.255 + +``` diff --git a/docs/queries/ansible-queries/gcp/086031e1-9d4a-4249-acb3-5bfe4c363db2.md b/docs/queries/ansible-queries/gcp/086031e1-9d4a-4249-acb3-5bfe4c363db2.md new file mode 100644 index 00000000000..d8946219946 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/086031e1-9d4a-4249-acb3-5bfe4c363db2.md 
@@ -0,0 +1,83 @@ +--- +title: Cloud Storage Anonymous or Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 086031e1-9d4a-4249-acb3-5bfe4c363db2 +- **Query name:** Cloud Storage Anonymous or Publicly Accessible +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/cloud_storage_anonymous_or_publicly_accessible) + +### Description +Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'entity' must not be 'allUsers' or 'allAuthenticatedUsers'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 28 22" +#this is a problematic code where the query should report a result(s) +- name: create a bucket1 + google.cloud.gcp_storage_bucket: + name: ansible-storage-module1 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + default_object_acl: + bucket: bucketName1 + entity: allUsers + role: READER +- name: create a bucket2 + google.cloud.gcp_storage_bucket: + name: ansible-storage-module2 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + acl: + bucket: bucketName2 + entity: allAuthenticatedUsers + default_object_acl: + bucket: bucketName2 + entity: allUsers + role: READER +- name: create a bucket3 + google.cloud.gcp_storage_bucket: + name: ansible-storage-module3 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: create a bucket + google.cloud.gcp_storage_bucket: + name: ansible-storage-module + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + acl: + bucket: bucketName + entity: group-example@googlegroups.com + +``` diff --git a/docs/queries/ansible-queries/gcp/092bae86-6105-4802-99d2-99cd7e7431f3.md b/docs/queries/ansible-queries/gcp/092bae86-6105-4802-99d2-99cd7e7431f3.md new file mode 100644 index 00000000000..a869ac269ce --- /dev/null +++ b/docs/queries/ansible-queries/gcp/092bae86-6105-4802-99d2-99cd7e7431f3.md 
@@ -0,0 +1,123 @@
+---
+title: Disk Encryption Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 092bae86-6105-4802-99d2-99cd7e7431f3
+- **Query name:** Disk Encryption Disabled
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/disk_encryption_disabled)
+
+### Description
+VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_disk_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="27 3 15"
+#this is a problematic code where the query should report a result(s)
+- name: create a disk1
+ google.cloud.gcp_compute_disk:
+ name: test_object1
+ size_gb: 50
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a disk3
+ google.cloud.gcp_compute_disk:
+ name: test_object3
+ size_gb: 50
+ disk_encryption_key:
+ raw_key:
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a disk4
+ google.cloud.gcp_compute_disk:
+ name: test_object4
+ size_gb: 50
+ disk_encryption_key:
+ raw_key: ""
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="17 5"
+- name: create a disk3
+ google.cloud.gcp_compute_disk:
+ name: test_object3
+ size_gb: 50
+ disk_encryption_key:
+ kms_key_name:
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a disk4
+ google.cloud.gcp_compute_disk:
+ name: test_object4
+ size_gb: 50
+ disk_encryption_key:
+ kms_key_name: ""
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file"
+#this code is a correct code for which the query should not find any result
+- name: create a disk
+ google.cloud.gcp_compute_disk:
+ name: test_object
+ size_gb: 50
+ disk_encryption_key:
+ raw_key: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: /tmp/auth.pem
+ state: present
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+#this code is a correct code for which the query should not find any result
+- name: create a disk
+ google.cloud.gcp_compute_disk:
+ name: test_object
+ size_gb: 50
+ disk_encryption_key:
+ kms_key_name: disk-crypto-key
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: /tmp/auth.pem
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/gcp/099b4411-d11e-4537-a0fc-146b19762a79.md b/docs/queries/ansible-queries/gcp/099b4411-d11e-4537-a0fc-146b19762a79.md
new file mode 100644
index 00000000000..2e132716117
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/099b4411-d11e-4537-a0fc-146b19762a79.md
@@ -0,0 +1,62 @@
+---
+title: Project-wide SSH Keys Are Enabled In VM Instances
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 099b4411-d11e-4537-a0fc-146b19762a79
+- **Query name:** Project-wide SSH Keys Are Enabled In VM Instances
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Secret Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances)
+
+### Description
+VM Instance should block project-wide SSH keys
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 4 15"
+- name: ssh_keys_unblocked
+ google.cloud.gcp_compute_instance:
+ metadata:
+ block-project-ssh-keys: no
+ zone: us-central1-a
+ auth_kind: serviceaccount
+- name: ssh_keys_missing
+ google.cloud.gcp_compute_instance:
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ zone: us-central1-a
+ auth_kind: serviceaccount
+- name: no_metadata
+ google.cloud.gcp_compute_instance:
+ zone: us-central1-a
+ auth_kind: serviceaccount
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: ssh_keys_blocked
+ google.cloud.gcp_compute_instance:
+ metadata:
+ block-project-ssh-keys: yes
+ zone: us-central1-a
+ auth_kind: serviceaccount
+
+```
diff --git a/docs/queries/ansible-queries/gcp/0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md b/docs/queries/ansible-queries/gcp/0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md
new file mode 100644
index 00000000000..7d964613042
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/0c82eae2-aca0-401f-93e4-fb37a0f9e5e8.md
@@ -0,0 +1,96 @@
+---
+title: SQL DB Instance Backup Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8
+- **Query name:** SQL DB Instance Backup Disabled
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Backup
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/sql_db_instance_backup_disabled)
+
+### Description
+Checks if backup configuration is enabled for all Cloud SQL Database instances
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/backup_configuration/enabled)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 3 13 38"
+---
+- name: create a instance
+ google.cloud.gcp_sql_instance:
+ name: "{{ resource_name }}-2"
+ region: us-central1
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a second instance
+ google.cloud.gcp_sql_instance:
+ name: "{{ resource_name }}-2"
+ settings:
+ tier: db-n1-standard-1
+ region: us-central1
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a third instance
+ google.cloud.gcp_sql_instance:
+ name: "{{ resource_name }}-2"
+ settings:
+ backup_configuration:
+ binary_log_enabled: yes
+ tier: db-n1-standard-1
+ region: us-central1
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a forth instance
+ google.cloud.gcp_sql_instance:
+ name: "{{ resource_name }}-2"
+ settings:
+ backup_configuration:
+ binary_log_enabled: yes
+ enabled: no
+ tier: db-n1-standard-1
+ region: us-central1
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: create a instance
+ google.cloud.gcp_sql_instance:
+ name: '{{ resource_name }}-2'
+ settings:
+ backup_configuration:
+ binary_log_enabled: yes
+ enabled: yes
+ tier: db-n1-standard-1
+ region: us-central1
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: /tmp/auth.pem
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/gcp/11bd3554-cd56-4257-8e25-7aaf30cf8f5f.md b/docs/queries/ansible-queries/gcp/11bd3554-cd56-4257-8e25-7aaf30cf8f5f.md
new file mode 100644
index 00000000000..a4f845ab494
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/11bd3554-cd56-4257-8e25-7aaf30cf8f5f.md
@@ -0,0 +1,83 @@
+---
+title: IP Forwarding Enabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 11bd3554-cd56-4257-8e25-7aaf30cf8f5f
+- **Query name:** IP Forwarding Enabled
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/ip_forwarding_enabled)
+
+### Description
+Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="22"
+#this is a problematic code where the query should report a result(s)
+- name: create a instance
+ google.cloud.gcp_compute_instance:
+ name: test_object
+ machine_type: n1-standard-1
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+ can_ip_forward: yes
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+#this code is a correct code for which the query should not find any result
+- name: create a instance
+ google.cloud.gcp_compute_instance:
+ name: test_object
+ machine_type: n1-standard-1
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: '{{ network }}'
+ access_configs:
+ - name: External NAT
+ nat_ip: '{{ address }}'
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: /tmp/auth.pem
+ state: present
+ can_ip_forward: no
+
+```
diff --git a/docs/queries/ansible-queries/gcp/18d3a83d-4414-49dc-90ea-f0387b2856cc.md b/docs/queries/ansible-queries/gcp/18d3a83d-4414-49dc-90ea-f0387b2856cc.md
new file mode 100644
index 00000000000..2e85e54ee60
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/18d3a83d-4414-49dc-90ea-f0387b2856cc.md
@@ -0,0 +1,235 @@
+---
+title: Shielded VM Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 18d3a83d-4414-49dc-90ea-f0387b2856cc
+- **Query name:** Shielded VM Disabled
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/shielded_vm_disabled)
+
+### Description
+Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="65 162 3 137 42 112 88"
+#this is a problematic code where the query should report a result(s)
+- name: create a instance1
+ google.cloud.gcp_compute_instance:
+ name: test_object1
+ machine_type: n1-standard-1
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a instance2
+ google.cloud.gcp_compute_instance:
+ name: test_object2
+ machine_type: n1-standard-1
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+ shielded_instance_config:
+ enable_secure_boot: yes
+ enable_vtpm: yes
+- name: create a instance3
+ google.cloud.gcp_compute_instance:
+ name: test_object3
+ machine_type: n1-standard-1
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+ 
shielded_instance_config:
+ enable_integrity_monitoring: yes
+ enable_vtpm: yes
+- name: create a instance4
+ google.cloud.gcp_compute_instance:
+ name: test_object4
+ machine_type: n1-standard-1
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+ shielded_instance_config:
+ enable_integrity_monitoring: yes
+ enable_secure_boot: yes
+- name: create a instance5
+ google.cloud.gcp_compute_instance:
+ name: test_object5
+ machine_type: n1-standard-1
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+ shielded_instance_config:
+ enable_integrity_monitoring: no
+ enable_secure_boot: yes
+ enable_vtpm: yes
+- name: create a instance6
+ google.cloud.gcp_compute_instance:
+ name: test_object6
+ machine_type: n1-standard-1
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+ shielded_instance_config:
+ enable_integrity_monitoring: yes
+ enable_secure_boot: no
+ enable_vtpm: yes
+- name: create a instance7
+ 
google.cloud.gcp_compute_instance:
+ name: test_object7
+ machine_type: n1-standard-1
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+ shielded_instance_config:
+ enable_integrity_monitoring: yes
+ enable_secure_boot: yes
+ enable_vtpm: no
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+#this code is a correct code for which the query should not find any result
+- name: create a instance
+ google.cloud.gcp_compute_instance:
+ name: test_object
+ machine_type: n1-standard-1
+ disks:
+ - auto_delete: 'true'
+ boot: 'true'
+ source: '{{ disk }}'
+ - auto_delete: 'true'
+ interface: NVME
+ type: SCRATCH
+ initialize_params:
+ disk_type: local-ssd
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: '{{ network }}'
+ access_configs:
+ - name: External NAT
+ nat_ip: '{{ address }}'
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: /tmp/auth.pem
+ state: present
+ shielded_instance_config:
+ enable_integrity_monitoring: yes
+ enable_secure_boot: yes
+ enable_vtpm: yes
+
+```
diff --git a/docs/queries/ansible-queries/gcp/19c9e2a0-fc33-4264-bba1-e3682661e8f7.md b/docs/queries/ansible-queries/gcp/19c9e2a0-fc33-4264-bba1-e3682661e8f7.md
new file mode 100644
index 00000000000..11e373c0fa8
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/19c9e2a0-fc33-4264-bba1-e3682661e8f7.md
@@ -0,0 +1,88 @@
+---
+title: Stackdriver Logging Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 19c9e2a0-fc33-4264-bba1-e3682661e8f7
+- **Query name:** Stackdriver Logging Disabled
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/stackdriver_logging_disabled)
+
+### Description
+Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 3"
+#this is a problematic code where the query should report a result(s)
+- name: create a cluster1
+ google.cloud.gcp_container_cluster:
+ name: my-cluster1
+ initial_node_count: 2
+ master_auth:
+ username: cluster_admin
+ password: my-secret-password
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a cluster2
+ google.cloud.gcp_container_cluster:
+ name: my-cluster2
+ initial_node_count: 2
+ master_auth:
+ username: cluster_admin
+ password: my-secret-password
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+ logging_service: none
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+#this code is a correct code for which the query should not find any result
+- name: create a cluster
+ google.cloud.gcp_container_cluster:
+ name: my-cluster
+ initial_node_count: 2
+ master_auth:
+ username: cluster_admin
+ password: my-secret-password
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: /tmp/auth.pem
+ state: present
+ logging_service: logging.googleapis.com
+
+```
diff --git a/docs/queries/ansible-queries/gcp/20180133-a0d0-4745-bfe0-94049fbb12a9.md b/docs/queries/ansible-queries/gcp/20180133-a0d0-4745-bfe0-94049fbb12a9.md
new file mode 100644
index 00000000000..57df6ff6116
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/20180133-a0d0-4745-bfe0-94049fbb12a9.md
@@ -0,0 +1,102 @@
+---
+title: Client Certificate Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 20180133-a0d0-4745-bfe0-94049fbb12a9
+- **Query name:** Client Certificate Disabled
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/client_certificate_disabled)
+
+### Description
+Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="18 3 37"
+#this is a problematic code where the query should report a result(s)
+- name: create a cluster1
+ google.cloud.gcp_container_cluster:
+ name: my-cluster1
+ initial_node_count: 2
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a cluster2
+ google.cloud.gcp_container_cluster:
+ name: my-cluster2
+ initial_node_count: 2
+ master_auth:
+ username: cluster_admin
+ password: my-secret-password
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a cluster3
+ google.cloud.gcp_container_cluster:
+ name: my-cluster3
+ initial_node_count: 2
+ master_auth:
+ username: cluster_admin
+ password: my-secret-password
+ client_certificate_config:
+ issue_client_certificate: no
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file"
+#this code is a correct code for which the query should not find any result
+- name: create a cluster
+ google.cloud.gcp_container_cluster:
+ name: my-cluster
+ initial_node_count: 2
+ master_auth:
+ username: cluster_admin
+ password: my-secret-password
+ client_certificate_config:
+ issue_client_certificate: yes
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: /tmp/auth.pem
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/gcp/20dcd953-a8b8-4892-9026-9afa6d05a525.md b/docs/queries/ansible-queries/gcp/20dcd953-a8b8-4892-9026-9afa6d05a525.md
new file mode 100644
index 00000000000..f77fc09204d
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/20dcd953-a8b8-4892-9026-9afa6d05a525.md
@@ -0,0 +1,88 @@
+---
+title: Stackdriver Monitoring Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 20dcd953-a8b8-4892-9026-9afa6d05a525
+- **Query name:** Stackdriver Monitoring Disabled
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/stackdriver_monitoring_disabled)
+
+### Description
+Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 3"
+#this is a problematic code where the query should report a result(s)
+- name: create a cluster1
+ google.cloud.gcp_container_cluster:
+ name: my-cluster1
+ initial_node_count: 2
+ master_auth:
+ username: cluster_admin
+ password: my-secret-password
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+- name: create a cluster2
+ google.cloud.gcp_container_cluster:
+ name: my-cluster2
+ initial_node_count: 2
+ master_auth:
+ username: cluster_admin
+ password: my-secret-password
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+ monitoring_service: none
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+#this code is a correct code for which the query should not find any result
+- name: create a cluster
+ google.cloud.gcp_container_cluster:
+ name: my-cluster
+ initial_node_count: 2
+ master_auth:
+ username: cluster_admin
+ password: my-secret-password
+ node_config:
+ machine_type: n1-standard-4
+ disk_size_gb: 500
+ location: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: /tmp/auth.pem
+ state: present
+ monitoring_service: monitoring.googleapis.com
+
+```
diff --git a/docs/queries/ansible-queries/gcp/2263b286-2fe9-4747-a0ae-8b4768a2bbd2.md b/docs/queries/ansible-queries/gcp/2263b286-2fe9-4747-a0ae-8b4768a2bbd2.md
new file mode 100644
index 00000000000..4dc1eca78ca
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/2263b286-2fe9-4747-a0ae-8b4768a2bbd2.md
@@ -0,0 +1,60 @@
+---
+title: BigQuery Dataset Is Public
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2263b286-2fe9-4747-a0ae-8b4768a2bbd2
+- **Query name:** BigQuery Dataset Is Public
+- **Platform:** Ansible
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/bigquery_dataset_is_public)
+
+### Description
+BigQuery dataset is anonymously or publicly accessible
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_bigquery_dataset_module.html#parameter-access/special_group)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+---
+- name: create a dataset
+ google.cloud.gcp_bigquery_dataset:
+ name: my_example_dataset
+ access:
+ - special_group: allAuthenticatedUsers
+ dataset_reference:
+ dataset_id: my_example_dataset
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+- name: create a dataset
+ google.cloud.gcp_bigquery_dataset:
+ name: my_example_dataset
+ dataset_reference:
+ dataset_id: my_example_dataset
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: /tmp/auth.pem
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/gcp/2775e169-e708-42a9-9305-b58aadd2c4dd.md b/docs/queries/ansible-queries/gcp/2775e169-e708-42a9-9305-b58aadd2c4dd.md
new file mode 100644
index 00000000000..8c10e184e02
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/2775e169-e708-42a9-9305-b58aadd2c4dd.md
@@ -0,0 +1,185 @@
+---
+title: Using Default Service Account
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2775e169-e708-42a9-9305-b58aadd2c4dd
+- **Query name:** Using Default Service Account
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/using_default_service_account)
+
+### Description
+Instances must not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account_email' must be defined. Additionally, it must not be empty and must also not be a default Google Compute Engine service account.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="115 57 3 86"
+#this is a problematic code where the query should report a result(s)
+- name: create a instance1
+ google.cloud.gcp_compute_instance:
+ name: test_object1
+ machine_type: n1-standard-1
+ disks:
+ - auto_delete: 'true'
+ boot: 'true'
+ source: "{{ disk }}"
+ - auto_delete: 'true'
+ interface: NVME
+ type: SCRATCH
+ initialize_params:
+ disk_type: local-ssd
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ state: present
+- name: create a instance2
+ google.cloud.gcp_compute_instance:
+ name: test_object2
+ machine_type: n1-standard-1
+ disks:
+ - auto_delete: 'true'
+ boot: 'true'
+ source: "{{ disk }}"
+ - auto_delete: 'true'
+ interface: NVME
+ type: SCRATCH
+ initialize_params:
+ disk_type: local-ssd
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_email: ""
+ state: present
+- name: create a instance3
+ google.cloud.gcp_compute_instance:
+ name: test_object3
+ machine_type: n1-standard-1
+ disks:
+ - auto_delete: 'true'
+ boot: 'true'
+ source: "{{ disk }}"
+ - auto_delete: 'true'
+ interface: NVME
+ type: SCRATCH
+ initialize_params:
+ disk_type: local-ssd
+ metadata:
+ startup-script-url: 
gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_email: "admin"
+ state: present
+- name: create a instance4
+ google.cloud.gcp_compute_instance:
+ name: test_object4
+ machine_type: n1-standard-1
+ disks:
+ - auto_delete: 'true'
+ boot: 'true'
+ source: "{{ disk }}"
+ - auto_delete: 'true'
+ interface: NVME
+ type: SCRATCH
+ initialize_params:
+ disk_type: local-ssd
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: "{{ network }}"
+ access_configs:
+ - name: External NAT
+ nat_ip: "{{ address }}"
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_email: "admin@developer.gserviceaccount.com"
+ state: present
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+#this code is a correct code for which the query should not find any result
+- name: create a instance
+ google.cloud.gcp_compute_instance:
+ name: test_object
+ machine_type: n1-standard-1
+ disks:
+ - auto_delete: 'true'
+ boot: 'true'
+ source: '{{ disk }}'
+ - auto_delete: 'true'
+ interface: NVME
+ type: SCRATCH
+ initialize_params:
+ disk_type: local-ssd
+ metadata:
+ startup-script-url: gs:://graphite-playground/bootstrap.sh
+ cost-center: '12345'
+ labels:
+ environment: production
+ network_interfaces:
+ - network: '{{ network }}'
+ access_configs:
+ - name: External NAT
+ nat_ip: '{{ address }}'
+ type: ONE_TO_ONE_NAT
+ zone: us-central1-a
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_email: admin@admin.com
+ state: present
+
+```
diff --git a/docs/queries/ansible-queries/gcp/28a757fc-3d8f-424a-90c0-4233363b2711.md b/docs/queries/ansible-queries/gcp/28a757fc-3d8f-424a-90c0-4233363b2711.md
new file mode 100644
index 00000000000..4496527db2f
--- /dev/null
+++ b/docs/queries/ansible-queries/gcp/28a757fc-3d8f-424a-90c0-4233363b2711.md
@@ -0,0 +1,67 @@
+---
+title: PostgreSQL Misconfigured Log Messages Flag
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 28a757fc-3d8f-424a-90c0-4233363b2711
+- **Query name:** PostgreSQL Misconfigured Log Messages Flag
+- **Platform:** Ansible
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/postgresql_misconfigured_log_messages_flag)
+
+### Description
+PostgreSQL database 'log_min_messages' flag isn't set to a valid value
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: "{{ resource_name }}-2" + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: log_min_messages + value: debug6 + tier: db-n1-standard-1 + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: '{{ resource_name }}-2' + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: log_min_messages + value: log + tier: db-n1-standard-1 + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/29b8224a-60e9-4011-8ac2-7916a659841f.md b/docs/queries/ansible-queries/gcp/29b8224a-60e9-4011-8ac2-7916a659841f.md new file mode 100644 index 00000000000..766873b0973 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/29b8224a-60e9-4011-8ac2-7916a659841f.md @@ -0,0 +1,83 @@ +--- +title: Google Compute Network Using Default Firewall Rule +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 29b8224a-60e9-4011-8ac2-7916a659841f +- **Query name:** Google Compute Network Using Default Firewall Rule +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/google_compute_network_using_default_firewall_rule) + +### Description +Google Compute Network should not use default firewall rule
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-name) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +- name: create a firewall2 + google.cloud.gcp_compute_firewall: + name: default + allowed: + - ip_protocol: tcp + ports: + - '22' + state: present + network: "{{ my_network2 }}" +- name: create a network2 + google.cloud.gcp_compute_network: + name: test_object2 + auto_create_subnetworks: 'true' + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + register: my_network2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a firewall + google.cloud.gcp_compute_firewall: + name: test_object + allowed: + - ip_protocol: tcp + ports: + - '22' + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + network: "{{ my_network }}" +- name: create a network + google.cloud.gcp_compute_network: + name: test_object + auto_create_subnetworks: 'true' + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + register: my_network + +``` diff --git a/docs/queries/ansible-queries/gcp/300a9964-b086-41f7-9378-b6de3ba1c32b.md b/docs/queries/ansible-queries/gcp/300a9964-b086-41f7-9378-b6de3ba1c32b.md new file mode 100644 index 00000000000..a97e66b97d0 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/300a9964-b086-41f7-9378-b6de3ba1c32b.md 
@@ -0,0 +1,75 @@ +--- +title: GKE Legacy Authorization Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 300a9964-b086-41f7-9378-b6de3ba1c32b +- **Query name:** GKE Legacy Authorization Enabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/gke_legacy_authorization_enabled) + +### Description +Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacy_abac.enabled' must be false.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +#this is a problematic code where the query should report a result(s) +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + legacy_abac: + enabled: yes + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + legacy_abac: + enabled: no + +``` diff --git a/docs/queries/ansible-queries/gcp/344bf8ab-9308-462b-a6b2-697432e40ba1.md b/docs/queries/ansible-queries/gcp/344bf8ab-9308-462b-a6b2-697432e40ba1.md new file mode 100644 index 00000000000..e857f058faa --- /dev/null +++ b/docs/queries/ansible-queries/gcp/344bf8ab-9308-462b-a6b2-697432e40ba1.md 
@@ -0,0 +1,126 @@ +--- +title: GKE Basic Authentication Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 344bf8ab-9308-462b-a6b2-697432e40ba1 +- **Query name:** GKE Basic Authentication Enabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/gke_basic_authentication_enabled) + +### Description +GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 3 47 18 63" +#this is a problematic code where the query should report a result(s) +- name: create a cluster1 + google.cloud.gcp_container_cluster: + name: my-cluster1 + initial_node_count: 2 + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster2 + google.cloud.gcp_container_cluster: + name: my-cluster2 + initial_node_count: 2 + master_auth: + password: "" + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster3 + google.cloud.gcp_container_cluster: + name: my-cluster3 + initial_node_count: 2 + master_auth: + username: "" + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster4 + google.cloud.gcp_container_cluster: + name: my-cluster4 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: "" + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster5 + google.cloud.gcp_container_cluster: + name: my-cluster5 + initial_node_count: 2 + master_auth: + username: "" + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + 
service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: '' + password: '' + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/3602d273-3290-47b2-80fa-720162b1a8af.md b/docs/queries/ansible-queries/gcp/3602d273-3290-47b2-80fa-720162b1a8af.md new file mode 100644 index 00000000000..a9bf319e955 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/3602d273-3290-47b2-80fa-720162b1a8af.md @@ -0,0 +1,91 @@ +--- +title: Google Compute Network Using Firewall Rule that Allows All Ports +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3602d273-3290-47b2-80fa-720162b1a8af +- **Query name:** Google Compute Network Using Firewall Rule that Allows All Ports +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/google_compute_network_using_firewall_rule_allows_all_ports) + +### Description +Google Compute Network should not use a firewall rule that allows all ports
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-allowed) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19" +- name: create a firewall2 + google.cloud.gcp_compute_firewall: + name: test_object + allowed: + - ip_protocol: tcp + ports: + - '0-65535' + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + network: "{{ my_network2 }}" +- name: create a network2 + google.cloud.gcp_compute_network: + name: test_object + auto_create_subnetworks: 'true' + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + register: my_network2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a firewall + google.cloud.gcp_compute_firewall: + name: test_object + allowed: + - ip_protocol: tcp + ports: + - '22' + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + network: "{{ my_network }}" +- name: create a network + google.cloud.gcp_compute_network: + name: test_object + auto_create_subnetworks: 'true' + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + register: my_network + +``` diff --git a/docs/queries/ansible-queries/gcp/3b30e3d6-c99b-4318-b38f-b99db74578b5.md b/docs/queries/ansible-queries/gcp/3b30e3d6-c99b-4318-b38f-b99db74578b5.md new file mode 100644 index 00000000000..1d6c11f29cb --- /dev/null +++ b/docs/queries/ansible-queries/gcp/3b30e3d6-c99b-4318-b38f-b99db74578b5.md 
@@ -0,0 +1,142 @@ +--- +title: Private Cluster Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3b30e3d6-c99b-4318-b38f-b99db74578b5 +- **Query name:** Private Cluster Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/private_cluster_disabled) + +### Description +Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_endpoint' and 'enable_private_nodes' must be true.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 66 48 85 31" +- name: create a cluster1 + google.cloud.gcp_container_cluster: + name: my-cluster1 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster2 + google.cloud.gcp_container_cluster: + name: my-cluster2 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + private_cluster_config: + enable_private_endpoint: yes +- name: create a cluster3 + google.cloud.gcp_container_cluster: + name: my-cluster3 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + private_cluster_config: + enable_private_nodes: yes +- name: create a cluster4 + google.cloud.gcp_container_cluster: + name: my-cluster4 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + private_cluster_config: + enable_private_endpoint: no + enable_private_nodes: yes +- name: create a 
cluster5 + google.cloud.gcp_container_cluster: + name: my-cluster5 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + private_cluster_config: + enable_private_endpoint: yes + enable_private_nodes: no + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + private_cluster_config: + enable_private_endpoint: yes + enable_private_nodes: yes + +``` diff --git a/docs/queries/ansible-queries/gcp/507df964-ad97-4035-ab14-94a82eabdfdd.md b/docs/queries/ansible-queries/gcp/507df964-ad97-4035-ab14-94a82eabdfdd.md new file mode 100644 index 00000000000..2a7aa48c448 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/507df964-ad97-4035-ab14-94a82eabdfdd.md @@ -0,0 +1,57 @@ +--- +title: Cloud Storage Bucket Logging Not Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 507df964-ad97-4035-ab14-94a82eabdfdd +- **Query name:** Cloud Storage Bucket Logging Not Enabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/cloud_storage_bucket_logging_not_enabled) + +### Description +Cloud storage bucket should have logging enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-logging) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +--- +- name: create a bucket + google.cloud.gcp_storage_bucket: + name: ansible-storage-module + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a bucket + google.cloud.gcp_storage_bucket: + name: ansible-storage-module + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + logging: + log_bucket: a_bucket_for_logs + log_object_prefix: log + +``` diff --git a/docs/queries/ansible-queries/gcp/66dae697-507b-4aef-be18-eec5bd707f33.md b/docs/queries/ansible-queries/gcp/66dae697-507b-4aef-be18-eec5bd707f33.md new file mode 100644 index 00000000000..44b56fab352 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/66dae697-507b-4aef-be18-eec5bd707f33.md @@ -0,0 +1,58 @@ +--- +title: OSLogin Is Disabled In VM Instance +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 66dae697-507b-4aef-be18-eec5bd707f33 +- **Query name:** OSLogin Is Disabled In VM Instance +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/oslogin_is_disabled_for_vm_instance) + +### Description +VM instance should have OSLogin enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +- name: oslogin-disabled + google.cloud.gcp_compute_instance: + metadata: + enable-oslogin: no + zone: us-central1-a + auth_kind: serviceaccount + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: oslogin-enabled + google.cloud.gcp_compute_instance: + metadata: + enable-oslogin: yes + zone: us-central1-a + auth_kind: serviceaccount +- name: oslogin-missing + google.cloud.gcp_compute_instance: + metadata: + startup-script-url: gs:://graphite-playground/bootstrap.sh + cost-center: '12345' + zone: us-central1-a + auth_kind: serviceaccount + +``` diff --git a/docs/queries/ansible-queries/gcp/6a4080ae-79bd-42f6-a924-8f534c1c018b.md b/docs/queries/ansible-queries/gcp/6a4080ae-79bd-42f6-a924-8f534c1c018b.md new file mode 100644 index 00000000000..64c8a40532c --- /dev/null +++ b/docs/queries/ansible-queries/gcp/6a4080ae-79bd-42f6-a924-8f534c1c018b.md @@ -0,0 +1,74 @@ +--- +title: Google Compute Subnetwork with Private Google Access Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6a4080ae-79bd-42f6-a924-8f534c1c018b +- **Query name:** Google Compute Subnetwork with Private Google Access Disabled +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/google_compute_subnetwork_with_private_google_access_disabled) + +### Description +Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to yes
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_subnetwork_module.html#parameter-private_ip_google_access) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: create a subnetwork + google.cloud.gcp_compute_subnetwork: + name: ansiblenet + region: us-west1 + network: "{{ network }}" + ip_cidr_range: 172.16.0.0/16 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +- name: create a subnetwork2 + google.cloud.gcp_compute_subnetwork: + name: ansiblenet + region: us-west1 + network: "{{ network }}" + ip_cidr_range: 172.16.0.0/16 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + private_ip_google_access: no + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a subnetwork3 + google.cloud.gcp_compute_subnetwork: + name: ansiblenet + region: us-west1 + network: "{{ network }}" + ip_cidr_range: 172.16.0.0/16 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + private_ip_google_access: yes + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/6cf4c3a7-ceb0-4475-8892-3745b84be24a.md b/docs/queries/ansible-queries/gcp/6cf4c3a7-ceb0-4475-8892-3745b84be24a.md new file mode 100644 index 00000000000..da2f120ab37 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/6cf4c3a7-ceb0-4475-8892-3745b84be24a.md 
@@ -0,0 +1,66 @@ +--- +title: DNSSEC Using RSASHA1 +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6cf4c3a7-ceb0-4475-8892-3745b84be24a +- **Query name:** DNSSEC Using RSASHA1 +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/dnssec_using_rsasha1) + +### Description +DNSSEC should not use the RSASHA1 algorithm
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_dns_managed_zone_module.html#return-dnssecConfig/defaultKeySpecs/algorithm) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +--- +- name: create a managed zone + google.cloud.gcp_dns_managed_zone: + name: test_object + dns_name: test.somewild2.example.com. + description: test zone + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + dnssec_config: + defaultKeySpecs: + algorithm: RSASHA1 + state: off + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a managed zone + google.cloud.gcp_dns_managed_zone: + name: test_object + dns_name: test.somewild2.example.com. + description: test zone + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + dnssec_config: + defaultKeySpecs: + algorithm: RSASHA256 + state: off + +``` diff --git a/docs/queries/ansible-queries/gcp/6d34aff3-fdd2-460c-8190-756a3b4969e8.md b/docs/queries/ansible-queries/gcp/6d34aff3-fdd2-460c-8190-756a3b4969e8.md new file mode 100644 index 00000000000..8f762c1f5f5 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/6d34aff3-fdd2-460c-8190-756a3b4969e8.md @@ -0,0 +1,67 @@ +--- +title: Cloud SQL Instance With Contained Database Authentication On +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6d34aff3-fdd2-460c-8190-756a3b4969e8 +- **Query name:** Cloud SQL Instance With Contained Database Authentication On +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/cloud_sql_instance_with_contained_database_authentication_on) + +### Description +SQL Instance should not have Contained Database Authentication On
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: "{{ resource_name }}-2" + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: contained database authentication + value: on + tier: db-n1-standard-1 + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: '{{ resource_name }}-2' + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: name1 + value: value1 + tier: db-n1-standard-1 + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/7289eebd-a477-4064-8ad4-3c044bd70b00.md b/docs/queries/ansible-queries/gcp/7289eebd-a477-4064-8ad4-3c044bd70b00.md new file mode 100644 index 00000000000..ffd7447de0c --- /dev/null +++ b/docs/queries/ansible-queries/gcp/7289eebd-a477-4064-8ad4-3c044bd70b00.md 
@@ -0,0 +1,91 @@ +--- +title: Google Compute Network Using Firewall Rule that Allows Port Range +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7289eebd-a477-4064-8ad4-3c044bd70b00 +- **Query name:** Google Compute Network Using Firewall Rule that Allows Port Range +- **Platform:** Ansible +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/google_compute_network_using_firewall_allows_port_range) + +### Description +Google Compute Network should not use a firewall rule that allows port range
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html#parameter-allowed) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19" +- name: create a firewall2 + google.cloud.gcp_compute_firewall: + name: test_object + allowed: + - ip_protocol: tcp + ports: + - '20-1000' + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + network: "{{ my_network2 }}" +- name: create a network2 + google.cloud.gcp_compute_network: + name: test_object + auto_create_subnetworks: 'true' + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + register: my_network2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a firewall + google.cloud.gcp_compute_firewall: + name: test_object + allowed: + - ip_protocol: tcp + ports: + - '22' + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + network: "{{ my_network }}" +- name: create a network + google.cloud.gcp_compute_network: + name: test_object + auto_create_subnetworks: 'true' + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + register: my_network + +``` diff --git a/docs/queries/ansible-queries/gcp/75418eb9-39ec-465f-913c-6f2b6a80dc77.md b/docs/queries/ansible-queries/gcp/75418eb9-39ec-465f-913c-6f2b6a80dc77.md new file mode 100644 index 00000000000..39661fe890f --- /dev/null +++ b/docs/queries/ansible-queries/gcp/75418eb9-39ec-465f-913c-6f2b6a80dc77.md 
@@ -0,0 +1,96 @@ +--- +title: RDP Access Is Not Restricted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 75418eb9-39ec-465f-913c-6f2b6a80dc77 +- **Query name:** RDP Access Is Not Restricted +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/rdp_access_is_not_restricted) + +### Description +Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 29" +- name: rdp_in_range + google.cloud.gcp_compute_firewall: + name: test_object + source_ranges: + - "0.0.0.0/0" + allowed: + - ip_protocol: tcp + ports: + - "22" + - "80" + - "8080" + - "2000-4000" + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: rdp_in_port + google.cloud.gcp_compute_firewall: + name: test_object + source_ranges: + - "0.0.0.0/0" + allowed: + - ip_protocol: tcp + ports: + - "22" + - "80" + - "3389" + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a firewall + google.cloud.gcp_compute_firewall: + name: test_object + allowed: + - ip_protocol: tcp + ports: + - '80' + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/7814ddda-e758-4a56-8be3-289a81ded929.md b/docs/queries/ansible-queries/gcp/7814ddda-e758-4a56-8be3-289a81ded929.md new file mode 100644 index 00000000000..63f1584112d --- /dev/null +++ b/docs/queries/ansible-queries/gcp/7814ddda-e758-4a56-8be3-289a81ded929.md 
@@ -0,0 +1,65 @@ +--- +title: Cloud Storage Bucket Versioning Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7814ddda-e758-4a56-8be3-289a81ded929 +- **Query name:** Cloud Storage Bucket Versioning Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/cloud_storage_bucket_versioning_disabled) + +### Description +Cloud Storage Bucket should have versioning enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_storage_bucket_module.html#parameter-versioning) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 3" +--- +- name: create a bucket + google.cloud.gcp_storage_bucket: + name: ansible-storage-module + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a second bucket + google.cloud.gcp_storage_bucket: + name: ansible-storage-module + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + versioning: + enabled: no + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a bucket + google.cloud.gcp_storage_bucket: + name: ansible-storage-module + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + versioning: + enabled: yes + +``` diff --git a/docs/queries/ansible-queries/gcp/7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md b/docs/queries/ansible-queries/gcp/7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md new file mode 100644 index 00000000000..1851651bb14 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b.md @@ -0,0 +1,89 @@ +--- +title: SQL DB Instance Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b +- **Query name:** SQL DB Instance Publicly Accessible +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/sql_db_instance_is_publicly_accessible) + +### Description +Cloud SQL instances should not be publicly accessible.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 34 12" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + name: "{{ resource_name }}-2" + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + ip_configuration: + authorized_networks: + - name: "google dns server" + value: "0.0.0.0" + tier: db-n1-standard-1 + state: present +- name: sql_instance2 + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + name: "{{ resource_name }}-2" + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + ip_configuration: + ipv4_enabled: yes + tier: db-n1-standard-1 + state: present +- name: sql_instance3 + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + name: "{{ resource_name }}-2" + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + tier: db-n1-standard-1 + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + name: '{{ resource_name }}-2' + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + ip_configuration: + authorized_networks: + - name: google dns server + value: 8.8.8.8/32 + tier: db-n1-standard-1 + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/80b15fb1-6207-40f4-a803-6915ae619a03.md b/docs/queries/ansible-queries/gcp/80b15fb1-6207-40f4-a803-6915ae619a03.md new file mode 100644 index 00000000000..0305edcda16 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/80b15fb1-6207-40f4-a803-6915ae619a03.md 
@@ -0,0 +1,84 @@ +--- +title: Cloud DNS Without DNSSEC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 80b15fb1-6207-40f4-a803-6915ae619a03 +- **Query name:** Cloud DNS Without DNSSEC +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/cloud_dns_without_dnnsec) + +### Description +DNSSEC must be enabled for Cloud DNS
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_dns_managed_zone_module.html#return-dnssecConfig/state) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 3 20" +--- +- name: create a managed zone + google.cloud.gcp_dns_managed_zone: + name: test_object + dns_name: test.somewild2.example.com. + description: test zone + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a second managed zone + google.cloud.gcp_dns_managed_zone: + name: test_object + dns_name: test.somewild2.example.com. + description: test zone + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + dnssec_config: + kind: some_kind +- name: create a third managed zone + google.cloud.gcp_dns_managed_zone: + name: test_object + dns_name: test.somewild2.example.com. + description: test zone + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + dnssec_config: + kind: some_kind + state: off + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a managed zone + google.cloud.gcp_dns_managed_zone: + name: test_object + dns_name: test.somewild2.example.com. + description: test zone + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + dnssec_config: + kind: some_kind + state: on + +``` diff --git a/docs/queries/ansible-queries/gcp/829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md b/docs/queries/ansible-queries/gcp/829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md new file mode 100644 index 00000000000..74ebf47b919 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/829f1c60-2bab-44c6-8a21-5cd9d39a2c82.md 
@@ -0,0 +1,61 @@ +--- +title: Compute Instance Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 829f1c60-2bab-44c6-8a21-5cd9d39a2c82 +- **Query name:** Compute Instance Is Publicly Accessible +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/compute_instance_is_publicly_accessible) + +### Description +Compute instances shouldn't be accessible from the Internet.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html#parameter-network_interfaces/access_configs) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +- name: create a instance + google.cloud.gcp_compute_instance: + name: test_object + network_interfaces: + - network: "{{ network }}" + access_configs: + - name: External NAT + nat_ip: "{{ address }}" + type: ONE_TO_ONE_NAT + zone: us-central1-a + project: test_project + auth_kind: serviceaccount + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a instance + google.cloud.gcp_compute_instance: + name: test_object + network_interfaces: + - network: '{{ network }}' + zone: us-central1-a + project: test_project + auth_kind: serviceaccount + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/89afe3f0-4681-4ce3-89ed-896cebd4277c.md b/docs/queries/ansible-queries/gcp/89afe3f0-4681-4ce3-89ed-896cebd4277c.md new file mode 100644 index 00000000000..4154d513ced --- /dev/null +++ b/docs/queries/ansible-queries/gcp/89afe3f0-4681-4ce3-89ed-896cebd4277c.md @@ -0,0 +1,78 @@ +--- +title: PostgreSQL log_checkpoints Flag Not Set To ON +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 89afe3f0-4681-4ce3-89ed-896cebd4277c +- **Query name:** PostgreSQL log_checkpoints Flag Not Set To ON +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/postgresql_log_checkpoints_flag_not_set_to_on) + +### Description +PostgreSQL database instance should have a 'log_checkpoints' flag with its value set to 'on'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 5" +- name: create instance + google.cloud.gcp_sql_instance: + name: GCP instance + settings: + databaseFlags: + - name: log_checkpoints + value: off + tier: db-n1-standard-1 + region: us-central1 + project: test_project + database_version: POSTGRES_9_6 + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create another instance + google.cloud.gcp_sql_instance: + name: GCP instance 2 + settings: + tier: db-n1-standard-1 + region: us-central1 + project: test_project + database_version: POSTGRES_9_6 + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a instance + google.cloud.gcp_sql_instance: + name: GCP instance + settings: + databaseFlags: + - name: log_checkpoints + value: on + tier: db-n1-standard-1 + region: us-central1 + project: test_project + database_version: POSTGRES_9_6 + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/98e04ca0-34f5-4c74-8fec-d2e611ce2790.md b/docs/queries/ansible-queries/gcp/98e04ca0-34f5-4c74-8fec-d2e611ce2790.md new file mode 100644 index 00000000000..812ba74c49e --- /dev/null +++ b/docs/queries/ansible-queries/gcp/98e04ca0-34f5-4c74-8fec-d2e611ce2790.md 
@@ -0,0 +1,156 @@ +--- +title: Network Policy Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 98e04ca0-34f5-4c74-8fec-d2e611ce2790 +- **Query name:** Network Policy Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/network_policy_disabled) + +### Description +Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="96 3 73 21 54" +#this is a problematic code where the query should report a result(s) +- name: create a cluster1 + google.cloud.gcp_container_cluster: + name: my-cluster1 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + addons_config: + network_policy_config: + disabled: false +- name: create a cluster2 + google.cloud.gcp_container_cluster: + name: my-cluster2 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + network_policy: + enabled: yes +- name: create a cluster3 + google.cloud.gcp_container_cluster: + name: my-cluster3 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + network_policy: + enabled: yes + addons_config: + horizontal_pod_autoscaling: + disabled: yes +- name: create a cluster4 + google.cloud.gcp_container_cluster: + name: my-cluster4 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + 
service_account_file: "/tmp/auth.pem" + state: present + network_policy: + enabled: no + addons_config: + network_policy_config: + disabled: no +- name: create a cluster5 + google.cloud.gcp_container_cluster: + name: my-cluster5 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + network_policy: + enabled: yes + addons_config: + network_policy_config: + disabled: yes + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + network_policy: + enabled: yes + addons_config: + network_policy_config: + disabled: no + +``` diff --git a/docs/queries/ansible-queries/gcp/9df7f78f-ebe3-432e-ac3b-b67189c15518.md b/docs/queries/ansible-queries/gcp/9df7f78f-ebe3-432e-ac3b-b67189c15518.md new file mode 100644 index 00000000000..390963ff6b9 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/9df7f78f-ebe3-432e-ac3b-b67189c15518.md 
@@ -0,0 +1,126 @@ +--- +title: Cluster Master Authentication Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9df7f78f-ebe3-432e-ac3b-b67189c15518 +- **Query name:** Cluster Master Authentication Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/cluster_master_authentication_disabled) + +### Description +Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 3 46 18 61" +#this is a problematic code where the query should report a result(s) +- name: create a cluster1 + google.cloud.gcp_container_cluster: + name: my-cluster1 + initial_node_count: 2 + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster2 + google.cloud.gcp_container_cluster: + name: my-cluster2 + initial_node_count: 2 + master_auth: + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster3 + google.cloud.gcp_container_cluster: + name: my-cluster3 + initial_node_count: 2 + master_auth: + username: cluster_admin + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster4 + google.cloud.gcp_container_cluster: + name: my-cluster4 + initial_node_count: 2 + master_auth: + username: + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster5 + google.cloud.gcp_container_cluster: + name: my-cluster5 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + 
auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md b/docs/queries/ansible-queries/gcp/9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md new file mode 100644 index 00000000000..68a51f40ece --- /dev/null +++ b/docs/queries/ansible-queries/gcp/9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f.md @@ -0,0 +1,67 @@ +--- +title: Cloud SQL Instance With Cross DB Ownership Chaining On +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9e0c33ed-97f3-4ed6-8be9-bcbf3f65439f +- **Query name:** Cloud SQL Instance With Cross DB Ownership Chaining On +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/cloud_sql_instance_with_cross_db_ownership_chaining_on) + +### Description +GCP SQL Instance should not have Cross DB Ownership Chaining On
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: "{{ resource_name }}-2" + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: cross db ownership chaining + value: on + tier: db-n1-standard-1 + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: '{{ resource_name }}-2' + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: name1 + value: value1 + tier: db-n1-standard-1 + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md b/docs/queries/ansible-queries/gcp/a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md new file mode 100644 index 00000000000..d2a6a22f412 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/a7b520bb-2509-4fb0-be05-bc38f54c7a4c.md @@ -0,0 +1,67 @@ +--- +title: MySQL Instance With Local Infile On +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a7b520bb-2509-4fb0-be05-bc38f54c7a4c +- **Query name:** MySQL Instance With Local Infile On +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/mysql_instance_with_local_infile_on) + +### Description +MySQL Instance should not have Local Infile On
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: MYSQL_5_6 + name: "{{ resource_name }}-2" + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: local_infile + value: on + tier: db-n1-standard-1 + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: '{{ resource_name }}-2' + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: name1 + value: value1 + tier: db-n1-standard-1 + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/aed98a2a-e680-497a-8886-277cea0f4514.md b/docs/queries/ansible-queries/gcp/aed98a2a-e680-497a-8886-277cea0f4514.md new file mode 100644 index 00000000000..d7840e712e7 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/aed98a2a-e680-497a-8886-277cea0f4514.md @@ -0,0 +1,67 @@ +--- +title: PostgreSQL Misconfigured Logging Duration Flag +hide: + toc: true + navigation: true +--- + + + +- **Query id:** aed98a2a-e680-497a-8886-277cea0f4514 +- **Query name:** PostgreSQL Misconfigured Logging Duration Flag +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/postgresql_misconfigured_logging_duration_flag) + +### Description +PostgreSQL database 'log_min_duration_statement' flag isn't set to '-1'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: "{{ resource_name }}-2" + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: log_min_duration_statement + value: 0 + tier: db-n1-standard-1 + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: '{{ resource_name }}-2' + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: log_min_duration_statement + value: -1 + tier: db-n1-standard-1 + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/b28bcd2f-c309-490e-ab7c-35fc4023eb26.md b/docs/queries/ansible-queries/gcp/b28bcd2f-c309-490e-ab7c-35fc4023eb26.md new file mode 100644 index 00000000000..ccdde05deb2 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/b28bcd2f-c309-490e-ab7c-35fc4023eb26.md 
@@ -0,0 +1,74 @@ +--- +title: Google Compute SSL Policy Weak Cipher In Use +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b28bcd2f-c309-490e-ab7c-35fc4023eb26 +- **Query name:** Google Compute SSL Policy Weak Cipher In Use +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/google_compute_ssl_policy_weak_cipher_in_use) + +### Description +This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_ssl_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 2" +- name: create a SSL policy + google.cloud.gcp_compute_ssl_policy: + name: test_object + profile: CUSTOM + custom_features: + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a SSL policy2 + google.cloud.gcp_compute_ssl_policy: + name: test_object2 + profile: CUSTOM + min_tls_version: TLS_1_1 + custom_features: + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a SSL policy + google.cloud.gcp_compute_ssl_policy: + name: test_object + profile: CUSTOM + min_tls_version: TLS_1_2 + custom_features: + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md b/docs/queries/ansible-queries/gcp/b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md new file mode 100644 index 00000000000..8e3a000e985 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/b2fbf1df-76dd-4d78-a6c0-e538f4a9b016.md 
@@ -0,0 +1,75 @@ +--- +title: SSH Access Is Not Restricted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b2fbf1df-76dd-4d78-a6c0-e538f4a9b016 +- **Query name:** SSH Access Is Not Restricted +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/ssh_access_is_not_restricted) + +### Description +Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +- name: ssh_unrestricted + google.cloud.gcp_compute_firewall: + name: test_object + allowed: + - ip_protocol: tcp + ports: + - '22' + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + source_ranges: + - "0.0.0.0/0" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: ssh_restricted + google.cloud.gcp_compute_firewall: + name: test_object + denied: + - ip_protocol: tcp + ports: + - '22' + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + source_ranges: + - 0.0.0.0 + +``` diff --git a/docs/queries/ansible-queries/gcp/bc20bbc6-0697-4568-9a73-85af1dd97bdd.md b/docs/queries/ansible-queries/gcp/bc20bbc6-0697-4568-9a73-85af1dd97bdd.md new file mode 100644 index 00000000000..0da62b66cb9 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/bc20bbc6-0697-4568-9a73-85af1dd97bdd.md @@ -0,0 +1,56 @@ +--- +title: VM With Full Cloud Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bc20bbc6-0697-4568-9a73-85af1dd97bdd +- **Query name:** VM With Full Cloud Access +- **Platform:** Ansible +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/vm_with_full_cloud_access) + +### Description +A VM instance is configured to use the default service account with full access to all Cloud APIs
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html#parameter-service_accounts/scopes) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +- name: create a instance + google.cloud.gcp_compute_instance: + name: test_object + zone: us-central1-a + project: test_project + auth_kind: serviceaccount + service_accounts: + - scopes: + - cloud-platform + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a instance + google.cloud.gcp_compute_instance: + name: test_object + zone: us-central1-a + project: test_project + auth_kind: serviceaccount + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/be41f891-96b1-4b9d-b74f-b922a918c778.md b/docs/queries/ansible-queries/gcp/be41f891-96b1-4b9d-b74f-b922a918c778.md new file mode 100644 index 00000000000..812f11b4b0f --- /dev/null +++ b/docs/queries/ansible-queries/gcp/be41f891-96b1-4b9d-b74f-b922a918c778.md @@ -0,0 +1,64 @@ +--- +title: COS Node Image Not Used +hide: + toc: true + navigation: true +--- + + + +- **Query id:** be41f891-96b1-4b9d-b74f-b922a918c778 +- **Query name:** COS Node Image Not Used +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/cos_node_image_not_used) + +### Description +The node image should be Container-Optimized OS(COS)
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-config/image_type) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +--- +- name: create a node pool + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: "{{ cluster }}" + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + config: + image_type: WINDOWS_LTSC + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a node pool + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: '{{ cluster }}' + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + config: + image_type: COS + +``` diff --git a/docs/queries/ansible-queries/gcp/c6fc6f29-dc04-46b6-99ba-683c01aff350.md b/docs/queries/ansible-queries/gcp/c6fc6f29-dc04-46b6-99ba-683c01aff350.md new file mode 100644 index 00000000000..3c5b274bda4 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/c6fc6f29-dc04-46b6-99ba-683c01aff350.md @@ -0,0 +1,58 @@ +--- +title: Serial Ports Are Enabled For VM Instances +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c6fc6f29-dc04-46b6-99ba-683c01aff350 +- **Query name:** Serial Ports Are Enabled For VM Instances +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/serial_ports_enabled_for_vm_instances) + +### Description +Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_instance_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +- name: serial_enabled + google.cloud.gcp_compute_instance: + metadata: + serial-port-enable: yes + zone: us-central1-a + auth_kind: serviceaccount + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: serial_disabled + google.cloud.gcp_compute_instance: + metadata: + serial-port-enabled: no + zone: us-central1-a + auth_kind: serviceaccount +- name: serial_undefined + google.cloud.gcp_compute_instance: + metadata: + startup-script-url: gs:://graphite-playground/bootstrap.sh + cost-center: '12345' + zone: us-central1-a + auth_kind: serviceaccount + +``` diff --git a/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md b/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md new file mode 100644 index 00000000000..e1733be190e --- /dev/null +++ b/docs/queries/ansible-queries/gcp/d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb.md @@ -0,0 +1,102 @@ +--- +title: SQL DB Instance With SSL Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d0f7da39-a2d5-4c78-bb85-4b7f338b3cbb +- **Query name:** SQL DB Instance With SSL Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/sql_db_instance_with_ssl_disabled) + +### Description +Cloud SQL Database Instance should have SLL enabled
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/ip_configuration/require_ssl) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 3 13 39" +--- +- name: create a instance + google.cloud.gcp_sql_instance: + name: "{{ resource_name }}-2" + region: us-central1 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a second instance + google.cloud.gcp_sql_instance: + name: "{{ resource_name }}-2" + settings: + tier: db-n1-standard-1 + region: us-central1 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a third instance + google.cloud.gcp_sql_instance: + name: "{{ resource_name }}-2" + settings: + ip_configuration: + authorized_networks: + - name: google dns server + value: 8.8.8.8/32 + tier: db-n1-standard-1 + region: us-central1 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a forth instance + google.cloud.gcp_sql_instance: + name: "{{ resource_name }}-2" + settings: + ip_configuration: + require_ssl: no + authorized_networks: + - name: google dns server + value: 8.8.8.8/32 + tier: db-n1-standard-1 + region: us-central1 + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: create a instance + google.cloud.gcp_sql_instance: + name: '{{ resource_name }}-2' + settings: + ip_configuration: + require_ssl: yes + authorized_networks: + - name: google dns server + value: 8.8.8.8/32 + tier: db-n1-standard-1 + region: us-central1 + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/d43366c5-80b0-45de-bbe8-2338f4ab0a83.md b/docs/queries/ansible-queries/gcp/d43366c5-80b0-45de-bbe8-2338f4ab0a83.md new file mode 100644 index 00000000000..a292263afa6 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/d43366c5-80b0-45de-bbe8-2338f4ab0a83.md @@ -0,0 +1,76 @@ +--- +title: GKE Master Authorized Networks Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d43366c5-80b0-45de-bbe8-2338f4ab0a83 +- **Query name:** GKE Master Authorized Networks Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/gke_master_authorized_networks_disabled) + +### Description +Master authorized networks must be enabled in GKE clusters
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html#parameter-master_authorized_networks_config/enabled) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 10 22" +--- +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + location: us-central1-a + auth_kind: serviceaccount + master_authorized_networks_config: + cidr_blocks: + - cidr_block: 192.0.2.0/24 + enabled: no + state: present +- name: create a second cluster + google.cloud.gcp_container_cluster: + name: my-second-cluster + location: us-central1-a + auth_kind: serviceaccount + master_authorized_networks_config: + cidr_blocks: + - cidr_block: 192.0.2.0/24 + state: present +- name: create a third cluster + google.cloud.gcp_container_cluster: + name: my-third-cluster + location: us-central1-a + auth_kind: serviceaccount + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + location: us-central1-a + auth_kind: serviceaccount + master_authorized_networks_config: + cidr_blocks: + - cidr_block: 192.0.2.0/24 + enabled: yes + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/d58c6f24-3763-4269-9f5b-86b2569a003b.md b/docs/queries/ansible-queries/gcp/d58c6f24-3763-4269-9f5b-86b2569a003b.md new file mode 100644 index 00000000000..7374ee28412 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/d58c6f24-3763-4269-9f5b-86b2569a003b.md 
@@ -0,0 +1,101 @@ +--- +title: Google Container Node Pool Auto Repair Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d58c6f24-3763-4269-9f5b-86b2569a003b +- **Query name:** Google Container Node Pool Auto Repair Disabled +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/google_container_node_pool_auto_repair_disabled) + +### Description +Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 29 13" +--- +- name: create a node pool + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: "{{ cluster }}" + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + management: + auto_repair: no + +- name: create a node pool2 + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: "{{ cluster }}" + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + management: + auto_repair: false + +- name: create a node pool3 + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: "{{ cluster }}" + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a node pool + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: '{{ cluster }}' + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + management: + auto_repair: yes + +- name: create a node pool + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: '{{ cluster }}' + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + management: + auto_repair: true + +``` 
diff --git a/docs/queries/ansible-queries/gcp/d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md b/docs/queries/ansible-queries/gcp/d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md new file mode 100644 index 00000000000..b107df816f9 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/d6e10477-2e19-4bcd-b8a8-19c65b89ccdf.md @@ -0,0 +1,88 @@ +--- +title: Node Auto Upgrade Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d6e10477-2e19-4bcd-b8a8-19c65b89ccdf +- **Query name:** Node Auto Upgrade Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/node_auto_upgrade_disabled) + +### Description +Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_node_pool_module.html#parameter-management/auto_upgrade) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 36 22" +--- +- name: create a node pool + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: "{{ cluster }}" + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a second node pool + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: "{{ cluster }}" + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + management: + auto_repair: yes +- name: create a third node pool + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: "{{ cluster }}" + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + management: + auto_repair: yes + auto_upgrade: no + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a node pool + google.cloud.gcp_container_node_pool: + name: my-pool + initial_node_count: 4 + cluster: '{{ cluster }}' + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + management: + auto-repair: yes + auto_upgrade: yes + +``` diff --git a/docs/queries/ansible-queries/gcp/d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md b/docs/queries/ansible-queries/gcp/d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md new file mode 100644 index 00000000000..1aa11f63f4e --- /dev/null +++ b/docs/queries/ansible-queries/gcp/d6fae5b6-ada9-46c0-8b36-3108a2a2f77b.md 
@@ -0,0 +1,67 @@ +--- +title: PostgreSQL Logging Of Temporary Files Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d6fae5b6-ada9-46c0-8b36-3108a2a2f77b +- **Query name:** PostgreSQL Logging Of Temporary Files Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/postgresql_logging_of_temporary_files_disabled) + +### Description +PostgreSQL database 'log_temp_files' flag isn't set to '0'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: "{{ resource_name }}-2" + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: log_temp_files + value: 1 + tier: db-n1-standard-1 + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: sql_instance + google.cloud.gcp_sql_instance: + auth_kind: serviceaccount + database_version: SQLSERVER_13_1 + name: '{{ resource_name }}-2' + project: test_project + region: us-central1 + service_account_file: /tmp/auth.pem + settings: + database_flags: + - name: log_temp_files + value: 0 + tier: db-n1-standard-1 + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md b/docs/queries/ansible-queries/gcp/d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md new file mode 100644 index 00000000000..17a7152f719 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/d7a5616f-0a3f-4d43-bc2b-29d1a183e317.md @@ -0,0 +1,78 @@ +--- +title: PostgreSQL Log Connections Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d7a5616f-0a3f-4d43-bc2b-29d1a183e317 +- **Query name:** PostgreSQL Log Connections Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/postgresql_log_connections_disabled) + +### Description +PostgreSQL database instance should have a 'log_connections' flag with its value set to 'on'
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 5" +- name: create instance + google.cloud.gcp_sql_instance: + name: GCP instance + settings: + databaseFlags: + - name: log_connections + value: off + tier: db-n1-standard-1 + region: us-central1 + project: test_project + database_version: POSTGRES_9_6 + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create another instance + google.cloud.gcp_sql_instance: + name: GCP instance 2 + settings: + tier: db-n1-standard-1 + region: us-central1 + project: test_project + database_version: POSTGRES_9_6 + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a instance + google.cloud.gcp_sql_instance: + name: GCP instance + settings: + databaseFlags: + - name: log_connections + value: on + tier: db-n1-standard-1 + region: us-central1 + project: test_project + database_version: POSTGRES_9_6 + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/dc126833-125a-40fb-905a-ce5f2afde240.md b/docs/queries/ansible-queries/gcp/dc126833-125a-40fb-905a-ce5f2afde240.md new file mode 100644 index 00000000000..4276ae3eed4 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/dc126833-125a-40fb-905a-ce5f2afde240.md 
@@ -0,0 +1,107 @@ +--- +title: GKE Using Default Service Account +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dc126833-125a-40fb-905a-ce5f2afde240 +- **Query name:** GKE Using Default Service Account +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/gke_using_default_service_account) + +### Description +Kubernetes Engine Clusters should not be configured to use the default service account
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html#parameter-node_config/service_account) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + service_account: "{{ default }}" + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a service account + google.cloud.gcp_iam_service_account: + name: sa-{{ resource_name.split("-")[-1] }}@graphite-playground.google.com.iam.gserviceaccount.com + display_name: My Ansible test key + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + register: default + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + service_account: "{{ myaccount }}" + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a service account + google.cloud.gcp_iam_service_account: + name: sa-{{ resource_name.split("-")[-1] }}@graphite-playground.google.com.iam.gserviceaccount.com + display_name: My Ansible test key + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + register: myaccount + +``` diff --git a/docs/queries/ansible-queries/gcp/ed672a9f-fbf0-44d8-a47d-779501b0db05.md b/docs/queries/ansible-queries/gcp/ed672a9f-fbf0-44d8-a47d-779501b0db05.md new file mode 100644 index 00000000000..c0a5de150e1 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/ed672a9f-fbf0-44d8-a47d-779501b0db05.md @@ -0,0 +1,107 @@ +--- +title: IP Aliasing Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ed672a9f-fbf0-44d8-a47d-779501b0db05 +- **Query name:** IP Aliasing Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/ip_aliasing_disabled) + +### Description +Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and the subattribute 'use_ip_aliases' must be set to 'yes'.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 50 31" +- name: create a cluster1 + google.cloud.gcp_container_cluster: + name: my-cluster1 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster2 + google.cloud.gcp_container_cluster: + name: my-cluster2 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + ip_allocation_policy: + create_subnetwork: no +- name: create a cluster3 + google.cloud.gcp_container_cluster: + name: my-cluster3 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + ip_allocation_policy: + create_subnetwork: no + use_ip_aliases: no + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + ip_allocation_policy: + create_subnetwork: no + use_ip_aliases: yes + +``` diff --git a/docs/queries/ansible-queries/gcp/f9b7086b-deb8-4034-9330-d7fd38f1b8de.md b/docs/queries/ansible-queries/gcp/f9b7086b-deb8-4034-9330-d7fd38f1b8de.md new file mode 100644 index 00000000000..54d24d5f913 --- /dev/null +++ b/docs/queries/ansible-queries/gcp/f9b7086b-deb8-4034-9330-d7fd38f1b8de.md @@ -0,0 +1,87 @@ +--- +title: High Google KMS Crypto Key Rotation Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f9b7086b-deb8-4034-9330-d7fd38f1b8de +- **Query name:** High Google KMS Crypto Key Rotation Period +- **Platform:** Ansible +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/high_google_kms_crypto_key_rotation_period) + +### Description +KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_kms_crypto_key_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18 23" +--- +- name: create a key ring + google.cloud.gcp_kms_key_ring: + name: key-key-ring + location: us-central1 + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: present + register: keyring + +- name: create a crypto key + google.cloud.gcp_kms_crypto_key: + name: test_object + key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring + project: test_project + auth_kind: serviceaccount + rotation_period: "315356000s" + service_account_file: "/tmp/auth.pem" + state: present + +- name: create a crypto key2 + google.cloud.gcp_kms_crypto_key: + name: test_object + key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a key ring + google.cloud.gcp_kms_key_ring: + name: key-key-ring + location: us-central1 + project: '{{ gcp_project }}' + auth_kind: '{{ gcp_cred_kind }}' + service_account_file: '{{ gcp_cred_file }}' + state: present + register: keyring + +- name: create a crypto key + google.cloud.gcp_kms_crypto_key: + name: test_object + key_ring: projects/{{ gcp_project }}/locations/us-central1/keyRings/key-key-ring + project: test_project + auth_kind: serviceaccount + rotation_period: 7776000s + service_account_file: /tmp/auth.pem + state: present + +``` diff --git a/docs/queries/ansible-queries/gcp/fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md b/docs/queries/ansible-queries/gcp/fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md new file mode 100644 index 00000000000..25a9cba2bf7 
--- /dev/null +++ b/docs/queries/ansible-queries/gcp/fbe9b2d0-a2b7-47a1-a534-03775f3013f7.md @@ -0,0 +1,102 @@ +--- +title: Cluster Labels Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fbe9b2d0-a2b7-47a1-a534-03775f3013f7 +- **Query name:** Cluster Labels Disabled +- **Platform:** Ansible +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/ansible/gcp/cluster_labels_disabled) + +### Description +Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined
+[Documentation](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_container_cluster_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 2 47" +- name: create a cluster1 + google.cloud.gcp_container_cluster: + name: my-cluster1 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +- name: create a cluster2 + google.cloud.gcp_container_cluster: + name: my-cluster3 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + resource_labels: +- name: create a cluster3 + google.cloud.gcp_container_cluster: + name: my-cluster3 + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + resource_labels: "" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + master_auth: + username: cluster_admin + password: my-secret-password + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: /tmp/auth.pem + state: present + resource_labels: label1 + +``` 
diff --git a/docs/queries/azureresourcemanager-queries.md b/docs/queries/azureresourcemanager-queries.md index 2149e47edff..f2eb61b2b1b 100644 --- a/docs/queries/azureresourcemanager-queries.md +++ b/docs/queries/azureresourcemanager-queries.md @@ -3,45 +3,45 @@ This page contains all queries from AzureResourceManager. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true|Documentation
| -|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined|Documentation
| -|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'|Documentation
| -|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled|Documentation
| -|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS|Documentation
| -|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible|Documentation
| -|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL|Documentation
| -|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'|Documentation
| -|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet|Documentation
| -|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet|Documentation
| -|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS|Documentation
| -|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled|Documentation
| -|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true|Documentation
| -|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it.|Documentation
| -|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties|Documentation
| -|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined.|Documentation
| -|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'|Documentation
| -|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled|Documentation
| -|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'|Documentation
| -|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated.|Documentation
| -|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'|Documentation
| -|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'|Documentation
| -|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods|Documentation
| -|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)|Documentation
| -|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled.|Documentation
| -|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled|Documentation
| -|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90|Documentation
| -|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days|Documentation
| -|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value|Documentation
| -|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'|Documentation
| -|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined|Documentation
| -|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled.|Documentation
| -|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled|Documentation
| -|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS|Documentation
| -|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set|Documentation
| -|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert|Documentation
| -|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts|Documentation
| -|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription|Documentation
| +|Key Vault Not Recoverable
7c25f361-7c66-44bf-9b69-022acd5eb4bd|High|Backup|Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true (read more)|Documentation
| +|Azure Instance Using Basic Authentication
6797f581-0433-4768-ae3e-7ceb2f8b138e|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|Secret Without Expiration Date
cff9c3f7-e8f0-455f-9fb4-5f72326da96e|High|Best Practices|All Secrets must have an expiration date defined (read more)|Documentation
| +|Web App Not Using TLS Last Version
b5c851d5-00f1-43dc-a8de-3218fd6f71be|High|Encryption|Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2' (read more)|Documentation
| +|Azure Managed Disk Without Encryption
350f3955-b5be-436f-afaa-3d2be2fa6cdd|High|Encryption|Azure Disk Encryption should be enabled (read more)|Documentation
| +|Storage Account Allows Unsecure Transfer
1367dd13-2c90-4020-80b7-e4339a3dc2c4|High|Encryption|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|Website Not Forcing HTTPS
488847ff-6031-487c-bf42-98fd6ac5c9a0|High|Insecure Configurations|'Microsoft.Web/sites' should force the use of HTTPS (read more)|Documentation
| +|Storage Blob Service Container With Public Access
a0ab985d-660b-41f7-ac81-70957ee8e627|High|Networking and Firewall|Storage Blob Service Container should not publicly accessible (read more)|Documentation
| +|MySQL Server SSL Enforcement Disabled
90120147-f2e7-4fda-bb21-6fa9109afd63|High|Networking and Firewall|'Microsoft.DBforMySQL/servers' should enforce SSL (read more)|Documentation
| +|PostgreSQL Database Server SSL Disabled
bf500309-da53-4dd3-bcf7-95f7974545a5|High|Networking and Firewall|Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled' (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
e25b56cd-a4d6-498f-ab92-e6296a082097|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|Network Security Group With Unrestricted Access To SSH
2ade1579-4b2c-4590-bebb-f99bf597f612|High|Networking and Firewall|Port 22 (SSH) is exposed to the Internet (read more)|Documentation
| +|Network Security Group With Unrestricted Access To RDP
59cb3da7-f206-4ae6-b827-7abf0a9cab9d|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the Internet (read more)|Documentation
| +|SQL Database Server Firewall Allows All IPS
6a3201a5-1630-494b-b294-3129d06b0eca|High|Networking and Firewall|SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS (read more)|Documentation
| +|Website with Client Certificate Auth Disabled
92302b47-b0cc-46cb-a28f-5610ecda140b|High|Networking and Firewall|'Microsoft.Web/sites' should have client certificate authentication enabled (read more)|Documentation
| +|AKS Cluster RBAC Disabled
9307a2ed-35c2-413d-94de-a1a0682c2158|Medium|Access Control|Microsoft.ContainerService/managedClusters should have enableRBAC set to true (read more)|Documentation
| +|Role Definitions Allow Custom Subscription Role Creation
8fa9ceea-881f-4ef0-b0b8-728f589699a7|Medium|Access Control|Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write') (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
d855ced8-6157-448f-9f1d-f05a41d046f7|Medium|Access Control|Make sure that your Azure Storage Account access is limited to those who require it. (read more)|Documentation
| +|SQL Server Database With Alerts Disabled
574e8d82-1db2-4b9c-b526-e320ede9a9ff|Medium|Best Practices|All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties (read more)|Documentation
| +|AKS Cluster Network Policy Not Configured
25c0228e-4444-459b-a2df-93c7df40b7ed|Medium|Insecure Configurations|Azure Kubernetes Service must have a network policy defined. (read more)|Documentation
| +|PostgreSQL Database Server Log Connections Disabled
e69bda39-e1e2-47ca-b9ee-b6531b23aedd|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on' (read more)|Documentation
| +|AKS With Authorized IP Ranges Disabled
2583fab1-953b-4fae-bd02-4a136a6c21f9|Medium|Networking and Firewall|Azure Kubernetes Service must have an authorized IP range for API Services enabled (read more)|Documentation
| +|PostgreSQL Database Server Log Checkpoints Disabled
f9112910-c7bb-4864-9f5e-2059ba413bb7|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on' (read more)|Documentation
| +|Standard Price Is Not Selected
2081c7d6-2851-4cce-bda5-cb49d462da42|Medium|Networking and Firewall|Azure Security Center provides more features for standard pricing mode, so it must be activated. (read more)|Documentation
| +|PostgresSQL Database Server Connection Throttling Disabled
a6d774b6-d9ea-4bf4-8433-217bf15d2fb8|Medium|Networking and Firewall|Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on' (read more)|Documentation
| +|Log Profile Incorrect Category
4d522e7b-f938-4d51-a3b1-974ada528bd3|Medium|Observability|Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action' (read more)|Documentation
| +|Storage Logging For Read Write And Delete Requests Disabled
43f6e60c-9cdb-4e77-864d-a66595d26518|Medium|Observability|Storage Logging should be enabled for read, write and delete methods (read more)|Documentation
| +|Unrecommended Log Profile Retention Policy
25684eac-daaa-4c2c-94b4-8d2dbb627909|Medium|Observability|Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely) (read more)|Documentation
| +|AKS Logging To Azure Monitoring Is Disabled
9b09dee1-f09b-4013-91d2-158fa4695f4b|Medium|Observability|Azure Kubernetes Service should have logging to Azure Monitoring enabled. (read more)|Documentation
| +|SQL Server Database Without Auditing
e055285c-bc01-48b4-8aa5-8a54acdd29df|Medium|Observability|Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled (read more)|Documentation
| +|Unrecommended Network Watcher Flow Log Retention Policy
564b70f8-41cd-4690-aff8-bb53add86bc9|Medium|Observability|Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90 (read more)|Documentation
| +|SQL Server Database With Unrecommended Retention Days
c09cdac2-7670-458a-bf6c-efad6880973a|Medium|Observability|SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days (read more)|Documentation
| +|Hardcoded SecureString Parameter Default Value
4d2cf896-c053-4be5-9c95-8b4771112f29|Medium|Secret Management|Secure parameters should not have hardcoded default value (read more)|Documentation
| +|Website Azure Active Directory Disabled
e9c133e5-c2dd-4b7b-8fff-40f2de367b56|Low|Access Control|WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true' (read more)|Documentation
| +|Phone Number Not Set For Security Contacts
3e9fcc67-1f64-405f-b2f9-0a6be17598f0|Low|Best Practices|Microsoft.Security securityContacts should have a phone number defined (read more)|Documentation
| +|AKS Dashboard Is Enabled
c62d3b92-9a11-4ffd-b7b7-6faaae83faed|Low|Insecure Configurations|Azure Kubernetes Service should have the Kubernetes dashboard disabled. (read more)|Documentation
| +|Website with 'Http20Enabled' Disabled
70111098-7f85-48f0-b1b4-e4261cf5f61b|Low|Networking and Firewall|'Microsoft.Web/sites' should have 'Http20Enabled' enabled (read more)|Documentation
| +|Storage Account Allows Default Network Access
9073f073-5d60-4b46-b569-0d6baa80ed95|Low|Networking and Firewall|'Microsoft.Storage/storageAccounts' should force the use of HTTPS (read more)|Documentation
| +|App Service Authentication Is Not Set
83130a07-235b-4a80-918b-a370e53f0bd9|Info|Access Control|Azure App Service should have App Service Authentication set (read more)|Documentation
| +|SQL Alert Policy Without Emails
89b79fe5-49bd-4d39-84ce-55f5fc6f7764|Info|Best Practices|SQL Database Server should contain emails to be notified in the event of a Security Alert (read more)|Documentation
| +|Account Admins Not Notified By Email
a8852cc0-fd4b-4fc7-9372-1e43fad0732e|Info|Best Practices|Account admins should be notified by email in the event of security alerts (read more)|Documentation
| +|Email Notifications Disabled
79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92|Info|Networking and Firewall|Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription (read more)|Documentation
| 
diff --git a/docs/queries/azureresourcemanager-queries/azure/1367dd13-2c90-4020-80b7-e4339a3dc2c4.md b/docs/queries/azureresourcemanager-queries/azure/1367dd13-2c90-4020-80b7-e4339a3dc2c4.md
new file mode 100644
index 00000000000..a9f95adbc70
--- /dev/null
+++ b/docs/queries/azureresourcemanager-queries/azure/1367dd13-2c90-4020-80b7-e4339a3dc2c4.md
@@ -0,0 +1,341 @@
+---
+title: Storage Account Allows Unsecure Transfer
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 1367dd13-2c90-4020-80b7-e4339a3dc2c4
+- **Query name:** Storage Account Allows Unsecure Transfer
+- **Platform:** AzureResourceManager
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/storage_account_allows_unsecure_transfer)
+
+### Description
+'Microsoft.Storage/storageAccounts' should force the use of HTTPS
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#storageaccountpropertiescreateparameters-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="19" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-02-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": { + "supportsHttpsTrafficOnly": false + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="6" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive2", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2017-10-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="18" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive3", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2018-02-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": {} + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="21" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-02-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": { + "supportsHttpsTrafficOnly": false + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="8" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive2", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2017-10-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="20" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive3", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2018-02-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": {} + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Negative1", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-02-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": { + "supportsHttpsTrafficOnly": true + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive3", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": {} + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Negative1", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-02-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": { + "supportsHttpsTrafficOnly": true + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive3", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": {} + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/2081c7d6-2851-4cce-bda5-cb49d462da42.md b/docs/queries/azureresourcemanager-queries/azure/2081c7d6-2851-4cce-bda5-cb49d462da42.md
new file mode 100644
index 00000000000..5d50cfd9bb0
--- /dev/null
+++ b/docs/queries/azureresourcemanager-queries/azure/2081c7d6-2851-4cce-bda5-cb49d462da42.md
@@ -0,0 +1,533 @@
+---
+title: Standard Price Is Not Selected
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2081c7d6-2851-4cce-bda5-cb49d462da42
+- **Query name:** Standard Price Is Not Selected
+- **Platform:** AzureResourceManager
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/standard_price_not_selected)
+
+### Description
+Azure Security Center provides more features for standard pricing mode, so it must be activated.
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.security/pricings?tabs=json#pricingproperties-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="27" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2017-08-01-preview", + "name": "Princing", + "properties": { + "pricingTier": "Free" + } + } + ] +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="29" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2017-08-01-preview", + "name": "Princing", + "properties": { + "pricingTier": "Free" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="23" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "virtualMachineTier": { + "type": "string", + "defaultValue": "Free", + "allowedValues": [ + "Standard", + "Free" + ], + "metadata": { + "description": "Specifiy whether you want to enable Standard tier for Virtual Machine resource type" + } + } + }, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "VirtualMachines", + "properties": { + "pricingTier": "[parameters('virtualMachineTier')]" + } + } + ], + "outputs": { + } +} + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2017-08-01-preview", + "name": "Princing", + "properties": { + "pricingTier": "Standard" + } + } + ] +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2017-08-01-preview", + "name": "Princing", + "properties": { + "pricingTier": "Standard" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "workspaceName": { + "type": "string", + "defaultValue": "az-security-workspace", + "allowedValues": [ + "az-security-workspace" + ], + "metadata": { + "description": "Name of the central Log Analytics workspace that stores security event and data collected by Azure Security Center" + } + }, + "workspaceRgName": { + "type": "string", + "defaultValue": "azsec-security-rg", + "allowedValues": [ + "azsec-security-rg" + ], + "metadata": { + "description": "Name of the resource group where the central log analytics workspace belongs to" + } + }, + "autoProvisionSetting": { + "type": "string", + "defaultValue": "On", + "allowedValues": [ + "On", + "Off" + ], + "metadata": { + "description": "Specify whether Auto Provisoning is turned on or off" + } + }, + "ascOwnerEmail": { + "type": "string", + "metadata": { + "description": "Email of the administrator who should be notified about Azure Security Center alert" + } + }, + "ascOwnerContact": { + "type": "string", + "metadata": { + "description": "Phone number of the administrator should be notified about Azure Security Center alert" + } + }, + "highSeverityAlertNotification": { + "type": "string", + "defaultValue": "On", + "allowedValues": [ + "On", + "Off" + ], + "metadata": { + "description": "Specify whether you want to notify high severity alert to ASC administrator" + } + }, + "subscriptionOwnerNotification": { + "type": "string", + "defaultValue": "On", + "allowedValues": [ + "On", + "Off" + ], + "metadata": { + "description": "Specifiy whether you want to notify high severity alert to subscription owner" + } + }, + "virtualMachineTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Free" + ], + "metadata": { + "description": "Specifiy whether you want to enable Standard tier for Virtual Machine resource type" + 
} + }, + "appServiceTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Free" + ], + "metadata": { + "description": "Specify whether you want to enable Standard tier for Azure App Service resource type" + } + }, + "paasSQLServiceTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Free" + ], + "metadata": { + "description": "Specify whether you want to enable Standard tier for PaaS SQL Service resource type" + } + }, + "sqlServerOnVmTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Free" + ], + "metadata": { + "description": "Specify whether you want to enable Standard tier for SQL Server on VM resource type" + } + }, + "storageAccountTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Free" + ], + "metadata": { + "description": "Specify whether you want to enable Standard tier for Storage Account resource type" + } + }, + "kubernetesServiceTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Free" + ], + "metadata": { + "description": "Specify whether you want to enable Standard tier for Kubernetes service resource type" + } + }, + "containerRegistryTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Free" + ], + "metadata": { + "description": "Specify whether you want to enable Standard tier for Container Registry resource type" + } + }, + "keyvaultTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Free" + ], + "metadata": { + "description": "Specify whether you want to enable Standard tier for Key Vault resource type" + } + }, + "integrationName": { + "type": "string", + "allowedValues": [ + "MCAS", + "MDATP" + ], + "metadata": { + "description": "Select integration name to enable. Only MCAS or MDATP is supported." 
+ } + }, + "integrationEnabled": { + "type": "bool", + "allowedValues": [ + true, + false + ], + "metadata": { + "description": "Specify whether you want to enable or not." + } + } + }, + "resources": [ + { + "type": "Microsoft.Security/workspaceSettings", + "apiVersion": "2017-08-01-preview", + "name": "default", + "properties": { + "scope": "[subscription().id]", + "workspaceId": "[concat(subscription().id,'/resourceGroups/',parameters('workspaceRgName'),'/providers/Microsoft.OperationalInsights/workspaces/',parameters('workspaceName'))]" + } + }, + { + "type": "Microsoft.Security/autoProvisioningSettings", + "apiVersion": "2017-08-01-preview", + "name": "default", + "properties": { + "autoProvision": "[parameters('autoProvisionSetting')]" + } + }, + { + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2017-08-01-preview", + "name": "default1", + "properties": { + "emails": "[parameters('ascOwnerEmail')]", + "phone": "[parameters('ascOwnerContact')]", + "alertNotifications": { + "state": "On", + "minimalSeverity": "[parameters('highSeverityAlertNotification')]" + }, + "notificationsByRole": { + "state": "On", + "roles": "[parameters('subscriptionOwnerNotification')]" + } + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "VirtualMachines", + "properties": { + "pricingTier": "[parameters('virtualMachineTier')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "AppServices", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/VirtualMachines')]" + ], + "properties": { + "pricingTier": "[parameters('appServiceTier')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "SqlServers", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/AppServices')]" + ], + "properties": { + "pricingTier": "[parameters('paasSQLServiceTier')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + 
"name": "SqlServerVirtualMachines", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/SqlServers')]" + ], + "properties": { + "pricingTier": "[parameters('sqlServerOnVmTier')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "StorageAccounts", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/SqlServerVirtualMachines')]" + ], + "properties": { + "pricingTier": "[parameters('storageAccountTier')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "KubernetesService", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/StorageAccounts')]" + ], + "properties": { + "pricingTier": "[parameters('kubernetesServiceTier')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "ContainerRegistry", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/KubernetesService')]" + ], + "properties": { + "pricingTier": "[parameters('containerRegistryTier')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "KeyVaults", + "dependsOn": [ + "[concat('Microsoft.Security/pricings/ContainerRegistry')]" + ], + "properties": { + "pricingTier": "[parameters('keyvaultTier')]" + } + }, + { + "type": "Microsoft.Security/settings", + "apiVersion": "2019-01-01", + "name": "[parameters('integrationName')]", + "kind": "DataExportSettings", + "properties": { + "enabled": "[parameters('integrationEnabled')]" + } + } + ], + "outputs": { + } +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/25684eac-daaa-4c2c-94b4-8d2dbb627909.md b/docs/queries/azureresourcemanager-queries/azure/25684eac-daaa-4c2c-94b4-8d2dbb627909.md new file mode 100644 index 00000000000..2e33d9c1abd --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/25684eac-daaa-4c2c-94b4-8d2dbb627909.md 
@@ -0,0 +1,270 @@
+---
+title: Unrecommended Log Profile Retention Policy
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 25684eac-daaa-4c2c-94b4-8d2dbb627909
+- **Query name:** Unrecommended Log Profile Retention Policy
+- **Platform:** AzureResourceManager
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/unrecommended_log_profile_retention_policy)
+
+### Description
+Log Profile Retention Policy should be enabled and the recommended number of days for the retention should be higher than 365 or 0 (0 will retain the events indefinitely)
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles?tabs=json#retentionpolicy-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="26" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "location", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "location1" + ], + "categories": [ + "Write" + ], + "retentionPolicy": { + "enabled": true, + "days": 300 + } + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="25 26" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "location", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "location1" + ], + "categories": [ + "Write" + ], + "retentionPolicy": { + "enabled": false, + "days": 300 + } + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="28" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "location", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "location1" + ], + "categories": [ + "Write" + ], + "retentionPolicy": { + "enabled": true, + "days": 300 + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="27 28" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "location", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "location1" + ], + "categories": [ + "Write" + ], + "retentionPolicy": { + "enabled": false, + "days": 300 + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "location", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "location1" + ], + "categories": [ + "Write" + ], + "retentionPolicy": { + "enabled": true, + "days": 400 + } + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "location", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "location1" + ], + "categories": [ + "Write" + ], + "retentionPolicy": { + "enabled": true, + "days": 400 + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/2583fab1-953b-4fae-bd02-4a136a6c21f9.md b/docs/queries/azureresourcemanager-queries/azure/2583fab1-953b-4fae-bd02-4a136a6c21f9.md new file mode 100644 index 00000000000..e9806cbd530 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/2583fab1-953b-4fae-bd02-4a136a6c21f9.md 
@@ -0,0 +1,736 @@ +--- +title: AKS With Authorized IP Ranges Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2583fab1-953b-4fae-bd02-4a136a6c21f9 +- **Query name:** AKS With Authorized IP Ranges Disabled +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/aks_with_authorized_ip_ranges_disabled) + +### Description +Azure Kubernetes Service must have an authorized IP range for API Services enabled
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusterapiserveraccessprofile-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="8" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2017-08-31", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ] +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="6" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2019-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ] +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="36" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2019-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "apiServerAuthorizedIPRanges": [] + } + } + ] +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="6" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ] +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="37" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "apiServerAccessProfile": { + "authorizedIPRanges": [] + } + } + } + ] +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="10" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2017-08-31", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="8" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2019-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="38" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2019-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "apiServerAuthorizedIPRanges": [] + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 9 - json file + +```json hl_lines="8" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 10 - json file + +```json hl_lines="39" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "apiServerAccessProfile": { + "authorizedIPRanges": [] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "apiServerAccessProfile": { + "authorizedIPRanges": [ + "192.168.0.1", + "192.168.0.18" + ] + } + } + } + ] +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2019-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "apiServerAuthorizedIPRanges": [ + "192.168.0.1", + "192.168.0.18" + ] + } + } + ] +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "apiServerAccessProfile": { + "authorizedIPRanges": [ + "192.168.0.1", + "192.168.0.18" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2019-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "apiServerAuthorizedIPRanges": [ + "192.168.0.1", + "192.168.0.18" + ] + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/25c0228e-4444-459b-a2df-93c7df40b7ed.md b/docs/queries/azureresourcemanager-queries/azure/25c0228e-4444-459b-a2df-93c7df40b7ed.md new file mode 100644 index 00000000000..eb196c50a62 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/25c0228e-4444-459b-a2df-93c7df40b7ed.md @@ -0,0 +1,327 @@ +--- +title: AKS Cluster Network Policy Not Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 25c0228e-4444-459b-a2df-93c7df40b7ed +- **Query name:** AKS Cluster Network Policy Not Configured +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/aks_cluster_network_policy_not_configured) + +### Description +Azure Kubernetes Service must have a network policy defined.
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#containerservicenetworkprofile-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="6" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ] +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="37" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "" + } + } + } + ] +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="8" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="39" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ] +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/2ade1579-4b2c-4590-bebb-f99bf597f612.md b/docs/queries/azureresourcemanager-queries/azure/2ade1579-4b2c-4590-bebb-f99bf597f612.md new file mode 100644 index 00000000000..39cb11d318f --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/2ade1579-4b2c-4590-bebb-f99bf597f612.md @@ -0,0 +1,578 @@ +--- +title: Network Security Group With Unrestricted Access To SSH +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2ade1579-4b2c-4590-bebb-f99bf597f612 +- **Query name:** Network Security Group With Unrestricted Access To SSH +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_ssh) + +### Description +Port 22 (SSH) is exposed to the Internet
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-07-01/networksecuritygroups?tabs=json#securityrulepropertiesformat-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="19" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security group", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": { + "securityRules": [ + { + "id": "id", + "properties": { + "description": "access to SSH", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule" + }, + { + "id": "id2", + "properties": { + "description": "access to RDP", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "3389", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule2" + } + ] + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="13" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "sample/securitygroup", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access to SSH", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "22-23" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="20" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "securitygroup", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access to SSH", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "22-23" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + }, + "name": "sr" + } + + ] + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="21" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security group", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": { + "securityRules": [ + { + "id": "id", + "properties": { + "description": "access to SSH", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule" + } + ] + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="15" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "sample/securitygroup", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access to SSH", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "22-23" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="22" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "securitygroup", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access to SSH", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "22-23" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + }, + "name": "sr" + } + + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security group", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": { + "securityRules": [ + { + "id": "id", + "properties": { + "description": "access to SSH", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule" + } + ] + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "sample/securitygroup", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "4030-5100" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "securitygroup", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "6634" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + }, + "name": "sr" + } + + ] + } + ], + "outputs": {} +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security group", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": { + "securityRules": [ + { + "id": "id", + "properties": { + "description": "access to SSH", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule" + } + ] + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "sample/securitygroup", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "4030-5100" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "securitygroup", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "6634" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + }, + "name": "sr" + } + + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/350f3955-b5be-436f-afaa-3d2be2fa6cdd.md b/docs/queries/azureresourcemanager-queries/azure/350f3955-b5be-436f-afaa-3d2be2fa6cdd.md new file mode 100644 index 00000000000..8bcfb8784f2 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/350f3955-b5be-436f-afaa-3d2be2fa6cdd.md @@ -0,0 +1,325 @@ +--- +title: Azure Managed Disk Without Encryption +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 350f3955-b5be-436f-afaa-3d2be2fa6cdd +- **Query name:** Azure Managed Disk Without Encryption +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/azure_managed_disk_without_encryption) + +### Description +Azure Disk Encryption should be enabled
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/disks?tabs=json#encryptionsettingscollection-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="30" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/disks", + "apiVersion": "2020-09-30", + "name": "[concat(variables('vmName'),'-disk1')]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS" + }, + "properties": { + "creationData": { + "createOption": "Empty" + }, + "diskSizeGB": 512, + "encryptionSettingsCollection": { + "enabled": false, + "encryptionSettings": [ + { + "diskEncryptionKey": { + "secretUrl": "https://secret.com/secrets/secret", + "sourceVault": { + "id": "/someid/somekey" + } + } + } + ] + } + } + } + ] +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="19" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/disks", + "apiVersion": "2020-09-30", + "name": "[concat(variables('vmName'),'-disk1')]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS" + }, + "properties": { + "creationData": { + "createOption": "Empty" + }, + "diskSizeGB": 512 + } + } + ] +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="32" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/disks", + "apiVersion": "2020-09-30", + "name": "[concat(variables('vmName'),'-disk1')]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS" + }, + "properties": { + "creationData": { + "createOption": "Empty" + }, + "diskSizeGB": 512, + "encryptionSettingsCollection": { + "enabled": false, + "encryptionSettings": [ + { + "diskEncryptionKey": { + "secretUrl": "https://secret.com/secrets/secret", + "sourceVault": { + "id": "/someid/somekey" + } + } + } + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="21" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/disks", + "apiVersion": "2020-09-30", + "name": "[concat(variables('vmName'),'-disk1')]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS" + }, + "properties": { + "creationData": { + "createOption": "Empty" + }, + "diskSizeGB": 512 + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/disks", + "apiVersion": "2020-09-30", + "name": "[concat(variables('vmName'),'-disk1')]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS" + }, + "properties": { + "creationData": { + "createOption": "Empty" + }, + "diskSizeGB": 512, + "encryptionSettingsCollection": { + "enabled": true, + "encryptionSettings": [ + { + "diskEncryptionKey": { + "secretUrl": "https://secret.com/secrets/secret", + "sourceVault": { + "id": "/someid/somekey" + } + } + } + ] + } + } + } + ] +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." 
+ } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/disks", + "apiVersion": "2020-09-30", + "name": "[concat(variables('vmName'),'-disk1')]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS" + }, + "properties": { + "creationData": { + "createOption": "Empty" + }, + "diskSizeGB": 512, + "encryptionSettingsCollection": { + "enabled": true, + "encryptionSettings": [ + { + "diskEncryptionKey": { + "secretUrl": "https://secret.com/secrets/secret", + "sourceVault": { + "id": "/someid/somekey" + } + } + } + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md b/docs/queries/azureresourcemanager-queries/azure/3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md new file mode 100644 index 00000000000..fafb33df225 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/3e9fcc67-1f64-405f-b2f9-0a6be17598f0.md @@ -0,0 +1,193 @@ +--- +title: Phone Number Not Set For Security Contacts +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3e9fcc67-1f64-405f-b2f9-0a6be17598f0 +- **Query name:** Phone Number Not Set For Security Contacts +- **Platform:** AzureResourceManager +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/phone_number_not_set_security_contacts) + +### Description +Microsoft.Security securityContacts should have a phone number defined
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="13" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + }, + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + } + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="15" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + }, + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "Name sof resource group" + } + } + }, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "phone": "9999999", + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + }, + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + } + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "Name sof resource group" + } + } + }, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "phone": "9999999", + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + }, + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/43f6e60c-9cdb-4e77-864d-a66595d26518.md b/docs/queries/azureresourcemanager-queries/azure/43f6e60c-9cdb-4e77-864d-a66595d26518.md new file mode 100644 index 00000000000..72739bb799a --- /dev/null 
+++ b/docs/queries/azureresourcemanager-queries/azure/43f6e60c-9cdb-4e77-864d-a66595d26518.md @@ -0,0 +1,858 @@ +--- +title: Storage Logging For Read Write And Delete Requests Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 43f6e60c-9cdb-4e77-864d-a66595d26518 +- **Query name:** Storage Logging For Read Write And Delete Requests Disabled +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/storage_logging_for_read_write_delete_requests_disabled) + +### Description +Storage Logging should be enabled for read, write and delete methods
+[Documentation](https://docs.microsoft.com/pt-pt/azure/azure-monitor/essentials/resource-manager-diagnostic-settings#diagnostic-setting-for-azure-storage) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="83 87 79" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string" + }, + "settingName": { + "type": "string" + }, + "storageSyncName": { + "type": "string" + }, + "workspaceId": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "nested", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "endpoints": { + "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]" + }, + "settingName": { + "value": "[parameters('settingName')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + }, + "storageSyncName": { + "value": "[parameters('storageSyncName')]" + }, + "workspaceId": { + "value": "[parameters('workspaceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "endpoints": { + "type": "object" + }, + "settingName": { + "type": "String" + }, + "storageAccountName": { + "type": "String" + }, + "storageSyncName": { + "type": "String" + }, + "workspaceId": { + "type": "String" + } + }, + "variables": { + "hasqueue": "[contains(parameters('endpoints'),'queue')]" + }, + "resources": [ + { + "condition": "[variables('hasqueue')]", + "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + 
"name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "properties": { + "workspaceId": "[parameters('workspaceId')]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]", + "logs": [ + { + "category": "StorageRead", + "enabled": false + }, + { + "category": "StorageWrite", + "enabled": false + }, + { + "category": "StorageDelete", + "enabled": false + } + ], + "metrics": [ + { + "category": "Transaction", + "enabled": true + } + ] + } + } + ] + } + } + } + ] +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="77 79" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string" + }, + "settingName": { + "type": "string" + }, + "storageSyncName": { + "type": "string" + }, + "workspaceId": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "nested", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "endpoints": { + "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]" + }, + "settingName": { + "value": "[parameters('settingName')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + }, + "storageSyncName": { + "value": "[parameters('storageSyncName')]" + }, + "workspaceId": { + "value": "[parameters('workspaceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "endpoints": { + "type": "object" + }, + "settingName": { + "type": "String" + }, + "storageAccountName": { + "type": "String" + }, + 
"storageSyncName": { + "type": "String" + }, + "workspaceId": { + "type": "String" + } + }, + "variables": { + "hasqueue": "[contains(parameters('endpoints'),'queue')]" + }, + "resources": [ + { + "condition": "[variables('hasqueue')]", + "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "properties": { + "workspaceId": "[parameters('workspaceId')]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]", + "logs": [ + { + "category": "StorageRead", + "enabled": false + } + ], + "metrics": [ + { + "category": "Transaction", + "enabled": true + } + ] + } + } + ] + } + } + } + ] +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="67" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string" + }, + "settingName": { + "type": "string" + }, + "storageSyncName": { + "type": "string" + }, + "workspaceId": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "nested", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "endpoints": { + "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]" + }, + "settingName": { + "value": "[parameters('settingName')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + }, + "storageSyncName": { + "value": "[parameters('storageSyncName')]" + }, + "workspaceId": { + "value": "[parameters('workspaceId')]" + } + }, + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "endpoints": { + "type": "object" + }, + "settingName": { + "type": "String" + }, + "storageAccountName": { + "type": "String" + } + }, + "variables": { + "hasqueue": "[contains(parameters('endpoints'),'queue')]" + }, + "resources": [ + { + "condition": "[variables('hasqueue')]", + "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]" + } + ] + } + } + } + ] +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="89 81 85" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string" + }, + "settingName": { + "type": "string" + }, + "storageSyncName": { + "type": "string" + }, + "workspaceId": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "nested", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "endpoints": { + "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]" + }, + "settingName": { + "value": "[parameters('settingName')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + }, + "storageSyncName": { + "value": "[parameters('storageSyncName')]" + }, + "workspaceId": { + "value": "[parameters('workspaceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "endpoints": { + "type": "object" + }, + "settingName": { + "type": "String" + }, + "storageAccountName": { + "type": "String" + }, + "storageSyncName": { + "type": "String" + }, + "workspaceId": { + "type": "String" + } + }, + "variables": { + "hasqueue": "[contains(parameters('endpoints'),'queue')]" + }, + "resources": [ + { + "condition": "[variables('hasqueue')]", + "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "properties": { + "workspaceId": "[parameters('workspaceId')]", + "storageAccountId": 
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]", + "logs": [ + { + "category": "StorageRead", + "enabled": false + }, + { + "category": "StorageWrite", + "enabled": false + }, + { + "category": "StorageDelete", + "enabled": false + } + ], + "metrics": [ + { + "category": "Transaction", + "enabled": true + } + ] + } + } + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="81 79" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string" + }, + "settingName": { + "type": "string" + }, + "storageSyncName": { + "type": "string" + }, + "workspaceId": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "nested", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "endpoints": { + "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]" + }, + "settingName": { + "value": "[parameters('settingName')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + }, + "storageSyncName": { + "value": "[parameters('storageSyncName')]" + }, + "workspaceId": { + "value": "[parameters('workspaceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "endpoints": { + "type": "object" + }, + "settingName": { + "type": "String" + }, + "storageAccountName": { + "type": "String" + }, + "storageSyncName": { + "type": "String" + }, + "workspaceId": { + "type": "String" + } + }, + "variables": { + "hasqueue": "[contains(parameters('endpoints'),'queue')]" + }, + "resources": [ + { + "condition": "[variables('hasqueue')]", + "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "properties": { + "workspaceId": "[parameters('workspaceId')]", + "storageAccountId": 
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]", + "logs": [ + { + "category": "StorageRead", + "enabled": false + } + ], + "metrics": [ + { + "category": "Transaction", + "enabled": true + } + ] + } + } + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="69" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string" + }, + "settingName": { + "type": "string" + }, + "storageSyncName": { + "type": "string" + }, + "workspaceId": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "nested", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "endpoints": { + "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]" + }, + "settingName": { + "value": "[parameters('settingName')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + }, + "storageSyncName": { + "value": "[parameters('storageSyncName')]" + }, + "workspaceId": { + "value": "[parameters('workspaceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "endpoints": { + "type": "object" + }, + "settingName": { + "type": "String" + }, + "storageAccountName": { + "type": "String" + } + }, + "variables": { + "hasqueue": "[contains(parameters('endpoints'),'queue')]" + }, + "resources": [ + { + "condition": "[variables('hasqueue')]", + "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]" + } + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string" + }, + "settingName": { + "type": "string" + }, + "storageSyncName": { + "type": "string" + }, + "workspaceId": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "nested", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "endpoints": { + "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]" + }, + "settingName": { + "value": "[parameters('settingName')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + }, + "storageSyncName": { + "value": "[parameters('storageSyncName')]" + }, + "workspaceId": { + "value": "[parameters('workspaceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "endpoints": { + "type": "object" + }, + "settingName": { + "type": "String" + }, + "storageAccountName": { + "type": "String" + }, + "storageSyncName": { + "type": "String" + }, + "workspaceId": { + "type": "String" + } + }, + "variables": { + "hasqueue": "[contains(parameters('endpoints'),'queue')]" + }, + "resources": [ + { + "condition": "[variables('hasqueue')]", + "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "properties": { + "workspaceId": "[parameters('workspaceId')]", + 
"storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]", + "logs": [ + { + "category": "StorageRead", + "enabled": true + }, + { + "category": "StorageWrite", + "enabled": true + }, + { + "category": "StorageDelete", + "enabled": true + } + ], + "metrics": [ + { + "category": "Transaction", + "enabled": true + } + ] + } + } + ] + } + } + } + ] +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string" + }, + "settingName": { + "type": "string" + }, + "storageSyncName": { + "type": "string" + }, + "workspaceId": { + "type": "string" + } + }, + "resources": [ + { + "apiVersion": "2019-10-01", + "name": "nested", + "type": "Microsoft.Resources/deployments", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "endpoints": { + "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01', 'Full').properties.primaryEndpoints]" + }, + "settingName": { + "value": "[parameters('settingName')]" + }, + "storageAccountName": { + "value": "[parameters('storageAccountName')]" + }, + "storageSyncName": { + "value": "[parameters('storageSyncName')]" + }, + "workspaceId": { + "value": "[parameters('workspaceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "endpoints": { + "type": "object" + }, + "settingName": { + "type": "String" + }, + "storageAccountName": { + "type": "String" + }, + "storageSyncName": { + "type": "String" + }, + "workspaceId": { + "type": "String" + } + }, + "variables": { + "hasqueue": "[contains(parameters('endpoints'),'queue')]" + }, + 
"resources": [ + { + "condition": "[variables('hasqueue')]", + "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticsettings", + "apiVersion": "2017-05-01-preview", + "name": "[concat(parameters('storageAccountName'),'/default/Microsoft.Insights/', parameters('settingName'))]", + "properties": { + "workspaceId": "[parameters('workspaceId')]", + "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageSyncName'))]", + "logs": [ + { + "category": "StorageRead", + "enabled": true + }, + { + "category": "StorageWrite", + "enabled": true + }, + { + "category": "StorageDelete", + "enabled": true + } + ], + "metrics": [ + { + "category": "Transaction", + "enabled": true + } + ] + } + } + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/488847ff-6031-487c-bf42-98fd6ac5c9a0.md b/docs/queries/azureresourcemanager-queries/azure/488847ff-6031-487c-bf42-98fd6ac5c9a0.md new file mode 100644 index 00000000000..23e3cfe8a57 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/488847ff-6031-487c-bf42-98fd6ac5c9a0.md @@ -0,0 +1,214 @@ +--- +title: Website Not Forcing HTTPS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 488847ff-6031-487c-bf42-98fd6ac5c9a0 +- **Query name:** Website Not Forcing HTTPS +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/website_not_forcing_https) + +### Description +'Microsoft.Web/sites' should force the use of HTTPS
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="15" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="17" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "httpsOnly": false + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="17" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="19" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "httpsOnly": false + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/4d2cf896-c053-4be5-9c95-8b4771112f29.md b/docs/queries/azureresourcemanager-queries/azure/4d2cf896-c053-4be5-9c95-8b4771112f29.md new file mode 100644 index 00000000000..debe607b323 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/4d2cf896-c053-4be5-9c95-8b4771112f29.md 
@@ -0,0 +1,280 @@ +--- +title: Hardcoded SecureString Parameter Default Value +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d2cf896-c053-4be5-9c95-8b4771112f29 +- **Query name:** Hardcoded SecureString Parameter Default Value +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/hardcoded_securestring_parameter_default_value) + +### Description +Secure parameters should not have hardcoded default value
+[Documentation](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-test-cases#secure-parameters-cant-have-hardcoded-default) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="7" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": { + "adminPassword": { + "defaultValue": "HardcodedPassword", + "type": "secureString" + }, + "adminLogin": { + "type": "string" + }, + "sqlServerName": { + "type": "string" + } + }, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2015-05-01-preview", + "name": "[parameters('sqlServerName')]", + "location": "[resourceGroup().location]", + "tags": {}, + "properties": { + "administratorLogin": "[parameters('adminLogin')]", + "administratorLoginPassword": "[parameters('adminPassword')]", + "version": "12.0" + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="9" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": { + "adminPassword": { + "defaultValue": "HardcodedPassword", + "type": "secureString" + }, + "adminLogin": { + "type": "string" + }, + "sqlServerName": { + "type": "string" + } + }, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2015-05-01-preview", + "name": "[parameters('sqlServerName')]", + "location": "[resourceGroup().location]", + "tags": {}, + "properties": { + "administratorLogin": "[parameters('adminLogin')]", + "administratorLoginPassword": "[parameters('adminPassword')]", + "version": "12.0" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": { + "secureParameter": { + "type": "secureString", + "defaultValue": "[newGuid()]" + }, + "adminLogin": { + "type": "string" + }, + "sqlServerName": { + "type": "string" + } + }, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2015-05-01-preview", + "name": "[parameters('sqlServerName')]", + "location": "[resourceGroup().location]", + "tags": {}, + "properties": { + "administratorLogin": "[parameters('adminLogin')]", + "administratorLoginPassword": "[parameters('secureParameter')]", + "version": "12.0" + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": { + "adminPassword": { + "type": "secureString" + }, + "adminLogin": { + "type": "string" + }, + "sqlServerName": { + "type": "string" + } + }, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2015-05-01-preview", + "name": "[parameters('sqlServerName')]", + "location": "[resourceGroup().location]", + "tags": {}, + "properties": { + "administratorLogin": "[parameters('adminLogin')]", + "administratorLoginPassword": "[parameters('adminPassword')]", + "version": "12.0" + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": { + "secureParameter": { + "type": "secureString", + "defaultValue": "[newGuid()]" + }, + "adminLogin": { + "type": "string" + }, + "sqlServerName": { + "type": "string" + } + }, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2015-05-01-preview", + "name": "[parameters('sqlServerName')]", + "location": "[resourceGroup().location]", + "tags": {}, + "properties": { + "administratorLogin": "[parameters('adminLogin')]", + "administratorLoginPassword": "[parameters('secureParameter')]", + "version": "12.0" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": { + "adminPassword": { + "type": "secureString" + }, + "adminLogin": { + "type": "string" + }, + "sqlServerName": { + "type": "string" + } + }, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2015-05-01-preview", + "name": "[parameters('sqlServerName')]", + "location": "[resourceGroup().location]", + "tags": {}, + "properties": { + "administratorLogin": "[parameters('adminLogin')]", + "administratorLoginPassword": "[parameters('adminPassword')]", + "version": "12.0" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/4d522e7b-f938-4d51-a3b1-974ada528bd3.md b/docs/queries/azureresourcemanager-queries/azure/4d522e7b-f938-4d51-a3b1-974ada528bd3.md new file mode 100644 index 00000000000..efcab1e91c3 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/4d522e7b-f938-4d51-a3b1-974ada528bd3.md @@ -0,0 +1,189 @@ +--- +title: Log Profile Incorrect Category +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d522e7b-f938-4d51-a3b1-974ada528bd3 +- **Query name:** Log Profile Incorrect Category +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/log_profile_incorrect_category) + +### Description +Log Profile Categories should be set to 'Write', 'Delete', and/or 'Action'
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/2016-03-01/logprofiles?tabs=json#logprofileproperties-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="22" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "eastus", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "eastus" + ], + "categories": [ + "Writ" + ], + "retentionPolicy": { + "enabled": true, + "days": 450 + } + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="24" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "eastus", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "eastus" + ], + "categories": [ + "Writ" + ], + "retentionPolicy": { + "enabled": true, + "days": 450 + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "eastus", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "eastus" + ], + "categories": [ + "Write" + ], + "retentionPolicy": { + "enabled": true, + "days": 450 + } + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "string", + "type": "microsoft.insights/logprofiles", + "apiVersion": "2016-03-01", + "location": "eastus", + "tags": {}, + "properties": { + "storageAccountId": "storageAccountId", + "serviceBusRuleId": "serviceBusRuleId", + "locations": [ + "eastus" + ], + "categories": [ + "Write" + ], + "retentionPolicy": { + "enabled": true, + "days": 450 + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/564b70f8-41cd-4690-aff8-bb53add86bc9.md b/docs/queries/azureresourcemanager-queries/azure/564b70f8-41cd-4690-aff8-bb53add86bc9.md new file mode 100644 index 00000000000..fe89e050ccc --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/564b70f8-41cd-4690-aff8-bb53add86bc9.md 
@@ -0,0 +1,483 @@ +--- +title: Unrecommended Network Watcher Flow Log Retention Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 564b70f8-41cd-4690-aff8-bb53add86bc9 +- **Query name:** Unrecommended Network Watcher Flow Log Retention Policy +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/unrecommended_network_watcher_flow_log_retention_policy) + +### Description +Network Watcher Flow Log Retention Policy should be enabled and the recommended number of days for the retention should be higher than 90
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2019-11-01/networkwatchers/flowlogs?tabs=json#retentionpolicyparameters-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="20 21" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/flowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "retentionPolicy": { + "days": 2, + "enabled": false + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="19 20" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "retentionPolicy": { + "days": 2 + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="15" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="15" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "retentionPolicy": { + "days": 95, + "enabled": true + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="22 23" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/flowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "retentionPolicy": { + "days": 2, + "enabled": false + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="21 22" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "retentionPolicy": { + "days": 2 + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="17" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="17" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "retentionPolicy": { + "days": 95, + "enabled": true + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/flowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "retentionPolicy": { + "days": 92, + "enabled": true + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "retentionPolicy": { + "days": 95, + "enabled": true + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/flowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "retentionPolicy": { + "days": 92, + "enabled": true + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "flowlogs/sample", + "type": "Microsoft.Network/networkWatchers/FlowLogs", + "apiVersion": "2020-11-01", + "location": "location", + "tags": {}, + "properties": { + "targetResourceId": "targetResourceId", + "storageId": "storageId", + "enabled": true, + "retentionPolicy": { + "days": 95, + "enabled": true + }, + "format": { + "type": "JSON" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/574e8d82-1db2-4b9c-b526-e320ede9a9ff.md b/docs/queries/azureresourcemanager-queries/azure/574e8d82-1db2-4b9c-b526-e320ede9a9ff.md new file mode 100644 index 00000000000..89781afb7d3 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/574e8d82-1db2-4b9c-b526-e320ede9a9ff.md @@ -0,0 +1,278 @@ +--- +title: SQL Server Database With Alerts Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 574e8d82-1db2-4b9c-b526-e320ede9a9ff +- **Query name:** SQL Server Database With Alerts Disabled +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/sql_server_database_with_alerts_disabled) + +### Description +All Alerts should be enabled in SQL Database Server SecurityAlerts Policy Properties
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/databases/default", + "properties": { + "disabledAlerts": [ "Sql_Injection" ], + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="16" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/databases/default", + "properties": { + "disabledAlerts": [ "Sql_Injection" ], + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/databases/default", + "properties": { + "disabledAlerts": [], + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/databases/default", + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 3 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/databases/default", + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Disabled" + } + } + ], + "outputs": {} +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/databases/default", + "properties": { + "disabledAlerts": [], + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/databases/default", + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/databases/default", + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Disabled" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md b/docs/queries/azureresourcemanager-queries/azure/59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md new file mode 100644 index 00000000000..95ed0f1bdf0 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/59cb3da7-f206-4ae6-b827-7abf0a9cab9d.md @@ -0,0 +1,578 @@ +--- +title: Network Security Group With Unrestricted Access To RDP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 59cb3da7-f206-4ae6-b827-7abf0a9cab9d +- **Query name:** Network Security Group With Unrestricted Access To RDP +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/network_security_group_with_unrestricted_access_to_rdp) + +### Description +Port 3389 (Remote Desktop) is exposed to the Internet
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.network/2020-07-01/networksecuritygroups?tabs=json#securityrulepropertiesformat-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="19" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security group", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": { + "securityRules": [ + { + "id": "id", + "properties": { + "description": "access to RDP", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "3389", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule" + }, + { + "id": "id2", + "properties": { + "description": "access to SSH", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule2" + } + ] + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="13" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "sample/securitygroup", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access to RDP", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "3333-3389" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="20" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "securitygroup", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access to RDP", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "3333-3389" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + }, + "name": "sr" + } + + ] + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="21" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security group", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": { + "securityRules": [ + { + "id": "id", + "properties": { + "description": "access to RDP", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "3389", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule" + } + ] + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="15" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "sample/securitygroup", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access to RDP", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "3333-3389" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="22" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "securitygroup", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access to RDP", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "3333-3389" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + }, + "name": "sr" + } + + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security group", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": { + "securityRules": [ + { + "id": "id", + "properties": { + "description": "access to RDP", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "3389", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule" + } + ] + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "sample/securitygroup", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "4030-5100" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "securitygroup", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "6634" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + }, + "name": "sr" + } + + ] + } + ], + "outputs": {} +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security group", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": { + "securityRules": [ + { + "id": "id", + "properties": { + "description": "access to RDP", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "3389", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Deny", + "priority": 301, + "direction": "Inbound" + }, + "name": "security rule" + } + ] + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "sample/securitygroup", + "type": "Microsoft.Network/networkSecurityGroups/securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "4030-5100" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "securitygroup", + "type": "Microsoft.Network/networkSecurityGroups", + "apiVersion": "2020-11-01", + "location": "location1", + "tags": {}, + "properties": {}, + "resources": [ + { + "type": "securityRules", + "apiVersion": "2020-11-01", + "properties": { + "description": "access", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRanges": [ + "6634" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + }, + "name": "sr" + } + + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/6797f581-0433-4768-ae3e-7ceb2f8b138e.md b/docs/queries/azureresourcemanager-queries/azure/6797f581-0433-4768-ae3e-7ceb2f8b138e.md new file mode 100644 index 00000000000..683b52a8fca --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/6797f581-0433-4768-ae3e-7ceb2f8b138e.md @@ -0,0 +1,1240 @@ +--- +title: Azure Instance Using Basic Authentication +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6797f581-0433-4768-ae3e-7ceb2f8b138e +- **Query name:** Azure Instance Using Basic Authentication +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/azure_instance_using_basic_authentication) + +### Description +Azure Instances should use SSH Key instead of basic authentication
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines?tabs=json#linuxconfiguration-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="53" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location for all resources." + } + }, + "adminUsername": { + "type": "string", + "metadata": { + "description": "Specifies a username for the Virtual Machine." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "description" + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]", + "networkInterfaceName": "[concat(parameters('projectName'), '-nic')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-03-01", + "name": "[variables('vmName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[variables('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": false + } + }, + "storageProfile": { + "imageReference": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "18.04-LTS", + "version": "latest" + }, + "osDisk": { + "createOption": "fromImage" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": 
"[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + } + ] + } + } + } + ] +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="40" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location for all resources." + } + }, + "adminUsername": { + "type": "string", + "metadata": { + "description": "Specifies a username for the Virtual Machine." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "description" + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]", + "networkInterfaceName": "[concat(parameters('projectName'), '-nic')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-03-01", + "name": "[variables('vmName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[variables('vmName')]", + "adminUsername": "[parameters('adminUsername')]" + }, + "storageProfile": { + "imageReference": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "18.04-LTS", + "version": "latest" + }, + "osDisk": { + "createOption": "fromImage" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + } + ] + } + } + } + ] +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="55" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location for all resources." + } + }, + "adminUsername": { + "type": "string", + "metadata": { + "description": "Specifies a username for the Virtual Machine." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "description" + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]", + "networkInterfaceName": "[concat(parameters('projectName'), '-nic')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-03-01", + "name": "[variables('vmName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[variables('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": false + } + }, + "storageProfile": { + "imageReference": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "18.04-LTS", + "version": "latest" + }, + "osDisk": { + "createOption": "fromImage" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + } + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": 
"myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="42" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location for all resources." + } + }, + "adminUsername": { + "type": "string", + "metadata": { + "description": "Specifies a username for the Virtual Machine." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "description" + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]", + "networkInterfaceName": "[concat(parameters('projectName'), '-nic')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-03-01", + "name": "[variables('vmName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[variables('vmName')]", + "adminUsername": "[parameters('adminUsername')]" + }, + "storageProfile": { + "imageReference": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "18.04-LTS", + "version": "latest" + }, + "osDisk": { + "createOption": "fromImage" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + } + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location for all resources." + } + }, + "adminUsername": { + "type": "string", + "metadata": { + "description": "Specifies a username for the Virtual Machine." + } + }, + "adminPublicKey": { + "type": "string", + "metadata": { + "description": "Specifies the SSH rsa public key file as a string. Use \"ssh-keygen -t rsa -b 2048\" to generate your SSH key pairs." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "description" + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]", + "networkInterfaceName": "[concat(parameters('projectName'), '-nic')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-03-01", + "name": "[variables('vmName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[variables('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]", + "keyData": "[parameters('adminPublicKey')]" + } + ] + } + } + }, + "storageProfile": { + "imageReference": { + "publisher": "Canonical", + "offer": 
"UbuntuServer", + "sku": "18.04-LTS", + "version": "latest" + }, + "osDisk": { + "createOption": "fromImage" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + } + ] + } + } + } + ] +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.4.1.14562", + "templateHash": "8381960602397537918" + } + }, + "parameters": { + "adminUsername": { + "type": "string", + "metadata": { + "description": "Username for the Virtual Machine." + } + }, + "adminPassword": { + "type": "secureString", + "minLength": 12, + "metadata": { + "description": "Password for the Virtual Machine." + } + }, + "OSVersion": { + "type": "string", + "defaultValue": "2019-Datacenter", + "allowedValues": [ + "2008-R2-SP1", + "2012-Datacenter", + "2012-R2-Datacenter", + "2016-Nano-Server", + "2016-Datacenter-with-Containers", + "2016-Datacenter", + "2019-Datacenter", + "2019-Datacenter-Core", + "2019-Datacenter-Core-smalldisk", + "2019-Datacenter-Core-with-Containers", + "2019-Datacenter-Core-with-Containers-smalldisk", + "2019-Datacenter-smalldisk", + "2019-Datacenter-with-Containers", + "2019-Datacenter-with-Containers-smalldisk" + ], + "metadata": { + "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2_v3", + "metadata": { + "description": "Size of the virtual machine." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "vmName": { + "type": "string", + "defaultValue": "simple-vm", + "metadata": { + "description": "Name of the virtual machine." 
+ } + } + }, + "functions": [], + "variables": { + "storageAccountName": "[format('bootdiags{0}', uniqueString(resourceGroup().id))]", + "nicName": "myVMNic" + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-03-01", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[parameters('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "adminPassword": "[parameters('adminPassword')]" + }, + "storageProfile": { + "imageReference": { + "publisher": "MicrosoftWindowsServer", + "offer": "WindowsServer", + "sku": "[parameters('OSVersion')]", + "version": "latest" + }, + "osDisk": { + "createOption": "FromImage", + "managedDisk": { + "storageAccountType": "StandardSSD_LRS" + } + }, + "dataDisks": [ + { + "diskSizeGB": 1023, + "lun": 0, + "createOption": "Empty" + } + ] + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]" + } + ] + }, + "diagnosticsProfile": { + "bootDiagnostics": { + "enabled": true, + "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))).primaryEndpoints.blob]" + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" + ] + } + ] +} + +``` +```json title="Negative test num. 3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "projectName": { + "type": "string", + "metadata": { + "description": "Specifies a name for generating resource names." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location for all resources." + } + }, + "adminUsername": { + "type": "string", + "metadata": { + "description": "Specifies a username for the Virtual Machine." + } + }, + "adminPublicKey": { + "type": "string", + "metadata": { + "description": "Specifies the SSH rsa public key file as a string. Use \"ssh-keygen -t rsa -b 2048\" to generate your SSH key pairs." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2s_v3", + "metadata": { + "description": "description" + } + } + }, + "variables": { + "vmName": "[concat(parameters('projectName'), '-vm')]", + "networkInterfaceName": "[concat(parameters('projectName'), '-nic')]" + }, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines", + "apiVersion": "2021-03-01", + "name": "[variables('vmName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[variables('vmName')]", + "adminUsername": "[parameters('adminUsername')]", + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + "path": "[concat('/home/', parameters('adminUsername'), '/.ssh/authorized_keys')]", + "keyData": "[parameters('adminPublicKey')]" + } + ] + } + } + }, + "storageProfile": { + "imageReference": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "18.04-LTS", + "version": "latest" + }, + "osDisk": { + "createOption": "fromImage" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]" + } + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": 
"Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.4.1.14562", + "templateHash": "8381960602397537918" + } + }, + "parameters": { + "adminUsername": { + "type": "string", + "metadata": { + "description": "Username for the Virtual Machine." + } + }, + "adminPassword": { + "type": "secureString", + "minLength": 12, + "metadata": { + "description": "Password for the Virtual Machine." + } + }, + "OSVersion": { + "type": "string", + "defaultValue": "2019-Datacenter", + "allowedValues": [ + "2008-R2-SP1", + "2012-Datacenter", + "2012-R2-Datacenter", + "2016-Nano-Server", + "2016-Datacenter-with-Containers", + "2016-Datacenter", + "2019-Datacenter", + "2019-Datacenter-Core", + "2019-Datacenter-Core-smalldisk", + "2019-Datacenter-Core-with-Containers", + "2019-Datacenter-Core-with-Containers-smalldisk", + "2019-Datacenter-smalldisk", + "2019-Datacenter-with-Containers", + "2019-Datacenter-with-Containers-smalldisk" + ], + "metadata": { + "description": "The Windows version for the VM. This will pick a fully patched image of this given Windows version." + } + }, + "vmSize": { + "type": "string", + "defaultValue": "Standard_D2_v3", + "metadata": { + "description": "Size of the virtual machine." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + }, + "vmName": { + "type": "string", + "defaultValue": "simple-vm", + "metadata": { + "description": "Name of the virtual machine." 
+ }
+ }
+ },
+ "functions": [],
+ "variables": {
+ "storageAccountName": "[format('bootdiags{0}', uniqueString(resourceGroup().id))]",
+ "nicName": "myVMNic"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2021-03-01",
+ "name": "[parameters('vmName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "hardwareProfile": {
+ "vmSize": "[parameters('vmSize')]"
+ },
+ "osProfile": {
+ "computerName": "[parameters('vmName')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "adminPassword": "[parameters('adminPassword')]"
+ },
+ "storageProfile": {
+ "imageReference": {
+ "publisher": "MicrosoftWindowsServer",
+ "offer": "WindowsServer",
+ "sku": "[parameters('OSVersion')]",
+ "version": "latest"
+ },
+ "osDisk": {
+ "createOption": "FromImage",
+ "managedDisk": {
+ "storageAccountType": "StandardSSD_LRS"
+ }
+ },
+ "dataDisks": [
+ {
+ "diskSizeGB": 1023,
+ "lun": 0,
+ "createOption": "Empty"
+ }
+ ]
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]"
+ }
+ ]
+ },
+ "diagnosticsProfile": {
+ "bootDiagnostics": {
+ "enabled": true,
+ "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))).primaryEndpoints.blob]"
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
+ ]
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
+
Negative test num. 5 - json file
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "virtualMachineName": {
+ "type": "String",
+ "defaultValue": "myVM",
+ "metadata": {
+ "description": "The name of the VM"
+ }
+ },
+ "virtualMachineSize": {
+ "type": "String",
+ "defaultValue": "Standard_D8s_v3",
+ "metadata": {
+ "description": "The virtual machine size."
+ }
+ },
+ "existingVirtualNetworkName": {
+ "type": "String",
+ "metadata": {
+ "description": "Specify the name of an existing VNet in the same resource group"
+ }
+ },
+ "existingVnetResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "description": "Specify the resrouce group of the existing VNet"
+ },
+ "defaultValue": "[resourceGroup().name]"
+ },
+ "existingSubnetName": {
+ "type": "String",
+ "metadata": {
+ "description": "Specify the name of the Subnet Name"
+ }
+ },
+ "imageOffer": {
+ "type": "String",
+ "allowedValues": [
+ "sql2019-ws2019",
+ "sql2017-ws2019",
+ "SQL2017-WS2016",
+ "SQL2016SP1-WS2016",
+ "SQL2016SP2-WS2016",
+ "SQL2014SP3-WS2012R2",
+ "SQL2014SP2-WS2012R2"
+ ],
+ "defaultValue": "sql2019-ws2019",
+ "metadata": {
+ "description": "Windows Server and SQL Offer"
+ }
+ },
+ "sqlSku": {
+ "type": "String",
+ "allowedValues": [
+ "Standard",
+ "Enterprise",
+ "SQLDEV",
+ "Web",
+ "Express"
+ ],
+ "defaultValue": "Standard",
+ "metadata": {
+ "description": "SQL Server Sku"
+ }
+ },
+ "zone": {
+ "defaultValue": 1,
+ "allowedValues": [
+ 1,
+ 2,
+ 3
+ ],
+ "type": "Int",
+ "metadata": {
+ "description": "Zone to deploy to"
+ }
+ },
+ "adminUsername": {
+ "type": "String",
+ "metadata": {
+ "description": "The admin user name of the VM"
+ }
+ },
+ "adminPassword": {
+ "type": "SecureString",
+ "metadata": {
+ "description": "The admin password of the VM"
+ }
+ },
+ "storageWorkloadType": {
+ "type": "String",
+ "allowedValues": [
+ "General",
+ "OLTP",
+ "DW"
+ ],
+ 
"defaultValue": "General",
+ "metadata": {
+ "description": "SQL Server Workload Type"
+ }
+ },
+ "sqlDataDisksCount": {
+ "type": "int",
+ "defaultValue": 1,
+ "minValue": 1,
+ "maxValue": 8,
+ "metadata": {
+ "description": "Amount of data disks (1TB each) for SQL Data files"
+ }
+ },
+ "dataPath": {
+ "type": "String",
+ "defaultValue": "F:\\SQLData",
+ "metadata": {
+ "description": "Path for SQL Data files. Please choose drive letter from F to Z, and other drives from A to E are reserved for system"
+ }
+ },
+ "sqlLogUltraSSDDiskSizeInGB": {
+ "defaultValue": 512,
+ "type": "int",
+ "metadata": {
+ "description": "SQL Log UltraSSD Disk size in GiB."
+ }
+ },
+ "sqlLogUltraSSDdiskIOPSReadWrite": {
+ "defaultValue": 20000,
+ "type": "int",
+ "metadata": {
+ "description": "SQL Log UltraSSD Disk IOPS value representing the maximum IOPS that the disk can achieve."
+ }
+ },
+ "sqlLogUltraSSDdiskMbpsReadWrite": {
+ "defaultValue": 500,
+ "type": "int",
+ "metadata": {
+ "description": "SQL Log UltraSSD Disk MBps value representing the maximum throughput that the disk can achieve."
+ }
+ },
+ "logPath": {
+ "type": "String",
+ "defaultValue": "G:\\SQLLog",
+ "metadata": {
+ "description": "Path for SQL Log files. Please choose drive letter from F to Z and different than the one used for SQL data. Drive letter from A to E are reserved for system"
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "Location for all resources." 
+ },
+ "allowedValues": [
+ "East US 2",
+ "SouthEast Asia",
+ "North Europe"
+ ]
+ }
+ },
+ "variables": {
+ "networkInterfaceName": "[concat(parameters('virtualMachineName'), '-nic')]",
+ "networkSecurityGroupName": "[concat(parameters('virtualMachineName'), '-nsg')]",
+ "networkSecurityGroupRules": [
+ {
+ "name": "RDP",
+ "properties": {
+ "priority": 300,
+ "protocol": "TCP",
+ "access": "Allow",
+ "direction": "Inbound",
+ "sourceAddressPrefix": "*",
+ "sourcePortRange": "*",
+ "destinationAddressPrefix": "*",
+ "destinationPortRange": "3389"
+ }
+ }
+ ],
+ "publicIpAddressName": "[concat(parameters('virtualMachineName'), '-publicip-', uniqueString(parameters('virtualMachineName')))]",
+ "publicIpAddressType": "Dynamic",
+ "publicIpAddressSku": "Basic",
+ "diskConfigurationType": "NEW",
+ "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]",
+ "subnetRef": "[resourceID(parameters('existingVNetResourceGroup'), 'Microsoft.Network/virtualNetWorks/subnets', parameters('existingVirtualNetworkName'), parameters('existingSubNetName'))]",
+ "dataDisksLuns": "[array(range(0 ,parameters('sqlDataDisksCount')))]",
+ "logDisksLuns": "[array(range(parameters('sqlDataDisksCount'), 1))]",
+ "dataDisks": {
+ "createOption": "empty",
+ "caching": "ReadOnly",
+ "writeAcceleratorEnabled": false,
+ "storageAccountType": "Premium_LRS",
+ "diskSizeGB": 1023
+ },
+ "tempDbPath": "D:\\SQLTempdb"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Compute/disks",
+ "apiVersion": "2019-11-01",
+ "name": "[concat(parameters('virtualMachineName'),'-dataDisk-UltraSSD-',copyIndex())]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "UltraSSD_LRS"
+ },
+ "zones": [
+ "[parameters('zone')]"
+ ],
+ "properties": {
+ "creationData": {
+ "createOption": "Empty"
+ },
+ "encryptionSettingsCollection": {
+ "enabled": false,
+ "encryptionSettings": [
+ {
+ "diskEncryptionKey": {
+ "sourceVault": {
+ "id": 
"/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myVMVault"
+ },
+ "secretUrl": "https://myvmvault.vault-int.azure-int.net/secrets/{secret}"
+ },
+ "keyEncryptionKey": {
+ "sourceVault": {
+ "id": "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myVMVault"
+ },
+ "keyUrl": "https://myvmvault.vault-int.azure-int.net/keys/{key}"
+ }
+ }
+ ]
+ },
+ "diskSizeGB": "[parameters('sqlLogUltraSSDDiskSizeInGB')]",
+ "diskIOPSReadWrite": "[parameters('sqlLogUltraSSDdiskIOPSReadWrite')]",
+ "diskMBpsReadWrite": "[parameters('sqlLogUltraSSDdiskMbpsReadWrite')]"
+ },
+ "copy": {
+ "name": "UltraSSDLoop",
+ "count": 1
+ }
+ },
+ {
+ "type": "Microsoft.Network/publicIpAddresses",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('publicIpAddressName')]",
+ "location": "[parameters('location')]",
+ "sku": {
+ "name": "[variables('publicIpAddressSku')]"
+ },
+ "zones": [
+ "[parameters('zone')]"
+ ],
+ "properties": {
+ "publicIpAllocationMethod": "[variables('publicIpAddressType')]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkSecurityGroups",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('networkSecurityGroupName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "securityRules": "[variables('networkSecurityGroupRules')]"
+ }
+ },
+ {
+ "type": "Microsoft.Network/networkInterfaces",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('networkInterfaceName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkSecurityGroups/', variables('networkSecurityGroupName'))]",
+ "[resourceId('Microsoft.Network/publicIpAddresses/', variables('publicIpAddressName'))]"
+ ],
+ "properties": {
+ "ipConfigurations": [
+ {
+ "name": "ipconfig1",
+ "properties": {
+ "subnet": {
+ "id": "[variables('subnetRef')]"
+ },
+ "privateIPAllocationMethod": "Dynamic",
+ "publicIpAddress": {
+ "id": 
"[resourceId('Microsoft.Network/publicIpAddresses', variables('publicIpAddressName'))]"
+ }
+ }
+ }
+ ],
+ "enableAcceleratedNetworking": true,
+ "networkSecurityGroup": {
+ "id": "[variables('nsgId')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2019-12-01",
+ "name": "[parameters('virtualMachineName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Network/networkInterfaces/', variables('networkInterfaceName'))]",
+ "UltraSSDLoop",
+ "PremiumSSDLoop"
+ ],
+ "zones": [
+ "[parameters('zone')]"
+ ],
+ "properties": {
+ "hardwareProfile": {
+ "vmSize": "[parameters('virtualMachineSize')]"
+ },
+ "additionalCapabilities": {
+ "ultraSSDEnabled": "true"
+ },
+ "storageProfile": {
+ "osDisk": {
+ "createOption": "fromImage",
+ "managedDisk": {
+ "storageAccountType": "Premium_LRS"
+ }
+ },
+ "imageReference": {
+ "publisher": "MicrosoftSQLServer",
+ "offer": "[parameters('imageOffer')]",
+ "sku": "[parameters('sqlSku')]",
+ "version": "latest"
+ },
+ "copy": [
+ {
+ "name": "dataDisks",
+ "count": "[add(parameters('sqlDataDisksCount'), 1)]",
+ "input": {
+ "lun": "[copyIndex('dataDisks')]",
+ "createOption": "attach",
+ "caching": "[if(greaterOrEquals(copyIndex('dataDisks'), parameters('sqlDataDisksCount')), 'None', variables('dataDisks').caching)]",
+ "managedDisk": {
+ "id": "[if(greaterOrEquals(copyIndex('dataDisks'), parameters('sqlDataDisksCount')), resourceId('Microsoft.Compute/disks/', concat(parameters('virtualMachineName'),'-dataDisk-UltraSSD-0')), resourceId('Microsoft.Compute/disks/', concat(parameters('virtualMachineName'),'-dataDisk-',copyIndex('dataDisks'))))]"
+ }
+ }
+ }
+ ]
+ },
+ "networkProfile": {
+ "networkInterfaces": [
+ {
+ "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('networkInterfaceName'))]"
+ }
+ ]
+ },
+ "osProfile": {
+ "computerName": "[parameters('virtualMachineName')]",
+ "adminUsername": "[parameters('adminUsername')]",
+ "adminPassword": 
"[parameters('adminPassword')]",
+ "windowsConfiguration": {
+ "enableAutomaticUpdates": true,
+ "provisionVmAgent": true
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.SqlVirtualMachine/SqlVirtualMachines",
+ "apiVersion": "2017-03-01-preview",
+ "name": "[parameters('virtualMachineName')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Compute/virtualMachines', parameters('virtualMachineName'))]"
+ ],
+ "properties": {
+ "virtualMachineResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('virtualMachineName'))]",
+ "sqlManagement": "Full",
+ "SqlServerLicenseType": "PAYG",
+ "StorageConfigurationSettings": {
+ "DiskConfigurationType": "[variables('diskConfigurationType')]",
+ "StorageWorkloadType": "[parameters('storageWorkloadType')]",
+ "SQLDataSettings": {
+ "LUNs": "[variables('dataDisksLUNs')]",
+ "DefaultFilePath": "[parameters('dataPath')]"
+ },
+ "SQLLogSettings": {
+ "Luns": "[variables('logDisksLUNs')]",
+ "DefaultFilePath": "[parameters('logPath')]"
+ },
+ "SQLTempDbSettings": {
+ "DefaultFilePath": "[variables('tempDbPath')]"
+ }
+ }
+ }
+ }
+ ]
+}
+
+```
+
diff --git a/docs/queries/azureresourcemanager-queries/azure/6a3201a5-1630-494b-b294-3129d06b0eca.md b/docs/queries/azureresourcemanager-queries/azure/6a3201a5-1630-494b-b294-3129d06b0eca.md
new file mode 100644
index 00000000000..12c3c0878c2
--- /dev/null
+++ b/docs/queries/azureresourcemanager-queries/azure/6a3201a5-1630-494b-b294-3129d06b0eca.md
@@ -0,0 +1,293 @@
+---
+title: SQL Database Server Firewall Allows All IPS
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6a3201a5-1630-494b-b294-3129d06b0eca
+- **Query name:** SQL Database Server Firewall Allows All IPS
+- **Platform:** AzureResourceManager
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/sql_database_server_firewall_allows_all_ips)
+
+### Description
+SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2014-04-01/servers/firewallrules?tabs=json)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```json title="Postitive test num. 1 - json file" hl_lines="31"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "sqlServer1",
+ "type": "Microsoft.Sql/servers",
+ "apiVersion": "2021-02-01-preview",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "displayName": "sqlServer1"
+ },
+ "properties": {
+ "administratorLogin": "adminUsername",
+ "administratorLoginPassword": "adminPassword"
+ },
+ "resources": [
+ {
+ "type": "firewallRules",
+ "apiVersion": "2021-02-01-preview",
+ "dependsOn": [
+ "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
+ ],
+ "location": "[resourceGroup().location]",
+ "name": "AllowAllWindowsAzureIps",
+ "properties": {
+ "endIpAddress": "255.255.255.255",
+ "startIpAddress": "0.0.0.0"
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {}
+}
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="14"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/firewallRules",
+ "apiVersion": "2021-02-01-preview",
+ "name": "sample/firewall",
+ "properties": {
+ "endIpAddress": "255.255.255.255",
+ "startIpAddress": "0.0.0.0/0"
+ }
+ }
+ ],
+ "outputs": {}
+}
+
+```
+```json title="Postitive test num. 
3 - json file" hl_lines="33"
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "sqlServer1",
+ "type": "Microsoft.Sql/servers",
+ "apiVersion": "2021-02-01-preview",
+ "location": "[resourceGroup().location]",
+ "tags": {
+ "displayName": "sqlServer1"
+ },
+ "properties": {
+ "administratorLogin": "adminUsername",
+ "administratorLoginPassword": "adminPassword"
+ },
+ "resources": [
+ {
+ "type": "firewallRules",
+ "apiVersion": "2021-02-01-preview",
+ "dependsOn": [
+ "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
+ ],
+ "location": "[resourceGroup().location]",
+ "name": "AllowAllWindowsAzureIps",
+ "properties": {
+ "endIpAddress": "255.255.255.255",
+ "startIpAddress": "0.0.0.0"
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="16"
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/firewallRules",
+ "apiVersion": "2021-02-01-preview",
+ "name": "sample/firewall",
+ "properties": {
+ "endIpAddress": "255.255.255.255",
+ "startIpAddress": "0.0.0.0/0"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```json title="Negative test num. 1 - json file"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/firewallRules",
+ "apiVersion": "2021-02-01-preview",
+ "name": "sample/firewall",
+ "properties": {
+ "endIpAddress": "0.0.0.0",
+ "startIpAddress": "0.0.0.0"
+ }
+ }
+ ],
+ "outputs": {}
+}
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/firewallRules",
+ "apiVersion": "2021-02-01-preview",
+ "name": "sample/firewall",
+ "properties": {
+ "endIpAddress": "192.168.1.2",
+ "startIpAddress": "192.168.1.254"
+ }
+ }
+ ],
+ "outputs": {}
+}
+
+```
+```json title="Negative test num. 3 - json file"
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/firewallRules",
+ "apiVersion": "2021-02-01-preview",
+ "name": "sample/firewall",
+ "properties": {
+ "endIpAddress": "0.0.0.0",
+ "startIpAddress": "0.0.0.0"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
Negative test num. 4 - json file
+
+```json
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/firewallRules",
+ "apiVersion": "2021-02-01-preview",
+ "name": "sample/firewall",
+ "properties": {
+ "endIpAddress": "192.168.1.2",
+ "startIpAddress": "192.168.1.254"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
diff --git a/docs/queries/azureresourcemanager-queries/azure/70111098-7f85-48f0-b1b4-e4261cf5f61b.md b/docs/queries/azureresourcemanager-queries/azure/70111098-7f85-48f0-b1b4-e4261cf5f61b.md
new file mode 100644
index 00000000000..6eaceb1123b
--- /dev/null
+++ b/docs/queries/azureresourcemanager-queries/azure/70111098-7f85-48f0-b1b4-e4261cf5f61b.md
@@ -0,0 +1,296 @@
+---
+title: Website with 'Http20Enabled' Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 70111098-7f85-48f0-b1b4-e4261cf5f61b
+- **Query name:** Website with 'Http20Enabled' Disabled
+- **Platform:** AzureResourceManager
+- **Severity:** Low
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/website_with_http20enabled_disabled)
+
+### Description
+'Microsoft.Web/sites' should have 'Http20Enabled' enabled
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```json title="Postitive test num. 1 - json file" hl_lines="15"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "webSite",
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-12-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {
+ "enabled": true,
+ "httpsOnly": true
+ },
+ "resources": []
+ }
+ ],
+ "outputs": {}
+}
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="15"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "webSite",
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-12-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {
+ "enabled": true,
+ "httpsOnly": true,
+ "siteConfig": {
+ "http20Enabled": false
+ }
+ },
+ "resources": []
+ }
+ ],
+ "outputs": {}
+}
+
+```
+```json title="Postitive test num. 3 - json file" hl_lines="15"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "webSite",
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-12-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {
+ "enabled": true,
+ "httpsOnly": true,
+ "siteConfig": {}
+ },
+ "resources": []
+ }
+ ],
+ "outputs": {}
+}
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="17"
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "webSite",
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-12-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {
+ "enabled": true,
+ "httpsOnly": true
+ },
+ "resources": []
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
+
Postitive test num. 5 - json file
+
+```json hl_lines="17"
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "webSite",
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-12-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {
+ "enabled": true,
+ "httpsOnly": true,
+ "siteConfig": {
+ "http20Enabled": false
+ }
+ },
+ "resources": []
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
+
Postitive test num. 6 - json file
+
+```json hl_lines="17"
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "webSite",
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-12-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {
+ "enabled": true,
+ "httpsOnly": true,
+ "siteConfig": {}
+ },
+ "resources": []
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```json title="Negative test num. 1 - json file"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "webSite",
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-12-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {
+ "enabled": true,
+ "httpsOnly": true,
+ "siteConfig": {
+ "http20Enabled": true
+ }
+ },
+ "resources": []
+ }
+ ],
+ "outputs": {}
+}
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "webSite",
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2020-12-01",
+ "location": "location1",
+ "tags": {},
+ "properties": {
+ "enabled": true,
+ "httpsOnly": true,
+ "siteConfig": {
+ "http20Enabled": true
+ }
+ },
+ "resources": []
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
diff --git a/docs/queries/azureresourcemanager-queries/azure/79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md b/docs/queries/azureresourcemanager-queries/azure/79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md
new file mode 100644
index 00000000000..ab0d7bd8864
--- /dev/null
+++ b/docs/queries/azureresourcemanager-queries/azure/79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92.md 
@@ -0,0 +1,554 @@
+---
+title: Email Notifications Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 79c2c2c0-eb00-47c0-ac16-f8b0e2c81c92
+- **Query name:** Email Notifications Disabled
+- **Platform:** AzureResourceManager
+- **Severity:** Info
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/email_notifications_set_off)
+
+### Description
+Email notifications about new security alerts, should be set to 'On', and be sent to persons with specific RBAC roles on the subscription
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```json title="Postitive test num. 1 - json file" hl_lines="17"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "security contact",
+ "type": "Microsoft.Security/securityContacts",
+ "apiVersion": "2020-01-01-preview",
+ "properties": {
+ "emails": "sample@email.com",
+ "phone": "9999999",
+ "alertNotifications": {
+ "state": "Off",
+ "minimalSeverity": "High"
+ },
+ "notificationsByRole": {
+ "state": "On",
+ "roles": [
+ "Owner"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="13"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "security contact",
+ "type": "Microsoft.Security/securityContacts",
+ "apiVersion": "2020-01-01-preview",
+ "properties": {
+ "emails": "sample@email.com",
+ "phone": "9999999",
+ "notificationsByRole": {
+ "state": "On",
+ "roles": [
+ "Owner"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
+
+```
+```json title="Postitive test num. 
3 - json file" hl_lines="16"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "security contact",
+ "type": "Microsoft.Security/securityContacts",
+ "apiVersion": "2020-01-01-preview",
+ "properties": {
+ "emails": "sample@email.com",
+ "phone": "9999999",
+ "alertNotifications": {
+ "minimalSeverity": "High"
+ },
+ "notificationsByRole": {
+ "state": "On",
+ "roles": [
+ "Owner"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="13"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "security contact",
+ "type": "Microsoft.Security/securityContacts",
+ "apiVersion": "2020-01-01-preview",
+ "properties": {
+ "emails": "sample@email.com",
+ "phone": "9999999",
+ "alertNotifications": {
+ "state": "On",
+ "minimalSeverity": "High"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
+
+```
+
+
Postitive test num. 5 - json file
+
+```json hl_lines="21"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "security contact",
+ "type": "Microsoft.Security/securityContacts",
+ "apiVersion": "2020-01-01-preview",
+ "properties": {
+ "emails": "sample@email.com",
+ "phone": "9999999",
+ "alertNotifications": {
+ "state": "On",
+ "minimalSeverity": "High"
+ },
+ "notificationsByRole": {
+ "state": "Off",
+ "roles": [
+ "Owner"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
+
+```
+
+
Postitive test num. 6 - json file
+
+```json hl_lines="20"
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "security contact",
+ "type": "Microsoft.Security/securityContacts",
+ "apiVersion": "2020-01-01-preview",
+ "properties": {
+ "emails": "sample@email.com",
+ "phone": "9999999",
+ "alertNotifications": {
+ "state": "On",
+ "minimalSeverity": "High"
+ },
+ "notificationsByRole": {
+ "roles": [
+ "Owner"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
+
+```
+
+
Postitive test num. 7 - json file
+
+```json hl_lines="19"
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "security contact",
+ "type": "Microsoft.Security/securityContacts",
+ "apiVersion": "2020-01-01-preview",
+ "properties": {
+ "emails": "sample@email.com",
+ "phone": "9999999",
+ "alertNotifications": {
+ "state": "Off",
+ "minimalSeverity": "High"
+ },
+ "notificationsByRole": {
+ "state": "On",
+ "roles": [
+ "Owner"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
+
Postitive test num. 8 - json file
+
+```json hl_lines="15"
+{
+ "properties": {
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "2.0.0.0",
+ "apiProfile": "2019-03-01-hybrid",
+ "parameters": {},
+ "variables": {},
+ "functions": [],
+ "resources": [
+ {
+ "name": "security contact",
+ "type": "Microsoft.Security/securityContacts",
+ "apiVersion": "2020-01-01-preview",
+ "properties": {
+ "emails": "sample@email.com",
+ "phone": "9999999",
+ "notificationsByRole": {
+ "state": "On",
+ "roles": [
+ "Owner"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {}
+ },
+ "kind": "template",
+ "type": "Microsoft.Blueprint/blueprints/artifacts",
+ "name": "myTemplate"
+}
+
+```
+
+
Postitive test num. 9 - json file + +```json hl_lines="18" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "phone": "9999999", + "alertNotifications": { + "minimalSeverity": "High" + }, + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 10 - json file + +```json hl_lines="15" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "phone": "9999999", + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 11 - json file + +```json hl_lines="23" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "phone": "9999999", + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + }, + "notificationsByRole": { + "state": "Off", + "roles": [ + "Owner" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 12 - json file + +```json hl_lines="22" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "phone": "9999999", + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + }, + "notificationsByRole": { + "roles": [ + "Owner" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "phone": "9999999", + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + }, + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + } + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "security contact", + "type": "Microsoft.Security/securityContacts", + "apiVersion": "2020-01-01-preview", + "properties": { + "emails": "sample@email.com", + "phone": "9999999", + "alertNotifications": { + "state": "On", + "minimalSeverity": "High" + }, + "notificationsByRole": { + "state": "On", + "roles": [ + "Owner" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md b/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md new file mode 100644 index 00000000000..4e0b3a109fd --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/7c25f361-7c66-44bf-9b69-022acd5eb4bd.md 
@@ -0,0 +1,364 @@ +--- +title: Key Vault Not Recoverable +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7c25f361-7c66-44bf-9b69-022acd5eb4bd +- **Query name:** Key Vault Not Recoverable +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/key_vault_not_recoverable) + +### Description +Key Vault should have 'enableSoftDelete' and 'enablePurgeProtection' set to true
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/2019-09-01/vaults?tabs=json#vaultproperties-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="15" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVaultInstance", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2019-09-01", + "location": "location", + "tags": {}, + "properties": { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "sku": { + "family": "A", + "name": "standard" + }, + "accessPolicies": [ + { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "objectId": "99998888-8666-4144-9199-2d7cd0111111", + "permissions": { + "keys": [ + "encrypt" + ] + } + } + ], + "vaultUri": "string", + "enabledForDeployment": true, + "enabledForDiskEncryption": true, + "enabledForTemplateDeployment": true, + "enableSoftDelete": true, + "softDeleteRetentionInDays": 80, + "enableRbacAuthorization": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="39" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVaultInstance", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2019-09-01", + "location": "location", + "tags": {}, + "properties": { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "sku": { + "family": "A", + "name": "standard" + }, + "accessPolicies": [ + { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "objectId": "99998888-8666-4144-9199-2d7cd0111111", + "permissions": { + "keys": [ + "encrypt" + ] + } + } + ], + "vaultUri": "string", + "enabledForDeployment": true, + "enabledForDiskEncryption": true, + "enabledForTemplateDeployment": true, + "enableSoftDelete": true, + "softDeleteRetentionInDays": 80, + "enableRbacAuthorization": true, + "enablePurgeProtection": false + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="17" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVaultInstance", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2019-09-01", + "location": "location", + "tags": {}, + "properties": { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "sku": { + "family": "A", + "name": "standard" + }, + "accessPolicies": [ + { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "objectId": "99998888-8666-4144-9199-2d7cd0111111", + "permissions": { + "keys": [ + "encrypt" + ] + } + } + ], + "vaultUri": "string", + "enabledForDeployment": true, + "enabledForDiskEncryption": true, + "enabledForTemplateDeployment": true, + "enableSoftDelete": true, + "softDeleteRetentionInDays": 80, + "enableRbacAuthorization": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="41" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVaultInstance", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2019-09-01", + "location": "location", + "tags": {}, + "properties": { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "sku": { + "family": "A", + "name": "standard" + }, + "accessPolicies": [ + { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "objectId": "99998888-8666-4144-9199-2d7cd0111111", + "permissions": { + "keys": [ + "encrypt" + ] + } + } + ], + "vaultUri": "string", + "enabledForDeployment": true, + "enabledForDiskEncryption": true, + "enabledForTemplateDeployment": true, + "enableSoftDelete": true, + "softDeleteRetentionInDays": 80, + "enableRbacAuthorization": true, + "enablePurgeProtection": false + }, + "resources": [] + } + ], + "outputs": {} + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVaultInstance", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2019-09-01", + "location": "location", + "tags": {}, + "properties": { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "sku": { + "family": "A", + "name": "standard" + }, + "accessPolicies": [ + { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "objectId": "99998888-8666-4144-9199-2d7cd0111111", + "permissions": { + "keys": [ + "encrypt" + ] + } + } + ], + "vaultUri": "string", + "enabledForDeployment": true, + "enabledForDiskEncryption": true, + "enabledForTemplateDeployment": true, + "enableSoftDelete": true, + "softDeleteRetentionInDays": 80, + "enableRbacAuthorization": true, + "enablePurgeProtection": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVaultInstance", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2019-09-01", + "location": "location", + "tags": {}, + "properties": { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "sku": { + "family": "A", + "name": "standard" + }, + "accessPolicies": [ + { + "tenantId": "72f98888-8666-4144-9199-2d7cd0111111", + "objectId": "99998888-8666-4144-9199-2d7cd0111111", + "permissions": { + "keys": [ + "encrypt" + ] + } + } + ], + "vaultUri": "string", + "enabledForDeployment": true, + "enabledForDiskEncryption": true, + "enabledForTemplateDeployment": true, + "enableSoftDelete": true, + "softDeleteRetentionInDays": 80, + "enableRbacAuthorization": true, + "enablePurgeProtection": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/83130a07-235b-4a80-918b-a370e53f0bd9.md b/docs/queries/azureresourcemanager-queries/azure/83130a07-235b-4a80-918b-a370e53f0bd9.md new file mode 100644 index 00000000000..6acb237dbed --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/83130a07-235b-4a80-918b-a370e53f0bd9.md 
@@ -0,0 +1,729 @@ +--- +title: App Service Authentication Is Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 83130a07-235b-4a80-918b-a370e53f0bd9 +- **Query name:** App Service Authentication Is Not Set +- **Platform:** AzureResourceManager +- **Severity:** Info +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/app_service_authentication_not_set) + +### Description +Azure App Service should have App Service Authentication set
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites/config-web?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="37" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "resources": [ + { + "type": "config", + "name": "authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "enabled": false + } + } + ], + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + } + ] +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="33" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "resources": [ + { + "type": "config", + "name": "authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "alwaysOn": true + } + } + ], + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + } + ] +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="44" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Web/sites/config", + "name": "webApp1/authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "enabled": false + } + } + ] +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="40" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Web/sites/config", + "name": "webApp1/authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "alwaysOn": false + } + } + ] +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="39" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "resources": [ + { + "type": "config", + "name": "authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "enabled": false + } + } + ], + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="35" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "resources": [ + { + "type": "config", + "name": "authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "alwaysOn": true + } + } + ], + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="46" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Web/sites/config", + "name": "webApp1/authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "enabled": false + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="42" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Web/sites/config", + "name": "webApp1/authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "alwaysOn": false + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "resources": [ + { + "type": "config", + "name": "authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "enabled": true + } + } + ], + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + } + ] +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Web/sites/config", + "name": "webApp1/authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "enabled": true + } + } + ] +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "resources": [ + { + "type": "config", + "name": "authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "enabled": true + } + } + ], + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "appServicePlan1", + "type": "Microsoft.Web/serverfarms", + "apiVersion": "2018-02-01", + "location": "[resourceGroup().location]", + "sku": { + "name": "F1", + "capacity": 1 + }, + "tags": { + "displayName": "appServicePlan1" + }, + "properties": { + "name": "appServicePlan1" + } + }, + { + "name": "webApp1", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "[resourceGroup().location]", + "tags": { + "[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/appServicePlan1')]": "Resource", + "displayName": "webApp1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + ], + "properties": { + "name": "webApp1", + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'appServicePlan1')]" + } + }, + { + "type": "Microsoft.Web/sites/config", + "name": "webApp1/authsettings", + "apiVersion": "2020-12-01", + "dependsOn": [ "[resourceId('Microsoft.Web/sites', 'webApp1')]" ], + "properties": { + "enabled": true + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md b/docs/queries/azureresourcemanager-queries/azure/89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md new file mode 100644 index 00000000000..be9841a901b --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/89b79fe5-49bd-4d39-84ce-55f5fc6f7764.md @@ -0,0 +1,552 @@ +--- +title: SQL Alert Policy Without Emails +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 89b79fe5-49bd-4d39-84ce-55f5fc6f7764 +- **Query name:** SQL Alert Policy Without Emails +- **Platform:** AzureResourceManager +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/sql_alert_policy_without_emails) + +### Description +SQL Database Server should contain emails to be notified in the event of a Security Alert
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/securityalertpolicies?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="46" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2014-04-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/securityPolicy1", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "emailAccountAdmins": true, + "retentionDays": 4, + "state": "Enabled" + } + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="48" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2014-04-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/securityPolicy1", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [], + "retentionDays": 4, + "state": "Enabled" + } + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="48" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2014-04-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/securityPolicy1", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "", "" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ] + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="48" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2014-04-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/securityPolicy1", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "emailAccountAdmins": true, + "retentionDays": 4, + "state": "Enabled" + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="50" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2014-04-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/securityPolicy1", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [], + "retentionDays": 4, + "state": "Enabled" + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="50" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2014-04-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/securityPolicy1", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "", "" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2014-04-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/securityPolicy1", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2014-04-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/securityPolicy1", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/8fa9ceea-881f-4ef0-b0b8-728f589699a7.md b/docs/queries/azureresourcemanager-queries/azure/8fa9ceea-881f-4ef0-b0b8-728f589699a7.md new file mode 100644 index 00000000000..73de90855f9 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/8fa9ceea-881f-4ef0-b0b8-728f589699a7.md 
@@ -0,0 +1,258 @@ +--- +title: Role Definitions Allow Custom Subscription Role Creation +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8fa9ceea-881f-4ef0-b0b8-728f589699a7 +- **Query name:** Role Definitions Allow Custom Subscription Role Creation +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/role_definitions_allow_custom_subscription_role_creation) + +### Description +Role Definitions should not allow custom subscription role creation (actions set to '*' or 'Microsoft.Authorization/roleDefinitions/write')
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roledefinitions?tabs=json#permission-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="18" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "roleDef", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "properties": { + "roleName": "my-custom-role", + "description": "This is a custom role", + "permissions": [ + { + "actions": [ + "*" + ] + } + ], + "assignableScopes": [ + "[subscription().id]" + ] + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="18" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "roleDef", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "properties": { + "roleName": "my-custom-role", + "description": "This is a custom role", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleDefinitions/write" + ] + } + ], + "assignableScopes": [ + "[subscription().id]" + ] + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="20" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "roleDef", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "properties": { + "roleName": "my-custom-role", + "description": "This is a custom role", + "permissions": [ + { + "actions": [ + "*" + ] + } + ], + "assignableScopes": [ + "[subscription().id]" + ] + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="20" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "roleDef", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "properties": { + "roleName": "my-custom-role", + "description": "This is a custom role", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleDefinitions/write" + ] + } + ], + "assignableScopes": [ + "[subscription().id]" + ] + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "roleDef", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "properties": { + "roleName": "my-custom-role", + "description": "This is a custom role", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleDefinitions/read" + ] + } + ], + "assignableScopes": [ + "[subscription().id]" + ] + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "roleDef", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "properties": { + "roleName": "my-custom-role", + "description": "This is a custom role", + "permissions": [ + { + "actions": [ + "Microsoft.Authorization/roleDefinitions/read" + ] + } + ], + "assignableScopes": [ + "[subscription().id]" + ] + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/90120147-f2e7-4fda-bb21-6fa9109afd63.md b/docs/queries/azureresourcemanager-queries/azure/90120147-f2e7-4fda-bb21-6fa9109afd63.md new file mode 100644 index 00000000000..66ebdec4f0b --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/90120147-f2e7-4fda-bb21-6fa9109afd63.md 
@@ -0,0 +1,244 @@ +--- +title: MySQL Server SSL Enforcement Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 90120147-f2e7-4fda-bb21-6fa9109afd63 +- **Query name:** MySQL Server SSL Enforcement Disabled +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/mysql_server_ssl_enforcement_disabled) + +### Description +'Microsoft.DBforMySQL/servers' should enforce SSL
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.dbformysql/servers?tabs=json#serverpropertiesforcreate-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="16" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "server", + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "version": "5.6", + "createMode": "GeoRestore", + "sourceServerId": "id" + }, + "location": "location", + "tags": {}, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="18" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "server", + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "version": "5.6", + "sslEnforcement": "Disabled", + "createMode": "GeoRestore", + "sourceServerId": "id" + }, + "location": "location", + "tags": {}, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="18" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "server", + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "version": "5.6", + "createMode": "GeoRestore", + "sourceServerId": "id" + }, + "location": "location", + "tags": {}, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="20" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "server", + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "version": "5.6", + "sslEnforcement": "Disabled", + "createMode": "GeoRestore", + "sourceServerId": "id" + }, + "location": "location", + "tags": {}, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "server", + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "version": "5.6", + "sslEnforcement": "Enabled", + "createMode": "GeoRestore", + "sourceServerId": "id" + }, + "location": "location", + "tags": {}, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "server", + "type": "Microsoft.DBforMySQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "version": "5.6", + "sslEnforcement": "Enabled", + "createMode": "GeoRestore", + "sourceServerId": "id" + }, + "location": "location", + "tags": {}, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/9073f073-5d60-4b46-b569-0d6baa80ed95.md b/docs/queries/azureresourcemanager-queries/azure/9073f073-5d60-4b46-b569-0d6baa80ed95.md new file mode 100644 index 00000000000..b899536050c --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/9073f073-5d60-4b46-b569-0d6baa80ed95.md 
@@ -0,0 +1,368 @@ +--- +title: Storage Account Allows Default Network Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9073f073-5d60-4b46-b569-0d6baa80ed95 +- **Query name:** Storage Account Allows Default Network Access +- **Platform:** AzureResourceManager +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/storage_account_allows_network_default_access) + +### Description +'Microsoft.Storage/storageAccounts' should force the use of HTTPS
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#storageaccountpropertiescreateparameters-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="41" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountType": { + "type": "string", + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS", + "Standard_ZRS", + "Premium_LRS" + ], + "metadata": { + "description": "Storage Account type" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "storageAccountName": "[concat('store', uniquestring(resourceGroup().id))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('storageAccountType')]" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "defaultAction": "Allow" + } + } + } + ], + "outputs": { + "storageAccountName": { + "type": "string", + "value": "[variables('storageAccountName')]" + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="18" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive2", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2017-10-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": { + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="8" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive3", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2016-12-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "Storage", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": {} + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="43" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountType": { + "type": "string", + "defaultValue": "Standard_LRS", + "allowedValues": [ + "Standard_LRS", + "Standard_GRS", + "Standard_ZRS", + "Premium_LRS" + ], + "metadata": { + "description": "Storage Account type" + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "storageAccountName": "[concat('store', uniquestring(resourceGroup().id))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[variables('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "[parameters('storageAccountType')]" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "defaultAction": "Allow" + } + } + } + ], + "outputs": { + "storageAccountName": { + "type": "string", + "value": "[variables('storageAccountName')]" + } + } + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="20" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive2", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2017-10-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": { + } + } + ], + "outputs": {} + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="10" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Positive3", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2016-12-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "Storage", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": {} + } + ], + "outputs": {} + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Negative1", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-02-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": { + "networkAcls": { + "defaultAction": "Deny" + } + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "storageaccount1Negative1", + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2021-02-01", + "tags": { + "displayName": "storageaccount1" + }, + "location": "[resourceGroup().location]", + "kind": "StorageV2", + "sku": { + "name": "Premium_LRS", + "tier": "Premium" + }, + "properties": { + "networkAcls": { + "defaultAction": "Deny" + } + } + } + ], + "outputs": {} + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/92302b47-b0cc-46cb-a28f-5610ecda140b.md b/docs/queries/azureresourcemanager-queries/azure/92302b47-b0cc-46cb-a28f-5610ecda140b.md new file mode 100644 index 00000000000..7d0bca24f3a --- /dev/null 
+++ b/docs/queries/azureresourcemanager-queries/azure/92302b47-b0cc-46cb-a28f-5610ecda140b.md @@ -0,0 +1,214 @@ +--- +title: Website with Client Certificate Auth Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 92302b47-b0cc-46cb-a28f-5610ecda140b +- **Query name:** Website with Client Certificate Auth Disabled +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/website_with_client_certificate_auth_disabled) + +### Description +'Microsoft.Web/sites' should have client certificate authentication enabled
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteproperties-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="15" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="17" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "clientCertEnabled": false + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="17" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="19" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "clientCertEnabled": false + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "clientCertEnabled": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSite", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "clientCertEnabled": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/9307a2ed-35c2-413d-94de-a1a0682c2158.md b/docs/queries/azureresourcemanager-queries/azure/9307a2ed-35c2-413d-94de-a1a0682c2158.md new file mode 100644 index 00000000000..81c2ed4bc6a --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/9307a2ed-35c2-413d-94de-a1a0682c2158.md 
@@ -0,0 +1,346 @@ +--- +title: AKS Cluster RBAC Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9307a2ed-35c2-413d-94de-a1a0682c2158 +- **Query name:** AKS Cluster RBAC Disabled +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/aks_cluster_rbac_disabled) + +### Description +Microsoft.ContainerService/managedClusters should have enableRBAC set to true
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="36" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "enableRBAC": false, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="16" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="38" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "enableRBAC": false, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "enableRBAC": true, + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "enableRBAC": true, + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/9b09dee1-f09b-4013-91d2-158fa4695f4b.md b/docs/queries/azureresourcemanager-queries/azure/9b09dee1-f09b-4013-91d2-158fa4695f4b.md new file mode 100644 index 00000000000..87cf53b8f25 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/9b09dee1-f09b-4013-91d2-158fa4695f4b.md 
@@ -0,0 +1,353 @@ +--- +title: AKS Logging To Azure Monitoring Is Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9b09dee1-f09b-4013-91d2-158fa4695f4b +- **Query name:** AKS Logging To Azure Monitoring Is Disabled +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/aks_logging_azure_monitoring_disabled) + +### Description +Azure Kubernetes Service should have logging to Azure Monitoring enabled.
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteraddonprofile) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "addonProfiles": { + "omsagent": { + "enabled": false + } + }, + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ] +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="6" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ] +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="16" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "addonProfiles": { + "omsagent": { + "enabled": false + } + }, + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": 
"Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="8" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "addonProfiles": { + "omsagent": { + "enabled": true + } + }, + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ] +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "addonProfiles": { + "omsagent": { + "enabled": true + } + }, + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/a0ab985d-660b-41f7-ac81-70957ee8e627.md b/docs/queries/azureresourcemanager-queries/azure/a0ab985d-660b-41f7-ac81-70957ee8e627.md new file mode 100644 index 00000000000..e5671afff09 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/a0ab985d-660b-41f7-ac81-70957ee8e627.md 
@@ -0,0 +1,943 @@
+---
+title: Storage Blob Service Container With Public Access
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a0ab985d-660b-41f7-ac81-70957ee8e627
+- **Query name:** Storage Blob Service Container With Public Access
+- **Platform:** AzureResourceManager
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/storage_blob_service_container_with_public_access)
+
+### Description
+Storage Blob Service Container should not publicly accessible
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts/blobservices/containers?tabs=json#containerproperties-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="15" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "blob/container/example", + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2021-02-01", + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "Container", + "metadata": {} + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="107" +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "existingVNETName": { + "type": "string", + "metadata": { + "description": "Name of the virtual network to use for cloud shell containers." + } + }, + "existingStorageSubnetName": { + "type": "string", + "metadata": { + "description": "Name of the subnet to use for storage account." + } + }, + "existingContainerSubnetName": { + "type": "string", + "metadata": { + "description": "Name of the subnet to use for cloud shell containers." + } + }, + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Name of the storage account in subnet." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]", + "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "None", + "virtualNetworkRules": [ + { + "id": "[variables('containerSubnetRef')]", + "action": "Allow" + }, + { + "id": "[variables('storageSubnetRef')]", + "action": "Allow" + } + ], + "defaultAction": "Deny" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + }, + "accessTier": "Cool" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(parameters('storageAccountName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "deleteRetentionPolicy": { + "enabled": false + } + }, + "resources": [ + { + "type": "containers", + "apiVersion": "2019-06-01", + "name": "container", + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "Blob", + "metadata": {} + } + } + ] + } + ] +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="50" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Specifies the name of the Azure Storage account." + } + }, + "containerName": { + "type": "string", + "defaultValue": "logs", + "metadata": { + "description": "Specifies the name of the blob container." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location in which the Azure Storage resources should be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot" + }, + "resources": [ + { + "type": "blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat('default/', parameters('containerName'))]", + "dependsOn": [ + "[parameters('storageAccountName')]" + ], + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "Blob", + "metadata": {} + } + } + ] + } + ] +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="17" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "blob/container/example", + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2021-02-01", + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "Container", + "metadata": {} + }, + "resources": [] + } + ], + "outputs": {} + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="109" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "existingVNETName": { + "type": "string", + "metadata": { + "description": "Name of the virtual network to use for cloud shell containers." + } + }, + "existingStorageSubnetName": { + "type": "string", + "metadata": { + "description": "Name of the subnet to use for storage account." + } + }, + "existingContainerSubnetName": { + "type": "string", + "metadata": { + "description": "Name of the subnet to use for cloud shell containers." + } + }, + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Name of the storage account in subnet." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]", + "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "None", + "virtualNetworkRules": [ + { + "id": "[variables('containerSubnetRef')]", + "action": "Allow" + }, + { + "id": "[variables('storageSubnetRef')]", + "action": "Allow" + } + ], + "defaultAction": "Deny" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + 
"keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + }, + "accessTier": "Cool" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(parameters('storageAccountName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "deleteRetentionPolicy": { + "enabled": false + } + }, + "resources": [ + { + "type": "containers", + "apiVersion": "2019-06-01", + "name": "container", + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "Blob", + "metadata": {} + } + } + ] + } + ] + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="52" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Specifies the name of the Azure Storage account." + } + }, + "containerName": { + "type": "string", + "defaultValue": "logs", + "metadata": { + "description": "Specifies the name of the blob container." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location in which the Azure Storage resources should be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot" + }, + "resources": [ + { + "type": "blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat('default/', parameters('containerName'))]", + "dependsOn": [ + "[parameters('storageAccountName')]" + ], + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "Blob", + "metadata": {} + } + } + ] + } + ] + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "blob/container/example", + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2021-02-01", + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "None", + "metadata": {} + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "existingVNETName": { + "type": "string", + "metadata": { + "description": "Name of the virtual network to use for cloud shell containers." + } + }, + "existingStorageSubnetName": { + "type": "string", + "metadata": { + "description": "Name of the subnet to use for storage account." + } + }, + "existingContainerSubnetName": { + "type": "string", + "metadata": { + "description": "Name of the subnet to use for cloud shell containers." + } + }, + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Name of the storage account in subnet." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." 
+ } + } + }, + "variables": { + "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]", + "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "None", + "virtualNetworkRules": [ + { + "id": "[variables('containerSubnetRef')]", + "action": "Allow" + }, + { + "id": "[variables('storageSubnetRef')]", + "action": "Allow" + } + ], + "defaultAction": "Deny" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + }, + "accessTier": "Cool" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(parameters('storageAccountName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "deleteRetentionPolicy": { + "enabled": false + } + }, + "resources": [ + { + "type": "containers", + "apiVersion": "2019-06-01", + "name": "container", + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "None", + "metadata": {} + } + } + ] + } + ] +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Specifies the name of the Azure Storage account." + } + }, + "containerName": { + "type": "string", + "defaultValue": "logs", + "metadata": { + "description": "Specifies the name of the blob container." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location in which the Azure Storage resources should be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot" + }, + "resources": [ + { + "type": "blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat('default/', parameters('containerName'))]", + "dependsOn": [ + "[parameters('storageAccountName')]" + ], + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "None", + "metadata": {} + } + } + ] + } + ] +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "blob/container/example", + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2021-02-01", + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "None", + "metadata": {} + }, + "resources": [] + } + ], + "outputs": {} + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "existingVNETName": { + "type": "string", + "metadata": { + "description": "Name of the virtual network to use for cloud shell containers." + } + }, + "existingStorageSubnetName": { + "type": "string", + "metadata": { + "description": "Name of the subnet to use for storage account." + } + }, + "existingContainerSubnetName": { + "type": "string", + "metadata": { + "description": "Name of the subnet to use for cloud shell containers." + } + }, + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Name of the storage account in subnet." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Location for all resources." + } + } + }, + "variables": { + "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]", + "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]" + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "None", + "virtualNetworkRules": [ + { + "id": "[variables('containerSubnetRef')]", + "action": "Allow" + }, + { + "id": "[variables('storageSubnetRef')]", + "action": "Allow" + } + ], + "defaultAction": "Deny" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": 
"Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + }, + "accessTier": "Cool" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(parameters('storageAccountName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "deleteRetentionPolicy": { + "enabled": false + } + }, + "resources": [ + { + "type": "containers", + "apiVersion": "2019-06-01", + "name": "container", + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "None", + "metadata": {} + } + } + ] + } + ] + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "storageAccountName": { + "type": "string", + "metadata": { + "description": "Specifies the name of the Azure Storage account." + } + }, + "containerName": { + "type": "string", + "defaultValue": "logs", + "metadata": { + "description": "Specifies the name of the blob container." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Specifies the location in which the Azure Storage resources should be deployed." + } + } + }, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[parameters('storageAccountName')]", + "location": "[parameters('location')]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot" + }, + "resources": [ + { + "type": "blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat('default/', parameters('containerName'))]", + "dependsOn": [ + "[parameters('storageAccountName')]" + ], + "properties": { + "denyEncryptionScopeOverride": true, + "publicAccess": "None", + "metadata": {} + } + } + ] + } + ] + }, + "resourceGroup": "storageRG", + "parameters": { + "storageAccountType": { + "value": "[parameters('storageAccountType')]" + } + } + }, + "kind": "template", + "id": "/providers/Microsoft.Management/managementGroups/ContosoOnlineGroup/providers/Microsoft.Blueprint/blueprints/simpleBlueprint/artifacts/storageTemplate", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "storageTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md b/docs/queries/azureresourcemanager-queries/azure/a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md
new file mode 100644
index 00000000000..bfe3589627f
--- /dev/null
+++ b/docs/queries/azureresourcemanager-queries/azure/a6d774b6-d9ea-4bf4-8433-217bf15d2fb8.md
@@ -0,0 +1,613 @@
+---
+title: PostgresSQL Database Server Connection Throttling Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a6d774b6-d9ea-4bf4-8433-217bf15d2fb8
+- **Query name:** PostgresSQL Database Server Connection Throttling Disabled
+- **Platform:** AzureResourceManager
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/postgres_sql_database_server_connection_throttling_disabled)
+
+### Description
+Microsoft.DBforPostgreSQL/servers/configurations should have 'connection_throttling' property set to 'on'
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="45" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {}, + "resources": [ + { + "name": "connection_throttling", + "type": "configurations", + "apiVersion": "2017-12-01", + "properties": { + "value": "Off" + } + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="9" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {}, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="9" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {}, + "resources": [ + { + "name": "sample_config", + "type": "configurations", + "apiVersion": "2017-12-01", + "properties": { + "value": "Off" + } + } + ] + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="47" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {}, + "resources": [ + { + "name": "connection_throttling", + "type": "configurations", + "apiVersion": "2017-12-01", + "properties": { + "value": "Off" + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="11" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {}, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="11" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {}, + "resources": [ + { + "name": "sample_config", + "type": "configurations", + "apiVersion": "2017-12-01", + "properties": { + "value": "Off" + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {}, + "resources": [ + { + "name": "connection_throttling", + "type": "configurations", + "apiVersion": "2017-12-01", + "properties": { + "value": "On" + } + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {} + }, + { + "name": "servers1/connection_throttling", + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "properties": { + "value": "On" + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {}, + "resources": [ + { + "name": "connection_throttling", + "type": "configurations", + "apiVersion": "2017-12-01", + "properties": { + "value": "On" + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "servers1", + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "B_Gen4_1", + "tier": "Basic", + "capacity": 500, + "size": "500MB", + "family": "family" + }, + "properties": { + "version": "11", + "sslEnforcement": "Enabled", + "minimalTlsVersion": "TLS1_2", + "infrastructureEncryption": "Enabled", + "publicNetworkAccess": "Disabled", + "storageProfile": { + "backupRetentionDays": 90, + "geoRedundantBackup": "Enabled", + "storageMB": 50, + "storageAutogrow": "Enabled" + }, + "createMode": "Replica", + "sourceServerId": "sample_id" + }, + "location": "string", + "tags": {} + }, + { + "name": "servers1/connection_throttling", + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "properties": { + "value": "On" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md b/docs/queries/azureresourcemanager-queries/azure/a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md new file mode 100644 index 00000000000..6bdecd8080e --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/a8852cc0-fd4b-4fc7-9372-1e43fad0732e.md @@ -0,0 +1,208 @@ +--- +title: Account Admins Not Notified By Email +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a8852cc0-fd4b-4fc7-9372-1e43fad0732e +- **Query name:** Account Admins Not Notified By Email +- **Platform:** AzureResourceManager +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/account_admins_not_notified_by_email) + +### Description +Account admins should be notified by email in the event of security alerts
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2017-03-01-preview/servers/securityalertpolicies?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/server/default", + "properties": { + "emailAccountAdmins": false, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="13" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/server/default", + "properties": { + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="16" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/server/default", + "properties": { + "emailAccountAdmins": false, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="15" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/server/default", + "properties": { + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/server/default", + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/securityAlertPolicies", + "apiVersion": "2021-02-01-preview", + "name": "sample/server/default", + "properties": { + "emailAccountAdmins": true, + "emailAddresses": [ "sample@email.com" ], + "retentionDays": 4, + "state": "Enabled" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/b5c851d5-00f1-43dc-a8de-3218fd6f71be.md b/docs/queries/azureresourcemanager-queries/azure/b5c851d5-00f1-43dc-a8de-3218fd6f71be.md new file mode 100644 index 00000000000..94acce7ed41 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/b5c851d5-00f1-43dc-a8de-3218fd6f71be.md 
@@ -0,0 +1,175 @@ +--- +title: Web App Not Using TLS Last Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b5c851d5-00f1-43dc-a8de-3218fd6f71be +- **Query name:** Web App Not Using TLS Last Version +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/web_app_not_using_tls_last_version) + +### Description +Resources of type 'Microsoft.Web/sites' should define 'properties.siteConfig.minTlsVersion' with '1.2'
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/sites?tabs=json#siteconfig-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "name": "App", + "location": "[resourceGroup().location]", + "properties": { + "siteConfig": { + "minTlsVersion": "1.0" + } + } + } + ] +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "name": "App", + "location": "[resourceGroup().location]", + "properties": {} + } + ] +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="14" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "name": "App", + "location": "[resourceGroup().location]", + "properties": { + "siteConfig": { + "minTlsVersion": "1.0" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="10" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "name": "App", + "location": "[resourceGroup().location]", + "properties": {} + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "name": "App", + "location": "[resourceGroup().location]", + "properties": { + "siteConfig": { + "minTlsVersion": "1.2" + } + } + } + ] +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "name": "App", + "location": "[resourceGroup().location]", + "properties": { + "siteConfig": { + "minTlsVersion": "1.2" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/bf500309-da53-4dd3-bcf7-95f7974545a5.md b/docs/queries/azureresourcemanager-queries/azure/bf500309-da53-4dd3-bcf7-95f7974545a5.md new file mode 100644 index 00000000000..fc4aab72ec9 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/bf500309-da53-4dd3-bcf7-95f7974545a5.md @@ -0,0 +1,498 @@ +--- +title: PostgreSQL Database Server SSL Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bf500309-da53-4dd3-bcf7-95f7974545a5 +- **Query name:** PostgreSQL Database Server SSL Disabled +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/postgres_sql_server_ssl_disabled) + +### Description +Microsoft.DBforPostgreSQL/servers sslEnforcement property should be set to 'Enabled'
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/2017-12-01/servers?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "[parameters('databaseSkuName')]", + "tier": "[parameters('databaseSkuTier')]", + "capacity": "[parameters('databaseDTU')]", + "size": "[parameters('databaseSkuSizeMB')]", + "family": "SkuFamily" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "firewallrules", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', variables('serverName'))]" + ], + "location": "[resourceGroup().location]", + "name": "[concat(variables('serverName'),'firewall')]", + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "255.255.255.255" + } + }, + { + "name": "myDB1", + "type": "databases", + "apiVersion": "2017-12-01", + "properties": { + "charset": "utf8", + "collation": "English_United States.1252" + }, + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', 'MyDBServer')]" + ] + } + ] + } + ], + "outputs": {} +} + +``` +```json 
title="Postitive test num. 2 - json file" hl_lines="13" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer", + "properties": { + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false", + "defaultSecondaryLocation": "[resourceGroup().location]", + "maxSizeInGB": "10", + "isEncrypted": "false", + "isNetworkAccessible": "true", + "identity": "" + }, + "sku": { + "name": "[parameters('databaseSkuName')]", + "tier": "[parameters('databaseSkuTier')]", + "capacity": "[parameters('databaseDTU')]", + "size": "[parameters('databaseSkuSizeMB')]", + "family": "SkuFamily" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "firewallrules", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', variables('serverName'))]" + ], + "location": "[resourceGroup().location]", + "name": "[concat(variables('serverName'),'firewall')]", + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "255.255.255.255" + } + }, + { + "name": "myDB1", + "type": "databases", + "apiVersion": "2017-12-01", + "properties": { + "charset": "utf8", + "collation": "English_United States.1252" + }, + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', 'MyDBServer')]" + ] + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="16" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "[parameters('databaseSkuName')]", + "tier": "[parameters('databaseSkuTier')]", + "capacity": "[parameters('databaseDTU')]", + "size": "[parameters('databaseSkuSizeMB')]", + "family": "SkuFamily" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "firewallrules", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', variables('serverName'))]" + ], + "location": "[resourceGroup().location]", + "name": "[concat(variables('serverName'),'firewall')]", + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "255.255.255.255" + } + }, + { + "name": "myDB1", + "type": "databases", + "apiVersion": "2017-12-01", + "properties": { + "charset": "utf8", + "collation": "English_United States.1252" + }, + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', 'MyDBServer')]" + ] + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="15" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer", + "properties": { + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false", + "defaultSecondaryLocation": "[resourceGroup().location]", + "maxSizeInGB": "10", + "isEncrypted": "false", + "isNetworkAccessible": "true", + "identity": "" + }, + "sku": { + "name": "[parameters('databaseSkuName')]", + "tier": "[parameters('databaseSkuTier')]", + "capacity": "[parameters('databaseDTU')]", + "size": "[parameters('databaseSkuSizeMB')]", + "family": "SkuFamily" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "firewallrules", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', variables('serverName'))]" + ], + "location": "[resourceGroup().location]", + "name": "[concat(variables('serverName'),'firewall')]", + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "255.255.255.255" + } + }, + { + "name": "myDB1", + "type": "databases", + "apiVersion": "2017-12-01", + "properties": { + "charset": "utf8", + "collation": "English_United States.1252" + }, + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', 'MyDBServer')]" + ] + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + 
"type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer", + "properties": { + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "sslEnforcement": "Enabled", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false", + "defaultSecondaryLocation": "[resourceGroup().location]", + "maxSizeInGB": "10", + "isEncrypted": "false", + "isNetworkAccessible": "true", + "identity": "" + }, + "sku": { + "name": "[parameters('databaseSkuName')]", + "tier": "[parameters('databaseSkuTier')]", + "capacity": "[parameters('databaseDTU')]", + "size": "[parameters('databaseSkuSizeMB')]", + "family": "SkuFamily" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "firewallrules", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', variables('serverName'))]" + ], + "location": "[resourceGroup().location]", + "name": "[concat(variables('serverName'),'firewall')]", + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "255.255.255.255" + } + }, + { + "name": "myDB1", + "type": "databases", + "apiVersion": "2017-12-01", + "properties": { + "charset": "utf8", + "collation": "English_United States.1252" + }, + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', 'MyDBServer')]" + ] + } + ] + } + ], + "outputs": {} +} + +``` 
+```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer", + "properties": { + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "sslEnforcement": "Enabled", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false", + "defaultSecondaryLocation": "[resourceGroup().location]", + "maxSizeInGB": "10", + "isEncrypted": "false", + "isNetworkAccessible": "true", + "identity": "" + }, + "sku": { + "name": "[parameters('databaseSkuName')]", + "tier": "[parameters('databaseSkuTier')]", + "capacity": "[parameters('databaseDTU')]", + "size": "[parameters('databaseSkuSizeMB')]", + "family": "SkuFamily" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "firewallrules", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', variables('serverName'))]" + ], + "location": "[resourceGroup().location]", + "name": "[concat(variables('serverName'),'firewall')]", + "properties": { + "startIpAddress": "0.0.0.0", + "endIpAddress": "255.255.255.255" + } + }, + { + "name": "myDB1", + "type": "databases", + "apiVersion": "2017-12-01", + "properties": { + "charset": "utf8", + "collation": "English_United States.1252" + }, + "dependsOn": [ + "[concat('Microsoft.DBforPostgreSQL/servers/', 'MyDBServer')]" + ] + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + 
"kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/c09cdac2-7670-458a-bf6c-efad6880973a.md b/docs/queries/azureresourcemanager-queries/azure/c09cdac2-7670-458a-bf6c-efad6880973a.md new file mode 100644 index 00000000000..377eb4f8414 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/c09cdac2-7670-458a-bf6c-efad6880973a.md @@ -0,0 +1,442 @@ +--- +title: SQL Server Database With Unrecommended Retention Days +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c09cdac2-7670-458a-bf6c-efad6880973a +- **Query name:** SQL Server Database With Unrecommended Retention Days +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/sql_server_database_with_low_retention_days) + +### Description +SQL Server Database Auditing Settings should keep the audit logs in the storage account for at least 90 days
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/auditingsettings?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="48" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 50, + "state": "Enabled", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]" + ] + } + } + ] + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="43" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "state": "Enabled", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]" + ] + } + } + ] + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="50" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 50, + "state": "Enabled", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]" + ] + } + } + ] + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="45" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "state": "Enabled", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]" + ] + } + } + ] + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 100, + "state": "Enabled", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]" + ] + } + } + ] + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + }, + "resources": [ + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 100, + "state": "Enabled", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', 'sqlServer1/sqlDatabase1')]" + ] + } + } + ] + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md b/docs/queries/azureresourcemanager-queries/azure/c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md new file mode 100644 index 00000000000..9c5aa0fbd13 --- /dev/null 
+++ b/docs/queries/azureresourcemanager-queries/azure/c62d3b92-9a11-4ffd-b7b7-6faaae83faed.md @@ -0,0 +1,353 @@ +--- +title: AKS Dashboard Is Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c62d3b92-9a11-4ffd-b7b7-6faaae83faed +- **Query name:** AKS Dashboard Is Enabled +- **Platform:** AzureResourceManager +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/aks_dashboard_enabled) + +### Description +Azure Kubernetes Service should have the Kubernetes dashboard disabled.
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json#managedclusteraddonprofile) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "addonProfiles": { + "kubeDashboard": { + "enabled": true + } + }, + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ] +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="16" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "addonProfiles": { + "kubeDashboard": { + "enabled": true + } + }, + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "addonProfiles": { + "kubeDashboard": { + "enabled": false + } + }, + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ] +} + +``` +```json title="Negative test num. 2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "addonProfiles": { + "kubeDashboard": { + "enabled": false + } + }, + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + 
}, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +```json title="Negative test num. 3 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ] +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "name": "aksCluster1", + "type": "Microsoft.ContainerService/managedClusters", + "apiVersion": "2020-02-01", + "location": "[resourceGroup().location]", + "properties": { + "kubernetesVersion": "1.15.7", + "dnsPrefix": "dnsprefix", + "agentPoolProfiles": [ + { + "name": "agentpool", + "count": 2, + "vmSize": "Standard_A1", + "osType": "Linux", + "storageProfile": "ManagedDisks" + } + ], + "linuxProfile": { + "adminUsername": "adminUserName", + "ssh": { + "publicKeys": [ + { + "keyData": "keyData" + } + ] + } + }, + "servicePrincipalProfile": { + "clientId": "servicePrincipalAppId", + "secret": "servicePrincipalAppPassword" + }, + "networkProfile": { + "networkPolicy": "azure" + } + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md b/docs/queries/azureresourcemanager-queries/azure/cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md new file mode 100644 index 00000000000..e0c4a136ecc --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/cff9c3f7-e8f0-455f-9fb4-5f72326da96e.md @@ -0,0 +1,446 @@ +--- +title: Secret Without Expiration Date +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cff9c3f7-e8f0-455f-9fb4-5f72326da96e +- **Query name:** Secret Without Expiration Date +- **Platform:** AzureResourceManager +- **Severity:** High +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/secret_without_expiration_date) + +### Description +All Secrets must have an expiration date defined
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/secrets?tabs=json#SecretAttributes) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="49" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVault1", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2016-10-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "keyVault1" + }, + "properties": { + "enabledForDeployment": true, + "enabledForTemplateDeployment": true, + "enabledForDiskEncryption": true, + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "accessPolicies": [ + { + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "objectId": "objectId", + "permissions": { + "keys": [ + "Get" + ], + "secrets": [ + "List", + "Get", + "Set" + ] + } + } + ], + "sku": { + "name": "standard", + "family": "A" + } + } + }, + { + "name": "keyVault1/secretid1", + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "tags": {}, + "properties": { + "value": "string", + "contentType": "string" + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="54" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVault1", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2016-10-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "keyVault1" + }, + "properties": { + "enabledForDeployment": true, + "enabledForTemplateDeployment": true, + "enabledForDiskEncryption": true, + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "accessPolicies": [ + { + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "objectId": "objectId", + "permissions": { + "keys": [ + "Get" + ], + "secrets": [ + "List", + "Get", + "Set" + ] + } + } + ], + "sku": { + "name": "standard", + "family": "A" + } + }, + "resources": [ + { + "type": "secrets", + "name": "keyVaultSecret1", + "apiVersion": "2016-10-01", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', 'keyVault1')]" + ], + "properties": { + "value": "string", + "contentType": "string", + "attributes": { + "enabled": true, + "nbf": 1585206000 + } + } + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="51" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVault1", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2016-10-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "keyVault1" + }, + "properties": { + "enabledForDeployment": true, + "enabledForTemplateDeployment": true, + "enabledForDiskEncryption": true, + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "accessPolicies": [ + { + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "objectId": "objectId", + "permissions": { + "keys": [ + "Get" + ], + "secrets": [ + "List", + "Get", + "Set" + ] + } + } + ], + "sku": { + "name": "standard", + "family": "A" + } + } + }, + { + "name": "keyVault1/secretid1", + "type": "Microsoft.KeyVault/vaults/secrets", + "apiVersion": "2019-09-01", + "tags": {}, + "properties": { + "value": "string", + "contentType": "string" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="56" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVault1", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2016-10-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "keyVault1" + }, + "properties": { + "enabledForDeployment": true, + "enabledForTemplateDeployment": true, + "enabledForDiskEncryption": true, + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "accessPolicies": [ + { + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "objectId": "objectId", + "permissions": { + "keys": [ + "Get" + ], + "secrets": [ + "List", + "Get", + "Set" + ] + } + } + ], + "sku": { + "name": "standard", + "family": "A" + } + }, + "resources": [ + { + "type": "secrets", + "name": "keyVaultSecret1", + "apiVersion": "2016-10-01", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', 'keyVault1')]" + ], + "properties": { + "value": "string", + "contentType": "string", + "attributes": { + "enabled": true, + "nbf": 1585206000 + } + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVault1", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2016-10-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "keyVault1" + }, + "properties": { + "enabledForDeployment": true, + "enabledForTemplateDeployment": true, + "enabledForDiskEncryption": true, + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "accessPolicies": [ + { + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "objectId": "objectId", + "permissions": { + "keys": [ + "Get" + ], + "secrets": [ + "List", + "Get", + "Set" + ] + } + } + ], + "sku": { + "name": "standard", + "family": "A" + } + }, + "resources": [ + { + "type": "secrets", + "name": "keyVaultSecret1", + "apiVersion": "2016-10-01", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', 'keyVault1')]" + ], + "properties": { + "value": "secretValue", + "attributes": { + "enabled": true, + "nbf": 1585206000, + "exp": 1679814000 + } + } + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "keyVault1", + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2016-10-01", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "keyVault1" + }, + "properties": { + "enabledForDeployment": true, + "enabledForTemplateDeployment": true, + "enabledForDiskEncryption": true, + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "accessPolicies": [ + { + "tenantId": "xx0xxx10-00x0-00x0-0x01-x0x0x01xx100", + "objectId": "objectId", + "permissions": { + "keys": [ + "Get" + ], + "secrets": [ + "List", + "Get", + "Set" + ] + } + } + ], + "sku": { + "name": "standard", + "family": "A" + } + }, + "resources": [ + { + "type": "secrets", + "name": "keyVaultSecret1", + "apiVersion": "2016-10-01", + "dependsOn": [ + "[resourceId('Microsoft.KeyVault/vaults', 'keyVault1')]" + ], + "properties": { + "value": "secretValue", + "attributes": { + "enabled": true, + "nbf": 1585206000, + "exp": 1679814000 + } + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/d855ced8-6157-448f-9f1d-f05a41d046f7.md b/docs/queries/azureresourcemanager-queries/azure/d855ced8-6157-448f-9f1d-f05a41d046f7.md new file mode 100644 index 00000000000..18386f7396c --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/d855ced8-6157-448f-9f1d-f05a41d046f7.md 
@@ -0,0 +1,158 @@
+---
+title: Default Azure Storage Account Network Access Is Too Permissive
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d855ced8-6157-448f-9f1d-f05a41d046f7
+- **Query name:** Default Azure Storage Account Network Access Is Too Permissive
+- **Platform:** AzureResourceManager
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/default_azure_storage_account_network_access_is_too_permissive)
+
+### Description
+Make sure that your Azure Storage Account access is limited to those who require it.
+[Documentation](https://learn.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="13" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "dependsOn": [], + "kind": "Storage", + "location": "[variables('computeLocation')]", + "name": "positive1", + "properties": { + "networkAcls": { + "defaultAction": "Allow" + } + }, + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": {}, + "type": "Microsoft.Storage/storageAccounts" + } + ] +} +``` +```json title="Postitive test num. 2 - json file" hl_lines="11" +{ + "document": [ + { + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "dependsOn": [], + "kind": "Storage", + "location": "[variables('computeLocation')]", + "name": "positive2", + "properties": {}, + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": {}, + "type": "Microsoft.Storage/storageAccounts" + } + ] + } + ] +} +``` +```json title="Postitive test num. 3 - json file" hl_lines="12" +{ + "document": [ + { + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "dependsOn": [], + "kind": "Storage", + "location": "[variables('computeLocation')]", + "name": "positive3", + "properties": { + "publicNetworkAccess": "Enabled" + }, + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": {}, + "type": "Microsoft.Storage/storageAccounts" + } + ] + } + ] +} +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "document": [ + { + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "dependsOn": [], + "kind": "Storage", + "location": "[variables('computeLocation')]", + "name": "negative1", + "properties": { + "publicNetworkAccess": "Disabled" + }, + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": {}, + "type": "Microsoft.Storage/storageAccounts" + } + ] + } + ] +} +``` +```json title="Negative test num. 2 - json file" +{ + "document": [ + { + "resources": [ + { + "apiVersion": "[variables('storageApiVersion')]", + "dependsOn": [], + "kind": "Storage", + "location": "[variables('computeLocation')]", + "name": "negative2", + "properties": { + "networkAcls": { + "defaultAction": "Deny" + } + }, + "sku": { + "name": "[parameters('supportLogStorageAccountType')]" + }, + "tags": {}, + "type": "Microsoft.Storage/storageAccounts" + } + ] + } + ] +} +``` diff --git a/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md b/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md new file mode 100644 index 00000000000..61d02ad8816 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md @@ -0,0 +1,513 @@ +--- +title: SQL Server Database Without Auditing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e055285c-bc01-48b4-8aa5-8a54acdd29df +- **Query name:** SQL Server Database Without Auditing +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/sql_server_database_without_auditing) + +### Description +Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/auditingsettings) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="22" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="22" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + } + }, + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": 1073741824, + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 100, + "state": "Disabled" + } + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="24" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": "1073741824", + "requestedServiceObjectiveName": "Basic" + } + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="24" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + } + }, + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": 1073741824, + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 100, + "state": "Disabled" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "ssqlDatabase1", + "type": "databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": 107374182, + "requestedServiceObjectiveName": "Basic" + }, + "resources": [ + { + "type": "auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 100, + "state": "Enabled" + } + } + ] + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + } + }, + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": 1073741824, + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 100, + "state": "Enabled" + } + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + }, + "resources": [ + { + "name": "ssqlDatabase1", + "type": "databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": 107374182, + "requestedServiceObjectiveName": "Basic" + }, + "resources": [ + { + "type": "auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 100, + "state": "Enabled" + } + } + ] + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "name": "sqlServer1", + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlServer1" + }, + "properties": { + "administratorLogin": "adminUsername", + "administratorLoginPassword": "adminPassword" + } + }, + { + "name": "sqlServer1/sqlDatabase1", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "location": "[resourceGroup().location]", + "tags": { + "displayName": "sqlDatabase1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" + ], + "properties": { + "collation": "SQL_Latin1_General_CP1_CI_AS", + "edition": "Basic", + "maxSizeBytes": 1073741824, + "requestedServiceObjectiveName": "Basic" + } + }, + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default", + "properties": { + "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], + "isAzureMonitorTargetEnabled": true, + "isStorageSecondaryKeyInUse": true, + "queueDelayMs": 1000, + "retentionDays": 100, + "state": "Enabled" + } + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/e25b56cd-a4d6-498f-ab92-e6296a082097.md b/docs/queries/azureresourcemanager-queries/azure/e25b56cd-a4d6-498f-ab92-e6296a082097.md
new file mode 100644
index 00000000000..6ac8dfb7ef1
--- /dev/null
+++ b/docs/queries/azureresourcemanager-queries/azure/e25b56cd-a4d6-498f-ab92-e6296a082097.md
@@ -0,0 +1,401 @@
+---
+title: Trusted Microsoft Services Not Enabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e25b56cd-a4d6-498f-ab92-e6296a082097
+- **Query name:** Trusted Microsoft Services Not Enabled
+- **Platform:** AzureResourceManager
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/trusted_microsoft_services_not_enabled)
+
+### Description
+Trusted Microsoft Services should be enabled for Storage Account access
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json#networkruleset) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="21" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "storage", + "location": "location1", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "networkAcls": { + "bypass": "None", + "virtualNetworkRules": [ + { + "id": "id", + "action": "Allow" + }, + { + "id": "id", + "action": "Allow" + } + ], + "defaultAction": "Deny" + } + }, + "resources": [ + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="21" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "storage", + "location": "location1", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "networkAcls": { + "bypass": "None", + "defaultAction": "Deny" + } + }, + "resources": [ + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="23" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "storage", + "location": "location1", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "networkAcls": { + "bypass": "None", + "virtualNetworkRules": [ + { + "id": "id", + "action": "Allow" + }, + { + "id": "id", + "action": "Allow" + } + ], + "defaultAction": "Deny" + } + }, + "resources": [ + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="23" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "storage", + "location": "location1", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "networkAcls": { + "bypass": "None", + "defaultAction": "Deny" + } + }, + "resources": [ + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "storage", + "location": "location1", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "networkAcls": { + "virtualNetworkRules": [ + { + "id": "id", + "action": "Allow" + }, + { + "id": "id", + "action": "Allow" + } + ], + "defaultAction": "Allow" + } + }, + "resources": [ + ] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "storage", + "location": "location1", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [ + { + "id": "id", + "action": "Allow" + }, + { + "id": "id", + "action": "Allow" + } + ], + "defaultAction": "Deny" + } + }, + "resources": [ + ] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "storage", + "location": "location1", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "networkAcls": { + "virtualNetworkRules": [ + { + "id": "id", + "action": "Allow" + }, + { + "id": "id", + "action": "Allow" + } + ], + "defaultAction": "Allow" + } + }, + "resources": [ + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "storage", + "location": "location1", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "accessTier": "Hot", + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [ + { + "id": "id", + "action": "Allow" + }, + { + "id": "id", + "action": "Allow" + } + ], + "defaultAction": "Deny" + } + }, + "resources": [ + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md b/docs/queries/azureresourcemanager-queries/azure/e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md
new file mode 100644
index 00000000000..a9572850ff9
--- /dev/null
+++ b/docs/queries/azureresourcemanager-queries/azure/e69bda39-e1e2-47ca-b9ee-b6531b23aedd.md
@@ -0,0 +1,773 @@
+---
+title: PostgreSQL Database Server Log Connections Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e69bda39-e1e2-47ca-b9ee-b6531b23aedd
+- **Query name:** PostgreSQL Database Server Log Connections Disabled
+- **Platform:** AzureResourceManager
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/postgres_sql_server_log_connections_disabled)
+
+### Description
+Microsoft.DBforPostgreSQL/servers/configurations should have 'log_connections' property set to 'on'
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/servers/configurations?tabs=json#configurationproperties-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="40" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer1", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[resourceId('Microsoft.DBforPostgreSQL/servers', 'MyDBServer1')]" + ], + "name": "log_connections", + "properties": { + "configurationSets": [ + { + "configurationSetType": "Microsoft.DBforPostgreSQL/servers/configurations/dbconfig", + "configurationSet": { + "name": "dbconfig" + } + } + ] + }, + "location": "[resourceGroup().location]" + } + ] + } + ] +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="45" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer2", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[resourceId('Microsoft.DBforPostgreSQL/servers', 'MyDBServer2')]" + ], + "name": "log_connections", + "properties": { + "value": "off" + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="44" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_connections", + "properties": { + "value": "off" + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="43" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_connections", + "properties": { + "configurationSets": [ + { + "configurationSetType": "Microsoft.DBforPostgreSQL/servers/configurations/dbconfig", + "configurationSet": { + "name": "dbconfig" + } + } + ] + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="42" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer1", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[resourceId('Microsoft.DBforPostgreSQL/servers', 'MyDBServer1')]" + ], + "name": "log_connections", + "properties": { + "configurationSets": [ + { + "configurationSetType": "Microsoft.DBforPostgreSQL/servers/configurations/dbconfig", + "configurationSet": { + "name": "dbconfig" + } + } + ] + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="47" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer2", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "[resourceId('Microsoft.DBforPostgreSQL/servers', 'MyDBServer2')]" + ], + "name": "log_connections", + "properties": { + "value": "off" + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="46" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_connections", + "properties": { + "value": "off" + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="45" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_connections", + "properties": { + "configurationSets": [ + { + "configurationSetType": "Microsoft.DBforPostgreSQL/servers/configurations/dbconfig", + "configurationSet": { + "name": "dbconfig" + } + } + ] + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServerNeg1", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "Microsoft.DBforPostgreSQL/servers/MyDBServer" + ], + "name": "log_connections", + "properties": { + "value": "on" + }, + "location": "[resourceGroup().location]" + } + ] + } + ] +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_connections", + "properties": { + "value": "on" + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServerNeg1", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "Microsoft.DBforPostgreSQL/servers/MyDBServer" + ], + "name": "log_connections", + "properties": { + "value": "on" + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_connections", + "properties": { + "value": "on" + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md b/docs/queries/azureresourcemanager-queries/azure/e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md new file mode 100644 index 00000000000..63332c0d5f1 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/e9c133e5-c2dd-4b7b-8fff-40f2de367b56.md @@ -0,0 +1,377 @@ +--- +title: Website Azure Active Directory Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e9c133e5-c2dd-4b7b-8fff-40f2de367b56 +- **Query name:** Website Azure Active Directory Disabled +- **Platform:** AzureResourceManager +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/website_azure_active_directory_disabled) + +### Description +WebApp should have Azure Active Directory enabled with 'identity.type' set to 'SystemAssigned' or 'userAssignedIdentities' set to 'true'
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.web/2019-08-01/sites?tabs=json#ManagedServiceIdentity) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="10" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSitePositive2", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="15" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSitePositive3", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "identity": { + "type": "None" + }, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="15" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSitePositive3", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "identity": {}, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="12" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSitePositive2", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="17" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSitePositive3", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "identity": { + "type": "None" + }, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="17" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSitePositive3", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "identity": {}, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSiteNegative1", + "type": "Microsoft.Web/sites", + "apiVersion": "2019-08-01", + "location": "location1", + "identity": { + "type": "SystemAssigned" + }, + "tags": {}, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [ + ] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 2 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": { + "identityName": "value" + }, + "functions": [], + "resources": [ + { + "name": "webSiteNegative2", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {} + } + }, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": {}, + "functions": [], + "resources": [ + { + "name": "webSiteNegative1", + "type": "Microsoft.Web/sites", + "apiVersion": "2019-08-01", + "location": "location1", + "identity": { + "type": "SystemAssigned" + }, + "tags": {}, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [ + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
Negative test num. 4 - json file + +```json +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "2.0.0.0", + "apiProfile": "2019-03-01-hybrid", + "parameters": {}, + "variables": { + "identityName": "value" + }, + "functions": [], + "resources": [ + { + "name": "webSiteNegative2", + "type": "Microsoft.Web/sites", + "apiVersion": "2020-12-01", + "location": "location1", + "tags": {}, + "identity": { + "type": "UserAssigned", + "userAssignedIdentities": { + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {} + } + }, + "properties": { + "enabled": true, + "httpsOnly": true + }, + "resources": [] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
diff --git a/docs/queries/azureresourcemanager-queries/azure/f9112910-c7bb-4864-9f5e-2059ba413bb7.md b/docs/queries/azureresourcemanager-queries/azure/f9112910-c7bb-4864-9f5e-2059ba413bb7.md new file mode 100644 index 00000000000..1a16c7e3f23 --- /dev/null +++ b/docs/queries/azureresourcemanager-queries/azure/f9112910-c7bb-4864-9f5e-2059ba413bb7.md @@ -0,0 +1,732 @@ +--- +title: PostgreSQL Database Server Log Checkpoints Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f9112910-c7bb-4864-9f5e-2059ba413bb7 +- **Query name:** PostgreSQL Database Server Log Checkpoints Disabled +- **Platform:** AzureResourceManager +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/azureResourceManager/postgres_sql_server_log_checkpoint_disabled) + +### Description +Microsoft.DBforPostgreSQL/servers/configurations should have 'log_checkpoint' property set to 'on'
+[Documentation](https://docs.microsoft.com/en-us/azure/templates/microsoft.dbforpostgresql/2017-12-01/servers/configurations?tabs=json) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="43" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer1", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "Microsoft.DBforPostgreSQL/servers/MyDBServer" + ], + "name": "log_checkpoints", + "properties": { + "configurationSets": [ + { + "configurationSetType": "Microsoft.DBforPostgreSQL/servers/configurations/dbconfig", + "configurationSet": { + "name": "dbconfig", + "configurationParameters": [ + { + "name": "data_directory", + "value": "[parameters('dataDirectory')]" + }, + { + "name": "max_size", + "value": "[parameters('maxSizeMB')]" + }, + { + "name": "min_size", + "value": "[parameters('minSizeMB')]" + }, + { + "name": "page_size", + "value": "[parameters('pageSizeMB')]" + }, + { + "name": "work_mem", + "value": "[parameters('workMemMB')]" + }, + { + "name": 
"maintenance_work_mem", + "value": "[parameters('maintenanceMemMB')]" + }, + { + "name": "checkpoint_segments", + "value": "[parameters('checkpointSegments')]" + }, + { + "name": "checkpoint_completion_target", + "value": "[parameters('checkpointCompletionTarget')]" + } + ] + } + } + ] + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="45" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer2", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "Microsoft.DBforPostgreSQL/servers/MyDBServer" + ], + "name": "log_checkpoints", + "properties": { + "value": "off" + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="44" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_checkpoints", + "properties": { + "value": "off" + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="43" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_checkpoints", + "properties": { + "source": "source" + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="45" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer1", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "Microsoft.DBforPostgreSQL/servers/MyDBServer" + ], + "name": "log_checkpoints", + "properties": { + "configurationSets": [ + { + "configurationSetType": "Microsoft.DBforPostgreSQL/servers/configurations/dbconfig", + "configurationSet": { + "name": "dbconfig", + "configurationParameters": [ + { + "name": "data_directory", + "value": "[parameters('dataDirectory')]" + }, + { + "name": "max_size", + "value": "[parameters('maxSizeMB')]" + }, + { + "name": "min_size", + "value": "[parameters('minSizeMB')]" + }, + { + "name": "page_size", + "value": "[parameters('pageSizeMB')]" + }, + { + "name": "work_mem", + "value": "[parameters('workMemMB')]" + }, + { + "name": "maintenance_work_mem", + "value": "[parameters('maintenanceMemMB')]" + }, + { + "name": "checkpoint_segments", + "value": "[parameters('checkpointSegments')]" + }, + { + "name": 
"checkpoint_completion_target", + "value": "[parameters('checkpointCompletionTarget')]" + } + ] + } + } + ] + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="47" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer2", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "Microsoft.DBforPostgreSQL/servers/MyDBServer" + ], + "name": "log_checkpoints", + "properties": { + "value": "off" + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="46" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_checkpoints", + "properties": { + "value": "off" + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="45" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers", + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServer3", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "S0", + "tier": "Basic", + "capacity": 1, + "family": "GeneralPurpose" + }, + "resources": [ + ] + }, + { + "type": "Microsoft.DBforPostgreSQL/servers/configurations", + "apiVersion": "2017-12-01", + "name": "MyDBServer/log_checkpoints", + "properties": { + "source": "source" + }, + "dependsOn": [ + "MyDBServer" + ], + "location": "[resourceGroup().location]" + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServerNeg1", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "[parameters('databaseSkuName')]", + "tier": "[parameters('databaseSkuTier')]", + "capacity": "[parameters('databaseDTU')]", + "size": "[parameters('databaseSkuSizeMB')]", + "family": "SkuFamily" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "Microsoft.DBforPostgreSQL/servers/MyDBServer" + ], + "name": "log_checkpoints", + "properties": { + "value": "on" + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "properties": { + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "functions": [], + "variables": {}, + "resources": [ + { + "apiVersion": "2017-12-01", + "kind": "", + "location": "[resourceGroup().location]", + "name": "MyDBServerNeg1", + "properties": { + "sslEnforcement": "Disabled", + "version": "11", + "administratorLogin": "root", + "administratorLoginPassword": "12345", + "storageMB": "2048", + "createMode": "Default", + "collation": "SQL_Latin1_General_CP1_CI_AS", + "creationDate": "2019-04-01T00:00:00Z", + "lastModifiedDate": "2019-04-01T00:00:00Z", + "maxSizeUnits": "SizeUnit.megabytes", + "isReadOnly": "false", + "isAutoUpgradeEnabled": "true", + "isStateful": "false", + "isExternal": "false" + }, + "sku": { + "name": "[parameters('databaseSkuName')]", + "tier": "[parameters('databaseSkuTier')]", + "capacity": "[parameters('databaseDTU')]", + "size": "[parameters('databaseSkuSizeMB')]", + "family": "SkuFamily" + }, + "type": "Microsoft.DBforPostgreSQL/servers", + "resources": [ + { + "type": "configurations", + "apiVersion": "2017-12-01", + "dependsOn": [ + "Microsoft.DBforPostgreSQL/servers/MyDBServer" + ], + "name": "log_checkpoints", + "properties": { + "value": "on" + }, + "location": "[resourceGroup().location]" + } + ] + } + ], + "outputs": {} + }, + "parameters": {} + }, + "kind": "template", + "type": "Microsoft.Blueprint/blueprints/artifacts", + "name": "myTemplate" +} + +``` diff --git a/docs/queries/buildah-queries.md b/docs/queries/buildah-queries.md index 7ab45acd761..05627bb0f27 100644 --- a/docs/queries/buildah-queries.md +++ b/docs/queries/buildah-queries.md @@ -3,4 +3,4 @@ This page contains all queries from Buildah. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| +|Run Using apt
a1bc27c6-7115-48d8-bf9d-5a7e836845ba|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| diff --git a/docs/queries/buildah-queries/a1bc27c6-7115-48d8-bf9d-5a7e836845ba.md b/docs/queries/buildah-queries/a1bc27c6-7115-48d8-bf9d-5a7e836845ba.md new file mode 100644 index 00000000000..7c796f1ab4d --- /dev/null +++ b/docs/queries/buildah-queries/a1bc27c6-7115-48d8-bf9d-5a7e836845ba.md @@ -0,0 +1,33 @@ +--- +title: Run Using apt +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a1bc27c6-7115-48d8-bf9d-5a7e836845ba +- **Query name:** Run Using apt +- **Platform:** Buildah +- **Severity:** Medium +- **Category:** Supply-Chain +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/buildah/run_using_apt) + +### Description +apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache
+[Documentation](https://github.com/containers/buildah/blob/main/docs/buildah-run.1.md) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/cloudformation-queries.md b/docs/queries/cloudformation-queries.md index 35c9df9c540..8a4aa6bb27c 100644 --- a/docs/queries/cloudformation-queries.md +++ b/docs/queries/cloudformation-queries.md @@ -8,16 +8,16 @@ Bellow are listed queries related with CloudFormation AWS_SAM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|AWS Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags|Documentation
| -|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined|Documentation
| -|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled|Documentation
| -|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'|Documentation
| +|Serverless Function Environment Variables Not Encrypted
a7f8ac28-eed1-483d-87c8-4c325f022572|High|Encryption|AWS Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
a2f2800e-614b-4bc8-89e6-fec8afd24800|Medium|Encryption|AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
4ba74f01-aba5-4be2-83bc-be79ff1a3b92|Medium|Insecure Configurations|AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
a71ecabe-03b6-456a-b3bc-d1a39aa20c98|Medium|Insecure Configurations|AWS Serverless Function should have associated tags (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
6b5b0313-771b-4319-ad7a-122ee78700ef|Medium|Networking and Firewall|AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
0a994e04-c6dc-471d-817e-d37451d18a3b|Medium|Observability|AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
c757c6a3-ac87-4b9d-b28d-e5a5add6a315|Medium|Observability|AWS Serverless API should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless API Cache Cluster Disabled
60a05ede-0a68-4d0d-a58f-f538cf55ff79|Low|Insecure Configurations|AWS Serverless API should have cache clustering enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
cb2f612b-ed42-4ff5-9fb9-255c73d39a18|Low|Insecure Configurations|AWS Serverless Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
dc1ab429-1481-4540-9b1d-280e3f15f1f8|Low|Observability|AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active' (read more)|Documentation
| ### AWS Bellow are listed queries related with CloudFormation AWS: @@ -26,255 +26,255 @@ Bellow are listed queries related with CloudFormation AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges.|Documentation
| -|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
| -|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
| -|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.|Documentation
| -|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users|Documentation
| -|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
| -|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
| -|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
| -|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
| -|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal|Documentation
| -|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy|Documentation
| -|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
| -|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role|Documentation
| -|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
| -|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
| -|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
| -|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
| -|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded|Documentation
| -|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted.|Documentation
| -|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
| -|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined|Documentation
| -|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.|Documentation
| -|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data|Documentation
| -|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
| -|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication|Documentation
| -|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true|Documentation
| -|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.|Documentation
| -|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
| -|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
| -|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled|Documentation
| -|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.|Documentation
| -|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.|Documentation
| -|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
| -|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
| -|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted|Documentation
| -|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'|Documentation
| -|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)|Documentation
| -|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled|Documentation
| -|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)|Documentation
| -|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
| -|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do.|Documentation
| -|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined|Documentation
| -|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.|Documentation
| -|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
| -|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
| -|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false|Documentation
| -|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
| -|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
| -|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
| -|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
| -|DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.|Documentation
| -|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
| -|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW|Documentation
| -|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
| -|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world|Documentation
| -|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses|Documentation
| -|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets|Documentation
| -|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
| -|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access|Documentation
| -|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules|Documentation
| -|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network|Documentation
| -|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access|Documentation
| -|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
| -|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)|Documentation
| -|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)|Documentation
| -|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
| -|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
| -|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet.|Documentation
| -|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true|Documentation
| -|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
| -|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols.|Documentation
| -|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
| -|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC|Documentation
| -|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
| -|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
| -|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet|Documentation
| -|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined.|Documentation
| -|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail|Documentation
| -|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
| -|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.|Documentation
| -|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL|Documentation
| -|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.|Documentation
| -|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as *|Documentation
| -|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions.|Documentation
| -|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.|Documentation
| -|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as *|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users|Documentation
| -|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited|Documentation
| -|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses.|Documentation
| -|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as *|Documentation
| -|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.|Documentation
| -|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data|Documentation
| -|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days|Documentation
| -|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment|Documentation
| -|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true|Documentation
| -|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user.|Documentation
| -|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number|Documentation
| -|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.|Documentation
| -|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined|Documentation
| -|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined|Documentation
| -|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled|Documentation
| -|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key|Documentation
| -|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined|Documentation
| -|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information|Documentation
| -|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted|Documentation
| -|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.|Documentation
| -|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache|Documentation
| -|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true|Documentation
| -|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks|Documentation
| -|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.|Documentation
| -|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined.|Documentation
| -|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances.|Documentation
| -|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags.|Documentation
| -|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| -|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string|Documentation
| -|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.|Documentation
| -|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated|Documentation
| -|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).|Documentation
| -|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port|Documentation
| -|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port|Documentation
| -|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports|Documentation
| -|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports|Documentation
| -|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules|Documentation
| -|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC.|Documentation
| -|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world|Documentation
| -|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port|Documentation
| -|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined.|Documentation
| -|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.|Documentation
| -|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true|Documentation
| -|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined|Documentation
| -|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days.|Documentation
| -|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.|Documentation
| -|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value|Documentation
| -|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string|Documentation
| -|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.|Documentation
| -|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account|Documentation
| -|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined|Documentation
| -|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.|Documentation
| -|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC|Documentation
| -|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true|Documentation
| -|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content|Documentation
| -|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.|Documentation
| -|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group|Documentation
| -|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6|Documentation
| -|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED|Documentation
| -|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)|Documentation
| -|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled|Documentation
| -|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name|Documentation
| -|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress|Documentation
| -|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks|Documentation
| -|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'|Documentation
| -|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error|Documentation
| -|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared|Documentation
| -|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| +|Lambda Functions With Full Privileges
a0ae0a4e-712b-4115-8112-51b9eeed9d69|High|Access Control|AWS Lambda Functions should not have roles with policies granting full administrative privileges. (read more)|Documentation
| +|IAM Policies With Full Privileges
953b3cdb-ce13-428a-aa12-318726506661|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|IAM Policy Grants Full Permissions
f62aa827-4ade-4dc4-89e4-1433d384a368|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket Allows Restore Actions From All Principals
456b00a3-1072-4149-9740-6b8bb60251b0|High|Access Control|S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Allows Read to All Users
219f4c95-aa50-44e0-97de-cf71f4641170|High|Access Control|S3 Buckets should not be readable to all users (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
acc78859-765e-4011-a229-a65ea57db252|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
f97b7d23-568f-4bcc-9ac9-02df0d57fbba|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
faa8fddf-c0aa-4b2d-84ff-e993e233ebe9|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
f6397a20-4cf1-4540-a997-1d363c25ef58|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7772bb8c-c0f3-42d4-8e4e-f1b8939ad085|High|Access Control|The S3 Bucket should not be associated with a policy statement that grants access to any principal (read more)|Documentation
| +|S3 Bucket Allows Public Policy
860ba89b-b8de-4e72-af54-d6aee4138a69|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|S3 Bucket With All Permissions
4ae8af91-5108-42cb-9471-3bdbe596eac9|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|ECS Service Admin Role Is Present
01986452-bdd8-4aaa-b5df-d6bf61d616ff|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
835d5497-a526-4aea-a23f-98a9afd1635f|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
0ce1ba20-8ba8-4364-836f-40c24b8cb0ab|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|SNS Topic is Publicly Accessible
ae53ce91-42b5-46bf-a84f-9a13366a4f13|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
07dda8de-d90d-469e-9b37-1aca53526ced|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|User Data Shell Script Is Encoded
48c3bc58-6959-4f27-b647-4fedeace23be|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|CMK Unencrypted Storage
ffee2785-c347-451e-89f3-11aeb08e5c84|High|Encryption|Ensure that storage is encrypted. (read more)|Documentation
| +|User Data Contains Encoded Private Key
568cc372-ca64-420d-9015-ee347d00d288|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|EFS Not Encrypted
2ff8e83c-90e1-4d68-a300-6d652112e622|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|Redshift Cluster Without KMS CMK
de76a0d6-66d5-45c9-9022-f05545b85c78|High|Encryption|AWS Redshift Cluster should have KMS CMK defined (read more)|Documentation
| +|ECS Cluster Not Encrypted At Rest
6c131358-c54d-419b-9dd6-1f7dd41d180c|High|Encryption|Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. (read more)|Documentation
| +|S3 Bucket Without Server-side-encryption
b2e8752c-3497-4255-98d2-e4ae5b46bbf5|High|Encryption|S3 Buckets should have server-side encryption at rest enabled to protect sensitive data (read more)|Documentation
| +|MSK Cluster Encryption Disabled
a976d63f-af0e-46e8-b714-8c1a9c4bf768|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|ELB Without Secure Protocol
80908a75-586b-4c61-ab04-490f4f4525b8|High|Encryption|Check if the ELB is setup with SSL or HTTPS for secure communication (read more)|Documentation
| +|API Gateway Cache Encrypted Disabled
37cca703-b74c-48ba-ac81-595b53398e9b|High|Encryption|'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true (read more)|Documentation
| +|ELB Using Insecure Protocols
61a94903-3cd3-4780-88ec-fc918819b9c8|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|Secure Ciphers Disabled
be96849c-3df6-49c2-bc16-778a7be2519c|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|EFS Without KMS
6d087495-2a42-4735-abf7-02ef5660a7e6|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|IAM Database Auth Not Enabled
9fcd0a0a-9b6f-4670-a215-d94e6bf3f184|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|ElastiCache With Disabled Transit Encryption
3b02569b-fc6f-4153-b3a3-ba91022fed68|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled (read more)|Documentation
| +|ELB Using Weak Ciphers
809f77f8-d10e-4842-a84f-3be7b6ff1190|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|SageMaker Data Encryption Disabled
709e6da6-fa1f-44cc-8f17-7f25f96dadbe|High|Encryption|Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null. (read more)|Documentation
| +|S3 Bucket SSE Disabled
64ab651b-f5b2-4af0-8c89-ddd03c4d0e61|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
f9b10cdb-eaab-4e39-9793-e12b94a582ad|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|Connection Between CloudFront Origin Not Encrypted
a5366a50-932f-4085-896b-41402714a388|High|Encryption|Checks if the connection between the CloudFront and the origin server is encrypted (read more)|Documentation
| +|RDS Storage Not Encrypted
5beacce3-4020-4a3d-9e1d-a36f953df630|High|Encryption|RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true' (read more)|Documentation
| +|S3 Bucket Without SSL In Write Actions
38c64e76-c71e-4d92-a337-60174d1de1c9|High|Encryption|S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL) (read more)|Documentation
| +|ElastiCache With Disabled at Rest Encryption
e4ee3903-9225-4b6a-bdfb-e62dbadef821|High|Encryption|Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled (read more)|Documentation
| +|Redshift Not Encrypted
3b316b05-564c-44a7-9c3f-405bb95e211e|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
31733ee2-fef0-4e87-9778-65da22a8ecf1|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|CloudFormation Specifying Credentials Not Safe
9ecb6b21-18bc-4aa7-bd07-db20f1c746db|High|Encryption|Specifying credentials in the template itself is probably not safe to do. (read more)|Documentation
| +|Kinesis SSE Not Configured
7f65be75-90ab-4036-8c2a-410aef7bb650|High|Encryption|AWS Kinesis Stream should have SSE (Server Side Encryption) defined (read more)|Documentation
| +|DynamoDB With Aws Owned CMK
c8dee387-a2e6-4a73-a942-183c975549ac|High|Encryption|AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false. (read more)|Documentation
| +|Root Account Has Active Access Keys
4c137350-7307-4803-8c04-17c09a7a9fcf|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|S3 Bucket With Unsecured CORS Rule
3609d27c-3698-483a-9402-13af6ae80583|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|Redshift Publicly Accessible
bdf8dcb4-75df-4370-92c4-606e4ae6c4d3|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false (read more)|Documentation
| +|KMS Key With Vulnerable Policy
da905474-7454-43c0-b8d2-5756ab951aba|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating. (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
350cd468-0e2c-44ef-9d22-cfb73a62523c|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|API Gateway Without Security Policy
8275fab0-68ec-4705-bbf4-86975edb170e|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
027a4b7a-8a59-4938-a04f-ed532512cf45|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
dc17ee4b-ddf2-4e23-96e8-7a36abad1303|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
76ddf32c-85b1-4808-8935-7eef8030ab36|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|DB Instance Publicly Accessible
de38e1d5-54cb-4111-a868-6f7722695007|High|Insecure Configurations|RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false. (read more)|Documentation
| +|S3 Static Website Host Enabled
90501b1b-cded-4cc1-9e8b-206b85cda317|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|Permissive Web ACL Default Action
6d64f311-3da6-45f3-80f1-14db9771ea40|High|Insecure Defaults|WebAcl DefaultAction should not be ALLOW (read more)|Documentation
| +|Vulnerable Default SSL Certificate
b4d9c12b-bfba-4aeb-9cb8-2358546d8041|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Unrestricted Security Group Ingress
4a1e6b34-1008-4e61-a5f2-1f7c276f8d14|High|Networking and Firewall|AWS Security Group Ingress CIDR should not be open to the world (read more)|Documentation
| +|Fully Open Ingress
e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5|High|Networking and Firewall|ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses (read more)|Documentation
| +|EC2 Public Instance Exposed Through Subnet
c44c95fc-ae92-4bb8-bdf8-bb9bc412004a|High|Networking and Firewall|EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
ea33fcf7-394b-4d11-a228-985c5d08f205|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|EKS node group remote access
73d59e76-a12c-4b74-a3d8-d3e1e19c25b3|High|Networking and Firewall|Ensure Amazon EKS Node group has implict SSH access (read more)|Documentation
| +|EC2 Network ACL Overlapping Ports
77b6f1e2-bde4-4a6a-ae7e-a40659ff1576|High|Networking and Firewall|NetworkACL Entries are reusing or overlapping ports which may create ineffective rules (read more)|Documentation
| +|EC2 Sensitive Port Is Publicly Exposed
494b03d3-bf40-4464-8524-7c56ad0700ed|High|Networking and Firewall|The EC2 instance has a sensitive port connection exposed to the entire network (read more)|Documentation
| +|Security Groups Allows Unrestricted Outbound Traffic
66f2d8f9-a911-4ced-ae27-34f09690bb2c|High|Networking and Firewall|No security group should allow unrestricted egress access (read more)|Documentation
| +|Remote Desktop Port Open To Internet
c9846969-d066-431f-9b34-8c4abafe422a|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|Security Groups With Exposed Admin Ports
cdbb0467-2957-4a77-9992-7b55b29df7b7|High|Networking and Firewall|Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389) (read more)|Documentation
| +|Security Group Unrestricted Access To RDP
3ae83918-7ec7-4cb8-80db-b91ef0f94002|High|Networking and Firewall|Security Groups does not allow 0.0.0.0/0 for rdp (port:3389) (read more)|Documentation
| +|ALB Listening on HTTP
275a3217-ca37-40c1-a6cf-bb57d245ab32|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|Unknown Port Exposed To Internet
829ce3b8-065c-41a3-ad57-e0accfea82d2|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|ELB Sensitive Port Is Exposed To Entire Network
78055456-f670-4d2e-94d5-392d1cf4f5e4|High|Networking and Firewall|The load balancer of the application with a sensitive port connection is exposed to the entire internet. (read more)|Documentation
| +|EC2 Instance Subnet Has Public IP Mapping On Launch
b3de4e4c-14be-4159-b99d-9ad194365e4c|High|Networking and Firewall|EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
6e856af2-62d7-4ba2-adc1-73b62cef9cc1|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|Security Groups With Meta IP
adcd0082-e90b-4b63-862b-21899f6e6a48|High|Networking and Firewall|Security Groups allows 0.0.0.0/0 for all ports and protocols. (read more)|Documentation
| +|HTTP Port Open To Internet
ddfc4eaa-af23-409f-b96c-bf5c45dc4daa|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|SageMaker Notebook Not Placed In VPC
9c7028d9-04c2-45be-b8b2-1188ccaefb36|High|Networking and Firewall|SageMaker Notebook must be placed in a VPC (read more)|Documentation
| +|DB Security Group With Public Scope
9564406d-e761-4e61-b8d7-5926e3ab8e79|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|DB Security Group Open To Large Scope
0104165b-02d5-426f-abc9-91fb48189899|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|RDS Associated with Public Subnet
4e88adee-a8eb-4605-a78d-9fb1096e3091|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Route53 Record Undefined
24d932e1-91f0-46ea-836f-fdbd81694151|High|Networking and Firewall|Route53 HostedZone must have the Record Set defined. (read more)|Documentation
| +|S3 Bucket CloudTrail Logging Disabled
c3ce69fd-e3df-49c6-be78-1db3f802261c|High|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail (read more)|Documentation
| +|CloudTrail Logging Disabled
5c0b06d5-b7a4-484c-aeb0-75a836269ff0|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CMK Rotation Disabled
1c07bfaf-663c-4f6f-b22b-8e2d481e4df5|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
48f100d9-f499-4c6d-b2b8-deafe47ffb26|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|EC2 Instance Has No IAM Role
f914357d-8386-4d56-9ba6-456e5723f9a6|Medium|Access Control|Check if an EC2 instance refers to an IAM profile, which represents an IAM Role. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
7fd0d461-5b8c-4815-898c-f2b4b117eb28|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|IoT Policy Allows Wildcard Resource
be5b230d-4371-4a28-a441-85dc760e2aa3|Medium|Access Control|IoT Policy should not allow Resource to be set as * (read more)|Documentation
| +|Empty Roles For ECS Cluster Task Definitions
7f384a5f-b5a2-4d84-8ca3-ee0a5247becb|Medium|Access Control|Check if any ECS cluster has not defined proper roles for services' task definitions. (read more)|Documentation
| +|SQS Queue Policy Allows NotPrincipal
4a8fc9a2-2b2f-4b3f-aa8d-401425872034|Medium|Access Control|Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`. (read more)|Documentation
| +|IoT Policy Allows Action as Wildcard
4d32780f-43a4-424a-a06d-943c543576a5|Medium|Access Control|IoT Policy should not allow Action to be set as * (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
a3aa0087-8228-4e7e-b202-dc9036972d02|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
3641d5b4-d339-4bc2-bfb9-208fe8d3477f|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
818f38ed-8446-4132-9c03-474d49e10195|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|IAM Policy On User
e4239438-e639-44aa-adb8-866e400e3ade|Medium|Access Control|IAM policies should be applied to groups and not to users (read more)|Documentation
| +|SQS Queue Policy Allows NotAction
4fbfee74-8186-40d5-a24e-4baa76a855de|Medium|Access Control|AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited (read more)|Documentation
| +|Public Lambda via API Gateway
57b12981-3816-4c31-b190-a1e614361dd2|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|EC2 Network ACL Ineffective Denied Traffic
2623d682-dccb-44cd-99d0-54d9fd62f8f2|Medium|Access Control|Ineffective deny rules. A deny rule should be applied to all IP addresses. (read more)|Documentation
| +|SQS Policy With Public Access
9b6a3f5b-5fd6-40ee-9bc0-ed604911212d|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|IAM Policies Attached To User
edc95c10-7366-4f30-9b4b-f995c84eceb5|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
5c666ed9-b586-49ab-9873-c495a833b705|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|KMS Allows Wildcard Principal
f6049677-ec4a-43af-8779-5190b6d03cba|Medium|Access Control|KMS Should not allow Principal parameter to be set as * (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
75be209d-1948-41f6-a8c8-e22dd0121134|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|CMK Is Unusable
2844c749-bd78-4cd1-90e8-b179df827602|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined. (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
ad21e616-5026-4b9d-990d-5b007bfe679c|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
cfdef2e5-1fe4-4ef4-bea8-c56e08963150|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|EBS Volume Not Attached To Instances
1819ac03-542b-4026-976b-f37addd59f3b|Medium|Availability|EBS Volumes that are unattached to instances may contain sensitive data (read more)|Documentation
| +|ECS Service Without Running Tasks
79d745f0-d5f3-46db-9504-bef73e9fd528|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Low RDS Backup Retention Period
e649a218-d099-4550-86a4-1231e1fcb60d|Medium|Backup|AWS RDS backup retention policy should be at least 7 days (read more)|Documentation
| +|Stack Retention Disabled
fe974ae9-858e-4991-bbd5-e040a834679f|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|RDS Multi-AZ Deployment Disabled
2b1d4935-9acf-48a7-8466-10d18bf51a69|Medium|Backup|AWS RDS Instance should have a multi-az deployment (read more)|Documentation
| +|RDS With Backup Disabled
8c415f6f-7b90-4a27-a44a-51047e1506f9|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|IAM Password Without Lowercase Letter
f4cf35d6-da92-48de-ab70-57be2b2e6497|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM User Without Password Reset
a964d6e3-8e1e-4d93-8120-61fa640dd55a|Medium|Best Practices|IAM User Login Profile should exist and have PasswordResetRequired property set to true (read more)|Documentation
| +|IAM Password Without Symbol
d72a7869-e8b9-4e12-bcd2-e8be10b39fa7|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|IAM Managed Policy Applied to a User
0e5872b4-19a0-4165-8b2f-56d9e14b909f|Medium|Best Practices|Make sure that any managed IAM policies are implemented in a group and not in a user. (read more)|Documentation
| +|Cognito UserPool Without MFA
74a18d1a-cf02-4a31-8791-ed0967ad7fdc|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|IAM Password Without Number
839f238f-2e3a-4a72-b945-8abdf91af955|Medium|Best Practices|IAM user resource Login Profile Password should have at least one number (read more)|Documentation
| +|ECS No Load Balancer Attached
fb2b0ecf-1492-491a-a70d-ba1df579175d|Medium|Best Practices|Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer. (read more)|Documentation
| +|IAM Password Without Uppercase Letter
445020f6-b69e-4484-847f-02d4b7768902|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|IAM Password Without Minimum Length
b1b20ae3-8fa7-4af5-a74d-a2145920fcb1|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|CodeBuild Not Encrypted
d7467bb6-3ed1-4c82-8095-5e7a818d0aad|Medium|Encryption|CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
d926aa95-0a04-4abc-b20c-acf54afe38a1|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|SageMaker EndPoint Config Should Specify KmsKeyId Attribute
44034eda-1c3f-486a-831d-e09a7dd94354|Medium|Encryption|KmsKeyId attribute should be defined (read more)|Documentation
| +|Workspace Without Encryption
89827c57-5a8a-49eb-9731-976a606d70db|Medium|Encryption|Workspaces should have encryption enabled (read more)|Documentation
| +|Default KMS Key Usage
e52395b4-250b-4c60-81d5-2e58c1d37abc|Medium|Encryption|When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
86a248ab-0e01-4564-a82a-878303e253bb|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|KMS Key Rotation Disabled
235ca980-eb71-48f4-9030-df0c371029eb|Medium|Encryption|EnableKeyRotation should not be false or undefined (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
316278b3-87ac-444c-8f8f-a733a28da60f|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|SQS With SSE Disabled
12726829-93ed-4d51-9cbe-13423f4299e1|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
bf4473f1-c8a2-4b1b-8134-bd32efabab93|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|Alexa Skill Plaintext Client Secret Exposed
3c3b7a58-b018-4d07-9444-d9ee7156e111|Medium|Encryption|Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information (read more)|Documentation
| +|Unscanned ECR Image
9025b2b3-e554-4842-ba87-db7aeec36d35|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|API Gateway With Invalid Compression
d6653eee-2d4d-4e6a-976f-6794a497999a|Medium|Encryption|API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|EBS Volume Encryption Disabled
80b7ac3f-d2b7-4577-9b10-df7913497162|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
1b6322d9-c755-4f8c-b804-32c19250f2d9|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|IAM Group Inline Policies
a58d1a2d-4078-4b80-855b-84cc3f7f4540|Medium|Encryption|IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted (read more)|Documentation
| +|EMR Security Configuration Encryption Disabled
5b033ec8-f079-4323-b5c8-99d4620433a9|Medium|Encryption|EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit. (read more)|Documentation
| +|Memcached Disabled
dd0971a6-09c3-4168-8474-a7ef8fbfd99d|Medium|Encryption|Check if the Memcached is disabled on the ElastiCache (read more)|Documentation
| +|RDS Storage Encryption Disabled
65844ba3-03a1-40a8-b3dd-919f122e8c95|Medium|Encryption|RDS DBCluster should have storage encrypted set to true (read more)|Documentation
| +|Lambda Functions Without Unique IAM Roles
ae03f542-1423-402f-9cef-c834e7ee9583|Medium|Insecure Configurations|AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Inline Policies Are Attached To ECS Service
9e8c89b3-7997-4d15-93e4-7911b9db99fd|Medium|Insecure Configurations|Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies. (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
68b6a789-82f8-4cfd-85de-e95332fe6a61|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|EMR Cluster Without Security Configuration
48af92a5-c89b-4936-bc62-1086fe2bab23|Medium|Insecure Configurations|EMR Cluster should have security configuration defined. (read more)|Documentation
| +|SageMaker Enabling Internet Access
88d55d94-315d-4564-beee-d2d725feab11|Medium|Insecure Configurations|SageMaker must have disabled internet access and root access for Creating Notebook Instances. (read more)|Documentation
| +|Lambda Function Without Tags
8df8e857-bd59-44fa-9f4c-d77594b95b46|Medium|Insecure Configurations|AWS Lambda Functions must have associated tags. (read more)|Documentation
| +|ECR Image Tag Not Immutable
33f41d31-86b1-46a4-81f7-9c9a671f59ac|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|GitHub Repository Set To Public
5906092d-5f74-490d-9a03-78febe0f65e1|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| +|API Gateway Without SSL Certificate
ed4c48b8-eccc-4881-95c1-09fdae23db25|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|IAM User Has Too Many Access Keys
48677914-6fdf-40ec-80c4-2b0e94079f54|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|IAM User LoginProfile Password Is In Plaintext
06adef8c-c284-4de7-aad2-af43b07a8ca1|Medium|Insecure Configurations|IAM User LoginProfile Password must not be a plaintext string (read more)|Documentation
| +|API Gateway With Open Access
1056dfbb-5802-4762-bf2b-8b9b9684b1b0|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|Instance With No VPC
8a6d36cd-0bc6-42b7-92c4-67acc8576861|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|RouterTable with Default Routing
4f0908b9-eb66-433f-9145-134274e1e944|Medium|Insecure Defaults|NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables. (read more)|Documentation
| +|S3 Bucket Should Have Bucket Policy
37fa8188-738b-42c8-bf82-6334ea567738|Medium|Insecure Defaults|Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated (read more)|Documentation
| +|EC2 Permissive Network ACL Protocols
03879981-efa2-47a0-a818-c843e1441b88|Medium|Networking and Firewall|To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code). (read more)|Documentation
| +|Security Group Egress With Port Range
dae9c373-8287-462f-8746-6f93dad93610|Medium|Networking and Firewall|AWS Security Group Egress should have a single port (read more)|Documentation
| +|VPC Without Network Firewall
3e293410-d5b8-411f-85fd-7d26294f20c9|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|ELB With Security Group Without Inbound Rules
e200a6f3-c589-49ec-9143-7421d4a2c845|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|GameLift Fleet EC2 InboundPermissions With Port Range
43356255-495d-4148-ad8d-f6af5eac09dd|Medium|Networking and Firewall|AWS GameLift Fleet EC2InboundPermissions should have a single port (read more)|Documentation
| +|Security Group Egress With All Protocols
ee464fc2-54a6-4e22-b10a-c6dcd2474d0c|Medium|Networking and Firewall|AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| +|ALB Is Not Integrated With WAF
105ba098-1e34-48cd-b0f2-a8a43a51bf9b|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
4a8daf95-709d-4a36-9132-d3e19878fa34|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|API Gateway without WAF
fcbf9019-566c-4832-a65c-af00d8137d2b|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Security Group Ingress With All Protocols
1a427b25-2e9e-4298-9530-0499a55e736b|Medium|Networking and Firewall|AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports (read more)|Documentation
| +|TCP/UDP Protocol Network ACL Entry Allows All Ports
f57f849c-883b-4cb7-85e7-f7b199dff163|Medium|Networking and Firewall|TCP/UDP protocol AWS Network ACL Entry should not allow all ports (read more)|Documentation
| +|ELB With Security Group Without Outbound Rules
01d5a458-a6c4-452a-ac50-054d59275b7c|Medium|Networking and Firewall|An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules (read more)|Documentation
| +|Security Groups Without VPC Attached
493d9591-6249-47bf-8dc0-5c10161cc558|Medium|Networking and Firewall|Security Groups must have a VPC. (read more)|Documentation
| +|Security Group Egress CIDR Open To World
1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a|Medium|Networking and Firewall|AWS Security Group Egress CIDR should not be open to the world (read more)|Documentation
| +|Security Group Ingress With Port Range
87482183-a8e7-4e42-a566-7a23ec231c16|Medium|Networking and Firewall|AWS Security Group Ingress should have a single port (read more)|Documentation
| +|S3 Bucket Without Versioning
a227ec01-f97a-4084-91a4-47b350c1db54|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
06ec63e3-9f72-4fe2-a218-2eb9200b8db5|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
65d07da5-9af5-44df-8983-52d2e6f24c44|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudWatch Logging Disabled
0f0fb06b-0f2f-4374-8588-f2c7c348c7a0|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| +|S3 Bucket Logging Disabled
4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|API Gateway V2 Stage Access Logging Settings Not Defined
80d45af4-4920-4236-a56e-b7ef419d1941|Medium|Observability|API Gateway V2 Stage should have Access Logging Settings defined. (read more)|Documentation
| +|MQ Broker Logging Disabled
e519ed6a-8328-4b69-8eb7-8fa549ac3050|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|ELBv2 ALB Access Log Disabled
c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621|Medium|Observability|ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer. (read more)|Documentation
| +|Stack Notifications Disabled
837e033c-4717-40bd-807e-6abaa30161b7|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Multi Region Disabled
058ac855-989f-4378-ba4d-52d004020da7|Medium|Observability|CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true (read more)|Documentation
| +|ELB Access Log Disabled
ee12ad32-2863-4c0f-b13f-28272d115028|Medium|Observability|ELB should have access log enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
3e09413f-471e-40f3-8626-990c79ae63f3|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|GuardDuty Detector Disabled
a25cd877-375c-4121-a640-730929936fac|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|Redshift Cluster Logging Disabled
3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|CloudFront Logging Disabled
de77cd9f-0e8b-46cc-b4a4-b6b436838642|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined (read more)|Documentation
| +|API Gateway X-Ray Disabled
4ab10c48-bedb-4deb-8f3b-ff12783b61de|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|ElasticSearch Without Slow Logs
086ea2eb-14a6-4fd4-914b-38e0bc8703e8|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|CloudWatch Metrics Disabled
5d3c1807-acb3-4bb0-be4e-0440230feeaf|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|MSK Cluster Logging Disabled
fc7c2c15-f5d0-4b80-adb2-c89019f8f62b|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|Directory Service Microsoft AD Password Set to Plaintext or Default Ref
06b9f52a-8cd5-459b-bdc6-21a22521e1be|Medium|Secret Management|Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|High Access Key Rotation Period
800fa019-49dd-421b-9042-7331fdd83fa2|Medium|Secret Management|ConfigRule should enforce access keys to be rotated within 90 days. (read more)|Documentation
| +|Amplify App Access Token Exposed
73980e43-f399-4fcc-a373-658228f7adf7|Medium|Secret Management|Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|Amplify App Basic Auth Config Password Exposed
71493c8b-3014-404c-9802-078b74496fb7|Medium|Secret Management|Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DocDB Cluster Master Password In Plaintext
39423ce4-9011-46cd-b6b1-009edcd9385d|Medium|Secret Management|DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value. (read more)|Documentation
| +|DMS Endpoint MongoDB Settings Password Exposed
f988a17f-1139-46a3-8928-f27eafd8b024|Medium|Secret Management|DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Amplify Branch Basic Auth Config Password Exposed
dfb56e5d-ee68-446e-b32a-657b62befe69|Medium|Secret Management|Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|EBS Volume Without KmsKeyId
b7063015-6c31-4658-a8e7-14f98f37fd42|Medium|Secret Management|EBS Volume should specify a KmsKeyId value (read more)|Documentation
| +|RefreshToken Is Exposed
5b48c507-0d1f-41b0-a630-76817c6b4189|Medium|Secret Management|Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string (read more)|Documentation
| +|Amplify App OAuth Token Exposed
03b38885-8f4e-480c-a0e4-12c1affd15db|Medium|Secret Management|Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|DMS Endpoint Password Exposed
5f700072-b7ce-4e84-b3f3-497bf1c24a4d|Medium|Secret Management|DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Directory Service Simple AD Password Exposed
6685d912-d81f-4cfa-95ad-e316ea31c989|Medium|Secret Management|DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. (read more)|Documentation
| +|Secrets Manager Should Specify KmsKeyId
c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22|Medium|Secret Management|Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account (read more)|Documentation
| +|SNS Topic Without KmsMasterKeyId
9d13b150-a2ab-42a1-b6f4-142e41f81e52|Medium|Secret Management|KmsMasterKeyId attribute should not be undefined (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
2564172f-c92b-4261-9acd-464aed511696|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
f80e3aa7-7b34-4185-954e-440a6894dde6|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|IAM Group Without Users
8f957abd-9703-413d-87d3-c578950a753c|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM User With No Group
06933df4-0ea7-461c-b9b5-104d27390e0e|Low|Access Control|A IAM user should belong to a group (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
e835bd0d-65da-49f7-b6d1-b646da8727e6|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
08b81bb3-0985-4023-8602-b606ad81d279|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|Support Has No Role Associated
d71b5fd7-9020-4b2d-9ec8-b3839faa2744|Low|Access Control|Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed. (read more)|Documentation
| +|VPC Attached With Too Many Gateways
97e94d17-e2c7-4109-a53b-6536ac1bb64e|Low|Availability|The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC (read more)|Documentation
| +|RDS DB Instance With Deletion Protection Disabled
2c161e58-cb52-454f-abea-6470c37b5e6e|Low|Backup|RDS DBInstance should have deletion protection set to true (read more)|Documentation
| +|CDN Configuration Is Missing
e4f54ff4-d352-40e8-a096-5141073c37a2|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Geo Restriction Disabled
7f8843f0-9ea5-42b4-a02b-753055113195|Low|Best Practices|Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content (read more)|Documentation
| +|Lambda Permission Misconfigured
9b83114b-b2a1-4534-990d-06da015e47aa|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
8d29754a-2a18-460d-a1ba-9509f8d359da|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
f0104061-8bfc-4b45-8a7d-630eb502f281|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true. (read more)|Documentation
| +|IAM Policies Without Groups
5e7acff5-095b-40ac-9073-ac2e4ad8a512|Low|Best Practices|IAM policy should not apply directly to users, should be with a group (read more)|Documentation
| +|Security Group Ingress Has CIDR Not Recommended
a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd|Low|Best Practices|AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6 (read more)|Documentation
| +|DynamoDB With Not Recommented Table Billing Mode
c333e906-8d8b-4275-b999-78b6318f8dc6|Low|Build Process|Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED (read more)|Documentation
| +|EFS Without Tags
08e39832-5e42-4304-98a0-aa5b43393162|Low|Build Process|Amazon Elastic Filesystem should have filesystem tags associated (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
050a9ba8-d1cb-4c61-a5e8-8805a70d3b85|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
6c8d51af-218d-4bfb-94a9-94eabaa0703a|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|Lambda Function Without Dead Letter Queue
c2eae442-d3ba-4cb1-84ca-1db4f80eae3d|Low|Insecure Configurations|AWS Lambda Function should be configured for a Dead Letter Queue(DLQ) (read more)|Documentation
| +|API Gateway Cache Cluster Disabled
52790cad-d60d-41d5-8483-146f9f21208d|Low|Insecure Configurations|AWS API Gateway should have cache clustering enabled (read more)|Documentation
| +|Wildcard In ACM Certificate Domain Name
cc8b294f-006f-4f8f-b5bb-0a9140c33131|Low|Insecure Configurations|ACM Certificate should not use wildcards (*) in the domain name (read more)|Documentation
| +|EC2 Instance Using Default VPC
e42a3ef0-5325-4667-84bf-075ba1c9d58e|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Shield Advanced Not In Use
ad7444cf-817a-4765-a79e-2145f7981faf|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|Redshift Using Default Port
a478af30-8c3a-404d-aa64-0b673cee509a|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|EMR Without VPC
bf89373a-be40-4c04-99f5-746742dfd7f3|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Without VPC
ba766c53-fe71-4bbb-be35-b6803f2ef13e|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
0f139403-303f-467c-96bd-e717e6cfd62d|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|EC2 Network ACL Duplicate Rule
045ddb54-cfc5-4abb-9e05-e427b2bc96fe|Low|Networking and Firewall|A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress (read more)|Documentation
| +|RDS Using Default Port
1fe9d958-ddce-4228-a124-05265a959a8b|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|ElastiCache Using Default Port
323db967-c68e-44e6-916c-a777f95af34b|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
783860a3-6dca-4c8b-81d0-7b62769ccbca|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|ECS Task Definition HealthCheck Missing
d24389b4-b209-4ff0-8345-dc7a4569dcdd|Low|Observability|Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
2a3560fe-52ca-4443-b34f-bf0ed5eb74c8|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|VPC FlowLogs Disabled
f6d299d2-21eb-41cc-b1e1-fe12d857500b|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
9488c451-074e-4cd3-aee3-7db6104f542c|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active' (read more)|Documentation
| +|ECS Task Definition Invalid CPU or Memory
f4c9b5f5-68b8-491f-9e48-4f96644a1d51|Low|Resource Management|In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error (read more)|Documentation
| +|VPC Without Attached Subnet
3b3b4411-ad1f-40e7-b257-a78a6bb9673a|Low|Resource Management|VPCs without attached subnets may indicate that they are not being used (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
7f8f1b60-43df-4c28-aa21-fb836dbd8071|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|SDB Domain Declared As A Resource
6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d|Low|Resource Management|SimpleDB Domain resource should not be declared (read more)|Documentation
| +|EC2 Not EBS Optimized
8dd0ff1f-0da4-48df-9bb3-7f338ae36a40|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Security Group Rule Without Description
5e6c9c68-8a82-408e-8749-ddad78cbb9c5|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
|
 ### AWS_BOM
 Bellow are listed queries related with CloudFormation AWS_BOM: 
@@ -283,15 +283,15 @@ Bellow are listed queries related with CloudFormation AWS_BOM:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance|Documentation
| -|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS EFS
ef05a925-8568-4054-8ff1-f5ba82631c16|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| +|BOM - AWS MQ
209189f3-c879-48a7-9703-fbcfa96d0cef|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
42e7dca3-8cce-4325-8df0-108888259136|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS SQS
59a849c2-1127-4023-85a5-ef906dcd458c|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS EBS
0b0556ea-9cd9-476f-862e-20679dda752b|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS Elasticache
c689f51b-9203-43b3-9d8b-caed123f706c|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS Kinesis
d53323be-dde6-4457-9a43-42df737e71d2|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS Cassandra
124b173b-e06d-48a6-8acd-f889443d97a4|Trace|Bill Of Materials|A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance (read more)|Documentation
| +|BOM - AWS S3 Buckets
b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS DynamoDB
4e67c0ae-38a0-47f4-a50c-f0c9b75826df|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS RDS
6ef03ff6-a2bd-483c-851f-631f248bc0ea|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS MSK
2730c169-51d7-4ae7-99b5-584379eff1bb|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
|
diff --git a/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md b/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md
new file mode 100644
index 00000000000..98201a57663
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md
@@ -0,0 +1,258 @@
+---
+title: DB Security Group Open To Large Scope
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 0104165b-02d5-426f-abc9-91fb48189899
+- **Query name:** DB Security Group Open To Large Scope
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope)
+
+### Description
+The IP address in a DB Security Group must not have more than 256 hosts.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +Resources: + DBinstance1: + Type: AWS::RDS::DBInstance + Properties: + DBSecurityGroups: + - + Ref: "DbSecurity" + AllocatedStorage: "5" + DBInstanceClass: "db.t3.small" + Engine: "MySQL" + MasterUsername: "YourName" + MasterUserPassword: "YourPassword" + DeletionPolicy: "Snapshot" + DbSecurity: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Ingress for Amazon EC2 security group" + DBSecurityGroupIngress: + CIDRIP: 1.2.3.4/23 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +Resources: + DBinstance2: + Type: AWS::RDS::DBInstance + Properties: + DBSecurityGroups: + - + Ref: "DbSecurityByEC2SecurityGroup1" + AllocatedStorage: "5" + DBInstanceClass: "db.t3.small" + Engine: "MySQL" + MasterUsername: "YourName" + MasterUserPassword: "YourPassword" + DeletionPolicy: "Snapshot" + DbSecurityByEC2SecurityGroup1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Ingress for Amazon EC2 security group" + SecurityGroupIngress: + CidrIp: 1.2.3.4/23 + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="18" +Resources: + DBinstance3: + Type: AWS::RDS::DBInstance + Properties: + DBSecurityGroups: + - + Ref: "DbSecurityByEC2SecurityGroup2" + AllocatedStorage: "5" + DBInstanceClass: "db.t3.small" + Engine: "MySQL" + MasterUsername: "YourName" + MasterUserPassword: "YourPassword" + DeletionPolicy: "Snapshot" + DbSecurityByEC2SecurityGroup2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Ingress for Amazon EC2 security group" + SecurityGroupIngress: + CidrIpv6: 2001:db8:a::123/64 + +``` +
Postitive test num. 4 - json file + +```json hl_lines="23" +{ + "Resources": { + "DBinstance1": { + "DeletionPolicy": "Snapshot", + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBInstanceClass": "db.t3.small", + "Engine": "MySQL", + "MasterUsername": "YourName", + "MasterUserPassword": "YourPassword", + "DBSecurityGroups": [ + { + "Ref": "DbSecurity" + } + ], + "AllocatedStorage": "5" + } + }, + "DbSecurity": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Ingress for Amazon EC2 security group", + "DBSecurityGroupIngress": { + "CIDRIP": "1.2.3.4/23" + } + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="23" +{ + "Resources": { + "DBinstance2": { + "DeletionPolicy": "Snapshot", + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBSecurityGroups": [ + { + "Ref": "DbSecurityByEC2SecurityGroup1" + } + ], + "AllocatedStorage": "5", + "DBInstanceClass": "db.t3.small", + "Engine": "MySQL", + "MasterUsername": "YourName", + "MasterUserPassword": "YourPassword" + } + }, + "DbSecurityByEC2SecurityGroup1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Ingress for Amazon EC2 security group", + "SecurityGroupIngress": { + "CidrIp": "1.2.3.4/23" + } + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="23" +{ + "Resources": { + "DBinstance3": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "MasterUsername": "YourName", + "MasterUserPassword": "YourPassword", + "DBSecurityGroups": [ + { + "Ref": "DbSecurityByEC2SecurityGroup2" + } + ], + "AllocatedStorage": "5", + "DBInstanceClass": "db.t3.small", + "Engine": "MySQL" + }, + "DeletionPolicy": "Snapshot" + }, + "DbSecurityByEC2SecurityGroup2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Ingress for Amazon EC2 security group", + "SecurityGroupIngress": { + "CidrIpv6": "2001:db8:a::123/64" + } + } + } + } +} + +``` +
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+#this code is a correct code for which the query should not find any result
+Resources:
+ DBinstance:
+ Type: AWS::RDS::DBInstance
+ Properties:
+ DBSecurityGroups:
+ -
+ Ref: "DbSecurityByEC2SecurityGroup"
+ AllocatedStorage: "5"
+ DBInstanceClass: "db.t3.small"
+ Engine: "MySQL"
+ MasterUsername: "YourName"
+ MasterUserPassword: "YourPassword"
+ DeletionPolicy: "Snapshot"
+ DbSecurityByEC2SecurityGroup:
+ Type: AWS::RDS::DBSecurityGroup
+ Properties:
+ GroupDescription: "Ingress for Amazon EC2 security group"
+ DBSecurityGroupIngress:
+ CIDRIP: 1.2.3.4/28
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "DBinstance": {
+ "Type": "AWS::RDS::DBInstance",
+ "Properties": {
+ "MasterUsername": "YourName",
+ "MasterUserPassword": "YourPassword",
+ "DBSecurityGroups": [
+ {
+ "Ref": "DbSecurityByEC2SecurityGroup"
+ }
+ ],
+ "AllocatedStorage": "5",
+ "DBInstanceClass": "db.t3.small",
+ "Engine": "MySQL"
+ },
+ "DeletionPolicy": "Snapshot"
+ },
+ "DbSecurityByEC2SecurityGroup": {
+ "Type": "AWS::RDS::DBSecurityGroup",
+ "Properties": {
+ "GroupDescription": "Ingress for Amazon EC2 security group",
+ "DBSecurityGroupIngress": {
+ "CIDRIP": "1.2.3.4/28"
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/01986452-bdd8-4aaa-b5df-d6bf61d616ff.md b/docs/queries/cloudformation-queries/aws/01986452-bdd8-4aaa-b5df-d6bf61d616ff.md
new file mode 100644
index 00000000000..58fe99ea486
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/01986452-bdd8-4aaa-b5df-d6bf61d616ff.md
@@ -0,0 +1,635 @@ +--- +title: ECS Service Admin Role Is Present +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 01986452-bdd8-4aaa-b5df-d6bf61d616ff +- **Query name:** ECS Service Admin Role Is Present +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecs_service_admin_role_is_present) + +### Description +ECS Services must not have Admin roles, which means the attribute 'role' must not be an admin role
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="87" +#this is a problematic code where the query should report a result(s) +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating ECS service +Parameters: + AppName: + Type: String + Description: Name of app requiring ELB exposure + Default: simple-app + AppContainerPort: + Type: Number + Description: Container port of app requiring ELB exposure + Default: '80' + AppHostPort: + Type: Number + Description: Host port of app requiring ELB exposure + Default: '80' + ServiceName: + Type: String + LoadBalancerName: + Type: String + HealthCheckGracePeriodSeconds: + Type: String +Resources: + cluster: + Type: AWS::ECS::Cluster + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: !Ref AppName + MountPoints: + - SourceVolume: my-vol + ContainerPath: /var/www/my-vol + Image: amazon/amazon-ecs-sample + Cpu: '10' + PortMappings: + - ContainerPort: !Ref AppContainerPort + HostPort: !Ref AppHostPort + EntryPoint: + - /usr/sbin/apache2 + - '-D' + - FOREGROUND + Memory: '500' + Essential: true + - Name: busybox + Image: busybox + Cpu: '10' + EntryPoint: + - sh + - '-c' + Memory: '500' + Command: + - >- + /bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep + 1; done" + Essential: false + VolumesFrom: + - SourceContainer: !Ref AppName + Volumes: + - Host: + SourcePath: /var/lib/docker/vfs/dir/ + Name: my-vol + service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref cluster + DeploymentConfiguration: + MaximumPercent: 200 + MinimumHealthyPercent: 100 + DesiredCount: 0 + HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds + LoadBalancers: + - ContainerName: !Ref AppName + ContainerPort: !Ref AppContainerPort + LoadBalancerName: !Ref elb + PlacementStrategies: + 
- Type: binpack + Field: memory + - Type: spread + Field: host + PlacementConstraints: + - Type: memberOf + Expression: 'attribute:ecs.availability-zone != us-east-1d' + - Type: distinctInstance + TaskDefinition: !Ref taskdefinition + ServiceName: !Ref ServiceName + Role: AdminRole + elb: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + LoadBalancerName: !Ref LoadBalancerName + Listeners: + - InstancePort: !Ref AppHostPort + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: + - !Ref Subnet1 + DependsOn: GatewayAttachment + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/24 + Subnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.0.0/25 + InternetGateway: + Type: AWS::EC2::InternetGateway + GatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref VPC +Outputs: + Cluster: + Value: !Ref cluster +``` +```json title="Postitive test num. 2 - json file" hl_lines="66" +{ + "Parameters": { + "HealthCheckGracePeriodSeconds": { + "Type": "String" + }, + "AppName": { + "Default": "simple-app", + "Type": "String", + "Description": "Name of app requiring ELB exposure" + }, + "AppContainerPort": { + "Default": "80", + "Type": "Number", + "Description": "Container port of app requiring ELB exposure" + }, + "AppHostPort": { + "Type": "Number", + "Description": "Host port of app requiring ELB exposure", + "Default": "80" + }, + "ServiceName": { + "Type": "String" + }, + "LoadBalancerName": { + "Type": "String" + } + }, + "Resources": { + "service": { + "Properties": { + "DeploymentConfiguration": { + "MaximumPercent": 200, + "MinimumHealthyPercent": 100 + }, + "DesiredCount": 0, + "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds", + "ServiceName": "ServiceName", + "Cluster": "cluster", + "LoadBalancers": [ + { + "ContainerName": "AppName", + "ContainerPort": "AppContainerPort", + "LoadBalancerName": "elb" + } + ], + "PlacementStrategies": 
[ + { + "Type": "binpack", + "Field": "memory" + }, + { + "Type": "spread", + "Field": "host" + } + ], + "PlacementConstraints": [ + { + "Type": "memberOf", + "Expression": "attribute:ecs.availability-zone != us-east-1d" + }, + { + "Type": "distinctInstance" + } + ], + "TaskDefinition": "taskdefinition", + "Role": "AdminRole" + }, + "Type": "AWS::ECS::Service" + }, + "elb": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "LoadBalancerName": "LoadBalancerName", + "Listeners": [ + { + "InstancePort": "AppHostPort", + "LoadBalancerPort": "80", + "Protocol": "HTTP" + } + ], + "Subnets": [ + "Subnet1" + ] + }, + "DependsOn": "GatewayAttachment" + }, + "VPC": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/24" + } + }, + "Subnet1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": "VPC", + "CidrBlock": "10.0.0.0/25" + } + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway" + }, + "GatewayAttachment": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": "InternetGateway", + "VpcId": "VPC" + } + }, + "cluster": { + "Type": "AWS::ECS::Cluster" + }, + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": "10", + "PortMappings": [ + { + "HostPort": "AppHostPort", + "ContainerPort": "AppContainerPort" + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": "500", + "Essential": true, + "Name": "AppName" + }, + { + "Command": [ + "/bin/sh -c \"while true; do /bin/date \u003e /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false, + "VolumesFrom": [ + { + "SourceContainer": "AppName" + } + ], + "Name": "busybox", + "Image": "busybox", + "Cpu": "10", + "EntryPoint": [ + "sh", + "-c" + ], + "Memory": "500" + } + ], + "Volumes": [ + { + 
"Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + } + }, + "Outputs": { + "Cluster": { + "Value": "cluster" + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating ECS service" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating ECS service +Parameters: + AppName: + Type: String + Description: Name of app requiring ELB exposure + Default: simple-app + AppContainerPort: + Type: Number + Description: Container port of app requiring ELB exposure + Default: '80' + AppHostPort: + Type: Number + Description: Host port of app requiring ELB exposure + Default: '80' + ServiceName: + Type: String + LoadBalancerName: + Type: String + HealthCheckGracePeriodSeconds: + Type: String +Resources: + cluster: + Type: AWS::ECS::Cluster + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: !Ref AppName + MountPoints: + - SourceVolume: my-vol + ContainerPath: /var/www/my-vol + Image: amazon/amazon-ecs-sample + Cpu: '10' + PortMappings: + - ContainerPort: !Ref AppContainerPort + HostPort: !Ref AppHostPort + EntryPoint: + - /usr/sbin/apache2 + - '-D' + - FOREGROUND + Memory: '500' + Essential: true + - Name: busybox + Image: busybox + Cpu: '10' + EntryPoint: + - sh + - '-c' + Memory: '500' + Command: + - >- + /bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep + 1; done" + Essential: false + VolumesFrom: + - SourceContainer: !Ref AppName + Volumes: + - Host: + SourcePath: /var/lib/docker/vfs/dir/ + Name: my-vol + service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref cluster + DeploymentConfiguration: + MaximumPercent: 200 + MinimumHealthyPercent: 100 + DesiredCount: 0 + HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds + 
LoadBalancers: + - ContainerName: !Ref AppName + ContainerPort: !Ref AppContainerPort + LoadBalancerName: !Ref elb + PlacementStrategies: + - Type: binpack + Field: memory + - Type: spread + Field: host + PlacementConstraints: + - Type: memberOf + Expression: 'attribute:ecs.availability-zone != us-east-1d' + - Type: distinctInstance + TaskDefinition: !Ref taskdefinition + ServiceName: !Ref ServiceName + Role: Role + elb: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + LoadBalancerName: !Ref LoadBalancerName + Listeners: + - InstancePort: !Ref AppHostPort + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: + - !Ref Subnet1 + DependsOn: GatewayAttachment + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/24 + Subnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.0.0/25 + InternetGateway: + Type: AWS::EC2::InternetGateway + GatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref VPC +Outputs: + Cluster: + Value: !Ref cluster +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating ECS service", + "Parameters": { + "LoadBalancerName": { + "Type": "String" + }, + "HealthCheckGracePeriodSeconds": { + "Type": "String" + }, + "AppName": { + "Type": "String", + "Description": "Name of app requiring ELB exposure", + "Default": "simple-app" + }, + "AppContainerPort": { + "Type": "Number", + "Description": "Container port of app requiring ELB exposure", + "Default": "80" + }, + "AppHostPort": { + "Type": "Number", + "Description": "Host port of app requiring ELB exposure", + "Default": "80" + }, + "ServiceName": { + "Type": "String" + } + }, + "Resources": { + "cluster": { + "Type": "AWS::ECS::Cluster" + }, + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Essential": true, + "Name": "AppName", + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": "10", + "PortMappings": [ + { + "ContainerPort": "AppContainerPort", + "HostPort": "AppHostPort" + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": "500" + }, + { + "Name": "busybox", + "Image": "busybox", + "Cpu": "10", + "EntryPoint": [ + "sh", + "-c" + ], + "Memory": "500", + "Command": [ + "/bin/sh -c \"while true; do /bin/date \u003e /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false, + "VolumesFrom": [ + { + "SourceContainer": "AppName" + } + ] + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + }, + "service": { + "Type": "AWS::ECS::Service", + "Properties": { + "Role": "Role", + "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds", + "LoadBalancers": [ + { + "ContainerName": "AppName", + "ContainerPort": "AppContainerPort", + "LoadBalancerName": "elb" + } + ], + "PlacementStrategies": [ + { + "Type": "binpack", + 
"Field": "memory" + }, + { + "Type": "spread", + "Field": "host" + } + ], + "PlacementConstraints": [ + { + "Type": "memberOf", + "Expression": "attribute:ecs.availability-zone != us-east-1d" + }, + { + "Type": "distinctInstance" + } + ], + "TaskDefinition": "taskdefinition", + "Cluster": "cluster", + "DeploymentConfiguration": { + "MaximumPercent": 200, + "MinimumHealthyPercent": 100 + }, + "DesiredCount": 0, + "ServiceName": "ServiceName" + } + }, + "elb": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "Listeners": [ + { + "InstancePort": "AppHostPort", + "LoadBalancerPort": "80", + "Protocol": "HTTP" + } + ], + "Subnets": [ + "Subnet1" + ], + "LoadBalancerName": "LoadBalancerName" + }, + "DependsOn": "GatewayAttachment" + }, + "VPC": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/24" + } + }, + "Subnet1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": "VPC", + "CidrBlock": "10.0.0.0/25" + } + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway" + }, + "GatewayAttachment": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": "InternetGateway", + "VpcId": "VPC" + } + } + }, + "Outputs": { + "Cluster": { + "Value": "cluster" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md b/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md new file mode 100644 index 00000000000..3ffdf4eb1fe --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md 
@@ -0,0 +1,116 @@ +--- +title: ELB With Security Group Without Outbound Rules +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 01d5a458-a6c4-452a-ac50-054d59275b7c +- **Query name:** ELB With Security Group Without Outbound Rules +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elb_with_security_group_without_outbound_rules) + +### Description +An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupegress) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + sgwithoutegress: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - sgwithoutegress +``` +```json title="Postitive test num. 2 - json file" hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "sgwithoutegress": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Limits security group egress traffic" + } + }, + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "SecurityGroups": [ + "sgwithoutegress" + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + sgwithegress: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - sgwithegress +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "sgwithegress": { + "Properties": { + "GroupDescription": "Limits security group egress traffic", + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ] + }, + "Type": "AWS::EC2::SecurityGroup" + }, + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "SecurityGroups": [ + "sgwithegress" + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/027a4b7a-8a59-4938-a04f-ed532512cf45.md b/docs/queries/cloudformation-queries/aws/027a4b7a-8a59-4938-a04f-ed532512cf45.md new file mode 100644 index 00000000000..7ac1222391b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/027a4b7a-8a59-4938-a04f-ed532512cf45.md @@ -0,0 +1,218 @@ +--- +title: ECS Task Definition Network Mode Not Recommended +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 027a4b7a-8a59-4938-a04f-ed532512cf45 +- **Query name:** ECS Task Definition Network Mode Not Recommended +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecs_task_definition_network_mode_not_recommended) + +### Description +Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-networkmode) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + NetworkMode: none + ContainerDefinitions: + - Name: + Ref: "AppName" + MountPoints: + - SourceVolume: "my-vol" + ContainerPath: "/var/www/my-vol" + Image: "amazon/amazon-ecs-sample" + Cpu: 256 + PortMappings: + - ContainerPort: + Ref: "AppContainerPort" + HostPort: + Ref: "AppHostPort" + EntryPoint: + - "/usr/sbin/apache2" + - "-D" + - "FOREGROUND" + Memory: 512 + Essential: true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": 256, + "PortMappings": [ + { + "HostPort": { + "Ref": "AppHostPort" + }, + "ContainerPort": { + "Ref": "AppContainerPort" + } + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": 512, + "Essential": true, + "Name": { + "Ref": "AppName" + } + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + NetworkMode: awsvpc + ContainerDefinitions: + - Name: + Ref: "AppName" + MountPoints: + - SourceVolume: "my-vol" + ContainerPath: "/var/www/my-vol" + Image: "amazon/amazon-ecs-sample" + Cpu: 256 + PortMappings: + - ContainerPort: + Ref: "AppContainerPort" + HostPort: + Ref: "AppHostPort" + EntryPoint: + - "/usr/sbin/apache2" + - "-D" + - "FOREGROUND" + HealthCheck: + Command: + - CMD-SHELL + - curl -f http://localhost:8080/ || exit 1 + Interval: 30 + Retries: 3 + StartPeriod: 1 + Timeout: 5 + Memory: 512 + Essential: true + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ], + "NetworkMode": "awsvpc", + "ContainerDefinitions": [ + { + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": 512, + "PortMappings": [ + { + "ContainerPort": { + "Ref": "AppContainerPort" + }, + "HostPort": { + "Ref": "AppHostPort" + } + } + ], + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": 256, + "HealthCheck": { + "Command": [ + "CMD-SHELL", + "curl -f http://localhost:8080/ || exit 1" + ], + "Interval": 30, + "Retries": 3, + "StartPeriod": 1, + "Timeout": 5 + }, + "Essential": true, + "Name": { + "Ref": "AppName" + } + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/03879981-efa2-47a0-a818-c843e1441b88.md b/docs/queries/cloudformation-queries/aws/03879981-efa2-47a0-a818-c843e1441b88.md new file mode 100644 index 00000000000..b8478021045 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/03879981-efa2-47a0-a818-c843e1441b88.md @@ -0,0 +1,150 @@ +--- +title: EC2 Permissive Network ACL Protocols +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 03879981-efa2-47a0-a818-c843e1441b88 +- **Query name:** EC2 Permissive Network ACL Protocols +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_permissive_network_acl_protocols) + +### Description +To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + MyNACL: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: vpc-1122334455aabbccd + Tags: + - Key: Name + Value: NACLforSSHTraffic + OutboundRule: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: -1 + Egress: true + RuleAction: allow + CidrBlock: 0.0.0.0/0 +``` +```json title="Postitive test num. 2 - json file" hl_lines="24" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "MyNACL": { + "Type": "AWS::EC2::NetworkAcl", + "Properties": { + "VpcId": "vpc-1122334455aabbccd", + "Tags": [ + { + "Key": "Name", + "Value": "NACLforSSHTraffic" + } + ] + } + }, + "OutboundRule": { + "Properties": { + "CidrBlock": "0.0.0.0/0", + "NetworkAclId": { + "Ref": "MyNACL" + }, + "RuleNumber": 100, + "Protocol": -1, + "Egress": true, + "RuleAction": "allow" + }, + "Type": "AWS::EC2::NetworkAclEntry" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + MyNACL: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: vpc-1122334455aabbccd + Tags: + - Key: Name + Value: NACLforSSHTraffic + InboundRule: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: 6 + RuleAction: allow + CidrBlock: 172.16.0.0/24 + PortRange: + 
From: 22 + To: 22 +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "InboundRule": { + "Type": "AWS::EC2::NetworkAclEntry", + "Properties": { + "CidrBlock": "172.16.0.0/24", + "PortRange": { + "To": 22, + "From": 22 + }, + "NetworkAclId": { + "Ref": "MyNACL" + }, + "RuleNumber": 100, + "Protocol": 6, + "RuleAction": "allow" + } + }, + "MyNACL": { + "Properties": { + "VpcId": "vpc-1122334455aabbccd", + "Tags": [ + { + "Key": "Name", + "Value": "NACLforSSHTraffic" + } + ] + }, + "Type": "AWS::EC2::NetworkAcl" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/03b38885-8f4e-480c-a0e4-12c1affd15db.md b/docs/queries/cloudformation-queries/aws/03b38885-8f4e-480c-a0e4-12c1affd15db.md new file mode 100644 index 00000000000..cf162de2c0e --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/03b38885-8f4e-480c-a0e4-12c1affd15db.md @@ -0,0 +1,313 @@ +--- +title: Amplify App OAuth Token Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 03b38885-8f4e-480c-a0e4-12c1affd15db +- **Query name:** Amplify App OAuth Token Exposed +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/amplify_app_oauth_token_exposed) + +### Description +Amplify App OAuth Token must not be a plaintext string or a Ref to a Parameter with a Default value.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-amplify-app-basicauthconfig.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +Resources: + NewAmpApp-1: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + Repository: String + OauthToken: 'CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA' + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +Parameters: + ParentPassword: + Description: 'Password' + Type: String + Default: 'CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA' + ParentUsername: + Description: 'Username' + Type: String + Default: "" +Resources: + NewAmpApp-4: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: !Ref ParentPassword + Repository: String + BasicAuthConfig: + EnableBasicAuth: true + Password: !Ref ParentPassword + Username: !Ref ParentUsername + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="5" +{ + "Resources": { + "NewAmpApp-1": { + "Type": "AWS::Amplify::App", + "Properties": { + "Name": "NewAmpApp", + "Repository": "String", + "OauthToken": "CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA", + "BuildSpec": "String", + "CustomHeaders": "String", + "Description": "String", + "EnableBranchAutoDeletion": true, + "IAMServiceRole": "String" + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="11" +{ + "Parameters": { + "ParentUsername": { + "Description": "Username", + "Type": "String", + "Default": "" + }, + "ParentPassword": { + "Description": "Password", + "Type": "String", + "Default": "CqGZthigPO55H3fi1_6wrP9jmdivueS7lYd7Lg2styBfjsK5eQ5C2qg_gONQgzyvvVojXY0JyMkRdm71y3nTFl1ZYOgJSNLshvWnm9QoEJrInp_xr-o-9RgZHhrGp5X9dCZVYsYF1WHqj5p75O37IKc8Rv6yO9kGw1flCbT4xbeLTDItX71jRzuAHYNKGPKkxrhIuQ-w9MyKYZ0a3pYT4lWZzWVFoMu9G-smC4qrww5grWCUevE9LuNEZgSijFgRK9QPo8PxMt427lGyK-FkoB8x4qllQ1aCG9_mz2t6A1nRxXY7-Jq9ONkmNoUHiTenEUUaPQcz4RFzrkTE-GaUNP_yK2tNR2i5-TQ4tcI8hQW0aaAsWBPoxd_ZXNty9AhRpshU9WUy32yIHj47jMYCpA" + } + }, + "Resources": { + "NewAmpApp-4": { + "Type": "AWS::Amplify::App", + "Properties": { + "Repository": "String", + "BasicAuthConfig": { + "EnableBasicAuth": true, + "Password": "ParentPassword", + "Username": "ParentUsername" + }, + "OauthToken": "ParentPassword", + "BuildSpec": "String", + "CustomHeaders": "String", + "Description": "String", + "EnableBranchAutoDeletion": true, + "IAMServiceRole": "String", + "Name": "NewAmpApp" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + NewAmpApp-2: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + Repository: String + OauthToken: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username": "admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +```yaml title="Negative test num. 2 - yaml file" + +Parameters: + ParentPassword: + Description: 'Password' + Type: String + ParentUsername: + Description: 'Username' + Type: String +Resources: + NewAmpApp-1: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + Repository: String + OauthToken: !Ref ParentPassword + + +``` +```yaml title="Negative test num. 3 - yaml file" + +Parameters: + ParentPassword: + Description: 'Password' + Type: String + Default: "" + ParentUsername: + Description: 'Username' + Type: String + Default: "" +Resources: + NewAmpApp-4: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + Repository: String + OauthToken: !Ref ParentPassword + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "NewAmpApp-2": { + "Type": "AWS::Amplify::App", + "Properties": { + "Name": "NewAmpApp", + "Repository": "String", + "OauthToken": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}", + "BuildSpec": "String", + "CustomHeaders": "String", + "Description": "String", + "EnableBranchAutoDeletion": true, + "IAMServiceRole": "String" + } + }, + "MyAmpAppSecretManagerRotater": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "Description": "This is my amp app instance secret", + "GenerateSecretString": { + "SecretStringTemplate": "{\"username\": \"admin\"}", + "GenerateStringKey": "password", + "PasswordLength": 16, + "ExcludeCharacters": "\"@/\\" + } + } + } + } +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "Parameters": { + "ParentPassword": { + "Description": "Password", + "Type": "String" + }, + "ParentUsername": { + "Description": "Username", + "Type": "String" + } + }, + "Resources": { + "NewAmpApp-1": { + "Type": "AWS::Amplify::App", + "Properties": { + "BuildSpec": "String", + "CustomHeaders": "String", + "Description": "String", + "EnableBranchAutoDeletion": true, + "IAMServiceRole": "String", + "Name": "NewAmpApp", + "Repository": "String", + "OauthToken": "ParentPassword" + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Parameters": { + "ParentPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + }, + "ParentUsername": { + "Description": "Username", + "Type": "String", + "Default": "" + } + }, + "Resources": { + "NewAmpApp-4": { + "Type": "AWS::Amplify::App", + "Properties": { + "BuildSpec": "String", + "CustomHeaders": "String", + "Description": "String", + "EnableBranchAutoDeletion": true, + "IAMServiceRole": "String", + "Name": "NewAmpApp", + "Repository": "String", + "OauthToken": "ParentPassword" + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md b/docs/queries/cloudformation-queries/aws/045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md new file mode 100644 index 00000000000..5da80c5cf38 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/045ddb54-cfc5-4abb-9e05-e427b2bc96fe.md @@ -0,0 +1,246 @@ +--- +title: EC2 Network ACL Duplicate Rule +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 045ddb54-cfc5-4abb-9e05-e427b2bc96fe +- **Query name:** EC2 Network ACL Duplicate Rule +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_network_acl_duplicate_rule) + +### Description +A Network ACL's rule numbers cannot be repeated unless one is egress and the other is ingress
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html#cfn-ec2-networkaclentry-rulenumber) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="25 12 52 39" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + MyNACL: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: vpc-1122334455aabbccd + InboundRule: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: 6 + Egress: true + RuleAction: allow + CidrBlock: 172.16.0.0/24 + PortRange: + From: 22 + To: 22 + OutboundRule: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: -1 + Egress: true + RuleAction: allow + CidrBlock: 0.0.0.0/0 + MyNACL2: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: vpc-1122334455aabbccdd + InboundRule2: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL2 + RuleNumber: "112" + Protocol: 6 + Ingress: true + RuleAction: allow + CidrBlock: 172.16.0.0/24 + PortRange: + 
From: 22 + To: 22 + OutboundRule2: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL2 + RuleNumber: "112" + Protocol: -1 + Ingress: true + RuleAction: allow + CidrBlock: 0.0.0.0/0 + +``` +```json title="Postitive test num. 2 - json file" hl_lines="33 23 57 71" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MyNACL": { + "Properties": { + "VpcId": "vpc-1122334455aabbccd" + }, + "Type": "AWS::EC2::NetworkAcl" + }, + "InboundRule": { + "Type": "AWS::EC2::NetworkAclEntry", + "Properties": { + "Egress": true, + "RuleAction": "allow", + "CidrBlock": "172.16.0.0/24", + "PortRange": { + "From": 22, + "To": 22 + }, + "NetworkAclId": { + "Ref": "MyNACL" + }, + "RuleNumber": 100, + "Protocol": 6 + } + }, + "OutboundRule": { + "Type": "AWS::EC2::NetworkAclEntry", + "Properties": { + "NetworkAclId": { + "Ref": "MyNACL" + }, + "RuleNumber": 100, + "Protocol": -1, + "Egress": true, + "RuleAction": "allow", + "CidrBlock": "0.0.0.0/0" + } + }, + "MyNACL2": { + "Type": "AWS::EC2::NetworkAcl", + "Properties": { + "VpcId": "vpc-1122334455aabbccdd" + } + }, + "InboundRule2": { + "Type": "AWS::EC2::NetworkAclEntry", + "Properties": { + "CidrBlock": "172.16.0.0/24", + "PortRange": { + "From": 22, + "To": 22 + }, + "NetworkAclId": { + "Ref": "MyNACL2" + }, + "RuleNumber": "112", + "Protocol": 6, + "Ingress": true, + "RuleAction": "allow" + } + }, + "OutboundRule2": { + "Properties": { + "Ingress": true, + "RuleAction": "allow", + "CidrBlock": "0.0.0.0/0", + "NetworkAclId": { + "Ref": "MyNACL2" + }, + "RuleNumber": "112", + "Protocol": -1 + }, + "Type": "AWS::EC2::NetworkAclEntry" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + MyNACL: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: vpc-1122334455aabbccd + InboundRule: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: 6 + RuleAction: allow + CidrBlock: 172.16.0.0/24 + PortRange: + From: 22 + To: 22 + OutboundRule: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: -1 + Egress: true + RuleAction: allow + CidrBlock: 0.0.0.0/0 + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MyNACL": { + "Type": "AWS::EC2::NetworkAcl", + "Properties": { + "VpcId": "vpc-1122334455aabbccd" + } + }, + "InboundRule": { + "Properties": { + "NetworkAclId": { + "Ref": "MyNACL" + }, + "RuleNumber": 100, + "Protocol": 6, + "RuleAction": "allow", + "CidrBlock": "172.16.0.0/24", + "PortRange": { + "From": 22, + "To": 22 + } + }, + "Type": "AWS::EC2::NetworkAclEntry" + }, + "OutboundRule": { + "Type": "AWS::EC2::NetworkAclEntry", + "Properties": { + "NetworkAclId": { + "Ref": "MyNACL" + }, + "RuleNumber": 100, + "Protocol": -1, + "Egress": true, + "RuleAction": "allow", + "CidrBlock": "0.0.0.0/0" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md b/docs/queries/cloudformation-queries/aws/050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md new file mode 100644 index 00000000000..97df4f952dc --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/050a9ba8-d1cb-4c61-a5e8-8805a70d3b85.md 
@@ -0,0 +1,405 @@ +--- +title: CloudTrail Log Files Not Encrypted With KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 050a9ba8-d1cb-4c61-a5e8-8805a70d3b85 +- **Query name:** CloudTrail Log Files Not Encrypted With KMS +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudtrail_log_files_not_encrypted_with_kms) + +### Description +Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-kmskeyid) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="62" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="53" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + }, + "Resources": { + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ] + } + } + }, + "myTrail": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true, + "IsMultiRegionTrail": true + } + }, + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}" + }, + { + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + KMSKeyId: arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012 + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + }, + "Resources": { + "TopicPolicy": { + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ] + } + }, + "Type": "AWS::SNS::TopicPolicy" + }, + "myTrail": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "KMSKeyId": "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012", + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true, + "IsMultiRegionTrail": true + } + }, + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}" + }, + { + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + }, + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + } + } + ] + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/058ac855-989f-4378-ba4d-52d004020da7.md b/docs/queries/cloudformation-queries/aws/058ac855-989f-4378-ba4d-52d004020da7.md new file mode 100644 index 00000000000..919f8954f80 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/058ac855-989f-4378-ba4d-52d004020da7.md @@ -0,0 +1,435 @@ +--- +title: CloudTrail Multi Region Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 058ac855-989f-4378-ba4d-52d004020da7 +- **Query name:** CloudTrail Multi Region Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudtrail_multi_region_disabled) + +### Description +CloudTrail multi region should be enabled, which means attribute 'IsMultiRegionTrail' should be set to true
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-ismultiregiontrail) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="76 70" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: false + myTrail2: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + +``` +```json 
title="Postitive test num. 2 - json file" hl_lines="32 17" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + }, + "Resources": { + "myTrail": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "IsMultiRegionTrail": false, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true + } + }, + "myTrail2": { + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true + }, + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ] + }, + "S3Bucket": { + "Properties": {}, + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket" + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Resource": "arn:aws:s3:::${S3Bucket}", + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl" + }, + { + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } + } + ] + }, + "Bucket": { + "Ref": "S3Bucket" + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "PolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Principal": { + "Service": 
"cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish", + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow" + } + ] + }, + "Topics": [ + { + "Ref": "Topic" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + }, + "Resources": { + "TopicPolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish", + "Sid": "AWSCloudTrailSNSPolicy" + } + ] + } + } + }, + "myTrail": { + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true, + "IsMultiRegionTrail": true + }, + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ] + }, + "S3Bucket": { + "Properties": {}, + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket" + }, + "BucketPolicy": { + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}", + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow" + }, + { + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + }, + "Sid": "AWSCloudTrailWrite" + } + ] + } + }, + "Type": "AWS::S3::BucketPolicy" + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/06933df4-0ea7-461c-b9b5-104d27390e0e.md b/docs/queries/cloudformation-queries/aws/06933df4-0ea7-461c-b9b5-104d27390e0e.md new file mode 100644 index 00000000000..92bae34aecb --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/06933df4-0ea7-461c-b9b5-104d27390e0e.md @@ -0,0 +1,283 @@ +--- +title: IAM User With No Group +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 06933df4-0ea7-461c-b9b5-104d27390e0e +- **Query name:** IAM User With No Group +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_user_with_no_group) + +### Description +A IAM user should belong to a group
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-policy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + MyUser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + Tags: + - QAUser + UserName: TestUser + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + emptyGroup: + Type: AWS::IAM::User + Properties: + Groups: [] + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + Tags: + - QAUser + UserName: TestUser + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="5" +{ + "Resources": { + "MyUser": { + "Type": "AWS::IAM::User", + "Properties": { + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ], + "Effect": "Allow" + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ], + "Tags": [ + "QAUser" + ], + "UserName": "TestUser", + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="8" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "emptyGroup": { + "Type": "AWS::IAM::User", + "Properties": { + "Groups": [], + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ], + "Tags": [ + "QAUser" + ], + "UserName": "TestUser" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + addUserToGroup2: + Type: AWS::IAM::User + Properties: + Groups: + - QAGroup + LoginProfile: + Password: myP@ssW0rd + Path: "/" + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + Tags: + - QAUser + UserName: TestUser + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "addUserToGroup2": { + "Type": "AWS::IAM::User", + "Properties": { + "Groups": [ + "QAGroup" + ], + "LoginProfile": { + "Password": "myP@ssW0rd" + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ], + "Tags": [ + "QAUser" + ], + "UserName": "TestUser" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/06adef8c-c284-4de7-aad2-af43b07a8ca1.md b/docs/queries/cloudformation-queries/aws/06adef8c-c284-4de7-aad2-af43b07a8ca1.md new file mode 100644 index 00000000000..b2a13a75bbb --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/06adef8c-c284-4de7-aad2-af43b07a8ca1.md 
@@ -0,0 +1,268 @@ +--- +title: IAM User LoginProfile Password Is In Plaintext +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 06adef8c-c284-4de7-aad2-af43b07a8ca1 +- **Query name:** IAM User LoginProfile Password Is In Plaintext +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_user_login_profile_password_is_in_plaintext) + +### Description +IAM User LoginProfile Password must not be a plaintext string
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + PasswordResetRequired: false + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "LoginProfile": { + "Password": "myP@ssW0rd", + "PasswordResetRequired": false + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ], + "Path": "/" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myTopuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: + - !Ref NoEcho + PasswordResetRequired: false + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + +``` +```yaml title="Negative test num. 2 - yaml file" + +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myNewuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: + - !Ref secretsmanager + PasswordResetRequired: false + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + +``` +```json title="Negative test num. 3 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myTopuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": [ + "NoEcho" + ], + "PasswordResetRequired": false + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ] + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "myNewuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": [ + "secretsmanager" + ], + "PasswordResetRequired": false + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template" +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/06b9f52a-8cd5-459b-bdc6-21a22521e1be.md b/docs/queries/cloudformation-queries/aws/06b9f52a-8cd5-459b-bdc6-21a22521e1be.md new file mode 100644 index 00000000000..d7fef6966da --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/06b9f52a-8cd5-459b-bdc6-21a22521e1be.md @@ -0,0 +1,334 @@ +--- +title: Directory Service Microsoft AD Password Set to Plaintext or Default Ref +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 06b9f52a-8cd5-459b-bdc6-21a22521e1be +- **Query name:** Directory Service Microsoft AD Password Set to Plaintext or Default Ref +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/directory_service_microsoft_ad_password_set_to_plaintext_or_default_ref) + +### Description +Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-directoryservice-microsoftad.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +Parameters: + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' +Resources: + NewAmpApp-2: + Type: AWS::DirectoryService::MicrosoftAD + Properties: + CreateAlias: true + Edition: String + EnableSso: true + Name: String + Password: 'asDjskjs73!!' + ShortName: String + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +Resources: + NewAmpApp: + Type: AWS::DirectoryService::MicrosoftAD + Properties: + CreateAlias: true + Edition: String + EnableSso: true + Name: String + Password: 'asDjskjs73!!' + ShortName: String + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: 'asDjskjs73!' + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' +Resources: + NewAmpApp-1: + Type: AWS::DirectoryService::MicrosoftAD + Properties: + CreateAlias: true + EnableSso: true + Edition: String + Name: String + Password: !Ref ParentMasterPassword + ShortName: String + + +``` +
Postitive test num. 4 - json file + +```json hl_lines="17" +{ + "Parameters": { + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + } + }, + "Resources": { + "NewAmpApp-2": { + "Type": "AWS::DirectoryService::MicrosoftAD", + "Properties": { + "CreateAlias": true, + "Edition": "String", + "EnableSso": true, + "Name": "String", + "Password": "asDjskjs73!!", + "ShortName": "String" + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="11" +{ + "Resources": { + "NewAmpApp": { + "Type": "AWS::DirectoryService::MicrosoftAD", + "Properties": { + "ShortName": "String", + "CreateAlias": true, + "Edition": "String", + "EnableSso": true, + "Name": "String", + "Password": "asDjskjs73!!" + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="5" +{ + "Parameters": { + "ParentMasterPassword": { + "Type": "String", + "Default": "asDjskjs73!", + "Description": "Password" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + } + }, + "Resources": { + "NewAmpApp-1": { + "Type": "AWS::DirectoryService::MicrosoftAD", + "Properties": { + "Edition": "String", + "Name": "String", + "Password": "ParentMasterPassword", + "ShortName": "String", + "CreateAlias": true, + "EnableSso": true + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: '' + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' +Resources: + NewAmpApp-1: + Type: AWS::DirectoryService::MicrosoftAD + Properties: + CreateAlias: true + Edition: String + EnableSso: true + Name: String + Password: !Ref ParentMasterPassword + ShortName: String + +``` +```yaml title="Negative test num. 2 - yaml file" + +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username' +Resources: + NewAmpApp-1: + Type: AWS::DirectoryService::MicrosoftAD + Properties: + CreateAlias: true + Edition: String + EnableSso: true + Name: String + Password: !Ref ParentMasterPassword + ShortName: String + +``` +```yaml title="Negative test num. 3 - yaml file" + +Resources: + NewAmpApp-2: + Type: AWS::DirectoryService::MicrosoftAD + Properties: + CreateAlias: true + Edition: String + EnableSso: true + Name: String + Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + ShortName: String + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username": "admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +
Negative test num. 4 - json file + +```json +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + } + }, + "Resources": { + "NewAmpApp-1": { + "Type": "AWS::DirectoryService::MicrosoftAD", + "Properties": { + "ShortName": "String", + "CreateAlias": true, + "Edition": "String", + "EnableSso": true, + "Name": "String", + "Password": "ParentMasterPassword" + } + } + } +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String" + }, + "ParentMasterUsername": { + "Type": "String", + "Default": "username", + "Description": "username" + } + }, + "Resources": { + "NewAmpApp-1": { + "Type": "AWS::DirectoryService::MicrosoftAD", + "Properties": { + "CreateAlias": true, + "Edition": "String", + "EnableSso": true, + "Name": "String", + "Password": "ParentMasterPassword", + "ShortName": "String" + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Resources": { + "NewAmpApp-2": { + "Properties": { + "CreateAlias": true, + "Edition": "String", + "EnableSso": true, + "Name": "String", + "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}", + "ShortName": "String" + }, + "Type": "AWS::DirectoryService::MicrosoftAD" + }, + "MyAmpAppSecretManagerRotater": { + "Properties": { + "Description": "This is my amp app instance secret", + "GenerateSecretString": { + "SecretStringTemplate": "{\"username\": \"admin\"}", + "GenerateStringKey": "password", + "PasswordLength": 16, + "ExcludeCharacters": "\"@/\\" + } + }, + "Type": "AWS::SecretsManager::Secret" + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md b/docs/queries/cloudformation-queries/aws/06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md new file mode 100644 index 00000000000..7ec15c6ec45 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/06ec63e3-9f72-4fe2-a218-2eb9200b8db5.md @@ -0,0 +1,375 @@ +--- +title: API Gateway Deployment Without Access Log Setting +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 06ec63e3-9f72-4fe2-a218-2eb9200b8db5 +- **Query name:** API Gateway Deployment Without Access Log Setting +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_deployment_without_access_log_setting) + +### Description +API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="29" +AWSTemplateFormatVersion: "2010-09-09" +Description: "ApiGateway" +Resources: + GreetingApiProdStage: + DependsOn: + - ApiGatewayAccount + Type: AWS::ApiGateway::Stage + Properties: + DeploymentId: + Ref: ApiDeployment + MethodSettings: + - DataTraceEnabled: true + HttpMethod: "*" + LoggingLevel: INFO + ResourcePath: "/*" + RestApiId: + Ref: GreetingApi + StageName: prod + Variables: + LambdaAlias: PROD + ApiDeployment: + Type: AWS::ApiGateway::Deployment + DependsOn: + - GreetingRequest + Properties: + RestApiId: + Ref: GreetingApi + StageName: DummyStage + StageDescription: + CacheClusterEnabled: false + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +AWSTemplateFormatVersion: "2010-09-09" +Description: "ApiGateway" +Resources: + GreetingApiProdStage1: + DependsOn: + - ApiGatewayAccount + Type: AWS::ApiGateway::Stage + Properties: + DeploymentId: + Ref: ApiDeployment + MethodSettings: + - DataTraceEnabled: true + HttpMethod: "*" + LoggingLevel: INFO + ResourcePath: "/*" + RestApiId: + Ref: GreetingApi + StageName: prod + Variables: + LambdaAlias: PROD + ApiDeployment1: + Type: AWS::ApiGateway::Deployment + DependsOn: + - GreetingRequest + Properties: + RestApiId: + Ref: GreetingApi + StageName: DummyStage + + + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="21" +AWSTemplateFormatVersion: "2010-09-09" +Description: "ApiGateway" +Resources: + GreetingApiProdStage2: + DependsOn: + - ApiGatewayAccount + Type: AWS::ApiGateway::Stage + Properties: + DeploymentId: + Ref: ApiDeployment + MethodSettings: + - DataTraceEnabled: true + HttpMethod: "*" + LoggingLevel: INFO + ResourcePath: "/*" + RestApiId: + Ref: GreetingApi + StageName: prod + Variables: + LambdaAlias: PROD + ApiDeployment2: + Type: AWS::ApiGateway::Deployment + DependsOn: + - GreetingRequest + Properties: + RestApiId: + Ref: GreetingApi + StageName: DummyStage + +``` +
Postitive test num. 4 - json file + +```json hl_lines="15" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ApiGateway", + "Resources": { + "ApiDeployment": { + "Type": "AWS::ApiGateway::Deployment", + "DependsOn": [ + "GreetingRequest" + ], + "Properties": { + "RestApiId": { + "Ref": "GreetingApi" + }, + "StageName": "DummyStage", + "StageDescription": { + "CacheClusterEnabled": false + } + } + }, + "GreetingApiProdStage": { + "DependsOn": [ + "ApiGatewayAccount" + ], + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "prod", + "Variables": { + "LambdaAlias": "PROD" + }, + "DeploymentId": { + "Ref": "ApiDeployment" + }, + "MethodSettings": [ + { + "HttpMethod": "*", + "LoggingLevel": "INFO", + "ResourcePath": "/*", + "DataTraceEnabled": true + } + ], + "RestApiId": { + "Ref": "GreetingApi" + } + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="31" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ApiGateway", + "Resources": { + "GreetingApiProdStage1": { + "DependsOn": [ + "ApiGatewayAccount" + ], + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "DeploymentId": { + "Ref": "ApiDeployment" + }, + "MethodSettings": [ + { + "LoggingLevel": "INFO", + "ResourcePath": "/*", + "DataTraceEnabled": true, + "HttpMethod": "*" + } + ], + "RestApiId": { + "Ref": "GreetingApi" + }, + "StageName": "prod", + "Variables": { + "LambdaAlias": "PROD" + } + } + }, + "ApiDeployment1": { + "Type": "AWS::ApiGateway::Deployment", + "DependsOn": [ + "GreetingRequest" + ], + "Properties": { + "RestApiId": { + "Ref": "GreetingApi" + }, + "StageName": "DummyStage" + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="31" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ApiGateway", + "Resources": { + "GreetingApiProdStage2": { + "DependsOn": [ + "ApiGatewayAccount" + ], + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "MethodSettings": [ + { + "DataTraceEnabled": true, + "HttpMethod": "*", + "LoggingLevel": "INFO", + "ResourcePath": "/*" + } + ], + "RestApiId": { + "Ref": "GreetingApi" + }, + "StageName": "prod", + "Variables": { + "LambdaAlias": "PROD" + }, + "DeploymentId": { + "Ref": "ApiDeployment" + } + } + }, + "ApiDeployment2": { + "Type": "AWS::ApiGateway::Deployment", + "DependsOn": [ + "GreetingRequest" + ], + "Properties": { + "RestApiId": { + "Ref": "GreetingApi" + }, + "StageName": "DummyStage" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "ApiGateway" +Resources: + GreetingApiProdStage: + DependsOn: + - ApiGatewayAccount + Type: AWS::ApiGateway::Stage + Properties: + DeploymentId: + Ref: ApiDeployment + MethodSettings: + - DataTraceEnabled: true + HttpMethod: "*" + LoggingLevel: INFO + ResourcePath: "/*" + RestApiId: + Ref: GreetingApi + StageName: prod + Variables: + LambdaAlias: PROD + ApiDeployment: + Type: AWS::ApiGateway::Deployment + DependsOn: + - GreetingRequest + Properties: + RestApiId: + Ref: GreetingApi + StageName: DummyStage + StageDescription: + AccessLogSetting: + DestinationArn: "dest" + Format: "format" + + + + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "GreetingApiProdStage": { + "DependsOn": [ + "ApiGatewayAccount" + ], + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "Variables": { + "LambdaAlias": "PROD" + }, + "DeploymentId": { + "Ref": "ApiDeployment" + }, + "MethodSettings": [ + { + "HttpMethod": "*", + "LoggingLevel": "INFO", + "ResourcePath": "/*", + "DataTraceEnabled": true + } + ], + "RestApiId": { + "Ref": "GreetingApi" + }, + "StageName": "prod" + } + }, + "ApiDeployment": { + "Type": "AWS::ApiGateway::Deployment", + "DependsOn": [ + "GreetingRequest" + ], + "Properties": { + "RestApiId": { + "Ref": "GreetingApi" + }, + "StageName": "DummyStage", + "StageDescription": { + "AccessLogSetting": { + "DestinationArn": "dest", + "Format": "format" + } + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ApiGateway" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/07dda8de-d90d-469e-9b37-1aca53526ced.md b/docs/queries/cloudformation-queries/aws/07dda8de-d90d-469e-9b37-1aca53526ced.md new file mode 100644 index 00000000000..0f40957338b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/07dda8de-d90d-469e-9b37-1aca53526ced.md 
@@ -0,0 +1,442 @@ +--- +title: S3 Bucket ACL Allows Read Or Write to All Users +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 07dda8de-d90d-469e-9b37-1aca53526ced +- **Query name:** S3 Bucket ACL Allows Read Or Write to All Users +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_or_write_to_all_users) + +### Description +S3 Buckets should not be readable and writable to all users
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts01: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicReadWrite + BucketName: jenkins-artifacts + Tags: + - Key: CostCenter + Value: ITEngineering + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + StaticPage01: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicReadWrite + BucketName: public-read-static-page01 + WebsiteConfiguration: + ErrorDocument: 404.html + IndexDocument: index.html + Tags: + - Key: CostCenter + Value: ITEngineering + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts02: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicReadWrite + BucketName: jenkins-artifacts-block-public + PublicAccessBlockConfiguration: + BlockPublicPolicy: false + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: ITEngineering + - Key: Type + Value: CICD + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + S3BucketForWebsiteContent: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicReadWrite + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="13" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts01": { + "Properties": { + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + } + ], + "AccessControl": "PublicReadWrite", + "BucketName": "jenkins-artifacts" + }, + "Type": "AWS::S3::Bucket" + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="8" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "StaticPage01": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "PublicReadWrite", + "BucketName": "public-read-static-page01", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "404.html" + }, + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + } + ] + } + } + } +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="8" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts02": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "PublicReadWrite", + "BucketName": "jenkins-artifacts-block-public", + "PublicAccessBlockConfiguration": { + "BlockPublicPolicy": false + }, + "VersioningConfiguration": { + "Status": "Enabled" + }, + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + }, + { + "Key": "Type", + "Value": "CICD" + } + ] + } + } + } +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="8" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "S3BucketForWebsiteContent": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "PublicReadWrite", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts03: + Type: AWS::S3::Bucket + Properties: + AccessControl: BucketOwnerFullControl + BucketName: jenkins-artifacts + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: ITEngineering + - Key: Type + Value: CICD + +``` +```yaml title="Negative test num. 2 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts04: + Type: AWS::S3::Bucket + Properties: + AccessControl: Private + BucketName: jenkins-secret-artifacts + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: '' + +``` +```yaml title="Negative test num. 3 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts05: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicRead + BucketName: jenkins-secret-artifacts2 + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: ITEngineering + +``` +
Negative test num. 4 - yaml file + +```yaml +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + StaticPage03: + Type: AWS::S3::Bucket + Properties: + AccessControl: AuthenticatedRead + BucketName: public-read-static-page + WebsiteConfiguration: + ErrorDocument: 404.html + IndexDocument: index.html + Tags: + - Key: CostCenter + Value: ITEngineering +Outputs: + WebsiteURL: + Value: + Fn::GetAtt: + - StaticPage03 + - WebsiteURL + Description: URL for website hosted on S3 + S3BucketSecureURL: + Value: + Fn::Join: + - "" + - - https:// + - Fn::GetAtt: + - StaticPage03 + - DomainName + Description: Name of S3 bucket to hold website content + +``` +
+
Negative test num. 5 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts03": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "jenkins-artifacts", + "VersioningConfiguration": { + "Status": "Enabled" + }, + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + }, + { + "Value": "CICD", + "Key": "Type" + } + ], + "AccessControl": "BucketOwnerFullControl" + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts04": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "CostCenter", + "Value": "" + } + ], + "AccessControl": "Private", + "BucketName": "jenkins-secret-artifacts", + "VersioningConfiguration": { + "Status": "Enabled" + } + } + } + } +} + +``` +
+
Negative test num. 7 - json file + +```json +{ + "Resources": { + "JenkinsArtifacts05": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "PublicRead", + "BucketName": "jenkins-secret-artifacts2", + "VersioningConfiguration": { + "Status": "Enabled" + }, + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket" +} + +``` +
+
Negative test num. 8 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "StaticPage03": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + } + ], + "AccessControl": "AuthenticatedRead", + "BucketName": "public-read-static-page", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "404.html" + } + } + } + }, + "Outputs": { + "WebsiteURL": { + "Value": { + "Fn::GetAtt": [ + "StaticPage03", + "WebsiteURL" + ] + }, + "Description": "URL for website hosted on S3" + }, + "S3BucketSecureURL": { + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Fn::GetAtt": [ + "StaticPage03", + "DomainName" + ] + } + ] + ] + }, + "Description": "Name of S3 bucket to hold website content" + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md b/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md new file mode 100644 index 00000000000..869035fe16b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/086ea2eb-14a6-4fd4-914b-38e0bc8703e8.md @@ -0,0 +1,464 @@ +--- +title: ElasticSearch Without Slow Logs +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 086ea2eb-14a6-4fd4-914b-38e0bc8703e8 +- **Query name:** ElasticSearch Without Slow Logs +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elasticsearch_without_slow_logs) + +### Description +Ensure that AWS Elasticsearch enables support for slow logs
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-logpublishingoptions) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="34" +AWSTemplateFormatVersion: "2010-09-09" +Description: ElasticsearchDomain resource +Resources: + ElasticsearchDomain: + Type: "AWS::Elasticsearch::Domain" + Properties: + DomainName: + Ref: DomainName + ElasticsearchVersion: + Ref: ElasticsearchVersion + ElasticsearchClusterConfig: + InstanceCount: "1" + InstanceType: + Ref: InstanceType + EBSOptions: + EBSEnabled: "true" + Iops: 0 + VolumeSize: 10 + VolumeType: standard + SnapshotOptions: + AutomatedSnapshotStartHour: "0" + AccessPolicies: + Version: "2012-10-17" + Statement: + - Effect: Deny + Principal: + AWS: "*" + Action: "es:*" + Resource: "*" + LogPublishingOptions: + SEARCH_SLOW_LOGS: + CloudWatchLogsLogGroupArn: >- + arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs + Enabled: "false" + INDEX_SLOW_LOGS: + CloudWatchLogsLogGroupArn: >- + arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs + Enabled: "true" + AdvancedOptions: + rest.action.multi.allow_explicit_index: "true" + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="30" +AWSTemplateFormatVersion: "2010-09-09" +Description: ElasticsearchDomain resource +Resources: + ElasticsearchDomain: + Type: "AWS::Elasticsearch::Domain" + Properties: + DomainName: + Ref: DomainName + ElasticsearchVersion: + Ref: ElasticsearchVersion + ElasticsearchClusterConfig: + InstanceCount: "1" + InstanceType: + Ref: InstanceType + EBSOptions: + EBSEnabled: "true" + Iops: 0 + VolumeSize: 10 + VolumeType: standard + SnapshotOptions: + AutomatedSnapshotStartHour: "0" + AccessPolicies: + Version: "2012-10-17" + Statement: + - Effect: Deny + Principal: + AWS: "*" + Action: "es:*" + Resource: "*" + LogPublishingOptions: + ES_APPLICATION_LOGS: + CloudWatchLogsLogGroupArn: >- + arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs + Enabled: "true" + AdvancedOptions: + rest.action.multi.allow_explicit_index: "true" + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: ElasticsearchDomain resource +Resources: + ElasticsearchDomain: + Type: "AWS::Elasticsearch::Domain" + Properties: + DomainName: + Ref: DomainName + ElasticsearchVersion: + Ref: ElasticsearchVersion + ElasticsearchClusterConfig: + InstanceCount: "1" + InstanceType: + Ref: InstanceType + EBSOptions: + EBSEnabled: "true" + Iops: 0 + VolumeSize: 10 + VolumeType: standard + SnapshotOptions: + AutomatedSnapshotStartHour: "0" + AccessPolicies: + Version: "2012-10-17" + Statement: + - Effect: Deny + Principal: + AWS: "*" + Action: "es:*" + Resource: "*" + AdvancedOptions: + rest.action.multi.allow_explicit_index: "true" + +``` +
Postitive test num. 4 - json file + +```json hl_lines="44" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ElasticsearchDomain resource", + "Resources": { + "ElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "DomainName": { + "Ref": "DomainName" + }, + "ElasticsearchVersion": { + "Ref": "ElasticsearchVersion" + }, + "ElasticsearchClusterConfig": { + "InstanceCount": "1", + "InstanceType": { + "Ref": "InstanceType" + } + }, + "EBSOptions": { + "Iops": 0, + "VolumeSize": 10, + "VolumeType": "standard", + "EBSEnabled": "true" + }, + "SnapshotOptions": { + "AutomatedSnapshotStartHour": "0" + }, + "AccessPolicies": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "es:*", + "Resource": "*", + "Effect": "Deny", + "Principal": { + "AWS": "*" + } + } + ] + }, + "LogPublishingOptions": { + "SEARCH_SLOW_LOGS": { + "Enabled": "false", + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs" + } + }, + "AdvancedOptions": { + "rest.action.multi.allow_explicit_index": "true" + } + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="42" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ElasticsearchDomain resource", + "Resources": { + "ElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "DomainName": { + "Ref": "DomainName" + }, + "ElasticsearchVersion": { + "Ref": "ElasticsearchVersion" + }, + "ElasticsearchClusterConfig": { + "InstanceCount": "1", + "InstanceType": { + "Ref": "InstanceType" + } + }, + "EBSOptions": { + "Iops": 0, + "VolumeSize": 10, + "VolumeType": "standard", + "EBSEnabled": "true" + }, + "SnapshotOptions": { + "AutomatedSnapshotStartHour": "0" + }, + "AccessPolicies": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "es:*", + "Resource": "*", + "Effect": "Deny", + "Principal": { + "AWS": "*" + } + } + ] + }, + "LogPublishingOptions": { + "ES_APPLICATION_LOGS": { + "Enabled": "true", + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs" + } + }, + "AdvancedOptions": { + "rest.action.multi.allow_explicit_index": "true" + } + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ElasticsearchDomain resource", + "Resources": { + "ElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "EBSOptions": { + "EBSEnabled": "true", + "Iops": 0, + "VolumeSize": 10, + "VolumeType": "standard" + }, + "SnapshotOptions": { + "AutomatedSnapshotStartHour": "0" + }, + "AccessPolicies": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Action": "es:*", + "Resource": "*" + } + ] + }, + "AdvancedOptions": { + "rest.action.multi.allow_explicit_index": "true" + }, + "DomainName": { + "Ref": "DomainName" + }, + "ElasticsearchVersion": { + "Ref": "ElasticsearchVersion" + }, + "ElasticsearchClusterConfig": { + "InstanceCount": "1", + "InstanceType": { + "Ref": "InstanceType" + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: ElasticsearchDomain resource +Resources: + ElasticsearchDomain: + Type: "AWS::Elasticsearch::Domain" + Properties: + DomainName: + Ref: DomainName + ElasticsearchVersion: + Ref: ElasticsearchVersion + ElasticsearchClusterConfig: + InstanceCount: "1" + InstanceType: + Ref: InstanceType + EBSOptions: + EBSEnabled: "true" + Iops: 0 + VolumeSize: 10 + VolumeType: standard + SnapshotOptions: + AutomatedSnapshotStartHour: "0" + AccessPolicies: + Version: "2012-10-17" + Statement: + - Effect: Deny + Principal: + AWS: "*" + Action: "es:*" + Resource: "*" + LogPublishingOptions: + SEARCH_SLOW_LOGS: + CloudWatchLogsLogGroupArn: >- + arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs + Enabled: "true" + INDEX_SLOW_LOGS: + CloudWatchLogsLogGroupArn: >- + arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs + Enabled: "true" + AdvancedOptions: + rest.action.multi.allow_explicit_index: "true" + +``` +```json title="Negative test num. 
2 - json file" +{ + "document": [ + { + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ElasticsearchDomain resource", + "Resources": { + "ElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "AdvancedOptions": { + "rest.action.multi.allow_explicit_index": "true" + }, + "DomainName": { + "Ref": "DomainName" + }, + "ElasticsearchVersion": { + "Ref": "ElasticsearchVersion" + }, + "ElasticsearchClusterConfig": { + "InstanceCount": "1", + "InstanceType": { + "Ref": "InstanceType" + } + }, + "EBSOptions": { + "Iops": 0, + "VolumeSize": 10, + "VolumeType": "standard", + "EBSEnabled": "true" + }, + "SnapshotOptions": { + "AutomatedSnapshotStartHour": "0" + }, + "AccessPolicies": { + "Statement": [ + { + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Action": "es:*", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "LogPublishingOptions": { + "SEARCH_SLOW_LOGS": { + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs", + "Enabled": "true" + }, + "INDEX_SLOW_LOGS": { + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs", + "Enabled": "true" + } + } + } + } + }, + "id": "c886b8d1-8c44-4f23-ba01-6e30a2f5be7b", + "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml" + } + ] +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +Resources: + ProductionElasticsearch: + Type: AWS::Elasticsearch::Domain + Properties: + EBSOptions: + EBSEnabled: true + VolumeSize: 70 + VolumeType: gp2 + ElasticsearchClusterConfig: + DedicatedMasterCount: 3 + DedicatedMasterEnabled: true + DedicatedMasterType: omitted + InstanceCount: 3 + InstanceType: omitted + ZoneAwarenessConfig: + AvailabilityZoneCount: 3 + ZoneAwarenessEnabled: true + ElasticsearchVersion: omitted + LogPublishingOptions: + "INDEX_SLOW_LOGS": + CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchIndexSlowLogs.Arn + Enabled: true + "SEARCH_SLOW_LOGS": + CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchSearchSlowLogs.Arn + Enabled: true + "ES_APPLICATION_LOGS": + CloudWatchLogsLogGroupArn: !GetAtt ProductionElasticsearchApplicationLogs.Arn + Enabled: true + +``` diff --git a/docs/queries/cloudformation-queries/aws/08b81bb3-0985-4023-8602-b606ad81d279.md b/docs/queries/cloudformation-queries/aws/08b81bb3-0985-4023-8602-b606ad81d279.md new file mode 100644 index 00000000000..fa4b2fe1899 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/08b81bb3-0985-4023-8602-b606ad81d279.md @@ -0,0 +1,137 @@ +--- +title: EC2 Instance Using Default Security Group +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 08b81bb3-0985-4023-8602-b606ad81d279 +- **Query name:** EC2 Instance Using Default Security Group +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_instance_using_default_security_group) + +### Description +EC2 instances should not use default security group(s)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-securitygroups) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" + Resources: + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: "ami-79fd7eee" + KeyName: "testkey" + SecurityGroups: + - !Ref default + BlockDeviceMappings: + - DeviceName: "/dev/sdm" + Ebs: + VolumeType: "io1" + Iops: "200" + DeleteOnTermination: "false" + VolumeSize: "20" + - DeviceName: "/dev/sdk" + NoDevice: {} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="23" +{ + "Resources": { + "MyEC2Instance": { + "Properties": { + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sdm", + "Ebs": { + "DeleteOnTermination": "false", + "Iops": "200", + "VolumeSize": "20", + "VolumeType": "io1" + } + }, + { + "DeviceName": "/dev/sdk", + "NoDevice": {} + } + ], + "ImageId": "ami-79fd7eee", + "KeyName": "testkey", + "SecurityGroups": [ + "default" + ] + }, + "Type": "AWS::EC2::Instance" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" + Resources: + MyEC2Instancee: + Type: AWS::EC2::Instance + Properties: + ImageId: "ami-79fd7eee" + KeyName: "testkey" + SecurityGroups: + - !Ref my_sg + BlockDeviceMappings: + - DeviceName: "/dev/sdm" + Ebs: + VolumeType: "io1" + Iops: "200" + DeleteOnTermination: "false" + VolumeSize: "20" + - DeviceName: "/dev/sdk" + NoDevice: {} + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "MyEC2Instancee": { + "Properties": { + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sdm", + "Ebs": { + "DeleteOnTermination": "false", + "Iops": "200", + "VolumeSize": "20", + "VolumeType": "io1" + } + }, + { + "DeviceName": "/dev/sdk", + "NoDevice": {} + } + ], + "ImageId": "ami-79fd7eee", + "KeyName": "testkey", + "SecurityGroups": [ + "my_sg" + ] + }, + "Type": "AWS::EC2::Instance" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/08e39832-5e42-4304-98a0-aa5b43393162.md b/docs/queries/cloudformation-queries/aws/08e39832-5e42-4304-98a0-aa5b43393162.md new file mode 100644 index 00000000000..551aab16c17 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/08e39832-5e42-4304-98a0-aa5b43393162.md @@ -0,0 +1,259 @@ +--- +title: EFS Without Tags +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 08e39832-5e42-4304-98a0-aa5b43393162 +- **Query name:** EFS Without Tags +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/efs_without_tags) + +### Description +Amazon Elastic Filesystem should have filesystem tags associated
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +AWSTemplateFormatVersion: '2010-09-09' +Description: Create Elastic File System +Parameters: + Owner: + Type: String + Default: FirstName LastName + Project: + Type: String + Default: EFS Mount + VPC: + Type: AWS::EC2::VPC::Id + Subnet1: + Type: AWS::EC2::Subnet::Id +Resources: + FileSystem: + Type: AWS::EFS::FileSystem + Properties: + Encrypted: true + PerformanceMode: generalPurpose + MountTarget1: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref FileSystem + SubnetId: !Ref Subnet1 + SecurityGroups: + - !Ref EfsSecurityGroup + EfsSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Instance to EFS Mount Access + VpcId: !Ref VPC + Tags: + - Key: Name + Value: !Ref AWS::StackName + - Key: Owner + Value: !Ref Owner + - Key: Project + Value: !Ref Project + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="40" +{ + "Parameters": { + "Project": { + "Default": "EFS Mount", + "Type": "String" + }, + "VPC": { + "Type": "AWS::EC2::VPC::Id" + }, + "Subnet1": { + "Type": "AWS::EC2::Subnet::Id" + }, + "Owner": { + "Type": "String", + "Default": "FirstName LastName" + } + }, + "Resources": { + "EfsSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Instance to EFS Mount Access", + "VpcId": "VPC", + "Tags": [ + { + "Key": "Name", + "Value": "AWS::StackName" + }, + { + "Key": "Owner", + "Value": "Owner" + }, + { + "Key": "Project", + "Value": "Project" + } + ] + } + }, + "FileSystem": { + "Type": "AWS::EFS::FileSystem", + "Properties": { + "Encrypted": true, + "PerformanceMode": "generalPurpose" + } + }, + "MountTarget1": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "FileSystem", + "SubnetId": "Subnet1", + "SecurityGroups": [ + "EfsSecurityGroup" + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create Elastic File System" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" + +AWSTemplateFormatVersion: '2010-09-09' +Description: Create Elastic File System +Parameters: + Owner: + Type: String + Default: FirstName LastName + Project: + Type: String + Default: EFS Mount + VPC: + Type: AWS::EC2::VPC::Id + Subnet1: + Type: AWS::EC2::Subnet::Id +Resources: + FileSystem: + Type: AWS::EFS::FileSystem + Properties: + FileSystemTags: + - Key: Name + Value: !Ref AWS::StackName + - Key: Owner + Value: !Ref Owner + - Key: Project + Value: !Ref Project + MountTarget1: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref FileSystem + SubnetId: !Ref Subnet1 + SecurityGroups: + - !Ref EfsSecurityGroup + EfsSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Instance to EFS Mount Access + VpcId: !Ref VPC + Tags: + - Key: Name + Value: !Ref AWS::StackName + - Key: Owner + Value: !Ref Owner + - Key: Project + Value: !Ref Project + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create Elastic File System", + "Parameters": { + "VPC": { + "Type": "AWS::EC2::VPC::Id" + }, + "Subnet1": { + "Type": "AWS::EC2::Subnet::Id" + }, + "Owner": { + "Type": "String", + "Default": "FirstName LastName" + }, + "Project": { + "Type": "String", + "Default": "EFS Mount" + } + }, + "Resources": { + "EfsSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "AWS::StackName" + }, + { + "Key": "Owner", + "Value": "Owner" + }, + { + "Key": "Project", + "Value": "Project" + } + ], + "GroupDescription": "Instance to EFS Mount Access", + "VpcId": "VPC" + } + }, + "FileSystem": { + "Type": "AWS::EFS::FileSystem", + "Properties": { + "FileSystemTags": [ + { + "Key": "Name", + "Value": "AWS::StackName" + }, + { + "Key": "Owner", + "Value": "Owner" + }, + { + "Key": "Project", + "Value": "Project" + } + ] + } + }, + "MountTarget1": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + 
"FileSystemId": "FileSystem", + "SubnetId": "Subnet1", + "SecurityGroups": [ + "EfsSecurityGroup" + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/0a994e04-c6dc-471d-817e-d37451d18a3b.md b/docs/queries/cloudformation-queries/aws/0a994e04-c6dc-471d-817e-d37451d18a3b.md new file mode 100644 index 00000000000..e8ffb6fe376 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/0a994e04-c6dc-471d-817e-d37451d18a3b.md @@ -0,0 +1,104 @@ +--- +title: Serverless API Access Logging Setting Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0a994e04-c6dc-471d-817e-d37451d18a3b +- **Query name:** Serverless API Access Logging Setting Undefined +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_api_access_logging_setting_undefined) + +### Description +AWS Serverless API/AWS Serverless HTTP API should have Access Logging Setting(s) defined
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-accesslogsetting.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + HttpApi: + Type: AWS::Serverless::HttpApi + Properties: + StageName: !Ref StageName + Tags: + Tag: Value + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi2: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + AccessLogSetting: + DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group' + Format: >- + {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp", + "caller":"$context.identity.caller", + "user":"$context.identity.user","requestTime":"$context.requestTime", + "eventType":"$context.eventType","routeKey":"$context.routeKey", + "status":"$context.status","connectionId":"$context.connectionId"} + + +``` +```yaml title="Negative test num. 
2 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + HttpApi2: + Type: AWS::Serverless::HttpApi + Properties: + StageName: !Ref StageName + Tags: + Tag: Value + AccessLogSettings: + DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group' + Format: >- + {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp", + "caller":"$context.identity.caller", + "user":"$context.identity.user","requestTime":"$context.requestTime", + "eventType":"$context.eventType","routeKey":"$context.routeKey", + "status":"$context.status","connectionId":"$context.connectionId"} + + + +``` diff --git a/docs/queries/cloudformation-queries/aws/0b0556ea-9cd9-476f-862e-20679dda752b.md b/docs/queries/cloudformation-queries/aws/0b0556ea-9cd9-476f-862e-20679dda752b.md new file mode 100644 index 00000000000..c7139420a94 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/0b0556ea-9cd9-476f-862e-20679dda752b.md @@ -0,0 +1,186 @@ +--- +title: BOM - AWS EBS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0b0556ea-9cd9-476f-862e-20679dda752b +- **Query name:** BOM - AWS EBS +- **Platform:** CloudFormation +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/ebs) + +### Description +A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Volume" +Resources: + NewVolume: + Type: AWS::EC2::Volume + Properties: + Size: 100 + Encrypted: true + AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone + Tags: + - Key: MyTag + Value: TagValue + DeletionPolicy: Snapshot + +``` +```json title="Postitive test num. 2 - json file" hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Volume", + "Resources": { + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Properties": { + "Encrypted": true, + "AvailabilityZone": "Ec2Instance.AvailabilityZone", + "Tags": [ + { + "Key": "MyTag", + "Value": "TagValue" + } + ], + "Size": 100 + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Volume" +Resources: + NewVolume: + Type: AWS::EC2::Volume + Properties: + Size: 100 + Encrypted: false + AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone + Tags: + - Key: Name + Value: NewVolume + DeletionPolicy: Snapshot + +``` +
Postitive test num. 4 - json file + +```json hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Volume", + "Resources": { + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Properties": { + "Encrypted": false, + "AvailabilityZone": "Ec2Instance.AvailabilityZone", + "Tags": [ + { + "Key": "Name", + "Value": "NewVolume" + } + ], + "Size": 100 + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Volume" +Resources: + NewVolume: + Type: AWS::EC2::Volume + Properties: + Size: 100 + AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone + Tags: + - Key: Name + Value: NewVolume + DeletionPolicy: Snapshot + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Volume", + "Resources": { + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Properties": { + "AvailabilityZone": "Ec2Instance.AvailabilityZone", + "Tags": [ + { + "Key": "Name", + "Value": "NewVolume" + } + ], + "Size": 100 + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Enabled": "true" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md b/docs/queries/cloudformation-queries/aws/0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md new file mode 100644 index 00000000000..a0ff971097c --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/0ce1ba20-8ba8-4364-836f-40c24b8cb0ab.md @@ -0,0 +1,132 @@ +--- +title: MSK Broker Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0ce1ba20-8ba8-4364-836f-40c24b8cb0ab +- **Query name:** MSK Broker Is Publicly Accessible +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/msk_broker_is_publicly_accessible) + +### Description +Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-msk-cluster-publicaccess.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +AWSTemplateFormatVersion: "2010-09-09" +Description: MSK Cluster with required properties. +Resources: + TestCluster: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: ClusterWithRequiredProperties + KafkaVersion: 2.2.1 + NumberOfBrokerNodes: 3 + BrokerNodeGroupInfo: + InstanceType: kafka.m5.large + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + ConnectivityInfo: + PublicAccess: + Type: SERVICE_PROVIDED_EIPS + +``` +```json title="Postitive test num. 2 - json file" hl_lines="15" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "MSK Cluster with required properties.", + "Resources": { + "TestCluster": { + "Properties": { + "BrokerNodeGroupInfo": { + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ], + "ConnectivityInfo": { + "PublicAccess": { + "Type": "SERVICE_PROVIDED_EIPS" + } + }, + "InstanceType": "kafka.m5.large" + }, + "ClusterName": "ClusterWithRequiredProperties", + "KafkaVersion": "2.2.1", + "NumberOfBrokerNodes": 3 + }, + "Type": "AWS::MSK::Cluster" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: MSK Cluster with required properties. +Resources: + TestCluster0: + Type: "AWS::MSK::Cluster" + Properties: + ClusterName: ClusterWithRequiredProperties + KafkaVersion: 2.2.1 + NumberOfBrokerNodes: 3 + BrokerNodeGroupInfo: + InstanceType: kafka.m5.large + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "MSK Cluster with required properties.", + "Resources": { + "TestCluster": { + "Properties": { + "BrokerNodeGroupInfo": { + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ], + "ConnectivityInfo": { + "PublicAccess": { + "Type": "DISABLED" + } + }, + "InstanceType": "kafka.m5.large" + }, + "ClusterName": "ClusterWithRequiredProperties", + "KafkaVersion": "2.2.1", + "NumberOfBrokerNodes": 3 + }, + "Type": "AWS::MSK::Cluster" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/0e5872b4-19a0-4165-8b2f-56d9e14b909f.md b/docs/queries/cloudformation-queries/aws/0e5872b4-19a0-4165-8b2f-56d9e14b909f.md new file mode 100644 index 00000000000..4021adb5c6f --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/0e5872b4-19a0-4165-8b2f-56d9e14b909f.md @@ -0,0 +1,101 @@ +--- +title: IAM Managed Policy Applied to a User +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0e5872b4-19a0-4165-8b2f-56d9e14b909f +- **Query name:** IAM Managed Policy Applied to a User +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_managed_policy_applied_to_a_user) + +### Description +Make sure that any managed IAM policies are implemented in a group and not in a user.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html#cfn-iam-managedpolicy-groups) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +Resources: + CreateTestDBPolicy: + Type: 'AWS::IAM::ManagedPolicy' + Properties: + Description: Policy for creating a test database + Path: / + PolicyDocument: + Version: 2012-10-17 + Statement: [] + Users: + - TestUser +``` +```json title="Postitive test num. 2 - json file" hl_lines="11" +{ + "Resources": { + "CreateTestDBPolicy": { + "Type": "AWS::IAM::ManagedPolicy", + "Properties": { + "Path": "/", + "PolicyDocument": { + "Statement": [], + "Version": "2012-10-17T00:00:00Z" + }, + "Users": [ + "TestUser" + ], + "Description": "Policy for creating a test database" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + CreateTestDBPolicy: + Type: 'AWS::IAM::ManagedPolicy' + Properties: + Description: Policy for creating a test database + Path: / + PolicyDocument: + Version: 2012-10-17 + Statement: [] + Groups: + - TestGroup +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "CreateTestDBPolicy": { + "Type": "AWS::IAM::ManagedPolicy", + "Properties": { + "Path": "/", + "PolicyDocument": { + "Statement": [], + "Version": "2012-10-17T00:00:00Z" + }, + "Groups": [ + "TestGroup" + ], + "Description": "Policy for creating a test database" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md b/docs/queries/cloudformation-queries/aws/0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md new file mode 100644 index 00000000000..b44c61daa55 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/0f0fb06b-0f2f-4374-8588-f2c7c348c7a0.md 
@@ -0,0 +1,88 @@ +--- +title: CloudWatch Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0f0fb06b-0f2f-4374-8588-f2c7c348c7a0 +- **Query name:** CloudWatch Logging Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudwatch_logging_disabled) + +### Description +Check if CloudWatch logging is disabled for Route53 hosted zones
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html#cfn-route53-hostedzone-queryloggingconfig) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + HostedZone3: + Type: AWS::Route53::HostedZone + Properties: + Name: "HostedZone" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "HostedZone4": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "HostedZone" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + HostedZone: + Type: AWS::Route53::HostedZone + Properties: + Name: "HostedZone" + QueryLoggingConfig: + CloudWatchLogsLogGroupArn: "SomeCloudWatchLogGroupArn" + +``` +```json title="Negative test num. 2 - json file" +{ + "Description": "Router53", + "Resources": { + "HostedZone2": { + "Type": "AWS::Route53::HostedZone", + "Properties": { + "Name": "HostedZone", + "QueryLoggingConfig": { + "CloudWatchLogsLogGroupArn": "SomeCloudWatchLogGroupArn" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md b/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md new file mode 100644 index 00000000000..f41e82ff96b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/0f139403-303f-467c-96bd-e717e6cfd62d.md 
@@ -0,0 +1,185 @@ +--- +title: CloudFront Without WAF +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0f139403-303f-467c-96bd-e717e6cfd62d +- **Query name:** CloudFront Without WAF +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudfront_without_waf) + +### Description +All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-webaclid) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + cloudfrontdistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + CacheBehaviors: + - LambdaFunctionAssociations: + - EventType: string-value + LambdaFunctionARN: string-value + DefaultCacheBehavior: + LambdaFunctionAssociations: + - EventType: string-value + LambdaFunctionARN: string-value + IPV6Enabled: boolean-value + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: integer-value + OriginReadTimeout: integer-value + Tags: + - Key: string-value + Value: string-value + +``` +```json title="Postitive test num. 2 - json file" hl_lines="13" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "cloudfrontdistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "Tags": [ + { + "Key": "string-value", + "Value": "string-value" + } + ], + "DistributionConfig": { + "Enabled": true, + "CacheBehaviors": [ + { + "LambdaFunctionAssociations": [ + { + "EventType": "string-value", + "LambdaFunctionARN": "string-value" + } + ] + } + ], + "DefaultCacheBehavior": { + "LambdaFunctionAssociations": [ + { + "EventType": "string-value", + "LambdaFunctionARN": "string-value" + } + ] + }, + "IPV6Enabled": "boolean-value", + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": "integer-value", + "OriginReadTimeout": "integer-value" + } + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + cloudfrontdistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + CacheBehaviors: + - LambdaFunctionAssociations: + - EventType: string-value + LambdaFunctionARN: string-value + DefaultCacheBehavior: + LambdaFunctionAssociations: + - EventType: string-value + LambdaFunctionARN: string-value + IPV6Enabled: boolean-value + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: integer-value + OriginReadTimeout: integer-value + WebACLId: string-value + Tags: + - Key: string-value + Value: string-value + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "cloudfrontdistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Enabled": true, + "CacheBehaviors": [ + { + "LambdaFunctionAssociations": [ + { + "EventType": "string-value", + "LambdaFunctionARN": "string-value" + } + ] + } + ], + "DefaultCacheBehavior": { + "LambdaFunctionAssociations": [ + { + "EventType": "string-value", + "LambdaFunctionARN": "string-value" + } + ] + }, + "IPV6Enabled": "boolean-value", + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": "integer-value", + "OriginReadTimeout": "integer-value" + } + } + ], + "WebACLId": "string-value" + }, + "Tags": [ + { + "Value": "string-value", + "Key": "string-value" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md b/docs/queries/cloudformation-queries/aws/1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md new file mode 100644 index 00000000000..37937692824 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/1056dfbb-5802-4762-bf2b-8b9b9684b1b0.md 
@@ -0,0 +1,115 @@ +--- +title: API Gateway With Open Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1056dfbb-5802-4762-bf2b-8b9b9684b1b0 +- **Query name:** API Gateway With Open Access +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_with_open_access) + +### Description +API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + MockMethod: + Type: 'AWS::ApiGateway::Method' + Properties: + RestApiId: !Ref MyApi + ResourceId: !GetAtt + - MyApi + - RootResourceId + HttpMethod: GET + AuthorizationType: NONE + Integration: + Type: MOCK + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "MockMethod": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "RestApiId": "MyApi", + "ResourceId": [ + "MyApi", + "RootResourceId" + ], + "HttpMethod": "GET", + "AuthorizationType": "NONE", + "Integration": { + "Type": "MOCK" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + MockMethod: + Type: 'AWS::ApiGateway::Method' + Properties: + RestApiId: !Ref MyApi + ResourceId: !GetAtt + - MyApi + - RootResourceId + HttpMethod: OPTIONS + AuthorizationType: NONE + Integration: + Type: MOCK + +``` +```json title="Negative test num. 2 - json file" +{ + "Description": "Router53", + "Resources": { + "MockMethod": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "RestApiId": "MyApi", + "ResourceId": [ + "MyApi", + "RootResourceId" + ], + "HttpMethod": "OPTIONS", + "AuthorizationType": "NONE", + "Integration": { + "Type": "MOCK" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md b/docs/queries/cloudformation-queries/aws/105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md new file mode 100644 index 00000000000..ceb0c63f0a4 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/105ba098-1e34-48cd-b0f2-a8a43a51bf9b.md @@ -0,0 +1,180 @@ +--- +title: ALB Is Not Integrated With WAF +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 105ba098-1e34-48cd-b0f2-a8a43a51bf9b +- **Query name:** ALB Is Not Integrated With WAF +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf) + +### Description +All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webaclassociation.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyLoadBalancer22: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: "80" + InstanceProtocol: HTTP + LoadBalancerPort: "443" + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + Scheme: internet-facing + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyLoadBalancerV2: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: myloadbalancerv2 + Scheme: internet-facing + +``` +```json title="Postitive test num. 3 - json file" hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyLoadBalancer22222222": { + "Properties": { + "Listeners": [ + { + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", + "InstancePort": "80", + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ] + } + ], + "Scheme": "internet-facing", + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true + }, + "Type": "AWS::ElasticLoadBalancing::LoadBalancer" + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyLoadBalancerV22222": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "Scheme": "internet-facing", + "Name": "myloadbalancerv2" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyLoadBalancer9: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: '80' + InstanceProtocol: HTTP + LoadBalancerPort: '443' + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + Scheme: internet-facing + MyWebACLAssociation: + Type: "AWS::WAFRegional::WebACLAssociation" + Properties: + ResourceArn: + Ref: MyLoadBalancer9 + WebACLId: + Ref: MyWebACL + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyLoadBalancer8": { + "Properties": { + "Listeners": [ + { + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", + "InstancePort": "80", + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTPS" + } + ], + "Scheme": "internet-facing", + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true + }, + "Type": "AWS::ElasticLoadBalancing::LoadBalancer" + }, + "MyWebACLAssociation": { + "Type": "AWS::WAFRegional::WebACLAssociation", + "Properties": { + "WebACLId": { + "Ref": "MyWebACL" + }, + "ResourceArn": { + "Ref": "MyLoadBalancer8" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/124b173b-e06d-48a6-8acd-f889443d97a4.md b/docs/queries/cloudformation-queries/aws/124b173b-e06d-48a6-8acd-f889443d97a4.md new file mode 100644 index 00000000000..d8112e7b557 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/124b173b-e06d-48a6-8acd-f889443d97a4.md 
@@ -0,0 +1,70 @@ +--- +title: BOM - AWS Cassandra +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 124b173b-e06d-48a6-8acd-f889443d97a4 +- **Query name:** BOM - AWS Cassandra +- **Platform:** CloudFormation +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/cassandra) + +### Description +A list of Cassandra resources found. Amazon Cassandra is an open-source NoSQL database designed to store data for applications that require fast read and write performance
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + myNewTable1: + Type: 'AWS::Cassandra::Table' + Properties: + KeyspaceName: my_keyspace + TableName: my_table + PartitionKeyColumns: + - ColumnName: Message + ColumnType: ASCII + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myNewTable2: + Type: AWS::Cassandra::Table + Properties: + KeyspaceName: my_keyspace + TableName: my_table + EncryptionSpecification: + EncryptionType: CUSTOMER_MANAGED_KMS_KEY + KmsKeyIdentifier: arn:aws:kms:eu-west-1:5555555555555:key/11111111-1111-111-1111-111111111111 + PointInTimeRecoveryEnabled: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + +``` diff --git a/docs/queries/cloudformation-queries/aws/12726829-93ed-4d51-9cbe-13423f4299e1.md b/docs/queries/cloudformation-queries/aws/12726829-93ed-4d51-9cbe-13423f4299e1.md new file mode 100644 index 00000000000..f716d9d86dd --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/12726829-93ed-4d51-9cbe-13423f4299e1.md @@ -0,0 +1,101 @@ +--- +title: SQS With SSE Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 12726829-93ed-4d51-9cbe-13423f4299e1 +- **Query name:** SQS With SSE Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sqs_with_sse_disabled) + +### Description +Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-sqs-queue-kmsmasterkeyid) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 4" +Resources: + MyQueue: + Type: AWS::SQS::Queue + Properties: + QueueName: "SampleQueue" + MyQueue2: + Type: AWS::SQS::Queue + Properties: + QueueName: "SampleQueue" + SqsManagedSseEnabled: false + +``` +```json title="Postitive test num. 2 - json file" hl_lines="11 5" +{ + "Resources": { + "MyQueue": { + "Type": "AWS::SQS::Queue", + "Properties": { + "QueueName": "SampleQueue" + } + }, + "MyQueue2": { + "Type": "AWS::SQS::Queue", + "Properties": { + "QueueName": "SampleQueue", + "SqsManagedSseEnabled": "false" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + MyQueue: + Type: AWS::SQS::Queue + Properties: + QueueName: "SampleQueue" + KmsMasterKeyId: wewewewewewe + MyQueue2: + Type: AWS::SQS::Queue + Properties: + QueueName: "SampleQueue" + SqsManagedSseEnabled: true + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "MyQueue": { + "Type": "AWS::SQS::Queue", + "Properties": { + "QueueName": "SampleQueue", + "KmsMasterKeyId": "wewewewewewe" + } + }, + "MyQueue2": { + "Type": "AWS::SQS::Queue", + "Properties": { + "QueueName": "SampleQueue", + "SqsManagedSseEnabled": "true" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b.md b/docs/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b.md new file mode 100644 index 00000000000..b63999348b2 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b.md 
@@ -0,0 +1,95 @@ +--- +title: EBS Volume Not Attached To Instances +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1819ac03-542b-4026-976b-f37addd59f3b +- **Query name:** EBS Volume Not Attached To Instances +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ebs_volume_not_attached_to_instances) + +### Description +EBS Volumes that are unattached to instances may contain sensitive data
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volumeattachment.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + NewVolume: + Type: AWS::EC2::Volume + Properties: + Size: 100 + AvailabilityZone: us-west-1 +``` +```json title="Postitive test num. 2 - json file" hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Properties": { + "AvailabilityZone": "us-west-1", + "Size": 100 + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + NewVolume: + Type: AWS::EC2::Volume + Properties: + Size: 100 + AvailabilityZone: us-west-1 + MountPoint: + Type: AWS::EC2::VolumeAttachment + Properties: + InstanceId: !Ref Ec2Instance + VolumeId: !Ref NewVolume + Device: /dev/sdh +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Properties": { + "Size": 100, + "AvailabilityZone": "us-west-1" + } + }, + "MountPoint": { + "Type": "AWS::EC2::VolumeAttachment", + "Properties": { + "VolumeId": "NewVolume", + "Device": "/dev/sdh", + "InstanceId": "Ec2Instance" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md b/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md new file mode 100644 index 00000000000..59df80e782f --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md 
@@ -0,0 +1,271 @@ +--- +title: Security Group Ingress With All Protocols +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1a427b25-2e9e-4298-9530-0499a55e736b +- **Query name:** Security Group Ingress With All Protocols +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_group_ingress_with_all_protocols) + +### Description +AWS Security Group Ingress should not specify all protocols to prevent allow traffic on all ports
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 35" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: -1 + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + IpProtocol: -1 + FromPort: 0 + ToPort: 65535 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Postitive test num. 
2 - json file" hl_lines="11 51" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": -1, + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ], + "GroupDescription": "Allow http to client host" + } + }, + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "ToPort": 65535, + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "IpProtocol": "tcp", + "FromPort": 0 + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": -1, + "FromPort": 0, + "ToPort": 65535, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ], + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + } + } + }, + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + } + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "ToPort": 65535, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "IpProtocol": "tcp", + "FromPort": 0 + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/1b6322d9-c755-4f8c-b804-32c19250f2d9.md b/docs/queries/cloudformation-queries/aws/1b6322d9-c755-4f8c-b804-32c19250f2d9.md new file mode 100644 index 00000000000..e9d00abaa34 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/1b6322d9-c755-4f8c-b804-32c19250f2d9.md @@ -0,0 +1,105 @@ +--- +title: Config Rule For Encrypted Volumes Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1b6322d9-c755-4f8c-b804-32c19250f2d9 +- **Query name:** Config Rule For Encrypted Volumes Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/config_rule_for_encryption_volumes_disabled) + +### Description +Check if AWS config rules do not identify Encrypted Volumes as a source.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configrule.html#cfn-config-configrule-source) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +Resources: + ConfigRule: + Type: AWS::Config::ConfigRule + Properties: + ConfigRuleName: access-keys-rotated + InputParameters: + maxAccessKeyAge: 100 + Source: + Owner: AWS + SourceIdentifier: ACCESS_KEYS_ROTATED + MaximumExecutionFrequency: TwentyFour_Hours + + +``` +```json title="Postitive test num. 2 - json file" hl_lines="3" +{ + "Resources": { + "ConfigRule": { + "Type": "AWS::Config::ConfigRule", + "Properties": { + "ConfigRuleName": "access-keys-rotated", + "InputParameters": { + "maxAccessKeyAge": 100 + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ACCESS_KEYS_ROTATED" + }, + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + ConfigRule: + Type: AWS::Config::ConfigRule + Properties: + ConfigRuleName: access-keys-rotated + InputParameters: + maxAccessKeyAge: 90 + Source: + Owner: AWS + SourceIdentifier: ENCRYPTED_VOLUMES + MaximumExecutionFrequency: TwentyFour_Hours + + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "ConfigRule": { + "Type": "AWS::Config::ConfigRule", + "Properties": { + "MaximumExecutionFrequency": "TwentyFour_Hours", + "ConfigRuleName": "access-keys-rotated", + "InputParameters": { + "maxAccessKeyAge": 90 + }, + "Source": { + "SourceIdentifier": "ENCRYPTED_VOLUMES", + "Owner": "AWS" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md b/docs/queries/cloudformation-queries/aws/1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md new file mode 100644 index 00000000000..2d365e3161a --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/1c07bfaf-663c-4f6f-b22b-8e2d481e4df5.md @@ -0,0 +1,283 @@ +--- +title: CMK Rotation Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5 +- **Query name:** CMK Rotation Disabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cmk_rotation_disabled) + +### Description +Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'EnableKeyRotation' must be set to 'true' when the key is enabled.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5 31" +#this is a problematic code where the query should report a result(s) +Resources: + myKey: + Type: AWS::KMS::Key + Properties: + Enabled: true + KeyPolicy: + Version: '2012-10-17' + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: + Fn::Join: + - '' + - - 'arn:aws:iam::' + - Ref: AWS::AccountId + - :root + Action: kms:* + Resource: '*' + Tags: + - Key: + Ref: Key + Value: + Ref: Value + myKey2: + Type: AWS::KMS::Key + Properties: + Enabled: true + EnableKeyRotation: false + KeyPolicy: + Version: '2012-10-17' + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: + Fn::Join: + - '' + - - 'arn:aws:iam::' + - Ref: AWS::AccountId + - :root + Action: kms:* + Resource: '*' + Tags: + - Key: + Ref: Key + Value: + Ref: Value +Parameters: + Key: + Type: String + Value: + Type: String +``` +```json title="Postitive test num. 
2 - json file" hl_lines="49 5" +{ + "Resources": { + "myKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "Enabled": true, + "KeyPolicy": { + "Version": "2012-10-17", + "Id": "key-default-1", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions" + } + ] + }, + "Tags": [ + { + "Key": { + "Ref": "Key" + }, + "Value": { + "Ref": "Value" + } + } + ] + } + }, + "myKey2": { + "Type": "AWS::KMS::Key", + "Properties": { + "Enabled": true, + "EnableKeyRotation": false, + "KeyPolicy": { + "Version": "2012-10-17", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Action": "kms:*", + "Resource": "*" + } + ] + }, + "Tags": [ + { + "Key": { + "Ref": "Key" + }, + "Value": { + "Ref": "Value" + } + } + ] + } + } + }, + "Parameters": { + "Key": { + "Type": "String" + }, + "Value": { + "Type": "String" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + myKey: + Type: AWS::KMS::Key + Properties: + Enabled: true + EnableKeyRotation: true + KeyPolicy: + Version: '2012-10-17' + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: + Fn::Join: + - '' + - - 'arn:aws:iam::' + - Ref: AWS::AccountId + - :root + Action: kms:* + Resource: '*' + Tags: + - Key: + Ref: Key + Value: + Ref: Value +Parameters: + Key: + Type: String + Value: + Type: String +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "myKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "Enabled": true, + "EnableKeyRotation": true, + "KeyPolicy": { + "Version": "2012-10-17", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Action": "kms:*", + "Resource": "*" + } + ] + }, + "Tags": [ + { + "Key": { + "Ref": "Key" + }, + "Value": { + "Ref": "Value" + } + } + ] + } + } + }, + "Parameters": { + "Key": { + "Type": "String" + }, + "Value": { + "Type": "String" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md b/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md new file mode 100644 index 00000000000..f8b0530ba3a --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md @@ -0,0 +1,295 @@ +--- +title: Security Group Egress CIDR Open To World +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a +- **Query name:** Security Group Egress CIDR Open To World +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_group_egress_cidr_open_to_world) + +### Description +AWS Security Group Egress CIDR should not be open to the world
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="27 4" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + CidrIpv6: ::/0 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + CidrIpv6: ::/0 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Postitive test num. 
2 - json file" hl_lines="34 5" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80 + } + ], + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + } + } + }, + "OutboundRule": { + "Properties": { + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "::/0", + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp" + }, + "Type": "AWS::EC2::SecurityGroupEgress" + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "::/0", + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 192.0.2.0/24 + SecurityGroupEgress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 192.0.2.0/24 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 0 + CidrIpv6: 2001:0DB8:1234::/48 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 0 + CidrIpv6: 2001:0DB8:1234::/48 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "InstanceSecurityGroup": { + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "192.0.2.0/24" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "192.0.2.0/24" + } + ] + }, + "Type": "AWS::EC2::SecurityGroup" + }, + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 0, + "CidrIpv6": "2001:0DB8:1234::/48", + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + } + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "Description": "TCP", + "IpProtocol": "tcp", + 
"FromPort": 0, + "ToPort": 0, + "CidrIpv6": "2001:0DB8:1234::/48", + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md b/docs/queries/cloudformation-queries/aws/1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md new file mode 100644 index 00000000000..720fa7498b8 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7.md @@ -0,0 +1,99 @@ +--- +title: Lambda Permission Principal Is Wildcard +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7 +- **Query name:** Lambda Permission Principal Is Wildcard +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/lambda_permission_principal_is_wildcard) + +### Description +Lambda Permission Principal should not contain a wildcard.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Resources: + s3Permission: + Type: AWS::Lambda::Permission + Properties: + FunctionName: !GetAtt function.Arn + Action: lambda:InvokeFunction + Principal: '*' + SourceAccount: !Ref 'AWS::AccountId' + SourceArn: !GetAtt bucket.Arn + +``` +```json title="Postitive test num. 2 - json file" hl_lines="10" +{ + "Resources": { + "s3Permission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "SourceAccount": "AWS::AccountId", + "SourceArn": "bucket.Arn", + "FunctionName": "function.Arn", + "Action": "lambda:InvokeFunction", + "Principal": "*" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Resources: + s3Permission: + Type: AWS::Lambda::Permission + Properties: + FunctionName: !GetAtt function.Arn + Action: lambda:InvokeFunction + Principal: s3.amazonaws.com + SourceAccount: !Ref 'AWS::AccountId' + SourceArn: !GetAtt bucket.Arn + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster", + "Resources": { + "s3Permission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "FunctionName": "function.Arn", + "Action": "lambda:InvokeFunction", + "Principal": "s3.amazonaws.com", + "SourceAccount": "AWS::AccountId", + "SourceArn": "bucket.Arn" + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/1fe9d958-ddce-4228-a124-05265a959a8b.md b/docs/queries/cloudformation-queries/aws/1fe9d958-ddce-4228-a124-05265a959a8b.md new file mode 100644 index 00000000000..5f8139919f4 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/1fe9d958-ddce-4228-a124-05265a959a8b.md @@ -0,0 +1,231 @@ +--- +title: RDS Using Default Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1fe9d958-ddce-4228-a124-05265a959a8b +- **Query name:** RDS Using Default Port +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/rds_using_default_port) + +### Description +RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-port) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +Resources: + MyDB: + Type: AWS::RDS::DBInstance + Properties: + DBSecurityGroups: + - Ref: MyDbSecurityByEC2SecurityGroup + - Ref: MyDbSecurityByCIDRIPGroup + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: oracle-ee + LicenseModel: bring-your-own-license + MasterUsername: master + MasterUserPassword: SecretPassword01 + BackupRetentionPeriod: 7 + Port: 1521 + DeletionPolicy: Snapshot + +``` +```json title="Postitive test num. 2 - json file" hl_lines="21" +{ + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "BackupRetentionPeriod": 7, + "DBSecurityGroups": [ + { + "Ref": "MyDbSecurityByEC2SecurityGroup" + }, + { + "Ref": "MyDbSecurityByCIDRIPGroup" + } + ], + "AllocatedStorage": "5", + "DBInstanceClass": "db.t2.small", + "Engine": "oracle-ee", + "LicenseModel": "bring-your-own-license", + "MasterUsername": "master", + "MasterUserPassword": "SecretPassword01", + "Port": 1521 + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="15" +Resources: + MyDB: + Type: AWS::RDS::DBInstance + Properties: + DBSecurityGroups: + - Ref: MyDbSecurityByEC2SecurityGroup + - Ref: MyDbSecurityByCIDRIPGroup + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: mysql + LicenseModel: bring-your-own-license + MasterUsername: master + MasterUserPassword: SecretPassword01 + BackupRetentionPeriod: 7 + Port: 3306 + DeletionPolicy: Snapshot + +``` +
Postitive test num. 4 - json file + +```json hl_lines="21" +{ + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "BackupRetentionPeriod": 7, + "DBSecurityGroups": [ + { + "Ref": "MyDbSecurityByEC2SecurityGroup" + }, + { + "Ref": "MyDbSecurityByCIDRIPGroup" + } + ], + "AllocatedStorage": "5", + "DBInstanceClass": "db.t2.small", + "Engine": "mysql", + "LicenseModel": "bring-your-own-license", + "MasterUsername": "master", + "MasterUserPassword": "SecretPassword01", + "Port": 3306 + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + MyDB: + Type: AWS::RDS::DBInstance + Properties: + DBSecurityGroups: + - Ref: MyDbSecurityByEC2SecurityGroup + - Ref: MyDbSecurityByCIDRIPGroup + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: oracle-ee + LicenseModel: bring-your-own-license + MasterUsername: master + MasterUserPassword: SecretPassword01 + BackupRetentionPeriod: 7 + Port: 1522 + DeletionPolicy: Snapshot + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "BackupRetentionPeriod": 7, + "DBSecurityGroups": [ + { + "Ref": "MyDbSecurityByEC2SecurityGroup" + }, + { + "Ref": "MyDbSecurityByCIDRIPGroup" + } + ], + "AllocatedStorage": "5", + "DBInstanceClass": "db.t2.small", + "Engine": "oracle-ee", + "LicenseModel": "bring-your-own-license", + "MasterUsername": "master", + "MasterUserPassword": "SecretPassword01", + "Port": 1522 + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +Resources: + MyDB: + Type: AWS::RDS::DBInstance + Properties: + DBSecurityGroups: + - Ref: MyDbSecurityByEC2SecurityGroup + - Ref: MyDbSecurityByCIDRIPGroup + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: mysql + LicenseModel: bring-your-own-license + MasterUsername: master + MasterUserPassword: SecretPassword01 + BackupRetentionPeriod: 7 + Port: 3307 + DeletionPolicy: Snapshot + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "BackupRetentionPeriod": 7, + "DBSecurityGroups": [ + { + "Ref": "MyDbSecurityByEC2SecurityGroup" + }, + { + "Ref": "MyDbSecurityByCIDRIPGroup" + } + ], + "AllocatedStorage": "5", + "DBInstanceClass": "db.t2.small", + "Engine": "mysql", + "LicenseModel": "bring-your-own-license", + "MasterUsername": "master", + "MasterUserPassword": "SecretPassword01", + "Port": 3307 + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/209189f3-c879-48a7-9703-fbcfa96d0cef.md b/docs/queries/cloudformation-queries/aws/209189f3-c879-48a7-9703-fbcfa96d0cef.md new file mode 100644 index 00000000000..4756b6d55da --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/209189f3-c879-48a7-9703-fbcfa96d0cef.md @@ -0,0 +1,120 @@ +--- +title: BOM - AWS MQ +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 209189f3-c879-48a7-9703-fbcfa96d0cef +- **Query name:** BOM - AWS MQ +- **Platform:** CloudFormation +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/mq) + +### Description +A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create a basic ActiveMQ broker" +Resources: + BasicBroker: + Type: "AWS::AmazonMQ::Broker" + Properties: + AutoMinorVersionUpgrade: "false" + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EncryptionOptions: + UseAwsOwnedKey: true + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: true + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create a basic ActiveMQ broker", + "Resources": { + "BasicBroker2": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "AutoMinorVersionUpgrade": "false" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Enabled": "true" + } + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/219f4c95-aa50-44e0-97de-cf71f4641170.md b/docs/queries/cloudformation-queries/aws/219f4c95-aa50-44e0-97de-cf71f4641170.md new file mode 100644 index 00000000000..7f9734db4ee --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/219f4c95-aa50-44e0-97de-cf71f4641170.md @@ -0,0 +1,442 @@ +--- +title: S3 Bucket ACL Allows Read to All Users +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 219f4c95-aa50-44e0-97de-cf71f4641170 +- **Query name:** S3 Bucket ACL Allows Read to All Users +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_all_users) + +### Description +S3 Buckets should not be readable to all users
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts01: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicRead + BucketName: jenkins-artifacts + Tags: + - Key: CostCenter + Value: ITEngineering + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + StaticPage01: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicRead + BucketName: public-read-static-page01 + WebsiteConfiguration: + ErrorDocument: 404.html + IndexDocument: index.html + Tags: + - Key: CostCenter + Value: ITEngineering + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts02: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicRead + BucketName: jenkins-artifacts-block-public + PublicAccessBlockConfiguration: + BlockPublicPolicy: false + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: ITEngineering + - Key: Type + Value: CICD + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + S3BucketForWebsiteContent: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="13" +{ + "Resources": { + "JenkinsArtifacts01": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "jenkins-artifacts", + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + } + ], + "AccessControl": "PublicRead" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="7" +{ + "Description": "Creating S3 bucket", + "Resources": { + "StaticPage01": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "PublicRead", + "BucketName": "public-read-static-page01", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "404.html" + }, + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` +
+
Postitive test num. 7 - json file
+
+```json hl_lines="8"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "Creating S3 bucket",
+ "Resources": {
+ "JenkinsArtifacts02": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "AccessControl": "PublicRead",
+ "BucketName": "jenkins-artifacts-block-public",
+ "PublicAccessBlockConfiguration": {
+ "BlockPublicPolicy": false
+ },
+ "VersioningConfiguration": {
+ "Status": "Enabled"
+ },
+ "Tags": [
+ {
+ "Key": "CostCenter",
+ "Value": "ITEngineering"
+ },
+ {
+ "Key": "Type",
+ "Value": "CICD"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
Postitive test num. 8 - json file
+
+```json hl_lines="8"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "Creating S3 bucket",
+ "Resources": {
+ "S3BucketForWebsiteContent": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "AccessControl": "PublicRead",
+ "WebsiteConfiguration": {
+ "IndexDocument": "index.html",
+ "ErrorDocument": "error.html"
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creating S3 bucket
+Resources:
+ JenkinsArtifacts03:
+ Type: AWS::S3::Bucket
+ Properties:
+ AccessControl: BucketOwnerFullControl
+ BucketName: jenkins-artifacts
+ VersioningConfiguration:
+ Status: Enabled
+ Tags:
+ - Key: CostCenter
+ Value: ITEngineering
+ - Key: Type
+ Value: CICD
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creating S3 bucket
+Resources:
+ JenkinsArtifacts04:
+ Type: AWS::S3::Bucket
+ Properties:
+ AccessControl: Private
+ BucketName: jenkins-secret-artifacts
+ VersioningConfiguration:
+ Status: Enabled
+ Tags:
+ - Key: CostCenter
+ Value: ITEngineering
+
+```
+```yaml title="Negative test num. 3 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creating S3 bucket
+Resources:
+ JenkinsArtifacts05:
+ Type: AWS::S3::Bucket
+ Properties:
+ AccessControl: PublicReadWrite
+ BucketName: jenkins-secret-artifacts2
+ VersioningConfiguration:
+ Status: Enabled
+ Tags:
+ - Key: CostCenter
+ Value: ITEngineering
+
+```
+
Negative test num. 4 - yaml file
+
+```yaml
+AWSTemplateFormatVersion: 2010-09-09
+Description: Creating S3 bucket
+Resources:
+ StaticPage03:
+ Type: AWS::S3::Bucket
+ Properties:
+ AccessControl: AuthenticatedRead
+ BucketName: public-read-static-page
+ WebsiteConfiguration:
+ ErrorDocument: 404.html
+ IndexDocument: index.html
+ Tags:
+ - Key: CostCenter
+ Value: ITEngineering
+Outputs:
+ WebsiteURL:
+ Value:
+ Fn::GetAtt:
+ - StaticPage03
+ - WebsiteURL
+ Description: URL for website hosted on S3
+ S3BucketSecureURL:
+ Value:
+ Fn::Join:
+ - ""
+ - - https://
+ - Fn::GetAtt:
+ - StaticPage03
+ - DomainName
+ Description: Name of S3 bucket to hold website content
+
+```
+
+
Negative test num. 5 - json file
+
+```json
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "Creating S3 bucket",
+ "Resources": {
+ "JenkinsArtifacts03": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "BucketName": "jenkins-artifacts",
+ "VersioningConfiguration": {
+ "Status": "Enabled"
+ },
+ "Tags": [
+ {
+ "Key": "CostCenter",
+ "Value": "ITEngineering"
+ },
+ {
+ "Key": "Type",
+ "Value": "CICD"
+ }
+ ],
+ "AccessControl": "BucketOwnerFullControl"
+ }
+ }
+ }
+}
+
+```
+
+
Negative test num. 6 - json file
+
+```json
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "Creating S3 bucket",
+ "Resources": {
+ "JenkinsArtifacts04": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "AccessControl": "Private",
+ "BucketName": "jenkins-secret-artifacts",
+ "VersioningConfiguration": {
+ "Status": "Enabled"
+ },
+ "Tags": [
+ {
+ "Key": "CostCenter",
+ "Value": "ITEngineering"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
Negative test num. 7 - json file
+
+```json
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "Creating S3 bucket",
+ "Resources": {
+ "JenkinsArtifacts05": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "AccessControl": "PublicReadWrite",
+ "BucketName": "jenkins-secret-artifacts2",
+ "VersioningConfiguration": {
+ "Status": "Enabled"
+ },
+ "Tags": [
+ {
+ "Key": "CostCenter",
+ "Value": "ITEngineering"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
Negative test num. 8 - json file
+
+```json
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "Creating S3 bucket",
+ "Resources": {
+ "StaticPage03": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "AccessControl": "AuthenticatedRead",
+ "BucketName": "public-read-static-page",
+ "WebsiteConfiguration": {
+ "ErrorDocument": "404.html",
+ "IndexDocument": "index.html"
+ },
+ "Tags": [
+ {
+ "Key": "CostCenter",
+ "Value": "ITEngineering"
+ }
+ ]
+ }
+ }
+ },
+ "Outputs": {
+ "S3BucketSecureURL": {
+ "Value": {
+ "Fn::Join": [
+ "",
+ [
+ "https://",
+ {
+ "Fn::GetAtt": [
+ "StaticPage03",
+ "DomainName"
+ ]
+ }
+ ]
+ ]
+ },
+ "Description": "Name of S3 bucket to hold website content"
+ },
+ "WebsiteURL": {
+ "Value": {
+ "Fn::GetAtt": [
+ "StaticPage03",
+ "WebsiteURL"
+ ]
+ },
+ "Description": "URL for website hosted on S3"
+ }
+ }
+}
+
+```
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/235ca980-eb71-48f4-9030-df0c371029eb.md b/docs/queries/cloudformation-queries/aws/235ca980-eb71-48f4-9030-df0c371029eb.md
new file mode 100644
index 00000000000..53fc04b387e
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/235ca980-eb71-48f4-9030-df0c371029eb.md
@@ -0,0 +1,374 @@
+---
+title: KMS Key Rotation Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 235ca980-eb71-48f4-9030-df0c371029eb
+- **Query name:** KMS Key Rotation Disabled
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/kms_enable_key_rotation_disabled)
+
+### Description
+EnableKeyRotation should not be false or undefined
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 51"
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+ myKey:
+ Type: AWS::KMS::Key
+ Properties:
+ Description: An example symmetric CMK
+ EnableKeyRotation: false
+ KeyPolicy:
+ Version: '2012-10-17'
+ Id: key-default-1
+ Statement:
+ - Sid: Enable IAM User Permissions
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::111122223333:root
+ Action: kms:*
+ Resource: '*'
+ - Sid: Allow administration of the key
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::123456789012:user/Alice
+ Action:
+ - kms:Create*
+ - kms:Describe*
+ - kms:Enable*
+ - kms:List*
+ - kms:Put*
+ - kms:Update*
+ - kms:Revoke*
+ - kms:Disable*
+ - kms:Get*
+ - kms:Delete*
+ - kms:ScheduleKeyDeletion
+ - kms:CancelKeyDeletion
+ Resource: '*'
+ - Sid: Allow use of the key
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::123456789012:user/Bob
+ Action:
+ - kms:DescribeKey
+ - kms:Encrypt
+ - kms:Decrypt
+ - kms:ReEncrypt*
+ - kms:GenerateDataKey
+ - kms:GenerateDataKeyWithoutPlaintext
+ Resource: '*'
+ myKey2:
+ Type: AWS::KMS::Key
+ Properties:
+ Description: An example symmetric CMK
+ KeyPolicy:
+ Version: '2012-10-17'
+ Id: key-default-1
+ Statement:
+ - Sid: Enable IAM User Permissions
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::111122223333:root
+ Action: kms:*
+ Resource: '*'
+ - Sid: Allow administration of the key
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::123456789012:user/Alice
+ Action:
+ - kms:Create*
+ - kms:Describe*
+ - kms:Enable*
+ - kms:List*
+ - kms:Put*
+ - kms:Update*
+ - kms:Revoke*
+ - kms:Disable*
+ - kms:Get*
+ - kms:Delete*
+ - kms:ScheduleKeyDeletion
+ - kms:CancelKeyDeletion
+ Resource: '*'
+ - Sid: Allow use of the key
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::123456789012:user/Bob
+ Action:
+ - kms:DescribeKey
+ - kms:Encrypt
+ - kms:Decrypt
+ - kms:ReEncrypt*
+ - kms:GenerateDataKey
+ - kms:GenerateDataKeyWithoutPlaintext
+ Resource: '*'
+```
+```json title="Postitive test num. 2 - json file" hl_lines="65 60"
+{
+ "Resources": {
+ "myKey": {
+ "Type": "AWS::KMS::Key",
+ "Properties": {
+ "KeyPolicy": {
+ "Version": "2012-10-17",
+ "Id": "key-default-1",
+ "Statement": [
+ {
+ "Sid": "Enable IAM User Permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::111122223333:root"
+ },
+ "Action": "kms:*",
+ "Resource": "*"
+ },
+ {
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/Alice"
+ },
+ "Action": [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion"
+ ],
+ "Resource": "*",
+ "Sid": "Allow administration of the key",
+ "Effect": "Allow"
+ },
+ {
+ "Sid": "Allow use of the key",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/Bob"
+ },
+ "Action": [
+ "kms:DescribeKey",
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext"
+ ],
+ "Resource": "*"
+ }
+ ]
+ },
+ "Description": "An example symmetric CMK",
+ "EnableKeyRotation": false
+ }
+ },
+ "myKey2": {
+ "Type": "AWS::KMS::Key",
+ "Properties": {
+ "Description": "An example symmetric CMK",
+ "KeyPolicy": {
+ "Version": "2012-10-17",
+ "Id": "key-default-1",
+ "Statement": [
+ {
+ "Sid": "Enable IAM User Permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::111122223333:root"
+ },
+ "Action": "kms:*",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/Alice"
+ },
+ "Action": [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion"
+ ],
+ "Resource": "*",
+ "Sid": "Allow administration of the key"
+ },
+ {
+ "Action": [
+ "kms:DescribeKey",
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext"
+ ],
+ "Resource": "*",
+ "Sid": "Allow use of the key",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/Bob"
+ }
+ }
+ ]
+ }
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "A sample template"
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+ myKey:
+ Type: AWS::KMS::Key
+ Properties:
+ Description: An example symmetric CMK
+ EnableKeyRotation: True
+ KeyPolicy:
+ Version: '2012-10-17'
+ Id: key-default-1
+ Statement:
+ - Sid: Enable IAM User Permissions
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::111122223333:root
+ Action: kms:*
+ Resource: '*'
+ - Sid: Allow administration of the key
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::123456789012:user/Alice
+ Action:
+ - kms:Create*
+ - kms:Describe*
+ - kms:Enable*
+ - kms:List*
+ - kms:Put*
+ - kms:Update*
+ - kms:Revoke*
+ - kms:Disable*
+ - kms:Get*
+ - kms:Delete*
+ - kms:ScheduleKeyDeletion
+ - kms:CancelKeyDeletion
+ Resource: '*'
+ - Sid: Allow use of the key
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::123456789012:user/Bob
+ Action:
+ - kms:DescribeKey
+ - kms:Encrypt
+ - kms:Decrypt
+ - kms:ReEncrypt*
+ - kms:GenerateDataKey
+ - kms:GenerateDataKeyWithoutPlaintext
+ Resource: '*'
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "A sample template",
+ "Resources": {
+ "myKey": {
+ "Properties": {
+ "EnableKeyRotation": true,
+ "KeyPolicy": {
+ "Id": "key-default-1",
+ "Statement": [
+ {
+ "Sid": "Enable IAM User Permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::111122223333:root"
+ },
+ "Action": "kms:*",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion"
+ ],
+ "Resource": "*",
+ "Sid": "Allow administration of the key",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/Alice"
+ }
+ },
+ {
+ "Sid": "Allow use of the key",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/Bob"
+ },
+ "Action": [
+ "kms:DescribeKey",
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext"
+ ],
+ "Resource": "*"
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "Description": "An example symmetric CMK"
+ },
+ "Type": "AWS::KMS::Key"
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/24d932e1-91f0-46ea-836f-fdbd81694151.md b/docs/queries/cloudformation-queries/aws/24d932e1-91f0-46ea-836f-fdbd81694151.md
new file mode 100644
index 00000000000..11986356bc9
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/24d932e1-91f0-46ea-836f-fdbd81694151.md
@@ -0,0 +1,112 @@
+---
+title: Route53 Record Undefined
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 24d932e1-91f0-46ea-836f-fdbd81694151
+- **Query name:** Route53 Record Undefined
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/route53_record_undefined)
+
+### Description
+Route53 HostedZone must have the Record Set defined.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-route53-hostedzone.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Router53"
+Resources:
+ HostedZone:
+ Type: AWS::Route53::HostedZone
+ Properties:
+ Name: "HostedZone"
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="5"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Router53",
+ "Resources": {
+ "HostedZone": {
+ "Type": "AWS::Route53::HostedZone",
+ "Properties": {
+ "Name": "HostedZone"
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Router53"
+Resources:
+ HostedZone:
+ Type: AWS::Route53::HostedZone
+ Properties:
+ Name: "HostedZone"
+ RecordSet:
+ Type: AWS::Route53::RecordSet
+ Properties:
+ HostedZoneId: !Ref HostedZoneId
+ Name: !Join ['', [!Ref DomainName, '.', !Ref HostedZoneName, '.']]
+ Type: CNAME
+ TTL: '900'
+ ResourceRecords:
+ - !Ref DnsEndpoint
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Description": "Router53",
+ "Resources": {
+ "HostedZone": {
+ "Type": "AWS::Route53::HostedZone",
+ "Properties": {
+ "Name": "HostedZone"
+ }
+ },
+ "RecordSet": {
+ "Type": "AWS::Route53::RecordSet",
+ "Properties": {
+ "HostedZoneId": "HostedZoneId",
+ "Name": [
+ "",
+ [
+ "DomainName",
+ ".",
+ "HostedZoneName",
+ "."
+ ]
+ ],
+ "Type": "CNAME",
+ "TTL": "900",
+ "ResourceRecords": [
+ "DnsEndpoint"
+ ]
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09"
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696.md b/docs/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696.md
new file mode 100644
index 00000000000..ce67b16f356
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/2564172f-c92b-4261-9acd-464aed511696.md
@@ -0,0 +1,238 @@
+---
+title: Hardcoded AWS Access Key In Lambda
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2564172f-c92b-4261-9acd-464aed511696
+- **Query name:** Hardcoded AWS Access Key In Lambda
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Secret Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/hardcoded_aws_access_key_in_lambda)
+
+### Description
+Lambda access/secret keys should not be hardcoded
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-environment)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+AWSTemplateFormatVersion: '2010-09-09'
+Description: VPC function.
+Resources:
+ LambdaFunction3:
+ Type: AWS::Lambda::Function
+ Properties:
+ Handler: index.handler
+ Role: arn:aws:iam::123456789012:role/lambda-role
+ Environment:
+ Variables:
+ foo: "1234567890123456789012345678901234567890$"
+ databaseName: lambdadb
+ databaseUser: admin
+ Code:
+ S3Bucket: my-bucket
+ S3Key: function.zip
+ Runtime: nodejs12.x
+ Timeout: 5
+ TracingConfig:
+ Mode: Active
+ VpcConfig:
+ SecurityGroupIds:
+ - sg-085912345678492fb
+ SubnetIds:
+ - subnet-071f712345678e7c8
+ - subnet-07fd123456788a036
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="10"
+AWSTemplateFormatVersion: '2010-09-09'
+Description: VPC function.
+Resources:
+ LambdaFunction4:
+ Type: AWS::Lambda::Function
+ Properties:
+ Handler: index.handler
+ Role: arn:aws:iam::123456789012:role/lambda-role
+ Environment:
+ Variables:
+ foo: "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
+ Code:
+ S3Bucket: my-bucket
+ S3Key: function.zip
+ Runtime: nodejs12.x
+ Timeout: 5
+ TracingConfig:
+ Mode: Active
+ VpcConfig:
+ SecurityGroupIds:
+ - sg-085912345678492fb
+ SubnetIds:
+ - subnet-071f712345678e7c8
+ - subnet-07fd123456788a036
+
+```
+```json title="Postitive test num. 3 - json file" hl_lines="29"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "VPC function.",
+ "Resources": {
+ "LambdaFunction5": {
+ "Type": "AWS::Lambda::Function",
+ "Properties": {
+ "Code": {
+ "S3Bucket": "my-bucket",
+ "S3Key": "function.zip"
+ },
+ "Runtime": "nodejs12.x",
+ "Timeout": 5,
+ "TracingConfig": {
+ "Mode": "Active"
+ },
+ "VpcConfig": {
+ "SecurityGroupIds": [
+ "sg-085912345678492fb"
+ ],
+ "SubnetIds": [
+ "subnet-071f712345678e7c8",
+ "subnet-07fd123456788a036"
+ ]
+ },
+ "Handler": "index.handler",
+ "Role": "arn:aws:iam::123456789012:role/lambda-role",
+ "Environment": {
+ "Variables": {
+ "foo": "1234567890123456789012345678901234567890$",
+ "databaseName": "lambdadb",
+ "databaseUser": "admin"
+ }
+ }
+ }
+ }
+ }
+}
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="29"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "VPC function.",
+ "Resources": {
+ "LambdaFunction6": {
+ "Type": "AWS::Lambda::Function",
+ "Properties": {
+ "Code": {
+ "S3Bucket": "my-bucket",
+ "S3Key": "function.zip"
+ },
+ "Runtime": "nodejs12.x",
+ "Timeout": 5,
+ "TracingConfig": {
+ "Mode": "Active"
+ },
+ "VpcConfig": {
+ "SecurityGroupIds": [
+ "sg-085912345678492fb"
+ ],
+ "SubnetIds": [
+ "subnet-071f712345678e7c8",
+ "subnet-07fd123456788a036"
+ ]
+ },
+ "Handler": "index.handler",
+ "Role": "arn:aws:iam::123456789012:role/lambda-role",
+ "Environment": {
+ "Variables": {
+ "foo": "12345678901234567890123456789012345678901234567890123456789012345678901234567890$"
+ }
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Description: VPC function.
+Resources:
+ LambdaFunction:
+ Type: AWS::Lambda::Function
+ Properties:
+ Handler: index.handler
+ Role: arn:aws:iam::123456789012:role/lambda-role
+ Environment:
+ Variables:
+ foo: "test"
+ Code:
+ S3Bucket: my-bucket
+ S3Key: function.zip
+ Runtime: nodejs12.x
+ Timeout: 5
+ TracingConfig:
+ Mode: Active
+ VpcConfig:
+ SecurityGroupIds:
+ - sg-085912345678492fb
+ SubnetIds:
+ - subnet-071f712345678e7c8
+ - subnet-07fd123456788a036
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "VPC function.",
+ "Resources": {
+ "LambdaFunction2": {
+ "Type": "AWS::Lambda::Function",
+ "Properties": {
+ "Code": {
+ "S3Bucket": "my-bucket",
+ "S3Key": "function.zip"
+ },
+ "Runtime": "nodejs12.x",
+ "Timeout": 5,
+ "TracingConfig": {
+ "Mode": "Active"
+ },
+ "VpcConfig": {
+ "SecurityGroupIds": [
+ "sg-085912345678492fb"
+ ],
+ "SubnetIds": [
+ "subnet-071f712345678e7c8",
+ "subnet-07fd123456788a036"
+ ]
+ },
+ "Handler": "index.handler",
+ "Role": "arn:aws:iam::123456789012:role/lambda-role",
+ "Environment": {
+ "Variables": {
+ "foo": "test"
+ }
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/2623d682-dccb-44cd-99d0-54d9fd62f8f2.md b/docs/queries/cloudformation-queries/aws/2623d682-dccb-44cd-99d0-54d9fd62f8f2.md
new file mode 100644
index 00000000000..bab08010d43
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/2623d682-dccb-44cd-99d0-54d9fd62f8f2.md
@@ -0,0 +1,195 @@
+---
+title: EC2 Network ACL Ineffective Denied Traffic
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2623d682-dccb-44cd-99d0-54d9fd62f8f2
+- **Query name:** EC2 Network ACL Ineffective Denied Traffic
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_network_acl_ineffective_denied_traffic)
+
+### Description
+Ineffective deny rules. A deny rule should be applied to all IP addresses.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="17"
+Resources:
+ MyNACL:
+ Type: AWS::EC2::NetworkAcl
+ Properties:
+ VpcId: vpc-1122334455aabbccd
+ Tags:
+ - Key: Name
+ Value: NACLforSSHTraffic
+ InboundRule:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: deny
+ CidrBlock: 172.16.0.0/24
+ PortRange:
+ From: 22
+ To: 22
+ OutboundRule:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: -1
+ Egress: true
+ RuleAction: deny
+ CidrBlock: 0.0.0.0/0
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="20"
+{
+ "Resources": {
+ "MyNACL": {
+ "Type": "AWS::EC2::NetworkAcl",
+ "Properties": {
+ "VpcId": "vpc-1122334455aabbccd",
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "NACLforSSHTraffic"
+ }
+ ]
+ }
+ },
+ "InboundRule": {
+ "Properties": {
+ "RuleNumber": 100,
+ "Protocol": 6,
+ "RuleAction": "deny",
+ "CidrBlock": "172.16.0.0/24",
+ "PortRange": {
+ "From": 22,
+ "To": 22
+ },
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ }
+ },
+ "Type": "AWS::EC2::NetworkAclEntry"
+ },
+ "OutboundRule": {
+ "Properties": {
+ "RuleAction": "deny",
+ "CidrBlock": "0.0.0.0/0",
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": -1,
+ "Egress": true
+ },
+ "Type": "AWS::EC2::NetworkAclEntry"
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+Resources:
+ MyNACL:
+ Type: AWS::EC2::NetworkAcl
+ Properties:
+ VpcId: vpc-1122334455aabbccd
+ Tags:
+ - Key: Name
+ Value: NACLforSSHTraffic
+ InboundRule:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 172.16.0.0/24
+ PortRange:
+ From: 22
+ To: 22
+ OutboundRule:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: -1
+ Egress: true
+ RuleAction: allow
+ CidrBlock: 0.0.0.0/0
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "MyNACL": {
+ "Properties": {
+ "VpcId": "vpc-1122334455aabbccd",
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "NACLforSSHTraffic"
+ }
+ ]
+ },
+ "Type": "AWS::EC2::NetworkAcl"
+ },
+ "InboundRule": {
+ "Type": "AWS::EC2::NetworkAclEntry",
+ "Properties": {
+ "RuleAction": "allow",
+ "CidrBlock": "172.16.0.0/24",
+ "PortRange": {
+ "From": 22,
+ "To": 22
+ },
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6
+ }
+ },
+ "OutboundRule": {
+ "Type": "AWS::EC2::NetworkAclEntry",
+ "Properties": {
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": -1,
+ "Egress": true,
+ "RuleAction": "allow",
+ "CidrBlock": "0.0.0.0/0"
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/2730c169-51d7-4ae7-99b5-584379eff1bb.md b/docs/queries/cloudformation-queries/aws/2730c169-51d7-4ae7-99b5-584379eff1bb.md
new file mode 100644
index 00000000000..f14495b6798
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/2730c169-51d7-4ae7-99b5-584379eff1bb.md
@@ -0,0 +1,167 @@
+---
+title: BOM - AWS MSK
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2730c169-51d7-4ae7-99b5-584379eff1bb
+- **Query name:** BOM - AWS MSK
+- **Platform:** CloudFormation
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/msk)
+
+### Description
+A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.
+[Documentation](https://kics.io)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+Description: MSK Cluster with all properties
+Resources:
+ TestCluster:
+ Type: 'AWS::MSK::Cluster'
+ Properties:
+ ClusterName: ClusterWithAllProperties
+ KafkaVersion: 2.2.1
+ NumberOfBrokerNodes: 3
+ EnhancedMonitoring: PER_BROKER
+ EncryptionInfo:
+ EncryptionAtRest:
+ DataVolumeKMSKeyId: ReplaceWithKmsKeyArn
+ EncryptionInTransit:
+ ClientBroker: TLS
+ InCluster: true
+ OpenMonitoring:
+ Prometheus:
+ JmxExporter:
+ EnabledInBroker: "true"
+ NodeExporter:
+ EnabledInBroker: "true"
+ ConfigurationInfo:
+ Arn: ReplaceWithConfigurationArn
+ Revision: 1
+ ClientAuthentication:
+ Tls:
+ CertificateAuthorityArnList:
+ - ReplaceWithCAArn
+ Tags:
+ Environment: Test
+ Owner: QATeam
+ BrokerNodeGroupInfo:
+ BrokerAZDistribution: DEFAULT
+ InstanceType: kafka.m5.large
+ SecurityGroups:
+ - ReplaceWithSecurityGroupId
+ StorageInfo:
+ EBSStorageInfo:
+ VolumeSize: 100
+ ClientSubnets:
+ - ReplaceWithSubnetId1
+ - ReplaceWithSubnetId2
+ - ReplaceWithSubnetId3
+ ConnectivityInfo:
+ PublicAccess:
+ Type: SERVICE_PROVIDED_EIPS
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="4"
+{
+ "Description": "MSK Cluster with all properties",
+ "Resources": {
+ "TestCluster3": {
+ "Type": "AWS::MSK::Cluster",
+ "Properties": {
+ "ClusterName": "ClusterWithAllProperties",
+ "KafkaVersion": "2.2.1",
+ "NumberOfBrokerNodes": 3,
+ "EnhancedMonitoring": "PER_BROKER",
+ "OpenMonitoring": {
+ "Prometheus": {
+ "JmxExporter": {
+ "EnabledInBroker": "true"
+ },
+ "NodeExporter": {
+ "EnabledInBroker": "true"
+ }
+ }
+ },
+ "ConfigurationInfo": {
+ "Arn": "ReplaceWithConfigurationArn",
+ "Revision": 1
+ },
+ "ClientAuthentication": {
+ "Tls": {
+ "CertificateAuthorityArnList": [
+ "ReplaceWithCAArn"
+ ]
+ }
+ },
+ "Tags": {
+ "Environment": "Test",
+ "Owner": "QATeam"
+ },
+ "BrokerNodeGroupInfo": {
+ "BrokerAZDistribution": "DEFAULT",
+ "InstanceType": "kafka.m5.large",
+ "SecurityGroups": [
+ "ReplaceWithSecurityGroupId"
+ ],
+ "StorageInfo": {
+ "EBSStorageInfo": {
+ "VolumeSize": 100
+ }
+ },
+ "ClientSubnets": [
+ "ReplaceWithSubnetId1",
+ "ReplaceWithSubnetId2",
+ "ReplaceWithSubnetId3"
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ myDistribution:
+ Type: AWS::CloudFront::Distribution
+ Properties:
+ DistributionConfig:
+ Enabled: true
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "myDistribution": {
+ "Type": "AWS::CloudFront::Distribution",
+ "Properties": {
+ "DistributionConfig": {
+ "Enabled": "true"
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/275a3217-ca37-40c1-a6cf-bb57d245ab32.md b/docs/queries/cloudformation-queries/aws/275a3217-ca37-40c1-a6cf-bb57d245ab32.md
new file mode 100644
index 00000000000..6fde026770d
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/275a3217-ca37-40c1-a6cf-bb57d245ab32.md
@@ -0,0 +1,171 @@
+---
+title: ALB Listening on HTTP
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 275a3217-ca37-40c1-a6cf-bb57d245ab32
+- **Query name:** ALB Listening on HTTP
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/alb_listening_on_http)
+
+### Description
+AWS Application Load Balancer (alb) should not listen on HTTP
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-listener.html#cfn-ec2-elb-listener-protocol)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="25 13"
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+ MyLoadBalancer:
+ Type: AWS::ElasticLoadBalancing::LoadBalancer
+ Properties:
+ AvailabilityZones:
+ - "us-east-2a"
+ CrossZone: true
+ Listeners:
+ - InstancePort: '80'
+ InstanceProtocol: HTTPS
+ LoadBalancerPort: '443'
+ Protocol: HTTP
+ PolicyNames:
+ - My-SSLNegotiation-Policy
+ SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
+ Scheme: internal
+ HTTPlistener:
+ Type: "AWS::ElasticLoadBalancingV2::Listener"
+ Properties:
+ DefaultActions:
+ - Type: redirect
+ LoadBalancerArn: !Ref myLoadBalancer
+ Port: 80
+ Protocol: HTTP
+```
+```json title="Postitive test num. 2 - json file" hl_lines="9 35"
+{
+ "Resources": {
+ "MyLoadBalancer": {
+ "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "Properties": {
+ "CrossZone": true,
+ "Listeners": [
+ {
+ "Protocol": "HTTP",
+ "PolicyNames": [
+ "My-SSLNegotiation-Policy"
+ ],
+ "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
+ "InstancePort": "80",
+ "InstanceProtocol": "HTTPS",
+ "LoadBalancerPort": "443"
+ }
+ ],
+ "Scheme": "internal",
+ "AvailabilityZones": [
+ "us-east-2a"
+ ]
+ }
+ },
+ "HTTPlistener": {
+ "Type": "AWS::ElasticLoadBalancingV2::Listener",
+ "Properties": {
+ "DefaultActions": [
+ {
+ "Type": "redirect"
+ }
+ ],
+ "LoadBalancerArn": "myLoadBalancer",
+ "Port": 80,
+ "Protocol": "HTTP"
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
+}
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="16"
+Resources:
+ HTTPlistener:
+ Type: "AWS::ElasticLoadBalancingV2::Listener"
+ Properties:
+ DefaultActions:
+ - Type: "redirect"
+ RedirectConfig:
+ Protocol: "HTTPS"
+ Port: "443"
+ Host: "#{host}"
+ Path: "/#{path}"
+ Query: "#{query}"
+ StatusCode: "HTTP_301"
+ LoadBalancerArn: !Ref myLoadBalancer
+ Port: 80
+ Protocol: "HTTP"
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+ MyLoadBalancer:
+ Type: AWS::ElasticLoadBalancing::LoadBalancer
+ Properties:
+ AvailabilityZones:
+ - "us-east-2a"
+ CrossZone: true
+ Listeners:
+ - InstancePort: '80'
+ InstanceProtocol: HTTPS
+ LoadBalancerPort: '443'
+ Protocol: HTTPS
+ PolicyNames:
+ - My-SSLNegotiation-Policy
+ SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate
+ Scheme: internal
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Resources": {
+ "MyLoadBalancer": {
+ "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "Properties": {
+ "CrossZone": true,
+ "Listeners": [
+ {
+ "Protocol": "HTTPS",
+ "PolicyNames": [
+ "My-SSLNegotiation-Policy"
+ ],
+ "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate",
+ "InstancePort": "80",
+ "InstanceProtocol": "HTTPS",
+ "LoadBalancerPort": "443"
+ }
+ ],
+ "Scheme": "internal",
+ "AvailabilityZones": [
+ "us-east-2a"
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/2844c749-bd78-4cd1-90e8-b179df827602.md b/docs/queries/cloudformation-queries/aws/2844c749-bd78-4cd1-90e8-b179df827602.md
new file mode 100644
index 00000000000..9d53a21af24
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/2844c749-bd78-4cd1-90e8-b179df827602.md
@@ -0,0 +1,283 @@ +--- +title: CMK Is Unusable +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2844c749-bd78-4cd1-90e8-b179df827602 +- **Query name:** CMK Is Unusable +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cmk_is_unusable) + +### Description +AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'Enabled' set to true and the attribute 'PendingWindowInDays' must be undefined.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6 31" +#this is a problematic code where the query should report a result(s) +Resources: + myKey: + Type: AWS::KMS::Key + Properties: + Enabled: false + KeyPolicy: + Version: '2012-10-17' + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: + Fn::Join: + - '' + - - 'arn:aws:iam::' + - Ref: AWS::AccountId + - :root + Action: kms:* + Resource: '*' + Tags: + - Key: + Ref: Key + Value: + Ref: Value + myKey2: + Type: AWS::KMS::Key + Properties: + Enabled: true + PendingWindowInDays: 7 + KeyPolicy: + Version: '2012-10-17' + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: + Fn::Join: + - '' + - - 'arn:aws:iam::' + - Ref: AWS::AccountId + - :root + Action: kms:* + Resource: '*' + Tags: + - Key: + Ref: Key + Value: + Ref: Value +Parameters: + Key: + Type: String + Value: + Type: String + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="59 6" +{ + "Resources": { + "myKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "Enabled": false, + "KeyPolicy": { + "Id": "key-default-1", + "Statement": [ + { + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Action": "kms:*" + } + ], + "Version": "2012-10-17" + }, + "Tags": [ + { + "Key": { + "Ref": "Key" + }, + "Value": { + "Ref": "Value" + } + } + ] + } + }, + "myKey2": { + "Type": "AWS::KMS::Key", + "Properties": { + "Tags": [ + { + "Key": { + "Ref": "Key" + }, + "Value": { + "Ref": "Value" + } + } + ], + "Enabled": true, + "PendingWindowInDays": 7, + "KeyPolicy": { + "Version": "2012-10-17", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Action": "kms:*", + "Resource": "*" + } + ] + } + } + }, + "Parameters": { + "Key": { + "Type": "String" + }, + "Value": { + "Type": "String" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + myKey: + Type: AWS::KMS::Key + Properties: + Enabled: true + KeyPolicy: + Version: '2012-10-17' + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: + Fn::Join: + - '' + - - 'arn:aws:iam::' + - Ref: AWS::AccountId + - :root + Action: kms:* + Resource: '*' + Tags: + - Key: + Ref: Key + Value: + Ref: Value +Parameters: + Key: + Type: String + Value: + Type: String + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "myKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "Enabled": true, + "KeyPolicy": { + "Version": "2012-10-17", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:aws:iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Action": "kms:*", + "Resource": "*" + } + ] + }, + "Tags": [ + { + "Key": { + "Ref": "Key" + }, + "Value": { + "Ref": "Value" + } + } + ] + } + } + }, + "Parameters": { + "Key": { + "Type": "String" + }, + "Value": { + "Type": "String" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md b/docs/queries/cloudformation-queries/aws/2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md new file mode 100644 index 00000000000..ef3d30e33d2 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/2a3560fe-52ca-4443-b34f-bf0ed5eb74c8.md @@ -0,0 +1,441 @@ +--- +title: CloudTrail Log File Validation Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2a3560fe-52ca-4443-b34f-bf0ed5eb74c8 +- **Query name:** CloudTrail Log File Validation Disabled +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudtrail_log_file_validation_disabled) + +### Description +CloudTrail log file validation should be enabled to determine whether a log file has not been tampered
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-enablelogfilevalidation) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="77 62" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + myTrail2: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + EnableLogFileValidation: false + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + 
IsLogging: true + IsMultiRegionTrail: true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="108 87" +{ + "Resources": { + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}" + }, + { + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + }, + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject" + } + ] + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ] + } + }, + "Type": "AWS::SNS::TopicPolicy" + }, + "myTrail": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "IsMultiRegionTrail": true, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true + } + }, + "myTrail2": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "EnableLogFileValidation": false, + "S3BucketName": { + "Ref": "S3Bucket" + }, + 
"SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true, + "IsMultiRegionTrail": true + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + EnableLogFileValidation: true + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Type": "String", + "Description": "Email address to notify when new logs are published." + } + }, + "Resources": { + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}", + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow" + }, + { + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + }, + "Sid": "AWSCloudTrailWrite" + } + ] + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ] + } + } + }, + "myTrail": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "IsLogging": true, + "IsMultiRegionTrail": true, + "EnableLogFileValidation": true, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + } + } + }, + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/2b1d4935-9acf-48a7-8466-10d18bf51a69.md b/docs/queries/cloudformation-queries/aws/2b1d4935-9acf-48a7-8466-10d18bf51a69.md new file mode 100644 index 00000000000..d90442df5d1 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/2b1d4935-9acf-48a7-8466-10d18bf51a69.md @@ -0,0 +1,1017 @@ +--- +title: RDS Multi-AZ Deployment Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2b1d4935-9acf-48a7-8466-10d18bf51a69 +- **Query name:** RDS Multi-AZ Deployment Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/rds_multi_az_deployment_disabled) + +### Description +AWS RDS Instance should have a multi-az deployment
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="128 148" +AWSTemplateFormatVersion: 2010-09-09 +Description: "AWS CloudFormation Sample Template RDS_MySQL_With_Read_Replica: + Sample template showing how to create a highly-available, RDS DBInstance with + a read replica. **WARNING** This template creates an Amazon Relational + Database Service database instance and Amazon CloudWatch alarms. You will be + billed for the AWS resources used if you create a stack from this template." +Parameters: + DBName: + Default: MyDatabase + Description: The database name + Type: String + MinLength: "1" + MaxLength: "64" + AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBUser: + NoEcho: "true" + Description: The database admin account username + Type: String + MinLength: "1" + MaxLength: "16" + AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: "true" + Description: The database admin account password + Type: String + MinLength: "1" + MaxLength: "41" + AllowedPattern: "[a-zA-Z0-9]+" + ConstraintDescription: must contain only alphanumeric characters. + DBAllocatedStorage: + Default: "5" + Description: The size of the database (Gb) + Type: Number + MinValue: "5" + MaxValue: "1024" + ConstraintDescription: must be between 5 and 1024Gb. 
+ DBInstanceClass: + Description: The database instance type + Type: String + Default: db.t2.small + AllowedValues: + - db.t1.micro + - db.m1.small + - db.m1.medium + - db.m1.large + - db.m1.xlarge + - db.m2.xlarge + - db.m2.2xlarge + - db.m2.4xlarge + - db.m3.medium + - db.m3.large + - db.m3.xlarge + - db.m3.2xlarge + - db.m4.large + - db.m4.xlarge + - db.m4.2xlarge + - db.m4.4xlarge + - db.m4.10xlarge + - db.r3.large + - db.r3.xlarge + - db.r3.2xlarge + - db.r3.4xlarge + - db.r3.8xlarge + - db.m2.xlarge + - db.m2.2xlarge + - db.m2.4xlarge + - db.cr1.8xlarge + - db.t2.micro + - db.t2.small + - db.t2.medium + - db.t2.large + ConstraintDescription: must select a valid database instance type. + EC2SecurityGroup: + Description: The EC2 security group that contains instances that need access to + the database + Default: default + Type: String + AllowedPattern: "[a-zA-Z0-9\\-]+" + ConstraintDescription: must be a valid security group name. +Conditions: + Is-EC2-VPC: + Fn::Or: + - Fn::Equals: + - Ref: AWS::Region + - eu-central-1 + - Fn::Equals: + - Ref: AWS::Region + - cn-north-1 + Is-EC2-Classic: + Fn::Not: + - Condition: Is-EC2-VPC +Resources: + DBEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: Is-EC2-VPC + Properties: + GroupDescription: Open database for access + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 3306 + ToPort: 3306 + SourceSecurityGroupName: + Ref: EC2SecurityGroup + DBSecurityGroup: + Type: AWS::RDS::DBSecurityGroup + Condition: Is-EC2-Classic + Properties: + DBSecurityGroupIngress: + - EC2SecurityGroupName: + Ref: EC2SecurityGroup + GroupDescription: database access + MasterDB: + Type: AWS::RDS::DBInstance + Properties: + DBName: + Ref: DBName + AllocatedStorage: + Ref: DBAllocatedStorage + DBInstanceClass: + Ref: DBInstanceClass + Engine: MySQL + MasterUsername: + Ref: DBUser + MasterUserPassword: + Ref: DBPassword + MultiAZ: false + Tags: + - Key: Name + Value: Master Database + VPCSecurityGroups: + Fn::If: + - Is-EC2-VPC + - 
- Fn::GetAtt: + - DBEC2SecurityGroup + - GroupId + - Ref: AWS::NoValue + DBSecurityGroups: + Fn::If: + - Is-EC2-Classic + - - Ref: DBSecurityGroup + - Ref: AWS::NoValue + DeletionPolicy: Snapshot + UpdateReplacePolicy: Snapshot + ReplicaDB: + Type: AWS::RDS::DBInstance + Properties: + SourceDBInstanceIdentifier: + Ref: MasterDB + DBInstanceClass: + Ref: DBInstanceClass + Tags: + - Key: Name + Value: Read Replica Database +Outputs: + EC2Platform: + Description: Platform in which this stack is deployed + Value: + Fn::If: + - Is-EC2-VPC + - EC2-VPC + - EC2-Classic + MasterJDBCConnectionString: + Description: JDBC connection string for the master database + Value: + Fn::Join: + - "" + - - jdbc:mysql:// + - Fn::GetAtt: + - MasterDB + - Endpoint.Address + - ":" + - Fn::GetAtt: + - MasterDB + - Endpoint.Port + - / + - Ref: DBName + ReplicaJDBCConnectionString: + Description: JDBC connection string for the replica database + Value: + Fn::Join: + - "" + - - jdbc:mysql:// + - Fn::GetAtt: + - ReplicaDB + - Endpoint.Address + - ":" + - Fn::GetAtt: + - ReplicaDB + - Endpoint.Port + - / + - Ref: DBName + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="89 124" +{ + "Conditions": { + "Is-EC2-VPC": { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "cn-north-1" + ] + } + ] + }, + "Is-EC2-Classic": { + "Fn::Not": [ + { + "Condition": "Is-EC2-VPC" + } + ] + } + }, + "Resources": { + "DBEC2SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Condition": "Is-EC2-VPC", + "Properties": { + "GroupDescription": "Open database for access", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 3306, + "ToPort": 3306, + "SourceSecurityGroupName": { + "Ref": "EC2SecurityGroup" + } + } + ] + } + }, + "DBSecurityGroup": { + "Type": "AWS::RDS::DBSecurityGroup", + "Condition": "Is-EC2-Classic", + "Properties": { + "GroupDescription": "database access", + "DBSecurityGroupIngress": [ + { + "EC2SecurityGroupName": { + "Ref": "EC2SecurityGroup" + } + } + ] + } + }, + "MasterDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBSecurityGroups": { + "Fn::If": [ + "Is-EC2-Classic", + [ + { + "Ref": "DBSecurityGroup" + } + ], + { + "Ref": "AWS::NoValue" + } + ] + }, + "DBName": { + "Ref": "DBName" + }, + "DBInstanceClass": { + "Ref": "DBInstanceClass" + }, + "Engine": "MySQL", + "MasterUserPassword": { + "Ref": "DBPassword" + }, + "MultiAZ": false, + "AllocatedStorage": { + "Ref": "DBAllocatedStorage" + }, + "MasterUsername": { + "Ref": "DBUser" + }, + "Tags": [ + { + "Key": "Name", + "Value": "Master Database" + } + ], + "VPCSecurityGroups": { + "Fn::If": [ + "Is-EC2-VPC", + [ + { + "Fn::GetAtt": [ + "DBEC2SecurityGroup", + "GroupId" + ] + } + ], + { + "Ref": "AWS::NoValue" + } + ] + } + }, + "DeletionPolicy": "Snapshot", + "UpdateReplacePolicy": "Snapshot" + }, + "ReplicaDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceDBInstanceIdentifier": { + "Ref": "MasterDB" + }, + "DBInstanceClass": { + "Ref": "DBInstanceClass" + }, + "Tags": [ + { + "Key": "Name", + "Value": 
"Read Replica Database" + } + ] + } + } + }, + "Outputs": { + "ReplicaJDBCConnectionString": { + "Description": "JDBC connection string for the replica database", + "Value": { + "Fn::Join": [ + "", + [ + "jdbc:mysql://", + { + "Fn::GetAtt": [ + "ReplicaDB", + "Endpoint.Address" + ] + }, + ":", + { + "Fn::GetAtt": [ + "ReplicaDB", + "Endpoint.Port" + ] + }, + "/", + { + "Ref": "DBName" + } + ] + ] + } + }, + "EC2Platform": { + "Description": "Platform in which this stack is deployed", + "Value": { + "Fn::If": [ + "Is-EC2-VPC", + "EC2-VPC", + "EC2-Classic" + ] + } + }, + "MasterJDBCConnectionString": { + "Description": "JDBC connection string for the master database", + "Value": { + "Fn::Join": [ + "", + [ + "jdbc:mysql://", + { + "Fn::GetAtt": [ + "MasterDB", + "Endpoint.Address" + ] + }, + ":", + { + "Fn::GetAtt": [ + "MasterDB", + "Endpoint.Port" + ] + }, + "/", + { + "Ref": "DBName" + } + ] + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "AWS CloudFormation Sample Template RDS_MySQL_With_Read_Replica: Sample template showing how to create a highly-available, RDS DBInstance with a read replica. **WARNING** This template creates an Amazon Relational Database Service database instance and Amazon CloudWatch alarms. 
You will be billed for the AWS resources used if you create a stack from this template.", + "Parameters": { + "DBAllocatedStorage": { + "MaxValue": "1024", + "ConstraintDescription": "must be between 5 and 1024Gb.", + "Default": "5", + "Description": "The size of the database (Gb)", + "Type": "Number", + "MinValue": "5" + }, + "DBInstanceClass": { + "AllowedValues": [ + "db.t1.micro", + "db.m1.small", + "db.m1.medium", + "db.m1.large", + "db.m1.xlarge", + "db.m2.xlarge", + "db.m2.2xlarge", + "db.m2.4xlarge", + "db.m3.medium", + "db.m3.large", + "db.m3.xlarge", + "db.m3.2xlarge", + "db.m4.large", + "db.m4.xlarge", + "db.m4.2xlarge", + "db.m4.4xlarge", + "db.m4.10xlarge", + "db.r3.large", + "db.r3.xlarge", + "db.r3.2xlarge", + "db.r3.4xlarge", + "db.r3.8xlarge", + "db.m2.xlarge", + "db.m2.2xlarge", + "db.m2.4xlarge", + "db.cr1.8xlarge", + "db.t2.micro", + "db.t2.small", + "db.t2.medium", + "db.t2.large" + ], + "ConstraintDescription": "must select a valid database instance type.", + "Description": "The database instance type", + "Type": "String", + "Default": "db.t2.small" + }, + "EC2SecurityGroup": { + "AllowedPattern": "[a-zA-Z0-9\\-]+", + "ConstraintDescription": "must be a valid security group name.", + "Description": "The EC2 security group that contains instances that need access to the database", + "Default": "default", + "Type": "String" + }, + "DBName": { + "Default": "MyDatabase", + "Description": "The database name", + "Type": "String", + "MinLength": "1", + "MaxLength": "64", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters." + }, + "DBUser": { + "NoEcho": "true", + "Description": "The database admin account username", + "Type": "String", + "MinLength": "1", + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters." 
+ }, + "DBPassword": { + "NoEcho": "true", + "Description": "The database admin account password", + "Type": "String", + "MinLength": "1", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]+", + "ConstraintDescription": "must contain only alphanumeric characters." + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: "AWS CloudFormation Sample Template RDS_MySQL_With_Read_Replica: + Sample template showing how to create a highly-available, RDS DBInstance with + a read replica. **WARNING** This template creates an Amazon Relational + Database Service database instance and Amazon CloudWatch alarms. You will be + billed for the AWS resources used if you create a stack from this template." +Parameters: + DBName: + Default: MyDatabase + Description: The database name + Type: String + MinLength: "1" + MaxLength: "64" + AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBUser: + NoEcho: "true" + Description: The database admin account username + Type: String + MinLength: "1" + MaxLength: "16" + AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: "true" + Description: The database admin account password + Type: String + MinLength: "1" + MaxLength: "41" + AllowedPattern: "[a-zA-Z0-9]+" + ConstraintDescription: must contain only alphanumeric characters. + DBAllocatedStorage: + Default: "5" + Description: The size of the database (Gb) + Type: Number + MinValue: "5" + MaxValue: "1024" + ConstraintDescription: must be between 5 and 1024Gb. 
+ DBInstanceClass: + Description: The database instance type + Type: String + Default: db.t2.small + AllowedValues: + - db.t1.micro + - db.m1.small + - db.m1.medium + - db.m1.large + - db.m1.xlarge + - db.m2.xlarge + - db.m2.2xlarge + - db.m2.4xlarge + - db.m3.medium + - db.m3.large + - db.m3.xlarge + - db.m3.2xlarge + - db.m4.large + - db.m4.xlarge + - db.m4.2xlarge + - db.m4.4xlarge + - db.m4.10xlarge + - db.r3.large + - db.r3.xlarge + - db.r3.2xlarge + - db.r3.4xlarge + - db.r3.8xlarge + - db.m2.xlarge + - db.m2.2xlarge + - db.m2.4xlarge + - db.cr1.8xlarge + - db.t2.micro + - db.t2.small + - db.t2.medium + - db.t2.large + ConstraintDescription: must select a valid database instance type. + EC2SecurityGroup: + Description: The EC2 security group that contains instances that need access to + the database + Default: default + Type: String + AllowedPattern: "[a-zA-Z0-9\\-]+" + ConstraintDescription: must be a valid security group name. +Conditions: + Is-EC2-VPC: + Fn::Or: + - Fn::Equals: + - Ref: AWS::Region + - eu-central-1 + - Fn::Equals: + - Ref: AWS::Region + - cn-north-1 + Is-EC2-Classic: + Fn::Not: + - Condition: Is-EC2-VPC +Resources: + DBEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Condition: Is-EC2-VPC + Properties: + GroupDescription: Open database for access + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 3306 + ToPort: 3306 + SourceSecurityGroupName: + Ref: EC2SecurityGroup + DBSecurityGroup: + Type: AWS::RDS::DBSecurityGroup + Condition: Is-EC2-Classic + Properties: + DBSecurityGroupIngress: + - EC2SecurityGroupName: + Ref: EC2SecurityGroup + GroupDescription: database access + MasterDB: + Type: AWS::RDS::DBInstance + Properties: + DBName: + Ref: DBName + AllocatedStorage: + Ref: DBAllocatedStorage + DBInstanceClass: + Ref: DBInstanceClass + Engine: MySQL + MasterUsername: + Ref: DBUser + MasterUserPassword: + Ref: DBPassword + MultiAZ: true + Tags: + - Key: Name + Value: Master Database + VPCSecurityGroups: + Fn::If: + - Is-EC2-VPC + - - 
Fn::GetAtt: + - DBEC2SecurityGroup + - GroupId + - Ref: AWS::NoValue + DBSecurityGroups: + Fn::If: + - Is-EC2-Classic + - - Ref: DBSecurityGroup + - Ref: AWS::NoValue + DeletionPolicy: Snapshot + UpdateReplacePolicy: Snapshot + ReplicaDB: + Type: AWS::RDS::DBInstance + Properties: + SourceDBInstanceIdentifier: + Ref: MasterDB + DBInstanceClass: + Ref: DBInstanceClass + MultiAZ: true + Tags: + - Key: Name + Value: Read Replica Database +Outputs: + EC2Platform: + Description: Platform in which this stack is deployed + Value: + Fn::If: + - Is-EC2-VPC + - EC2-VPC + - EC2-Classic + MasterJDBCConnectionString: + Description: JDBC connection string for the master database + Value: + Fn::Join: + - "" + - - jdbc:mysql:// + - Fn::GetAtt: + - MasterDB + - Endpoint.Address + - ":" + - Fn::GetAtt: + - MasterDB + - Endpoint.Port + - / + - Ref: DBName + ReplicaJDBCConnectionString: + Description: JDBC connection string for the replica database + Value: + Fn::Join: + - "" + - - jdbc:mysql:// + - Fn::GetAtt: + - ReplicaDB + - Endpoint.Address + - ":" + - Fn::GetAtt: + - ReplicaDB + - Endpoint.Port + - / + - Ref: DBName + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "DBEC2SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Condition": "Is-EC2-VPC", + "Properties": { + "GroupDescription": "Open database for access", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 3306, + "ToPort": 3306, + "SourceSecurityGroupName": { + "Ref": "EC2SecurityGroup" + } + } + ] + } + }, + "DBSecurityGroup": { + "Type": "AWS::RDS::DBSecurityGroup", + "Condition": "Is-EC2-Classic", + "Properties": { + "DBSecurityGroupIngress": [ + { + "EC2SecurityGroupName": { + "Ref": "EC2SecurityGroup" + } + } + ], + "GroupDescription": "database access" + } + }, + "MasterDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "VPCSecurityGroups": { + "Fn::If": [ + "Is-EC2-VPC", + [ + { + "Fn::GetAtt": [ + "DBEC2SecurityGroup", + "GroupId" + ] + } + ], + { + "Ref": "AWS::NoValue" + } + ] + }, + "DBSecurityGroups": { + "Fn::If": [ + "Is-EC2-Classic", + [ + { + "Ref": "DBSecurityGroup" + } + ], + { + "Ref": "AWS::NoValue" + } + ] + }, + "DBName": { + "Ref": "DBName" + }, + "AllocatedStorage": { + "Ref": "DBAllocatedStorage" + }, + "DBInstanceClass": { + "Ref": "DBInstanceClass" + }, + "MasterUserPassword": { + "Ref": "DBPassword" + }, + "MultiAZ": true, + "Engine": "MySQL", + "MasterUsername": { + "Ref": "DBUser" + }, + "Tags": [ + { + "Key": "Name", + "Value": "Master Database" + } + ] + }, + "DeletionPolicy": "Snapshot", + "UpdateReplacePolicy": "Snapshot" + }, + "ReplicaDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceDBInstanceIdentifier": { + "Ref": "MasterDB" + }, + "DBInstanceClass": { + "Ref": "DBInstanceClass" + }, + "MultiAZ": true, + "Tags": [ + { + "Key": "Name", + "Value": "Read Replica Database" + } + ] + } + } + }, + "Outputs": { + "EC2Platform": { + "Description": "Platform in which this stack is deployed", + "Value": { + "Fn::If": [ + "Is-EC2-VPC", + "EC2-VPC", + "EC2-Classic" + ] + } + }, + "MasterJDBCConnectionString": { + "Description": "JDBC connection string 
for the master database", + "Value": { + "Fn::Join": [ + "", + [ + "jdbc:mysql://", + { + "Fn::GetAtt": [ + "MasterDB", + "Endpoint.Address" + ] + }, + ":", + { + "Fn::GetAtt": [ + "MasterDB", + "Endpoint.Port" + ] + }, + "/", + { + "Ref": "DBName" + } + ] + ] + } + }, + "ReplicaJDBCConnectionString": { + "Description": "JDBC connection string for the replica database", + "Value": { + "Fn::Join": [ + "", + [ + "jdbc:mysql://", + { + "Fn::GetAtt": [ + "ReplicaDB", + "Endpoint.Address" + ] + }, + ":", + { + "Fn::GetAtt": [ + "ReplicaDB", + "Endpoint.Port" + ] + }, + "/", + { + "Ref": "DBName" + } + ] + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "AWS CloudFormation Sample Template RDS_MySQL_With_Read_Replica: Sample template showing how to create a highly-available, RDS DBInstance with a read replica. **WARNING** This template creates an Amazon Relational Database Service database instance and Amazon CloudWatch alarms. You will be billed for the AWS resources used if you create a stack from this template.", + "Parameters": { + "DBName": { + "MaxLength": "64", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.", + "Default": "MyDatabase", + "Description": "The database name", + "Type": "String", + "MinLength": "1" + }, + "DBUser": { + "NoEcho": "true", + "Description": "The database admin account username", + "Type": "String", + "MinLength": "1", + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters." + }, + "DBPassword": { + "NoEcho": "true", + "Description": "The database admin account password", + "Type": "String", + "MinLength": "1", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]+", + "ConstraintDescription": "must contain only alphanumeric characters." 
+ }, + "DBAllocatedStorage": { + "Default": "5", + "Description": "The size of the database (Gb)", + "Type": "Number", + "MinValue": "5", + "MaxValue": "1024", + "ConstraintDescription": "must be between 5 and 1024Gb." + }, + "DBInstanceClass": { + "Type": "String", + "Default": "db.t2.small", + "AllowedValues": [ + "db.t1.micro", + "db.m1.small", + "db.m1.medium", + "db.m1.large", + "db.m1.xlarge", + "db.m2.xlarge", + "db.m2.2xlarge", + "db.m2.4xlarge", + "db.m3.medium", + "db.m3.large", + "db.m3.xlarge", + "db.m3.2xlarge", + "db.m4.large", + "db.m4.xlarge", + "db.m4.2xlarge", + "db.m4.4xlarge", + "db.m4.10xlarge", + "db.r3.large", + "db.r3.xlarge", + "db.r3.2xlarge", + "db.r3.4xlarge", + "db.r3.8xlarge", + "db.m2.xlarge", + "db.m2.2xlarge", + "db.m2.4xlarge", + "db.cr1.8xlarge", + "db.t2.micro", + "db.t2.small", + "db.t2.medium", + "db.t2.large" + ], + "ConstraintDescription": "must select a valid database instance type.", + "Description": "The database instance type" + }, + "EC2SecurityGroup": { + "Default": "default", + "Type": "String", + "AllowedPattern": "[a-zA-Z0-9\\-]+", + "ConstraintDescription": "must be a valid security group name.", + "Description": "The EC2 security group that contains instances that need access to the database" + } + }, + "Conditions": { + "Is-EC2-VPC": { + "Fn::Or": [ + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "eu-central-1" + ] + }, + { + "Fn::Equals": [ + { + "Ref": "AWS::Region" + }, + "cn-north-1" + ] + } + ] + }, + "Is-EC2-Classic": { + "Fn::Not": [ + { + "Condition": "Is-EC2-VPC" + } + ] + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/2c161e58-cb52-454f-abea-6470c37b5e6e.md b/docs/queries/cloudformation-queries/aws/2c161e58-cb52-454f-abea-6470c37b5e6e.md new file mode 100644 index 00000000000..7adc01161c4 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/2c161e58-cb52-454f-abea-6470c37b5e6e.md 
@@ -0,0 +1,350 @@ +--- +title: RDS DB Instance With Deletion Protection Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2c161e58-cb52-454f-abea-6470c37b5e6e +- **Query name:** RDS DB Instance With Deletion Protection Disabled +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/rds_db_instance_with_deletion_protection_disabled) + +### Description +RDS DBInstance should have deletion protection set to true
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-deletionprotection) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="34" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + DeletionProtection: false + KmsKeyId: !Ref MyKey +Outputs: + InstanceId: + Description: InstanceId of the newly created RDS Instance + Value: !Ref MyDBSmall + + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="30" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey1: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall1: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + KmsKeyId: !Ref MyKey +Outputs: + InstanceId: + Description: InstanceId of the newly created RDS Instance + Value: !Ref MyDBSmall1 + +``` +```json title="Postitive test num. 3 - json file" hl_lines="49" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow" + } + ] + } + } + }, + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBInstanceClass": "DBInstanceType", + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier", + "SourceRegion": "SourceRegion", + "DeletionProtection": false, + "KmsKeyId": "MyKey" + } + } + }, + "Outputs": { + "InstanceId": { + "Description": "InstanceId of the newly created RDS Instance", + "Value": "MyDBSmall" + } + } +} + 
+``` +
Postitive test num. 4 - json file + +```json hl_lines="45" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyKey1": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Id": "key-default-1", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions" + } + ], + "Version": "2012-10-17T00:00:00Z" + } + } + }, + "MyDBSmall1": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceRegion": "SourceRegion", + "KmsKeyId": "MyKey", + "DBInstanceClass": "DBInstanceType", + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier" + } + } + }, + "Outputs": { + "InstanceId": { + "Description": "InstanceId of the newly created RDS Instance", + "Value": "MyDBSmall1" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + DeletionProtection: true + KmsKeyId: !Ref MyKey +Outputs: + InstanceId: + Description: InstanceId of the newly created RDS Instance + Value: !Ref MyDBSmall + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "RDS Storage Encrypted", + "Parameters": { + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + }, + "SourceDBInstanceIdentifier": { + "Type": "String" + } + }, + "Resources": { + "MyKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*" + } + ], + "Version": "2012-10-17T00:00:00Z" + } + } + }, + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier", + "SourceRegion": "SourceRegion", + "DeletionProtection": true, + "KmsKeyId": "MyKey", + "DBInstanceClass": "DBInstanceType" + } + } + }, + "Outputs": { + "InstanceId": { + "Description": "InstanceId of the newly created RDS Instance", + "Value": "MyDBSmall" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/2ff8e83c-90e1-4d68-a300-6d652112e622.md b/docs/queries/cloudformation-queries/aws/2ff8e83c-90e1-4d68-a300-6d652112e622.md new file mode 100644 index 00000000000..04f42861d56 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/2ff8e83c-90e1-4d68-a300-6d652112e622.md @@ -0,0 +1,581 @@ +--- +title: EFS Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2ff8e83c-90e1-4d68-a300-6d652112e622 +- **Query name:** EFS Not Encrypted +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/efs_not_encrypted) + +### Description +Elastic File System (EFS) must be encrypted
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="49" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create EFS system and Mount Targets for test VPC" +Parameters: + VPC: + Type: String + Description: The VPC identity + Default: vpc-ID + SubnetID1: + Type: String + Description: The subnet where to launch the service + Default: subnet-ID + SubnetID2: + Type: String + Description: the subnet where to Launch the service + Default: subnet-ID + SubnetID3: + Type: String + Description: The subnet where to launch the service + Default: subnet-ID + SubnetID4: + Type: String + Description: the subnet where to Launch the service + Default: subnet-ID +Resources: + EFSSecurityGroup: + Type: "AWS::EC2::SecurityGroup" + Properties: + GroupDescription: "security group for the prod EFS" + GroupName: "test-EFS-SG" + VpcId: !Ref VPC + SecurityGroupIngress: + - SourceSecurityGroupId: sg-ID + Description: "servers to connect to efs" + FromPort: 2049 + IpProtocol: "tcp" + ToPort: 2049 + Tags: + - Key: Environment + Value: prod + - Key: Name + Value: test-VPC-EFS-SG + - Key: Project + Value: ITEngineering + EFSFileSystem01: + Type: AWS::EFS::FileSystem + Properties: + BackupPolicy: + Status: ENABLED + Encrypted: false + LifecyclePolicies: + - TransitionToIA: AFTER_60_DAYS + PerformanceMode: generalPurpose + ThroughputMode: bursting + FileSystemTags: + - Key: Environment + Value: prod + - Key: Name + Value: test-VPC-EFS + - Key: Project + Value: ITEngineering + MountTarget1: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID1 + MountTarget2: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - 
!Ref EFSSecurityGroup + SubnetId: !Ref SubnetID2 + MountTarget3: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID3 + MountTarget4: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID4 +Outputs: + EFS: + Description: The created EFS + Value: !Ref EFSFileSystem01 + EFSMountTarget1: + Description: The EFS MountTarget1 + Value: !Ref MountTarget1 + EFSMountTarget2: + Description: The EFS MountTarget2 + Value: !Ref MountTarget2 + EFSMountTarget3: + Description: The EFS MountTarget3 + Value: !Ref MountTarget3 + EFSMountTarget4: + Description: The EFS MountTarget4 + Value: !Ref MountTarget4 + +``` +```json title="Postitive test num. 2 - json file" hl_lines="90" +{ + "Description": "Create EFS system and Mount Targets for test VPC", + "Parameters": { + "VPC": { + "Type": "String", + "Description": "The VPC identity", + "Default": "vpc-ID" + }, + "SubnetID1": { + "Description": "The subnet where to launch the service", + "Default": "subnet-ID", + "Type": "String" + }, + "SubnetID2": { + "Type": "String", + "Description": "the subnet where to Launch the service", + "Default": "subnet-ID" + }, + "SubnetID3": { + "Default": "subnet-ID", + "Type": "String", + "Description": "The subnet where to launch the service" + }, + "SubnetID4": { + "Description": "the subnet where to Launch the service", + "Default": "subnet-ID", + "Type": "String" + } + }, + "Resources": { + "MountTarget3": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID3" + } + }, + "MountTarget4": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + 
"EFSSecurityGroup" + ], + "SubnetId": "SubnetID4" + } + }, + "EFSSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "security group for the prod EFS", + "GroupName": "test-EFS-SG", + "VpcId": "VPC", + "SecurityGroupIngress": [ + { + "ToPort": 2049, + "SourceSecurityGroupId": "sg-ID", + "Description": "servers to connect to efs", + "FromPort": 2049, + "IpProtocol": "tcp" + } + ], + "Tags": [ + { + "Key": "Environment", + "Value": "prod" + }, + { + "Key": "Name", + "Value": "test-VPC-EFS-SG" + }, + { + "Key": "Project", + "Value": "ITEngineering" + } + ] + } + }, + "EFSFileSystem01": { + "Type": "AWS::EFS::FileSystem", + "Properties": { + "BackupPolicy": { + "Status": "ENABLED" + }, + "Encrypted": false, + "LifecyclePolicies": [ + { + "TransitionToIA": "AFTER_60_DAYS" + } + ], + "PerformanceMode": "generalPurpose", + "ThroughputMode": "bursting", + "FileSystemTags": [ + { + "Value": "prod", + "Key": "Environment" + }, + { + "Key": "Name", + "Value": "test-VPC-EFS" + }, + { + "Key": "Project", + "Value": "ITEngineering" + } + ] + } + }, + "MountTarget1": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID1" + } + }, + "MountTarget2": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "SubnetId": "SubnetID2", + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ] + } + } + }, + "Outputs": { + "EFS": { + "Description": "The created EFS", + "Value": "EFSFileSystem01" + }, + "EFSMountTarget1": { + "Description": "The EFS MountTarget1", + "Value": "MountTarget1" + }, + "EFSMountTarget2": { + "Description": "The EFS MountTarget2", + "Value": "MountTarget2" + }, + "EFSMountTarget3": { + "Description": "The EFS MountTarget3", + "Value": "MountTarget3" + }, + "EFSMountTarget4": { + "Value": "MountTarget4", + "Description": "The EFS 
MountTarget4" + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create EFS system and Mount Targets for test VPC" +Parameters: + VPC: + Type: String + Description: The VPC identity + Default: vpc-ID + SubnetID1: + Type: String + Description: The subnet where to launch the service + Default: subnet-ID + SubnetID2: + Type: String + Description: the subnet where to Launch the service + Default: subnet-ID + SubnetID3: + Type: String + Description: The subnet where to launch the service + Default: subnet-ID + SubnetID4: + Type: String + Description: the subnet where to Launch the service + Default: subnet-ID +Resources: + EFSSecurityGroup: + Type: "AWS::EC2::SecurityGroup" + Properties: + GroupDescription: "security group for the prod EFS" + GroupName: "test-EFS-SG" + VpcId: !Ref VPC + SecurityGroupIngress: + - SourceSecurityGroupId: sg-ID + Description: "servers to connect to efs" + FromPort: 2049 + IpProtocol: "tcp" + ToPort: 2049 + Tags: + - Key: Environment + Value: prod + - Key: Name + Value: test-VPC-EFS-SG + - Key: Project + Value: ITEngineering + EFSFileSystem: + Type: AWS::EFS::FileSystem + Properties: + BackupPolicy: + Status: ENABLED + Encrypted: true + LifecyclePolicies: + - TransitionToIA: AFTER_60_DAYS + PerformanceMode: generalPurpose + ThroughputMode: bursting + FileSystemTags: + - Key: Environment + Value: prod + - Key: Name + Value: test-VPC-EFS + - Key: Project + Value: ITEngineering + MountTarget1: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID1 + MountTarget2: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID2 + MountTarget3: + Type: 
AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID3 + MountTarget4: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID4 +Outputs: + EFS: + Description: The created EFS + Value: !Ref EFSFileSystem + EFSMountTarget1: + Description: The EFS MountTarget1 + Value: !Ref MountTarget1 + EFSMountTarget2: + Description: The EFS MountTarget2 + Value: !Ref MountTarget2 + EFSMountTarget3: + Description: The EFS MountTarget3 + Value: !Ref MountTarget3 + EFSMountTarget4: + Description: The EFS MountTarget4 + Value: !Ref MountTarget4 + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "EFSFileSystem": { + "Type": "AWS::EFS::FileSystem", + "Properties": { + "BackupPolicy": { + "Status": "ENABLED" + }, + "Encrypted": true, + "LifecyclePolicies": [ + { + "TransitionToIA": "AFTER_60_DAYS" + } + ], + "PerformanceMode": "generalPurpose", + "ThroughputMode": "bursting", + "FileSystemTags": [ + { + "Value": "prod", + "Key": "Environment" + }, + { + "Key": "Name", + "Value": "test-VPC-EFS" + }, + { + "Key": "Project", + "Value": "ITEngineering" + } + ] + } + }, + "MountTarget1": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID1" + } + }, + "MountTarget2": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID2", + "FileSystemId": "EFSFileSystem" + } + }, + "MountTarget3": { + "Properties": { + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID3", + "FileSystemId": "EFSFileSystem" + }, + "Type": "AWS::EFS::MountTarget" + }, + "MountTarget4": { + "Type": 
"AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID4" + } + }, + "EFSSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "security group for the prod EFS", + "GroupName": "test-EFS-SG", + "VpcId": "VPC", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "ToPort": 2049, + "SourceSecurityGroupId": "sg-ID", + "Description": "servers to connect to efs", + "FromPort": 2049 + } + ], + "Tags": [ + { + "Key": "Environment", + "Value": "prod" + }, + { + "Key": "Name", + "Value": "test-VPC-EFS-SG" + }, + { + "Key": "Project", + "Value": "ITEngineering" + } + ] + } + } + }, + "Outputs": { + "EFSMountTarget2": { + "Value": "MountTarget2", + "Description": "The EFS MountTarget2" + }, + "EFSMountTarget3": { + "Description": "The EFS MountTarget3", + "Value": "MountTarget3" + }, + "EFSMountTarget4": { + "Description": "The EFS MountTarget4", + "Value": "MountTarget4" + }, + "EFS": { + "Description": "The created EFS", + "Value": "EFSFileSystem" + }, + "EFSMountTarget1": { + "Description": "The EFS MountTarget1", + "Value": "MountTarget1" + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create EFS system and Mount Targets for test VPC", + "Parameters": { + "VPC": { + "Type": "String", + "Description": "The VPC identity", + "Default": "vpc-ID" + }, + "SubnetID1": { + "Default": "subnet-ID", + "Type": "String", + "Description": "The subnet where to launch the service" + }, + "SubnetID2": { + "Type": "String", + "Description": "the subnet where to Launch the service", + "Default": "subnet-ID" + }, + "SubnetID3": { + "Type": "String", + "Description": "The subnet where to launch the service", + "Default": "subnet-ID" + }, + "SubnetID4": { + "Type": "String", + "Description": "the subnet where to Launch the service", + "Default": "subnet-ID" + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/316278b3-87ac-444c-8f8f-a733a28da60f.md b/docs/queries/cloudformation-queries/aws/316278b3-87ac-444c-8f8f-a733a28da60f.md new file mode 100644 index 00000000000..ab22021b95d --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/316278b3-87ac-444c-8f8f-a733a28da60f.md @@ -0,0 +1,158 @@ +--- +title: AmazonMQ Broker Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 316278b3-87ac-444c-8f8f-a733a28da60f +- **Query name:** AmazonMQ Broker Encryption Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/amazon_mq_broker_encryption_disabled) + +### Description +AmazonMQ Broker should have Encryption Options defined
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-encryptionoptions) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create a basic ActiveMQ broker" +Resources: + BasicBroker: + Type: "AWS::AmazonMQ::Broker" + Properties: + AutoMinorVersionUpgrade: "false" + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: "true" + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create a basic ActiveMQ broker", + "Resources": { + "BasicBroker": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "HostInstanceType": "mq.t2.micro", + "PubliclyAccessible": "true", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "AutoMinorVersionUpgrade": "false", + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create a basic ActiveMQ broker" +Resources: + BasicBroker: + Type: "AWS::AmazonMQ::Broker" + Properties: + AutoMinorVersionUpgrade: "false" + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EncryptionOptions: + UseAwsOwnedKey: true + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: "true" + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create a basic ActiveMQ broker", + "Resources": { + "BasicBroker": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EncryptionOptions": { + "UseAwsOwnedKey": true + }, + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "AutoMinorVersionUpgrade": "false", + "PubliclyAccessible": "true" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/31733ee2-fef0-4e87-9778-65da22a8ecf1.md b/docs/queries/cloudformation-queries/aws/31733ee2-fef0-4e87-9778-65da22a8ecf1.md new file mode 100644 index 00000000000..3e79b5fffa4 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/31733ee2-fef0-4e87-9778-65da22a8ecf1.md 
@@ -0,0 +1,272 @@ +--- +title: Cloudfront Viewer Protocol Policy Allows HTTP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 31733ee2-fef0-4e87-9778-65da22a8ecf1 +- **Query name:** Cloudfront Viewer Protocol Policy Allows HTTP +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudfront_viewer_protocol_policy_allows_http) + +### Description +Checks if the connection between CloudFront and the viewer is encrypted
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13 30" +#this is a problematic code where the query should report a result(s) +AWSTemplateFormatVersion: "2010-09-09" +Resources: + cloudfrontdistribution_1: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + CacheBehaviors: + - LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + DefaultCacheBehavior: + ViewerProtocolPolicy: allow-all + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + IPV6Enabled: true + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: 60 + OriginReadTimeout: 30 + Tags: + - Key: name + Value: example + cloudfrontdistribution_2: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + CacheBehaviors: + - ViewerProtocolPolicy: allow-all + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + DefaultCacheBehavior: + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + IPV6Enabled: true + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: 60 + OriginReadTimeout: 30 + Tags: + - Key: name + Value: example +``` +```json title="Postitive test num. 
2 - json file" hl_lines="10 50" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "cloudfrontdistribution_2": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "CacheBehaviors": [ + { + "ViewerProtocolPolicy": "allow-all", + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + } + ], + "DefaultCacheBehavior": { + "LambdaFunctionAssociations": [ + { + "LambdaFunctionARN": "examp", + "EventType": "viewer-request" + } + ] + }, + "IPV6Enabled": true, + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": 60, + "OriginReadTimeout": 30 + } + } + ], + "Tags": [ + { + "Value": "example", + "Key": "name" + } + ] + } + } + }, + "cloudfrontdistribution_1": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "DefaultCacheBehavior": { + "ViewerProtocolPolicy": "allow-all", + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + }, + "IPV6Enabled": true, + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": 60, + "OriginReadTimeout": 30 + } + } + ], + "CacheBehaviors": [ + { + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + } + ] + }, + "Tags": [ + { + "Key": "name", + "Value": "example" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: "2010-09-09" +Resources: + cloudfrontdistribution_1: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + CacheBehaviors: + - LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + DefaultCacheBehavior: + ViewerProtocolPolicy: https-only + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + IPV6Enabled: true + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: 60 + OriginReadTimeout: 30 + Tags: + - Key: name + Value: example +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "cloudfrontdistribution_1": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "CacheBehaviors": [ + { + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + } + ], + "DefaultCacheBehavior": { + "ViewerProtocolPolicy": "https-only", + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + }, + "IPV6Enabled": true, + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": 60, + "OriginReadTimeout": 30 + } + } + ] + }, + "Tags": [ + { + "Key": "name", + "Value": "example" + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: "2010-09-09" +Resources: + cloudfrontdistribution_1: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + CacheBehaviors: + - LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + DefaultCacheBehavior: + ViewerProtocolPolicy: redirect-to-https + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + IPV6Enabled: true + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: 60 + OriginReadTimeout: 30 + Tags: + - Key: name + Value: example + +``` diff --git a/docs/queries/cloudformation-queries/aws/323db967-c68e-44e6-916c-a777f95af34b.md b/docs/queries/cloudformation-queries/aws/323db967-c68e-44e6-916c-a777f95af34b.md new file mode 100644 index 00000000000..3d8f5b39576 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/323db967-c68e-44e6-916c-a777f95af34b.md @@ -0,0 +1,247 @@ +--- +title: ElastiCache Using Default Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 323db967-c68e-44e6-916c-a777f95af34b +- **Query name:** ElastiCache Using Default Port +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elasticache_using_default_port) + +### Description +ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html#cfn-elasticache-replicationgroup-port) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +Resources: + BasicReplicationGroup: + Type: 'AWS::ElastiCache::ReplicationGroup' + Properties: + AutomaticFailoverEnabled: true + CacheNodeType: cache.r3.large + CacheSubnetGroupName: !Ref CacheSubnetGroup + Engine: redis + EngineVersion: '3.2' + NumNodeGroups: '2' + ReplicasPerNodeGroup: '3' + Port: 6379 + PreferredMaintenanceWindow: 'sun:05:00-sun:09:00' + ReplicationGroupDescription: A sample replication group + SecurityGroupIds: + - !Ref ReplicationGroupSG + SnapshotRetentionLimit: 5 + SnapshotWindow: '10:00-12:00' + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +Resources: + BasicReplicationGroup: + Type: 'AWS::ElastiCache::ReplicationGroup' + Properties: + AutomaticFailoverEnabled: true + CacheNodeType: cache.r3.large + CacheSubnetGroupName: !Ref CacheSubnetGroup + Engine: memcached + EngineVersion: '3.2' + NumNodeGroups: '2' + ReplicasPerNodeGroup: '3' + Port: 11211 + PreferredMaintenanceWindow: 'sun:05:00-sun:09:00' + ReplicationGroupDescription: A sample replication group + SecurityGroupIds: + - !Ref ReplicationGroupSG + SnapshotRetentionLimit: 5 + SnapshotWindow: '10:00-12:00' + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="15" +{ + "Resources": { + "BasicReplicationGroup": { + "Type": "AWS::ElastiCache::ReplicationGroup", + "Properties": { + "AutomaticFailoverEnabled": true, + "CacheNodeType": "cache.r3.large", + "CacheSubnetGroupName": { + "Ref": "CacheSubnetGroup" + }, + "Engine": "redis", + "EngineVersion": "3.2", + "NumNodeGroups": "2", + "ReplicasPerNodeGroup": "3", + "Port": 6379, + "PreferredMaintenanceWindow": "sun:05:00-sun:09:00", + "ReplicationGroupDescription": "A sample replication group", + "SecurityGroupIds": [ + { + "Ref": "ReplicationGroupSG" + } + ], + "SnapshotRetentionLimit": 5, + "SnapshotWindow": "10:00-12:00" + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="15" +{ + "Resources": { + "BasicReplicationGroup": { + "Type": "AWS::ElastiCache::ReplicationGroup", + "Properties": { + "AutomaticFailoverEnabled": true, + "CacheNodeType": "cache.r3.large", + "CacheSubnetGroupName": { + "Ref": "CacheSubnetGroup" + }, + "Engine": "memcached", + "EngineVersion": "3.2", + "NumNodeGroups": "2", + "ReplicasPerNodeGroup": "3", + "Port": 11211, + "PreferredMaintenanceWindow": "sun:05:00-sun:09:00", + "ReplicationGroupDescription": "A sample replication group", + "SecurityGroupIds": [ + { + "Ref": "ReplicationGroupSG" + } + ], + "SnapshotRetentionLimit": 5, + "SnapshotWindow": "10:00-12:00" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + BasicReplicationGroup: + Type: 'AWS::ElastiCache::ReplicationGroup' + Properties: + AutomaticFailoverEnabled: true + CacheNodeType: cache.r3.large + CacheSubnetGroupName: !Ref CacheSubnetGroup + Engine: redis + EngineVersion: '3.2' + NumNodeGroups: '2' + ReplicasPerNodeGroup: '3' + Port: 6380 + PreferredMaintenanceWindow: 'sun:05:00-sun:09:00' + ReplicationGroupDescription: A sample replication group + SecurityGroupIds: + - !Ref ReplicationGroupSG + SnapshotRetentionLimit: 5 + SnapshotWindow: '10:00-12:00' + +``` +```yaml title="Negative test num. 2 - yaml file" +Resources: + BasicReplicationGroup: + Type: 'AWS::ElastiCache::ReplicationGroup' + Properties: + AutomaticFailoverEnabled: true + CacheNodeType: cache.r3.large + CacheSubnetGroupName: !Ref CacheSubnetGroup + Engine: memcached + EngineVersion: '3.2' + NumNodeGroups: '2' + ReplicasPerNodeGroup: '3' + Port: 11212 + PreferredMaintenanceWindow: 'sun:05:00-sun:09:00' + ReplicationGroupDescription: A sample replication group + SecurityGroupIds: + - !Ref ReplicationGroupSG + SnapshotRetentionLimit: 5 + SnapshotWindow: '10:00-12:00' + +``` +```json title="Negative test num. 3 - json file" +{ + "Resources": { + "BasicReplicationGroup": { + "Type": "AWS::ElastiCache::ReplicationGroup", + "Properties": { + "AutomaticFailoverEnabled": true, + "CacheNodeType": "cache.r3.large", + "CacheSubnetGroupName": { + "Ref": "CacheSubnetGroup" + }, + "Engine": "redis", + "EngineVersion": "3.2", + "NumNodeGroups": "2", + "ReplicasPerNodeGroup": "3", + "Port": 6380, + "PreferredMaintenanceWindow": "sun:05:00-sun:09:00", + "ReplicationGroupDescription": "A sample replication group", + "SecurityGroupIds": [ + { + "Ref": "ReplicationGroupSG" + } + ], + "SnapshotRetentionLimit": 5, + "SnapshotWindow": "10:00-12:00" + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "BasicReplicationGroup": { + "Type": "AWS::ElastiCache::ReplicationGroup", + "Properties": { + "AutomaticFailoverEnabled": true, + "CacheNodeType": "cache.r3.large", + "CacheSubnetGroupName": { + "Ref": "CacheSubnetGroup" + }, + "Engine": "memcached", + "EngineVersion": "3.2", + "NumNodeGroups": "2", + "ReplicasPerNodeGroup": "3", + "Port": 11212, + "PreferredMaintenanceWindow": "sun:05:00-sun:09:00", + "ReplicationGroupDescription": "A sample replication group", + "SecurityGroupIds": [ + { + "Ref": "ReplicationGroupSG" + } + ], + "SnapshotRetentionLimit": 5, + "SnapshotWindow": "10:00-12:00" + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/33f41d31-86b1-46a4-81f7-9c9a671f59ac.md b/docs/queries/cloudformation-queries/aws/33f41d31-86b1-46a4-81f7-9c9a671f59ac.md new file mode 100644 index 00000000000..f07e486e086 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/33f41d31-86b1-46a4-81f7-9c9a671f59ac.md @@ -0,0 +1,215 @@ +--- +title: ECR Image Tag Not Immutable +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 33f41d31-86b1-46a4-81f7-9c9a671f59ac +- **Query name:** ECR Image Tag Not Immutable +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable) + +### Description +ECR should have an image tag be immutable. This prevents image tags from being overwritten.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="27 5" +Resources: + MyRepository3: + Type: AWS::ECR::Repository + Properties: + ImageTagMutability: "MUTABLE" + RepositoryName: "test-repository" + RepositoryPolicyText: + Version: "2012-10-17" + Statement: + - + Sid: AllowPushPull + Effect: Allow + Principal: + AWS: + - "arn:aws:iam::123456789012:user/Bob" + - "arn:aws:iam::123456789012:user/Alice" + Action: + - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchGetImage" + - "ecr:BatchCheckLayerAvailability" + - "ecr:PutImage" + - "ecr:InitiateLayerUpload" + - "ecr:UploadLayerPart" + - "ecr:CompleteLayerUpload" + MyRepository4: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + RepositoryPolicyText: + Version: "2012-10-17" + Statement: + - + Sid: AllowPushPull + Effect: Allow + Principal: + AWS: + - "arn:aws:iam::123456789012:user/Bob" + - "arn:aws:iam::123456789012:user/Alice" + Action: + - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchGetImage" + - "ecr:BatchCheckLayerAvailability" + - "ecr:PutImage" + - "ecr:InitiateLayerUpload" + - "ecr:UploadLayerPart" + - "ecr:CompleteLayerUpload" + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="36 6" +{ + "Resources": { + "MyRepository5": { + "Type": "AWS::ECR::Repository", + "Properties": { + "ImageTagMutability": "MUTABLE", + "RepositoryName": "test-repository", + "RepositoryPolicyText": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AllowPushPull", + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::123456789012:user/Bob", + "arn:aws:iam::123456789012:user/Alice" + ] + }, + "Action": [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload" + ] + } + ] + } + } + }, + "MyRepository6": { + "Type": "AWS::ECR::Repository", + "Properties": { + "RepositoryName": "test-repository", + "RepositoryPolicyText": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AllowPushPull", + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::123456789012:user/Bob", + "arn:aws:iam::123456789012:user/Alice" + ] + }, + "Action": [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload" + ] + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + MyRepository: + Type: AWS::ECR::Repository + Properties: + ImageTagMutability: "IMMUTABLE" + RepositoryName: "test-repository" + RepositoryPolicyText: + Version: "2012-10-17" + Statement: + - + Sid: AllowPushPull + Effect: Allow + Principal: + AWS: + - "arn:aws:iam::123456789012:user/Bob" + - "arn:aws:iam::123456789012:user/Alice" + Action: + - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchGetImage" + - "ecr:BatchCheckLayerAvailability" + - "ecr:PutImage" + - "ecr:InitiateLayerUpload" + - "ecr:UploadLayerPart" + - "ecr:CompleteLayerUpload" + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "MyRepository2": { + "Type": "AWS::ECR::Repository", + "Properties": { + "ImageTagMutability": "IMMUTABLE", + "RepositoryName": "test-repository", + "RepositoryPolicyText": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AllowPushPull", + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::123456789012:user/Bob", + "arn:aws:iam::123456789012:user/Alice" + ] + }, + "Action": [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload" + ] + } + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/350cd468-0e2c-44ef-9d22-cfb73a62523c.md b/docs/queries/cloudformation-queries/aws/350cd468-0e2c-44ef-9d22-cfb73a62523c.md new file mode 100644 index 00000000000..319ec99181d --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/350cd468-0e2c-44ef-9d22-cfb73a62523c.md @@ -0,0 +1,106 @@ +--- +title: S3 Bucket Without Restriction Of Public Bucket +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 350cd468-0e2c-44ef-9d22-cfb73a62523c +- **Query name:** S3 Bucket Without Restriction Of Public Bucket +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_without_restriction_of_public_bucket) + +### Description +S3 bucket without restriction of public bucket
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 4 21" +Resources: + Bucket11: + Type: AWS::S3::Bucket + Properties: +--- +Resources: + Bucket12: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicPolicy : true +--- +Resources: + Bucket13: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: false + BlockPublicPolicy : true + IgnorePublicAcls : false + RestrictPublicBuckets : false + +``` +```json title="Postitive test num. 2 - json file" hl_lines="10" +{ + "Resources": { + "Bucket1": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": false, + "BlockPublicPolicy": true, + "IgnorePublicAcls": false, + "RestrictPublicBuckets": false + }, + "AccessControl": "Private" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + Bucket1: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls : true + BlockPublicPolicy : true + IgnorePublicAcls : true + RestrictPublicBuckets : true +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Bucket1": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "AccessControl": "Private" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/3609d27c-3698-483a-9402-13af6ae80583.md b/docs/queries/cloudformation-queries/aws/3609d27c-3698-483a-9402-13af6ae80583.md new file mode 100644 index 00000000000..740ae302b4e --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/3609d27c-3698-483a-9402-13af6ae80583.md @@ -0,0 +1,192 @@ +--- +title: S3 Bucket With Unsecured CORS Rule +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3609d27c-3698-483a-9402-13af6ae80583 +- **Query name:** S3 Bucket With Unsecured CORS Rule +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_with_unsecured_cors_rule) + +### Description +If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-cors.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + AccessControl: PublicRead + CorsConfiguration: + CorsRules: + - AllowedHeaders: + - '*' + AllowedMethods: + - GET + AllowedOrigins: + - '*' + ExposedHeaders: + - Date + Id: myCORSRuleId1 + MaxAge: 3600 + - AllowedMethods: + - DELETE + AllowedOrigins: + - 'http://www.example.com' + - 'http://www.example.net' + ExposedHeaders: + - Connection + - Server + - Date + Id: myCORSRuleId2 + MaxAge: 1800 + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "S3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "PublicRead", + "CorsConfiguration": { + "CorsRules": [ + { + "AllowedHeaders": [ + "*" + ], + "AllowedMethods": [ + "GET" + ], + "AllowedOrigins": [ + "*" + ], + "ExposedHeaders": [ + "Date" + ], + "Id": "myCORSRuleId1", + "MaxAge": 3600 + }, + { + "AllowedMethods": [ + "DELETE" + ], + "AllowedOrigins": [ + "http://www.example.com", + "http://www.example.net" + ], + "ExposedHeaders": [ + "Connection", + "Server", + "Date" + ], + "Id": "myCORSRuleId2", + "MaxAge": 1800 + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + AccessControl: PublicRead + CorsConfiguration: + CorsRules: + - AllowedMethods: + - GET + AllowedOrigins: + - 'https://s3-website-test.hashicorp.com' + ExposedHeaders: + - Date + Id: myCORSRuleId1 + MaxAge: 3600 + - AllowedMethods: + - DELETE + AllowedOrigins: + - 'http://www.example.com' + - 'http://www.example.net' + ExposedHeaders: + - Connection + - Server + - Date + Id: myCORSRuleId2 + MaxAge: 1800 + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "S3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "PublicRead", + "CorsConfiguration": { + "CorsRules": [ + { + "AllowedMethods": [ + "GET" + ], + "AllowedOrigins": [ + "https://s3-website-test.hashicorp.com" + ], + "ExposedHeaders": [ + "Date" + ], + "Id": "myCORSRuleId1", + "MaxAge": 3600 + }, + { + "AllowedMethods": [ + "DELETE" + ], + "AllowedOrigins": [ + "http://www.example.com", + "http://www.example.net" + ], + "ExposedHeaders": [ + "Connection", + "Server", + "Date" + ], + "Id": "myCORSRuleId2", + "MaxAge": 1800 + } + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md b/docs/queries/cloudformation-queries/aws/3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md new file mode 100644 index 00000000000..48d72db0e4e --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/3641d5b4-d339-4bc2-bfb9-208fe8d3477f.md 
@@ -0,0 +1,188 @@ +--- +title: API Gateway Method Does Not Contains An API Key +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3641d5b4-d339-4bc2-bfb9-208fe8d3477f +- **Query name:** API Gateway Method Does Not Contains An API Key +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_method_does_not_contains_an_api_key) + +### Description +An API Key should be required on a method request.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: "2010-09-09" +Description: ApiGateway +Resources: + MockMethod: + Type: 'AWS::ApiGateway::Method' + Properties: + ApiKeyRequired: false + RestApiId: !Ref MyApi + ResourceId: !GetAtt + - MyApi + - RootResourceId + HttpMethod: GET + AuthorizationType: NONE + Integration: + Type: MOCK + MethodResponses: + - StatusCode : "200" + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: ApiGateway +Resources: + MockMethod1: + Type: 'AWS::ApiGateway::Method' + Properties: + RestApiId: !Ref MyApi + ResourceId: !GetAtt + - MyApi + - RootResourceId + HttpMethod: GET + AuthorizationType: NONE + Integration: + Type: MOCK + MethodResponses: + - StatusCode : "200" + + +``` +```json title="Postitive test num. 3 - json file" hl_lines="13" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ApiGateway", + "Resources": { + "MockMethod": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "MethodResponses": [ + { + "StatusCode": "200" + } + ], + "ApiKeyRequired": false, + "RestApiId": "MyApi", + "ResourceId": [ + "MyApi", + "RootResourceId" + ], + "HttpMethod": "GET", + "AuthorizationType": "NONE", + "Integration": { + "Type": "MOCK" + } + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="6" +{ + "Description": "ApiGateway", + "Resources": { + "MockMethod1": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "ResourceId": [ + "MyApi", + "RootResourceId" + ], + "HttpMethod": "GET", + "AuthorizationType": "NONE", + "Integration": { + "Type": "MOCK" + }, + "MethodResponses": [ + { + "StatusCode": "200" + } + ], + "RestApiId": "MyApi" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: ApiGateway +Resources: + MockMethod: + Type: 'AWS::ApiGateway::Method' + Properties: + ApiKeyRequired: true + RestApiId: !Ref MyApi + ResourceId: !GetAtt + - MyApi + - RootResourceId + HttpMethod: "" + AuthorizationType: NONE + Integration: + Type: MOCK + MethodResponses: + - StatusCode : "200" + + + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "ApiGateway", + "Resources": { + "MockMethod": { + "Type": "AWS::ApiGateway::Method", + "Properties": { + "Integration": { + "Type": "MOCK" + }, + "MethodResponses": [ + { + "StatusCode": "200" + } + ], + "ApiKeyRequired": true, + "RestApiId": "MyApi", + "ResourceId": [ + "MyApi", + "RootResourceId" + ], + "HttpMethod": "", + "AuthorizationType": "NONE" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/37cca703-b74c-48ba-ac81-595b53398e9b.md b/docs/queries/cloudformation-queries/aws/37cca703-b74c-48ba-ac81-595b53398e9b.md new file mode 100644 index 00000000000..d72d4594ced --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/37cca703-b74c-48ba-ac81-595b53398e9b.md @@ -0,0 +1,136 @@ +--- +title: API Gateway Cache Encrypted Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 37cca703-b74c-48ba-ac81-595b53398e9b +- **Query name:** API Gateway Cache Encrypted Disabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_cache_encrypted_disabled) + +### Description +'API::Gateway::Deployment' should have 'CacheDataEncrypted' enabled when 'CachingEnabled' is set to true
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-deployment-stagedescription.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +Resources: + Deployment: + Type: 'AWS::ApiGateway::Deployment' + Properties: + RestApiId: !Ref MyApi + Description: My deployment + StageName: DummyStage + StageDescription: + CachingEnabled: true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="11" +{ + "Resources": { + "Deployment": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "My deployment", + "StageName": "DummyStage", + "StageDescription": { + "CachingEnabled": true + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="9" +Resources: + Deployment: + Type: 'AWS::ApiGateway::Deployment' + Properties: + RestApiId: !Ref MyApi + Description: My deployment + StageName: DummyStage + StageDescription: + CacheDataEncrypted: false + CachingEnabled: true + +``` +
Postitive test num. 4 - json file + +```json hl_lines="12" +{ + "Resources": { + "Deployment": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "My deployment", + "StageName": "DummyStage", + "StageDescription": { + "CacheDataEncrypted": false, + "CachingEnabled": true + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + Deployment: + Type: 'AWS::ApiGateway::Deployment' + Properties: + RestApiId: !Ref MyApi + Description: My deployment + StageName: DummyStage + StageDescription: + CacheDataEncrypted: true + CachingEnabled: true + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Deployment": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": { + "Ref": "MyApi" + }, + "Description": "My deployment", + "StageName": "DummyStage", + "StageDescription": { + "CacheDataEncrypted": true, + "CachingEnabled": true + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/37fa8188-738b-42c8-bf82-6334ea567738.md b/docs/queries/cloudformation-queries/aws/37fa8188-738b-42c8-bf82-6334ea567738.md new file mode 100644 index 00000000000..b179b75b723 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/37fa8188-738b-42c8-bf82-6334ea567738.md @@ -0,0 +1,595 @@ +--- +title: S3 Bucket Should Have Bucket Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 37fa8188-738b-42c8-bf82-6334ea567738 +- **Query name:** S3 Bucket Should Have Bucket Policy +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_should_have_bucket_policy) + +### Description +Checks if S3 Bucket has the same name as a Bucket Policy, if it has, S3 Bucket has a Bucket Policy associated
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="56 4 31" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + S3Bucket3: + Type: 'AWS::S3::Bucket' + DeletionPolicy: Retain + Properties: + BucketName: docexamplebucket1 + SampleBucketPolicy5: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: + Ref: docexamplebucketfail + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - Ref: docexamplebucket1 + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + S3Bucket: + Type: 'AWS::S3::Bucket' + DeletionPolicy: Retain + Properties: {} + SampleBucketPolicy2: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: docexamplebucket2 + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - Ref: docexamplebucket + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + S3Bucket7: + Type: 'AWS::S3::Bucket' + DeletionPolicy: Retain + Properties: + BucketName: docexamplebucket5 + SampleBucketPolicy8: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref docexamplebucketfail2 + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - Ref: docexamplebucket1 + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="88 42 130" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "SampleBucketPolicy8": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": "docexamplebucketfail2", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "docexamplebucket1" + }, + "/*" + ] + ] + }, + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + }, + "S3Bucket3": { + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain", + "Properties": { + "BucketName": "docexamplebucket1" + } + }, + "SampleBucketPolicy5": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "docexamplebucketfail" + }, + "PolicyDocument": { + "Statement": [ + { + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + }, + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "docexamplebucket1" + }, + "/*" + ] + ] + }, + "Principal": "*" + } + ] + } + } + }, + "S3Bucket": { + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain", + "Properties": {} + }, + "SampleBucketPolicy2": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": "docexamplebucket2", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "docexamplebucket" + }, + "/*" + ] + ] + }, + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + }, + "S3Bucket7": { + "DeletionPolicy": "Retain", + "Properties": { + "BucketName": "docexamplebucket5" + }, + 
"Type": "AWS::S3::Bucket" + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + MyS3Bucket2: + Type: 'AWS::S3::Bucket' + Properties: + AccessControl: PublicRead + MetricsConfigurations: + - Id: EntireBucket + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + RoutingRules: + - RoutingRuleCondition: + HttpErrorCodeReturnedEquals: '404' + KeyPrefixEquals: out1/ + RedirectRule: + HostName: ec2-11-22-333-44.compute-1.amazonaws.com + ReplaceKeyPrefixWith: report-404/ + +``` +
Postitive test num. 4 - json file + +```json hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "MyS3Bucket2": { + "Properties": { + "AccessControl": "PublicRead", + "MetricsConfigurations": [ + { + "Id": "EntireBucket" + } + ], + "WebsiteConfiguration": { + "ErrorDocument": "error.html", + "IndexDocument": "index.html", + "RoutingRules": [ + { + "RedirectRule": { + "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", + "ReplaceKeyPrefixWith": "report-404/" + }, + "RoutingRuleCondition": { + "HttpErrorCodeReturnedEquals": "404", + "KeyPrefixEquals": "out1/" + } + } + ] + } + }, + "Type": "AWS::S3::Bucket" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + S3Bucket: + Type: 'AWS::S3::Bucket' + DeletionPolicy: Retain + Properties: + BucketName: docexamplebucket + SampleBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: docexamplebucket + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - Ref: docexamplebucket + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + S3Bucket9: + Type: 'AWS::S3::Bucket' + DeletionPolicy: Retain + Properties: + BucketName: docexamplebucket + SampleBucketPolicy10: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref docexamplebucket + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - Ref: docexamplebucket + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "S3Bucket": { + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain", + "Properties": { + "BucketName": "docexamplebucket" + } + }, + "SampleBucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": "docexamplebucket", + "PolicyDocument": { + "Statement": [ + { + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "docexamplebucket" + }, + "/*" + ] + ] + }, + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + }, + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow" + } + ] + } + } + }, + "S3Bucket9": { + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain", + "Properties": { + "BucketName": "docexamplebucket" + } + }, + "SampleBucketPolicy10": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + }, + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "docexamplebucket" + }, + "/*" + ] + ] + } + } + ] + }, + "Bucket": "docexamplebucket" + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + MyS3Bucket22: + Type: 'AWS::S3::Bucket' + Properties: + AccessControl: PublicRead + MetricsConfigurations: + - Id: EntireBucket + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + RoutingRules: + - RoutingRuleCondition: + HttpErrorCodeReturnedEquals: '404' + KeyPrefixEquals: out1/ + RedirectRule: + HostName: ec2-11-22-333-44.compute-1.amazonaws.com + ReplaceKeyPrefixWith: report-404/ + SampleBucketPolicy2: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref MyS3Bucket22 + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - Ref: docexamplebucket + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +
Negative test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "MyS3Bucket22": { + "Properties": { + "AccessControl": "PublicRead", + "MetricsConfigurations": [ + { + "Id": "EntireBucket" + } + ], + "WebsiteConfiguration": { + "ErrorDocument": "error.html", + "IndexDocument": "index.html", + "RoutingRules": [ + { + "RedirectRule": { + "HostName": "ec2-11-22-333-44.compute-1.amazonaws.com", + "ReplaceKeyPrefixWith": "report-404/" + }, + "RoutingRuleCondition": { + "HttpErrorCodeReturnedEquals": "404", + "KeyPrefixEquals": "out1/" + } + } + ] + } + }, + "Type": "AWS::S3::Bucket" + }, + "SampleBucketPolicy2": { + "Properties": { + "Bucket": "MyS3Bucket22", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject" + ], + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + }, + "Effect": "Allow", + "Principal": "*", + "Resource": { + "Fn::Join": [ + "", + { + "playbooks": [ + "arn:aws:s3:::", + { + "Ref": "docexamplebucket" + }, + "/*" + ] + } + ] + } + } + ] + } + }, + "Type": "AWS::S3::BucketPolicy" + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/38c64e76-c71e-4d92-a337-60174d1de1c9.md b/docs/queries/cloudformation-queries/aws/38c64e76-c71e-4d92-a337-60174d1de1c9.md new file mode 100644 index 00000000000..90166ef75fd --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/38c64e76-c71e-4d92-a337-60174d1de1c9.md @@ -0,0 +1,1096 @@ +--- +title: S3 Bucket Without SSL In Write Actions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 38c64e76-c71e-4d92-a337-60174d1de1c9 +- **Query name:** S3 Bucket Without SSL In Write Actions +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_without_ssl_in_write_actions) + +### Description +S3 Buckets should enforce encryption of data transfers using Secure Sockets Layer (SSL)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy + Version: 2012-10-17 + Statement: + - Sid: PublicReadForGetBucketObjects + Effect: Allow + Principal: '*' + Action: 's3:GetObject' + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref S3Bucket + - /* + Bucket: !Ref S3Bucket +Outputs: + WebsiteURL: + Value: !GetAtt + - S3Bucket + - WebsiteURL + Description: URL for website hosted on S3 + S3BucketSecureURL: + Value: !Join + - '' + - - 'https://' + - !GetAtt + - S3Bucket + - DomainName + Description: Name of S3 bucket to hold website content + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket2: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket2 + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy + Version: 2012-10-17 + Statement: + - Sid: EnsureSSL + Effect: Deny + Principal: '*' + Action: 's3:PutObject' + Condition: + Bool: + 'aws:SecureTransport': true + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref S3Bucket2 + - /* + Bucket: !Ref S3Bucket2 +Outputs: + WebsiteURL: + Value: !GetAtt + - S3Bucket2 + - WebsiteURL + Description: URL for website hosted on S3 + S3BucketSecureURL: + Value: !Join + - '' + - - 'https://' + - !GetAtt + - S3Bucket2 + - DomainName + Description: Name of S3 bucket to hold website content + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="3 12" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket3: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket3 + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + S3Bucket4: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket4 + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy + Version: 2012-10-17 + Statement: + - Sid: EnsureSSL + Effect: Allow + Principal: '*' + Action: 's3:*' + Condition: + Bool: + 'aws:SecureTransport': false + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref S3Bucket3 + - /* + Bucket: !Ref S3Bucket3 +Outputs: + WebsiteURL: + Value: !GetAtt + - S3Bucket3 + - WebsiteURL + Description: URL for website hosted on S3 + S3BucketSecureURL: + Value: !Join + - '' + - - 'https://' + - !GetAtt + - S3Bucket3 + 
- DomainName + Description: Name of S3 bucket to hold website content + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="3 12" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket5: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket5 + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + S3Bucket6: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket6 + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain +Outputs: + WebsiteURL: + Value: !GetAtt + - S3Bucket + - WebsiteURL + Description: URL for website hosted on S3 + S3BucketSecureURL: + Value: !Join + - '' + - - 'https://' + - !GetAtt + - S3Bucket + - DomainName + Description: Name of S3 bucket to hold website content + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="30" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "PolicyDocument": { + "Id": "MyPolicy", + "Version": "2012-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "PublicReadForGetBucketObjects", + "Effect": "Allow", + "Principal": "*", + "Action": "s3:GetObject", + "Resource": [ + "", + [ + "arn:aws:s3:::", + "S3Bucket", + "/*" + ] + ] + } + ] + }, + "Bucket": "S3Bucket" + } + }, + "S3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "S3Bucket", + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + }, + "DeletionPolicy": "Retain" + } + }, + "Outputs": { + "WebsiteURL": { + "Value": [ + "S3Bucket", + "WebsiteURL" + ], + "Description": "URL for website hosted on S3" + }, + "S3BucketSecureURL": { + "Value": [ + "", + [ + "https://", + [ + "S3Bucket", + "DomainName" + ] + ] + ], + "Description": "Name of S3 bucket to hold website content" + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "S3Bucket2": { + "Properties": { + "BucketName": "S3Bucket2", + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + }, + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket" + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "PolicyDocument": { + "Id": "MyPolicy", + "Version": "2012-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "EnsureSSL", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:PutObject", + "Condition": { + "Bool": { + "aws:SecureTransport": true + } + }, + "Resource": [ + "", + [ + "arn:aws:s3:::", + "S3Bucket2", + "/*" + ] + ] + } + ] + }, + "Bucket": "S3Bucket2" + } + } + }, + "Outputs": { + "WebsiteURL": { + "Value": [ + "S3Bucket2", + "WebsiteURL" + ], + "Description": "URL for website hosted on S3" + }, + "S3BucketSecureURL": { + "Value": [ + "", + [ + "https://", + [ + "S3Bucket2", + "DomainName" + ] + ] + ], + "Description": "Name of S3 bucket to hold website content" + } + } +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="47" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "PolicyDocument": { + "Id": "MyPolicy", + "Version": "2012-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "EnsureSSL", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": false + } + }, + "Resource": [ + "", + [ + "arn:aws:s3:::", + "S3Bucket3", + "/*" + ] + ] + } + ] + }, + "Bucket": "S3Bucket3" + } + }, + "S3Bucket3": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "S3Bucket3", + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + }, + "DeletionPolicy": "Retain" + }, + "S3Bucket4": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "S3Bucket4", + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + }, + "DeletionPolicy": "Retain" + } + }, + "Outputs": { + "WebsiteURL": { + "Value": [ + "S3Bucket3", + "WebsiteURL" + ], + "Description": "URL for website hosted on S3" + }, + "S3BucketSecureURL": { + "Value": [ + "", + [ + "https://", + [ + "S3Bucket3", + "DomainName" + ] + ] + ], + "Description": "Name of S3 bucket to hold website content" + } + } +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="4 15" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "S3Bucket5": { + "Properties": { + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + }, + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket" + }, + "S3Bucket6": { + "Properties": { + "BucketName": "S3Bucket6", + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "ErrorDocument": "error.html", + "IndexDocument": "index.html" + } + }, + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket" + } + }, + "Outputs": { + "WebsiteURL": { + "Value": [ + "S3Bucket", + "WebsiteURL" + ], + "Description": "URL for website hosted on S3" + }, + "S3BucketSecureURL": { + "Value": [ + "", + [ + "https://", + [ + "S3Bucket", + "DomainName" + ] + ] + ], + "Description": "Name of S3 bucket to hold website content" + } + } +} + +``` +
+
Postitive test num. 9 - yaml file + +```yaml hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket33: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket33, + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy + Version: 2012-10-17 + Statement: + Effect: Allow + Principal: '*' + Action: 's3:*' + Condition: + Bool: + 'aws:SecureTransport': false + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref S3Bucket33 + - /* + Bucket: !Ref S3Bucket33 + +``` +
+
Postitive test num. 10 - json file + +```json hl_lines="34" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "BucketPolicy": { + "Properties": { + "Bucket": "S3Bucket33", + "PolicyDocument": { + "Id": "MyPolicy", + "Statement": { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": false + } + }, + "Effect": "Allow", + "Principal": "*", + "Resource": [ + "", + { + "playbooks": [ + "arn:aws:s3:::", + "S3Bucket3", + "/*" + ] + } + ] + }, + "Version": "2012-10-17" + } + }, + "Type": "AWS::S3::BucketPolicy" + }, + "S3Bucket33": { + "DeletionPolicy": "Retain", + "Properties": { + "BucketName": "S3Bucket33", + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "ErrorDocument": "error.html", + "IndexDocument": "index.html" + } + }, + "Type": "AWS::S3::Bucket" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy + Version: 2012-10-17 + Statement: + - Sid: PublicReadForGetBucketObjects + Effect: Allow + Principal: '*' + Action: 's3:GetObject' + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref S3Bucket + - /* + - Sid: EnsureSSL + Effect: Deny + Principal: '*' + Action: 's3:PutObject' + Condition: + Bool: + 'aws:SecureTransport': false + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref S3Bucket + - /* + Bucket: !Ref S3Bucket +Outputs: + WebsiteURL: + Value: !GetAtt + - S3Bucket + - WebsiteURL + Description: URL for website hosted on S3 + S3BucketSecureURL: + Value: !Join + - '' + - - 'https://' + - !GetAtt + - S3Bucket + - DomainName + Description: Name of S3 bucket to hold website content + +``` +```yaml title="Negative test num. 
2 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket2: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket2 + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy + Version: 2012-10-17 + Statement: + - Sid: EnsureSSL + Effect: Deny + Principal: '*' + Action: 's3:*' + Condition: + Bool: + 'aws:SecureTransport': false + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref S3Bucket2 + - /* + Bucket: !Ref S3Bucket2 + S3Bucket3: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy2: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy2 + Version: 2012-10-17 + Statement: + - Sid: EnsureSSL + Effect: Deny + Principal: '*' + Action: 's3:*' + Condition: + Bool: + 'aws:SecureTransport': false + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref S3Bucket3 + - /* + Bucket: !Ref S3Bucket3 +Outputs: + WebsiteURL: + Value: !GetAtt + - S3Bucket2 + - WebsiteURL + Description: URL for website hosted on S3 + S3BucketSecureURL: + Value: !Join + - '' + - - 'https://' + - !GetAtt + - S3Bucket2 + - DomainName + Description: Name of S3 bucket to hold website content + +``` +```json title="Negative test num. 
3 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "S3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "S3Bucket", + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + }, + "DeletionPolicy": "Retain" + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": "S3Bucket", + "PolicyDocument": { + "Id": "MyPolicy", + "Version": "2012-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "PublicReadForGetBucketObjects", + "Effect": "Allow", + "Principal": "*", + "Action": "s3:GetObject", + "Resource": [ + "", + [ + "arn:aws:s3:::", + "S3Bucket", + "/*" + ] + ] + }, + { + "Principal": "*", + "Action": "s3:PutObject", + "Condition": { + "Bool": { + "aws:SecureTransport": false + } + }, + "Resource": [ + "", + [ + "arn:aws:s3:::", + "S3Bucket", + "/*" + ] + ], + "Sid": "EnsureSSL", + "Effect": "Deny" + } + ] + } + } + } + }, + "Outputs": { + "WebsiteURL": { + "Value": [ + "S3Bucket", + "WebsiteURL" + ], + "Description": "URL for website hosted on S3" + }, + "S3BucketSecureURL": { + "Description": "Name of S3 bucket to hold website content", + "Value": [ + "", + [ + "https://", + [ + "S3Bucket", + "DomainName" + ] + ] + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket33: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket33 + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy + Version: 2012-10-17 + Statement: + Effect: Deny + Principal: '*' + Action: 's3:*' + Condition: + Bool: + 'aws:SecureTransport': false + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref S3Bucket3 + - /* + Bucket: !Ref S3Bucket33 + +``` +
+
Negative test num. 5 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "S3Bucket2": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "S3Bucket2", + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + }, + "DeletionPolicy": "Retain" + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": "S3Bucket2", + "PolicyDocument": { + "Statement": [ + { + "Condition": { + "Bool": { + "aws:SecureTransport": false + } + }, + "Resource": [ + "", + [ + "arn:aws:s3:::", + "S3Bucket2", + "/*" + ] + ], + "Sid": "EnsureSSL", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:*" + } + ], + "Id": "MyPolicy", + "Version": "2012-10-17T00:00:00Z" + } + } + }, + "S3Bucket3": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + }, + "DeletionPolicy": "Retain" + }, + "BucketPolicy2": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "PolicyDocument": { + "Version": "2012-10-17T00:00:00Z", + "Statement": [ + { + "Principal": "*", + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": false + } + }, + "Resource": [ + "", + [ + "arn:aws:s3:::", + "S3Bucket3", + "/*" + ] + ], + "Sid": "EnsureSSL", + "Effect": "Deny" + } + ], + "Id": "MyPolicy2" + }, + "Bucket": "S3Bucket3" + } + } + }, + "Outputs": { + "WebsiteURL": { + "Value": [ + "S3Bucket2", + "WebsiteURL" + ], + "Description": "URL for website hosted on S3" + }, + "S3BucketSecureURL": { + "Value": [ + "", + [ + "https://", + [ + "S3Bucket2", + "DomainName" + ] + ] + ], + "Description": "Name of S3 bucket to hold website content" + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket88" + }, + "PolicyDocument": { + "Statement": [ + { + "Condition": { + "Bool": { + "aws:SecureTransport": false + } + }, + "Resource": [ + "", + [ + "arn:aws:s3:::", + "S3Bucket2", + "/*" + ] + ], + "Sid": "EnsureSSL", + "Effect": "Deny", + "Principal": "*", + "Action": "s3:*" + } + ], + "Id": "MyPolicy", + "Version": "2012-10-17T00:00:00Z" + } + } + }, + "S3Bucket88": { + "DeletionPolicy": "Retain", + "Properties": { + "BucketName": "S3Bucket88", + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "ErrorDocument": "error.html", + "IndexDocument": "index.html" + } + }, + "Type": "AWS::S3::Bucket" + } + } +} + +``` +
+
Negative test num. 7 - yaml file + +```yaml +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket88: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket88 + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy + Version: 2012-10-17T00:00:00Z + Statement: + Effect: Deny + Principal: '*' + Action: 's3:*' + Condition: + Bool: + 'aws:SecureTransport': false + Bucket: !Ref S3Bucket88 + +``` +
+
Negative test num. 8 - yaml file + +```yaml +AWSTemplateFormatVersion: 2010-09-09 +Resources: + S3Bucket88: + Type: AWS::S3::Bucket + Properties: + BucketName: S3Bucket88 + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + DeletionPolicy: Retain + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + PolicyDocument: + Id: MyPolicy + Version: 2012-10-17T00:00:00Z + Statement: + Effect: Allow + Principal: '*' + Action: 's3:*' + Condition: + Bool: + 'aws:SecureTransport': true + Bucket: !Ref S3Bucket88 + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/39423ce4-9011-46cd-b6b1-009edcd9385d.md b/docs/queries/cloudformation-queries/aws/39423ce4-9011-46cd-b6b1-009edcd9385d.md new file mode 100644 index 00000000000..ebd97f7df5c --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/39423ce4-9011-46cd-b6b1-009edcd9385d.md @@ -0,0 +1,470 @@ +--- +title: DocDB Cluster Master Password In Plaintext +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 39423ce4-9011-46cd-b6b1-009edcd9385d +- **Query name:** DocDB Cluster Master Password In Plaintext +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/docdb_cluster_master_password_in_plaintext) + +### Description +DocDB DB Cluster master user password must not be in a plain text string or referenced in a parameter as a default value.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-docdb-dbcluster.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +Resources: + NewAmpApp: + Type: AWS::DocDB::DBCluster + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: "sample-cluster" + DBClusterParameterGroupName: "default.docdb3.6" + DBSubnetGroupName: "default" + DeletionProtection: true + KmsKeyId: "your-kms-key-id" + MasterUsername: "your-master-username" + MasterUserPassword: 'asDjskjs73!!' + Port: 27017 + PreferredBackupWindow: "07:34-08:04" + PreferredMaintenanceWindow: "sat:04:51-sat:05:21" + SnapshotIdentifier: "sample-cluster-snapshot-id" + StorageEncrypted: true + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: 'asDjskjs73!' +Resources: + NewAmpApp1: + Type: AWS::DocDB::DBCluster + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: "sample-cluster" + DBClusterParameterGroupName: "default.docdb3.6" + DBSubnetGroupName: "default" + DeletionProtection: true + KmsKeyId: "your-kms-key-id" + MasterUsername: "your-master-username" + MasterUserPassword: !Ref ParentMasterPassword + Port: 27017 + PreferredBackupWindow: "07:34-08:04" + PreferredMaintenanceWindow: "sat:04:51-sat:05:21" + SnapshotIdentifier: "sample-cluster-snapshot-id" + StorageEncrypted: true + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +Resources: + NewAmpApp03: + Type: AWS::DocDB::DBCluster + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: "sample-cluster" + DBClusterParameterGroupName: "default.docdb3.6" + DBSubnetGroupName: "default" + DeletionProtection: true + KmsKeyId: "your-kms-key-id" + MasterUsername: "your-master-username" + MasterUserPassword: 'asDjskjs73!!' 
+ Port: 27017 + PreferredBackupWindow: "07:34-08:04" + PreferredMaintenanceWindow: "sat:04:51-sat:05:21" + SnapshotIdentifier: "sample-cluster-snapshot-id" + StorageEncrypted: true + +``` +
Postitive test num. 4 - json file + +```json hl_lines="17" +{ + "Resources": { + "NewAmpApp": { + "Type": "AWS::DocDB::DBCluster", + "Properties": { + "PreferredMaintenanceWindow": "sat:04:51-sat:05:21", + "SnapshotIdentifier": "sample-cluster-snapshot-id", + "DBClusterParameterGroupName": "default.docdb3.6", + "DBSubnetGroupName": "default", + "KmsKeyId": "your-kms-key-id", + "MasterUsername": "your-master-username", + "Port": 27017, + "StorageEncrypted": true, + "BackupRetentionPeriod": 8, + "DBClusterIdentifier": "sample-cluster", + "DeletionProtection": true, + "MasterUserPassword": "asDjskjs73!!", + "PreferredBackupWindow": "07:34-08:04" + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="6" +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "asDjskjs73!" + } + }, + "Resources": { + "NewAmpApp1": { + "Type": "AWS::DocDB::DBCluster", + "Properties": { + "KmsKeyId": "your-kms-key-id", + "MasterUsername": "your-master-username", + "PreferredBackupWindow": "07:34-08:04", + "BackupRetentionPeriod": 8, + "DBClusterIdentifier": "sample-cluster", + "DeletionProtection": true, + "MasterUserPassword": "ParentMasterPassword", + "Port": 27017, + "PreferredMaintenanceWindow": "sat:04:51-sat:05:21", + "SnapshotIdentifier": "sample-cluster-snapshot-id", + "StorageEncrypted": true, + "DBClusterParameterGroupName": "default.docdb3.6", + "DBSubnetGroupName": "default" + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="18" +{ + "Resources": { + "NewAmpApp03": { + "Type": "AWS::DocDB::DBCluster", + "Properties": { + "Port": 27017, + "PreferredBackupWindow": "07:34-08:04", + "PreferredMaintenanceWindow": "sat:04:51-sat:05:21", + "DBClusterIdentifier": "sample-cluster", + "DBClusterParameterGroupName": "default.docdb3.6", + "DBSubnetGroupName": "default", + "DeletionProtection": true, + "KmsKeyId": "your-kms-key-id", + "SnapshotIdentifier": "sample-cluster-snapshot-id", + "StorageEncrypted": true, + "BackupRetentionPeriod": 8, + "MasterUsername": "your-master-username", + "MasterUserPassword": "asDjskjs73!!" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: '' +Resources: + NewAmpApp1: + Type: AWS::DocDB::DBCluster + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: "sample-cluster" + DBClusterParameterGroupName: "default.docdb3.6" + DBSubnetGroupName: "default" + DeletionProtection: true + KmsKeyId: "your-kms-key-id" + MasterUsername: "your-master-username" + MasterUserPassword: !Ref ParentMasterPassword + Port: 27017 + PreferredBackupWindow: "07:34-08:04" + PreferredMaintenanceWindow: "sat:04:51-sat:05:21" + SnapshotIdentifier: "sample-cluster-snapshot-id" + StorageEncrypted: true + +``` +```yaml title="Negative test num. 2 - yaml file" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String +Resources: + NewAmpApp1: + Type: AWS::DocDB::DBCluster + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: "sample-cluster" + DBClusterParameterGroupName: "default.docdb3.6" + DBSubnetGroupName: "default" + DeletionProtection: true + KmsKeyId: "your-kms-key-id" + MasterUsername: "your-master-username" + MasterUserPassword: !Ref ParentMasterPassword + Port: 27017 + PreferredBackupWindow: "07:34-08:04" + PreferredMaintenanceWindow: "sat:04:51-sat:05:21" + SnapshotIdentifier: "sample-cluster-snapshot-id" + StorageEncrypted: true + +``` +```yaml title="Negative test num. 
3 - yaml file" +Resources: + NewAmpApp2: + Type: AWS::DocDB::DBCluster + Properties: + MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + Port: 27017 + PreferredBackupWindow: "07:34-08:04" + PreferredMaintenanceWindow: "sat:04:51-sat:05:21" + SnapshotIdentifier: "sample-cluster-snapshot-id" + StorageEncrypted: true + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username":"admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +
Negative test num. 4 - yaml file + +```yaml +Parameters: + ParentAccessToken: + Description: 'Access Token' + Type: String +Resources: + NewAmpApp1: + Type: AWS::Amplify::App + Properties: + AccessToken: !Ref ParentAccessToken + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + +``` +
+
Negative test num. 5 - yaml file + +```yaml +Parameters: + ParentAccessToken: + Description: 'Access Token' + Type: String + Default: "" +Resources: + NewAmpApp4: + Type: AWS::Amplify::App + Properties: + AccessToken: !Ref ParentAccessToken + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + } + }, + "Resources": { + "NewAmpApp1": { + "Properties": { + "BackupRetentionPeriod": 8, + "DBSubnetGroupName": "default", + "KmsKeyId": "your-kms-key-id", + "MasterUsername": "your-master-username", + "Port": 27017, + "SnapshotIdentifier": "sample-cluster-snapshot-id", + "StorageEncrypted": true, + "DBClusterIdentifier": "sample-cluster", + "DBClusterParameterGroupName": "default.docdb3.6", + "DeletionProtection": true, + "MasterUserPassword": "ParentMasterPassword", + "PreferredBackupWindow": "07:34-08:04", + "PreferredMaintenanceWindow": "sat:04:51-sat:05:21" + }, + "Type": "AWS::DocDB::DBCluster" + } + } +} + +``` +
+
Negative test num. 7 - json file + +```json +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String" + } + }, + "Resources": { + "NewAmpApp1": { + "Type": "AWS::DocDB::DBCluster", + "Properties": { + "DBClusterIdentifier": "sample-cluster", + "DBSubnetGroupName": "default", + "DeletionProtection": true, + "MasterUserPassword": "ParentMasterPassword", + "Port": 27017, + "PreferredBackupWindow": "07:34-08:04", + "PreferredMaintenanceWindow": "sat:04:51-sat:05:21", + "BackupRetentionPeriod": 8, + "SnapshotIdentifier": "sample-cluster-snapshot-id", + "KmsKeyId": "your-kms-key-id", + "MasterUsername": "your-master-username", + "StorageEncrypted": true, + "DBClusterParameterGroupName": "default.docdb3.6" + } + } + } +} + +``` +
+
Negative test num. 8 - json file + +```json +{ + "Resources": { + "NewAmpApp2": { + "Type": "AWS::DocDB::DBCluster", + "Properties": { + "MasterUserPassword": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}", + "Port": 27017, + "PreferredBackupWindow": "07:34-08:04", + "PreferredMaintenanceWindow": "sat:04:51-sat:05:21", + "SnapshotIdentifier": "sample-cluster-snapshot-id", + "StorageEncrypted": true + } + }, + "MyAmpAppSecretManagerRotater": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "Description": "This is my amp app instance secret", + "GenerateSecretString": { + "SecretStringTemplate": "{\"username\":\"admin\"}", + "GenerateStringKey": "password", + "PasswordLength": 16, + "ExcludeCharacters": "\"@/\\" + } + } + } + } +} + +``` +
+
Negative test num. 9 - json file + +```json +{ + "Parameters": { + "ParentAccessToken": { + "Type": "String", + "Description": "Access Token" + } + }, + "Resources": { + "NewAmpApp1": { + "Type": "AWS::Amplify::App", + "Properties": { + "Name": "NewAmpApp", + "OauthToken": "String", + "Description": "String", + "EnableBranchAutoDeletion": true, + "CustomHeaders": "String", + "IAMServiceRole": "String", + "Repository": "String", + "AccessToken": "ParentAccessToken", + "BuildSpec": "String" + } + } + } +} + +``` +
+
Negative test num. 10 - json file + +```json +{ + "Parameters": { + "ParentAccessToken": { + "Description": "Access Token", + "Type": "String", + "Default": "" + } + }, + "Resources": { + "NewAmpApp4": { + "Type": "AWS::Amplify::App", + "Properties": { + "AccessToken": "ParentAccessToken", + "Description": "String", + "Repository": "String", + "OauthToken": "String", + "BuildSpec": "String", + "CustomHeaders": "String", + "EnableBranchAutoDeletion": true, + "IAMServiceRole": "String", + "Name": "NewAmpApp" + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/3ae83918-7ec7-4cb8-80db-b91ef0f94002.md b/docs/queries/cloudformation-queries/aws/3ae83918-7ec7-4cb8-80db-b91ef0f94002.md new file mode 100644 index 00000000000..81b52015823 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/3ae83918-7ec7-4cb8-80db-b91ef0f94002.md @@ -0,0 +1,169 @@ +--- +title: Security Group Unrestricted Access To RDP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3ae83918-7ec7-4cb8-80db-b91ef0f94002 +- **Query name:** Security Group Unrestricted Access To RDP +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_groups_unrestricted_access_to_rdp) + +### Description +Security Groups does not allow 0.0.0.0/0 for rdp (port:3389)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + KeyName: mykey + ImageId: '' + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 3389 + ToPort: 3389 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 +``` +```json title="Postitive test num. 2 - json file" hl_lines="10" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 3389, + "ToPort": 3389, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "KeyName": "mykey", + "ImageId": "", + "SecurityGroups": [ + "InstanceSecurityGroup" + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + KeyName: mykey + ImageId: '' + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 127.0.0.1/32 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 127.0.0.1/33 +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "SecurityGroups": [ + "InstanceSecurityGroup" + ], + "KeyName": "mykey", + "ImageId": "" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "127.0.0.1/33" + } + ], + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "127.0.0.1/32" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/3b02569b-fc6f-4153-b3a3-ba91022fed68.md b/docs/queries/cloudformation-queries/aws/3b02569b-fc6f-4153-b3a3-ba91022fed68.md new file mode 100644 index 00000000000..6d9124b450b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/3b02569b-fc6f-4153-b3a3-ba91022fed68.md 
@@ -0,0 +1,314 @@ +--- +title: ElastiCache With Disabled Transit Encryption +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3b02569b-fc6f-4153-b3a3-ba91022fed68 +- **Query name:** ElastiCache With Disabled Transit Encryption +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elasticache_with_disabled_transit_encryption) + +### Description +Ensure AWS ElastiCache Redis clusters have encryption for data at transit enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +Resources: + ReplicationGroup: + DeletionPolicy: Snapshot + UpdateReplacePolicy: Snapshot + Type: AWS::ElastiCache::ReplicationGroup + Properties: + ReplicationGroupDescription: !Ref 'AWS::StackName' + AtRestEncryptionEnabled: true + AuthToken: !If [HasAuthToken, !Ref AuthToken, !Ref 'AWS::NoValue'] + AutomaticFailoverEnabled: !If [HasAutomaticFailoverEnabled, true, false] + CacheNodeType: !Ref CacheNodeType + CacheParameterGroupName: !Ref CacheParameterGroup + CacheSubnetGroupName: !Ref CacheSubnetGroupName + Engine: redis + EngineVersion: !Ref EngineVersion + KmsKeyId: !If [HasKmsKey, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue'] + NotificationTopicArn: !If [HasAlertTopic, {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}, !Ref 'AWS::NoValue'] + NumNodeGroups: !Ref NumShards + ReplicasPerNodeGroup: !Ref NumReplicas + PreferredMaintenanceWindow: 'sat:07:00-sat:08:00' + SecurityGroupIds: + - !Ref SecurityGroup + SnapshotName: !If [HasSnapshotName, !Ref SnapshotName, !Ref 'AWS::NoValue'] + SnapshotRetentionLimit: !Ref SnapshotRetentionLimit + SnapshotWindow: '00:00-03:00' + UpdatePolicy: + UseOnlineResharding: true + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="26" +Resources: + MyReplicationGroup: + DeletionPolicy: Snapshot + UpdateReplacePolicy: Snapshot + Type: AWS::ElastiCache::ReplicationGroup + Properties: + ReplicationGroupDescription: !Ref 'AWS::StackName' + AuthToken: !If [HasAuthToken, !Ref AuthToken, !Ref 'AWS::NoValue'] + AutomaticFailoverEnabled: !If [HasAutomaticFailoverEnabled, true, false] + CacheNodeType: !Ref CacheNodeType + CacheParameterGroupName: !Ref CacheParameterGroup + CacheSubnetGroupName: !Ref CacheSubnetGroupName + AtRestEncryptionEnabled: true + Engine: redis + EngineVersion: !Ref EngineVersion + KmsKeyId: !If [HasKmsKey, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue'] + NotificationTopicArn: !If [HasAlertTopic, {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}, !Ref 'AWS::NoValue'] + NumNodeGroups: !Ref NumShards + ReplicasPerNodeGroup: !Ref NumReplicas + PreferredMaintenanceWindow: 'sat:07:00-sat:08:00' + SecurityGroupIds: + - !Ref SecurityGroup + SnapshotName: !If [HasSnapshotName, !Ref SnapshotName, !Ref 'AWS::NoValue'] + SnapshotRetentionLimit: !Ref SnapshotRetentionLimit + SnapshotWindow: '00:00-03:00' + TransitEncryptionEnabled: false + UpdatePolicy: + UseOnlineResharding: true + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="4" +{ + "Resources": { + "ReplicationGroup": { + "Properties": { + "Engine": "redis", + "EngineVersion": "EngineVersion", + "ReplicasPerNodeGroup": "NumReplicas", + "PreferredMaintenanceWindow": "sat:07:00-sat:08:00", + "AtRestEncryptionEnabled": true, + "CacheParameterGroupName": "CacheParameterGroup", + "NotificationTopicArn": [ + "HasAlertTopic", + { + "Fn::ImportValue": "${ParentAlertStack}-TopicARN" + }, + "AWS::NoValue" + ], + "SecurityGroupIds": [ + "SecurityGroup" + ], + "SnapshotName": [ + "HasSnapshotName", + "SnapshotName", + "AWS::NoValue" + ], + "SnapshotRetentionLimit": "SnapshotRetentionLimit", + "CacheNodeType": "CacheNodeType", + "AutomaticFailoverEnabled": [ + "HasAutomaticFailoverEnabled", + true, + false + ], + "CacheSubnetGroupName": "CacheSubnetGroupName", + "KmsKeyId": [ + "HasKmsKey", + { + "Fn::ImportValue": "${ParentKmsKeyStack}-KeyId" + }, + "AWS::NoValue" + ], + "NumNodeGroups": "NumShards", + "AuthToken": [ + "HasAuthToken", + "AuthToken", + "AWS::NoValue" + ], + "SnapshotWindow": "00:00-03:00", + "ReplicationGroupDescription": "AWS::StackName" + }, + "UpdatePolicy": { + "UseOnlineResharding": true + }, + "DeletionPolicy": "Snapshot", + "UpdateReplacePolicy": "Snapshot", + "Type": "AWS::ElastiCache::ReplicationGroup" + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="18" +{ + "Resources": { + "MyReplicationGroup": { + "UpdateReplacePolicy": "Snapshot", + "Type": "AWS::ElastiCache::ReplicationGroup", + "Properties": { + "ReplicationGroupDescription": "AWS::StackName", + "AuthToken": [ + "HasAuthToken", + "AuthToken", + "AWS::NoValue" + ], + "EngineVersion": "EngineVersion", + "NumNodeGroups": "NumShards", + "SecurityGroupIds": [ + "SecurityGroup" + ], + "TransitEncryptionEnabled": false, + "CacheNodeType": "CacheNodeType", + "AtRestEncryptionEnabled": true, + "NotificationTopicArn": [ + "HasAlertTopic", + { + "Fn::ImportValue": "${ParentAlertStack}-TopicARN" + }, + "AWS::NoValue" + ], + "SnapshotName": [ + "HasSnapshotName", + "SnapshotName", + "AWS::NoValue" + ], + "AutomaticFailoverEnabled": [ + "HasAutomaticFailoverEnabled", + true, + false + ], + "Engine": "redis", + "ReplicasPerNodeGroup": "NumReplicas", + "PreferredMaintenanceWindow": "sat:07:00-sat:08:00", + "SnapshotRetentionLimit": "SnapshotRetentionLimit", + "SnapshotWindow": "00:00-03:00", + "CacheParameterGroupName": "CacheParameterGroup", + "CacheSubnetGroupName": "CacheSubnetGroupName", + "KmsKeyId": [ + "HasKmsKey", + { + "Fn::ImportValue": "${ParentKmsKeyStack}-KeyId" + }, + "AWS::NoValue" + ] + }, + "UpdatePolicy": { + "UseOnlineResharding": true + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + ReplicationGroup: + DeletionPolicy: Snapshot + UpdateReplacePolicy: Snapshot + Type: AWS::ElastiCache::ReplicationGroup + Properties: + ReplicationGroupDescription: !Ref 'AWS::StackName' + AtRestEncryptionEnabled: true + AuthToken: !If [HasAuthToken, !Ref AuthToken, !Ref 'AWS::NoValue'] + AutomaticFailoverEnabled: !If [HasAutomaticFailoverEnabled, true, false] + CacheNodeType: !Ref CacheNodeType + CacheParameterGroupName: !Ref CacheParameterGroup + CacheSubnetGroupName: !Ref CacheSubnetGroupName + Engine: redis + EngineVersion: !Ref EngineVersion + KmsKeyId: !If [HasKmsKey, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue'] + NotificationTopicArn: !If [HasAlertTopic, {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}, !Ref 'AWS::NoValue'] + NumNodeGroups: !Ref NumShards + ReplicasPerNodeGroup: !Ref NumReplicas + PreferredMaintenanceWindow: 'sat:07:00-sat:08:00' + SecurityGroupIds: + - !Ref SecurityGroup + SnapshotName: !If [HasSnapshotName, !Ref SnapshotName, !Ref 'AWS::NoValue'] + SnapshotRetentionLimit: !Ref SnapshotRetentionLimit + SnapshotWindow: '00:00-03:00' + TransitEncryptionEnabled: true + UpdatePolicy: + UseOnlineResharding: true + + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "ReplicationGroup": { + "UpdatePolicy": { + "UseOnlineResharding": true + }, + "DeletionPolicy": "Snapshot", + "UpdateReplacePolicy": "Snapshot", + "Type": "AWS::ElastiCache::ReplicationGroup", + "Properties": { + "AuthToken": [ + "HasAuthToken", + "AuthToken", + "AWS::NoValue" + ], + "AutomaticFailoverEnabled": [ + "HasAutomaticFailoverEnabled", + true, + false + ], + "SecurityGroupIds": [ + "SecurityGroup" + ], + "TransitEncryptionEnabled": true, + "SnapshotWindow": "00:00-03:00", + "CacheParameterGroupName": "CacheParameterGroup", + "CacheSubnetGroupName": "CacheSubnetGroupName", + "Engine": "redis", + "EngineVersion": "EngineVersion", + "KmsKeyId": [ + "HasKmsKey", + { + "Fn::ImportValue": "${ParentKmsKeyStack}-KeyId" + }, + "AWS::NoValue" + ], + "SnapshotRetentionLimit": "SnapshotRetentionLimit", + "ReplicationGroupDescription": "AWS::StackName", + "ReplicasPerNodeGroup": "NumReplicas", + "PreferredMaintenanceWindow": "sat:07:00-sat:08:00", + "SnapshotName": [ + "HasSnapshotName", + "SnapshotName", + "AWS::NoValue" + ], + "AtRestEncryptionEnabled": true, + "CacheNodeType": "CacheNodeType", + "NotificationTopicArn": [ + "HasAlertTopic", + { + "Fn::ImportValue": "${ParentAlertStack}-TopicARN" + }, + "AWS::NoValue" + ], + "NumNodeGroups": "NumShards" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/3b316b05-564c-44a7-9c3f-405bb95e211e.md b/docs/queries/cloudformation-queries/aws/3b316b05-564c-44a7-9c3f-405bb95e211e.md new file mode 100644 index 00000000000..65294097fc3 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/3b316b05-564c-44a7-9c3f-405bb95e211e.md 
@@ -0,0 +1,255 @@
+---
+title: Redshift Not Encrypted
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3b316b05-564c-44a7-9c3f-405bb95e211e
+- **Query name:** Redshift Not Encrypted
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/redshift_not_encrypted)
+
+### Description
+AWS Redshift Cluster should be encrypted. Check if 'Encrypted' field is false or undefined (default is false)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: 2010-09-09 +Description: Redshift Stack +Resources: + RedshiftCluster: + Type: AWS::Redshift::Cluster + Properties: + ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup + ClusterType: !If [ SingleNode, single-node, multi-node ] + NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #' + DBName: !Sub ${DatabaseName} + IamRoles: + - !GetAtt RawDataBucketAccessRole.Arn + MasterUserPassword: !Ref MasterUserPassword + MasterUsername: !Ref MasterUsername + PubliclyAccessible: true + NodeType: dc1.large + Port: 5439 + VpcSecurityGroupIds: + - !Sub ${RedshiftSecurityGroup} + PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 + DataBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: !Sub ${DataBucketName} + + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +AWSTemplateFormatVersion: 2010-09-11 +Description: Redshift Stack2 +Resources: + RedshiftCluster2: + Type: AWS::Redshift::Cluster + Properties: + ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup + ClusterType: !If [ SingleNode, single-node, multi-node ] + NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #' + DBName: !Sub ${DatabaseName} + IamRoles: + - !GetAtt RawDataBucketAccessRole.Arn + MasterUserPassword: !Ref MasterUserPassword + MasterUsername: !Ref MasterUsername + PubliclyAccessible: true + NodeType: dc1.large + Port: 5439 + VpcSecurityGroupIds: + - !Sub ${RedshiftSecurityGroup} + PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 + Encrypted: false + DataBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: !Sub ${DataBucketName} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Redshift Stack", + "Resources": { + "RedshiftCluster": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "IamRoles": [ + "RawDataBucketAccessRole.Arn" + ], + "MasterUserPassword": "MasterUserPassword", + "PubliclyAccessible": true, + "NodeType": "dc1.large", + "VpcSecurityGroupIds": [ + "${RedshiftSecurityGroup}" + ], + "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45", + "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup", + "ClusterType": [ + "SingleNode", + "single-node", + "multi-node" + ], + "NumberOfNodes": [ + "SingleNode", + "AWS::NoValue", + "RedshiftNodeCount" + ], + "DBName": "${DatabaseName}", + "MasterUsername": "MasterUsername", + "Port": 5439 + } + }, + "DataBucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "${DataBucketName}" + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="32" +{ + "AWSTemplateFormatVersion": "2010-09-11T00:00:00Z", + "Description": "Redshift Stack2", + "Resources": { + "RedshiftCluster2": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "MasterUserPassword": "MasterUserPassword", + "PubliclyAccessible": true, + "NodeType": "dc1.large", + "Port": 5439, + "VpcSecurityGroupIds": [ + "${RedshiftSecurityGroup}" + ], + "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45", + "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup", + "ClusterType": [ + "SingleNode", + "single-node", + "multi-node" + ], + "NumberOfNodes": [ + "SingleNode", + "AWS::NoValue", + "RedshiftNodeCount" + ], + "DBName": "${DatabaseName}", + "IamRoles": [ + "RawDataBucketAccessRole.Arn" + ], + "MasterUsername": "MasterUsername", + "Encrypted": false + } + }, + "DataBucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "${DataBucketName}" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-11 +Description: Redshift Stack2 +Resources: + RedshiftCluster2: + Type: AWS::Redshift::Cluster + Properties: + ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup + ClusterType: !If [ SingleNode, single-node, multi-node ] + NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #' + DBName: !Sub ${DatabaseName} + IamRoles: + - !GetAtt RawDataBucketAccessRole.Arn + MasterUserPassword: !Ref MasterUserPassword + MasterUsername: !Ref MasterUsername + PubliclyAccessible: true + NodeType: dc1.large + Port: 5439 + VpcSecurityGroupIds: + - !Sub ${RedshiftSecurityGroup} + PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 + Encrypted: true + DataBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: !Sub ${DataBucketName} + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-11T00:00:00Z", + "Description": "Redshift Stack2", + "Resources": { + "RedshiftCluster2": { + "Properties": { + "ClusterType": [ + "SingleNode", + "single-node", + "multi-node" + ], + "NumberOfNodes": [ + "SingleNode", + "AWS::NoValue", + "RedshiftNodeCount" + ], + "DBName": "${DatabaseName}", + "IamRoles": [ + "RawDataBucketAccessRole.Arn" + ], + "NodeType": "dc1.large", + "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45", + "Encrypted": true, + "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup", + "MasterUsername": "MasterUsername", + "PubliclyAccessible": true, + "Port": 5439, + "VpcSecurityGroupIds": [ + "${RedshiftSecurityGroup}" + ], + "MasterUserPassword": "MasterUserPassword" + }, + "Type": "AWS::Redshift::Cluster" + }, + "DataBucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "${DataBucketName}" + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md b/docs/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md
new file mode 100644
index 00000000000..0a3d6f0aae9
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a.md
@@ -0,0 +1,108 @@
+---
+title: VPC Without Attached Subnet
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3b3b4411-ad1f-40e7-b257-a78a6bb9673a
+- **Query name:** VPC Without Attached Subnet
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Resource Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/vpc_without_attached_subnet)
+
+### Description
+VPCs without attached subnets may indicate that they are not being used
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myVPC_1: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsSupport: 'false' + EnableDnsHostnames: 'false' + InstanceTenancy: dedicated + +``` +```json title="Postitive test num. 2 - json file" hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myVPC_1": { + "Type": "AWS::EC2::VPC", + "Properties": { + "InstanceTenancy": "dedicated", + "CidrBlock": "10.0.0.0/16", + "EnableDnsSupport": "false", + "EnableDnsHostnames": "false" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myVPC_2: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsSupport: 'false' + EnableDnsHostnames: 'false' + InstanceTenancy: dedicated + mySubnet: + Type: AWS::EC2::Subnet + Properties: + VpcId: + Ref: myVPC_2 + CidrBlock: 10.0.0.0/24 + AvailabilityZone: "us-east-1a" + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myVPC_2": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsSupport": "false", + "EnableDnsHostnames": "false", + "InstanceTenancy": "dedicated" + } + }, + "mySubnet": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": { + "Ref": "myVPC_2" + }, + "CidrBlock": "10.0.0.0/24", + "AvailabilityZone": "us-east-1a" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/3c3b7a58-b018-4d07-9444-d9ee7156e111.md b/docs/queries/cloudformation-queries/aws/3c3b7a58-b018-4d07-9444-d9ee7156e111.md new file mode 100644 index 00000000000..8d0ab54b6c1 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/3c3b7a58-b018-4d07-9444-d9ee7156e111.md
@@ -0,0 +1,191 @@
+---
+title: Alexa Skill Plaintext Client Secret Exposed
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3c3b7a58-b018-4d07-9444-d9ee7156e111
+- **Query name:** Alexa Skill Plaintext Client Secret Exposed
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/alexa_skill_plaintext_client_secret_exposed)
+
+### Description
+Alexa skills' client secrets should not be defined as a plaintext string. It should either use 'AWS Systems Manager Parameter Store' or 'AWS Secrets Manager' to retrieve sensitive information
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ask-skill.html#cfn-ask-skill-authenticationconfiguration) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +Resources: + MySkill: + Type: "Alexa::ASK::Skill" + Properties: + SkillPackage: + S3Bucket: "my-skill-packages" + S3Key: "skillpackage.zip" + S3BucketRole: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill + Overrides: + Manifest: + apis: + custom: + endpoint: + uri: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill + AuthenticationConfiguration: + ClientId: "amzn1.application-oa2-client.1234" + ClientSecret: "1234" + RefreshToken: "Atzr|1234" + VendorId: "1234" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="24" +{ + "Resources": { + "MySkill": { + "Type": "Alexa::ASK::Skill", + "Properties": { + "SkillPackage": { + "S3BucketRole": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill", + "Overrides": { + "Manifest": { + "apis": { + "custom": { + "endpoint": { + "uri": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill" + } + } + } + } + }, + "S3Bucket": "my-skill-packages", + "S3Key": "skillpackage.zip" + }, + "AuthenticationConfiguration": { + "ClientId": "amzn1.application-oa2-client.1234", + "ClientSecret": "1234", + "RefreshToken": "Atzr|1234" + }, + "VendorId": "1234" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + MySkill: + Type: "Alexa::ASK::Skill" + Properties: + SkillPackage: + S3Bucket: "my-skill-packages" + S3Key: "skillpackage.zip" + S3BucketRole: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill + Overrides: + Manifest: + apis: + custom: + endpoint: + uri: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill + AuthenticationConfiguration: + ClientId: "amzn1.application-oa2-client.1234" + ClientSecret: "{{resolve:secretsmanager:123456}}" + RefreshToken: "Atzr|1234" + VendorId: "1234" + MySkill2: + Type: "Alexa::ASK::Skill" + Properties: + SkillPackage: + S3Bucket: "my-skill-packages" + S3Key: "skillpackage.zip" + S3BucketRole: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill + Overrides: + Manifest: + apis: + custom: + endpoint: + uri: arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill + AuthenticationConfiguration: + ClientId: "amzn1.application-oa2-client.1234" + ClientSecret: "{{resolve:ssm-secure:123456}}" + RefreshToken: "Atzr|1234" + VendorId: "1234" + # trigger validation + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "MySkill": { + "Type": "Alexa::ASK::Skill", + "Properties": { + "SkillPackage": { + "S3Bucket": "my-skill-packages", + "S3Key": "skillpackage.zip", + "S3BucketRole": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill", + "Overrides": { + "Manifest": { + "apis": { + "custom": { + "endpoint": { + "uri": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill" + } + } + } + } + } + }, + "AuthenticationConfiguration": { + "ClientId": "amzn1.application-oa2-client.1234", + "ClientSecret": "{{resolve:secretsmanager:123456}}", + "RefreshToken": "Atzr|1234" + }, + "VendorId": "1234" + } + }, + "MySkill2": { + "Type": "Alexa::ASK::Skill", + "Properties": { + "SkillPackage": { + "S3Bucket": "my-skill-packages", + "S3Key": "skillpackage.zip", + "S3BucketRole": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill", + "Overrides": { + "Manifest": { + "apis": { + "custom": { + "endpoint": { + "uri": "arn:aws:lambda:us-east-1:377024778620:function:aws-node-alexa-skill" + } + } + } + } + } + }, + "AuthenticationConfiguration": { + "ClientId": "amzn1.application-oa2-client.1234", + "ClientSecret": "{{resolve:ssm-secure:123456}}", + "RefreshToken": "Atzr|1234" + }, + "VendorId": "1234" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md b/docs/queries/cloudformation-queries/aws/3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md new file mode 100644 index 00000000000..4e1084ad2dd --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6.md 
@@ -0,0 +1,162 @@
+---
+title: Redshift Cluster Logging Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3de2d4ff-fe53-4fc9-95d3-2f8a69bf90d6
+- **Query name:** Redshift Cluster Logging Disabled
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/redshift_cluster_logging_disabled)
+
+### Description
+Make sure Logging is enabled for Redshift Cluster
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-loggingproperties) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: 2010-09-09 +Description: Redshift Stack +Resources: + RedshiftCluster3: + Type: AWS::Redshift::Cluster + Properties: + ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup + ClusterType: !If [ SingleNode, single-node, multi-node ] + NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #' + DBName: !Sub ${DatabaseName} + IamRoles: + - !GetAtt RawDataBucketAccessRole.Arn + MasterUserPassword: !Ref MasterUserPassword + MasterUsername: !Ref MasterUsername + PubliclyAccessible: true + NodeType: dc1.large + Port: 5439 + VpcSecurityGroupIds: + - !Sub ${RedshiftSecurityGroup} + PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 + +``` +```json title="Postitive test num. 2 - json file" hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Redshift Stack", + "Resources": { + "RedshiftCluster4": { + "Properties": { + "NodeType": "dc1.large", + "Port": 5439, + "VpcSecurityGroupIds": [ + "${RedshiftSecurityGroup}" + ], + "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup", + "ClusterType": [ + "SingleNode", + "single-node", + "multi-node" + ], + "MasterUserPassword": "MasterUserPassword", + "MasterUsername": "MasterUsername", + "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45", + "NumberOfNodes": [ + "SingleNode", + "AWS::NoValue", + "RedshiftNodeCount" + ], + "DBName": "${DatabaseName}", + "IamRoles": [ + "RawDataBucketAccessRole.Arn" + ], + "PubliclyAccessible": true + }, + "Type": "AWS::Redshift::Cluster" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Redshift Stack +Resources: + RedshiftCluster: + Type: AWS::Redshift::Cluster + Properties: + ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup + ClusterType: !If [ SingleNode, single-node, multi-node ] + NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #' + DBName: !Sub ${DatabaseName} + IamRoles: + - !GetAtt RawDataBucketAccessRole.Arn + MasterUserPassword: !Ref MasterUserPassword + MasterUsername: !Ref MasterUsername + PubliclyAccessible: true + NodeType: dc1.large + Port: 5439 + VpcSecurityGroupIds: + - !Sub ${RedshiftSecurityGroup} + PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 + KmsKeyId: wewewewewefsa + LoggingProperties: + BucketName: "Some bucket name" + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Redshift Stack", + "Resources": { + "RedshiftCluster2": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "IamRoles": [ + "RawDataBucketAccessRole.Arn" + ], + "PubliclyAccessible": true, + "NodeType": "dc1.large", + "Port": 5439, + "VpcSecurityGroupIds": [ + "${RedshiftSecurityGroup}" + ], + "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45", + "ClusterType": [ + "SingleNode", + "single-node", + "multi-node" + ], + "NumberOfNodes": [ + "SingleNode", + "AWS::NoValue", + "RedshiftNodeCount" + ], + "DBName": "${DatabaseName}", + "MasterUserPassword": "MasterUserPassword", + "MasterUsername": "MasterUsername", + "KmsKeyId": "wewewewewefsa", + "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup", + "LoggingProperties": { + "BucketName": "Some bucket name" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/3e09413f-471e-40f3-8626-990c79ae63f3.md b/docs/queries/cloudformation-queries/aws/3e09413f-471e-40f3-8626-990c79ae63f3.md new file mode 100644 index 00000000000..d6baf3bf205 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/3e09413f-471e-40f3-8626-990c79ae63f3.md
@@ -0,0 +1,172 @@
+---
+title: CloudTrail SNS Topic Name Undefined
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3e09413f-471e-40f3-8626-990c79ae63f3
+- **Query name:** CloudTrail SNS Topic Name Undefined
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudtrail_sns_topic_name_undefined)
+
+### Description
+Check if SNS topic name is set for CloudTrail
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-snstopicname) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 22" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + myTrail3: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + S3BucketName: + Ref: S3Bucket + IsLogging: false + IsMultiRegionTrail: true + myTrail4: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + EnableLogFileValidation: false + S3BucketName: + Ref: S3Bucket + SnsTopicName: "" + IsLogging: false + IsMultiRegionTrail: true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9 23" +{ + "Resources": { + "myTrail5": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "IsMultiRegionTrail": true, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "IsLogging": false + } + }, + "myTrail6": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "EnableLogFileValidation": false, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": "", + "IsLogging": false, + "IsMultiRegionTrail": true + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." 
+ Type: String +Resources: + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + EnableLogFileValidation: true + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Type": "String", + "Description": "Email address to notify when new logs are published." + } + }, + "Resources": { + "myTrail2": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "IsLogging": true, + "IsMultiRegionTrail": true, + "EnableLogFileValidation": true, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + } + } + }, + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9.md b/docs/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9.md new file mode 100644 index 00000000000..af238c01c9b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9.md @@ -0,0 +1,145 @@ +--- +title: VPC Without Network Firewall +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3e293410-d5b8-411f-85fd-7d26294f20c9 +- **Query name:** VPC Without Network Firewall +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/vpc_without_network_firewall) + +### Description +VPC should have a Network Firewall associated
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html#cfn-networkfirewall-firewall-vpcid) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myVPC11: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsSupport: 'false' + EnableDnsHostnames: 'false' + InstanceTenancy: dedicated + SampleFirewall: + Type: AWS::NetworkFirewall::Firewall + Properties: + FirewallName: SampleFirewallName + FirewallPolicyArn: !Ref SampleFirewallPolicy + VpcId: !Ref myVPC + SubnetMappings: + - SubnetId: !Ref SampleSubnet1 + - SubnetId: !Ref SampleSubnet2 + Description: Firewall description goes here + +``` +```json title="Postitive test num. 2 - json file" hl_lines="21" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "SampleFirewall": { + "Properties": { + "Description": "Firewall description goes here", + "FirewallName": "SampleFirewallName", + "FirewallPolicyArn": "SampleFirewallPolicy", + "SubnetMappings": [ + { + "SubnetId": "SampleSubnet1" + }, + { + "SubnetId": "SampleSubnet2" + } + ], + "VpcId": "myVPC" + }, + "Type": "AWS::NetworkFirewall::Firewall" + }, + "myVPC11": { + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": "false", + "EnableDnsSupport": "false", + "InstanceTenancy": "dedicated" + }, + "Type": "AWS::EC2::VPC" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myVPC1: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsSupport: 'false' + EnableDnsHostnames: 'false' + InstanceTenancy: dedicated + SampleFirewall: + Type: AWS::NetworkFirewall::Firewall + Properties: + FirewallName: SampleFirewallName + FirewallPolicyArn: !Ref SampleFirewallPolicy + VpcId: !Ref myVPC1 + SubnetMappings: + - SubnetId: !Ref SampleSubnet1 + - SubnetId: !Ref SampleSubnet2 + Description: Firewall description goes here + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "SampleFirewall": { + "Properties": { + "Description": "Firewall description goes here", + "FirewallName": "SampleFirewallName", + "FirewallPolicyArn": "SampleFirewallPolicy", + "SubnetMappings": [ + { + "SubnetId": "SampleSubnet1" + }, + { + "SubnetId": "SampleSubnet2" + } + ], + "VpcId": "myVPC1" + }, + "Type": "AWS::NetworkFirewall::Firewall" + }, + "myVPC1": { + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": "false", + "EnableDnsSupport": "false", + "InstanceTenancy": "dedicated" + }, + "Type": "AWS::EC2::VPC" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/42e7dca3-8cce-4325-8df0-108888259136.md b/docs/queries/cloudformation-queries/aws/42e7dca3-8cce-4325-8df0-108888259136.md new file mode 100644 index 00000000000..bf21a8a1230 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/42e7dca3-8cce-4325-8df0-108888259136.md 
@@ -0,0 +1,108 @@
+---
+title: BOM - AWS SNS
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 42e7dca3-8cce-4325-8df0-108888259136
+- **Query name:** BOM - AWS SNS
+- **Platform:** CloudFormation
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/sns)
+
+### Description
+A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: '2010-09-09' +Description: '' +Resources: + SnsTopic: + Type: 'AWS::SNS::Topic' + Properties: + Subscription: + - Endpoint: email@example.com + Protocol: email + TopicName: alarm-action + KmsMasterKeyId: ididididid + StartedTopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - !Ref SnsTopic + PolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: events.amazonaws.com + Action: + - sns:Publish + Resource: "*" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "", + "Resources": { + "SnsTopic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": "email@example.com", + "Protocol": "email" + } + ], + "TopicName": "alarm-action", + "KmsMasterKeyId": "ididididid" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Enabled": "true" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/43356255-495d-4148-ad8d-f6af5eac09dd.md b/docs/queries/cloudformation-queries/aws/43356255-495d-4148-ad8d-f6af5eac09dd.md new file mode 100644 index 00000000000..e4e7680890b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/43356255-495d-4148-ad8d-f6af5eac09dd.md 
@@ -0,0 +1,181 @@ +--- +title: GameLift Fleet EC2 InboundPermissions With Port Range +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 43356255-495d-4148-ad8d-f6af5eac09dd +- **Query name:** GameLift Fleet EC2 InboundPermissions With Port Range +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/gamelift_fleet_ec2_inbound_permissions_with_port_range) + +### Description +AWS GameLift Fleet EC2InboundPermissions should have a single port
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-gamelift-fleet.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 27" +Resources: + FleetResource1: + Type: AWS::GameLift::Fleet + Properties: + BuildId: !Ref BuildResource + CertificateConfiguration: + CertificateType: DISABLED + Description: Description of my Game Fleet1 + DesiredEc2Instances: 1 + EC2InboundPermissions: + - FromPort: '1234' + ToPort: '134' + IpRange: 0.0.0.0/24 + Protocol: TCP + - FromPort: 1356 + ToPort: 1578 + IpRange: 192.168.0.0/24 + Protocol: UDP + FleetResource3: + Type: AWS::GameLift::Fleet + Properties: + BuildId: !Ref BuildResource + CertificateConfiguration: + CertificateType: DISABLED + Description: Description of my Game Fleet3 + DesiredEc2Instances: 1 + EC2InboundPermissions: + - FromPort: 1234 + ToPort: '134' + IpRange: 0.0.0.0/24 + Protocol: TCP + - FromPort: '1356' + ToPort: 1578 + IpRange: 192.168.0.0/24 + Protocol: UDP + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="37 6" +{ + "Resources": { + "FleetResource1": { + "Type": "AWS::GameLift::Fleet", + "Properties": { + "EC2InboundPermissions": [ + { + "FromPort": "1234", + "ToPort": "134", + "IpRange": "0.0.0.0/24", + "Protocol": "TCP" + }, + { + "FromPort": 1356, + "ToPort": 1578, + "IpRange": "192.168.0.0/24", + "Protocol": "UDP" + } + ], + "BuildId": "BuildResource", + "CertificateConfiguration": { + "CertificateType": "DISABLED" + }, + "Description": "Description of my Game Fleet1", + "DesiredEc2Instances": 1 + } + }, + "FleetResource3": { + "Type": "AWS::GameLift::Fleet", + "Properties": { + "BuildId": "BuildResource", + "CertificateConfiguration": { + "CertificateType": "DISABLED" + }, + "Description": "Description of my Game Fleet3", + "DesiredEc2Instances": 1, + "EC2InboundPermissions": [ + { + "FromPort": 1234, + "ToPort": "134", + "IpRange": "0.0.0.0/24", + "Protocol": "TCP" + }, + { + "FromPort": "1356", + "ToPort": 1578, + "IpRange": "192.168.0.0/24", + "Protocol": "UDP" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + FleetResource2: + Type: AWS::GameLift::Fleet + Properties: + BuildId: !Ref BuildResource + CertificateConfiguration: + CertificateType: DISABLED + Description: Description of my Game Fleet + DesiredEc2Instances: 1 + EC2InboundPermissions: + - FromPort: '1234' + ToPort: '1234' + IpRange: 0.0.0.0/24 + Protocol: TCP + - FromPort: '1356' + ToPort: '1356' + IpRange: 192.168.0.0/24 + Protocol: UDP + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "FleetResource2": { + "Type": "AWS::GameLift::Fleet", + "Properties": { + "CertificateConfiguration": { + "CertificateType": "DISABLED" + }, + "Description": "Description of my Game Fleet", + "DesiredEc2Instances": 1, + "EC2InboundPermissions": [ + { + "FromPort": "1234", + "ToPort": "1234", + "IpRange": "0.0.0.0/24", + "Protocol": "TCP" + }, + { + "ToPort": "1356", + "IpRange": "192.168.0.0/24", + "Protocol": "UDP", + "FromPort": "1356" + } + ], + "BuildId": "BuildResource" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/44034eda-1c3f-486a-831d-e09a7dd94354.md b/docs/queries/cloudformation-queries/aws/44034eda-1c3f-486a-831d-e09a7dd94354.md new file mode 100644 index 00000000000..b1d3832ba3f --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/44034eda-1c3f-486a-831d-e09a7dd94354.md @@ -0,0 +1,412 @@ +--- +title: SageMaker EndPoint Config Should Specify KmsKeyId Attribute +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 44034eda-1c3f-486a-831d-e09a7dd94354 +- **Query name:** SageMaker EndPoint Config Should Specify KmsKeyId Attribute +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sagemaker_endpoint_config_should_specify_kms_key_id_attribute) + +### Description +KmsKeyId attribute should be defined
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-endpointconfig.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="28" +Description: "Basic Hosting entities test. We need models to create endpoint configs." +Mappings: + RegionMap: + "us-west-2": + "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" + "us-east-2": + "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" + "us-east-1": + "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" + "eu-west-1": + "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" + "ap-northeast-1": + "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" + "ap-northeast-2": + "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" + "ap-southeast-2": + "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" + "eu-central-1": + "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" +Resources: + Endpoint: + Type: "AWS::SageMaker::Endpoint" + Properties: + EndpointConfigName: + !GetAtt EndpointConfig.EndpointConfigName + EndpointConfig: + Type: "AWS::SageMaker::EndpointConfig" + Properties: + ProductionVariants: + - InitialInstanceCount: 1 + InitialVariantWeight: 1.0 + InstanceType: ml.t2.large + ModelName: !GetAtt Model.ModelName + VariantName: !GetAtt Model.ModelName + Model: + Type: "AWS::SageMaker::Model" + Properties: + PrimaryContainer: + Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"] + ExecutionRoleArn: !GetAtt ExecutionRole.Arn + + ExecutionRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Principal: + Service: + - "sagemaker.amazonaws.com" + Action: + - 
"sts:AssumeRole" + Path: "/" + Policies: + - + PolicyName: "root" + PolicyDocument: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Action: "*" + Resource: "*" +Outputs: + EndpointId: + Value: !Ref Endpoint + EndpointName: + Value: !GetAtt Endpoint.EndpointName +``` +```json title="Postitive test num. 2 - json file" hl_lines="40" +{ + "Description": "Basic Hosting entities test. We need models to create endpoint configs.", + "Mappings": { + "RegionMap": { + "ap-northeast-1": { + "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" + }, + "ap-northeast-2": { + "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" + }, + "ap-southeast-2": { + "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" + }, + "eu-central-1": { + "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" + }, + "us-west-2": { + "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" + }, + "us-east-2": { + "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" + }, + "us-east-1": { + "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" + }, + "eu-west-1": { + "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" + } + } + }, + "Resources": { + "Endpoint": { + "Properties": { + "EndpointConfigName": "EndpointConfig.EndpointConfigName" + }, + "Type": "AWS::SageMaker::Endpoint" + }, + "EndpointConfig": { + "Type": "AWS::SageMaker::EndpointConfig", + "Properties": { + "ProductionVariants": [ + { + "InitialInstanceCount": 1, + "InitialVariantWeight": 1, + "InstanceType": "ml.t2.large", + "ModelName": "Model.ModelName", + "VariantName": "Model.ModelName" + } + ] + } + }, + "Model": { + "Type": "AWS::SageMaker::Model", + "Properties": { + "PrimaryContainer": { + "Image": [ + "RegionMap", + "AWS::Region", + "NullTransformer" + ] + }, + "ExecutionRoleArn": 
"ExecutionRole.Arn" + } + }, + "ExecutionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "sagemaker.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ], + "Version": "2012-10-17" + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + } + } + ] + } + } + }, + "Outputs": { + "EndpointId": { + "Value": "Endpoint" + }, + "EndpointName": { + "Value": "Endpoint.EndpointName" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Description: "Basic Hosting entities test. We need models to create endpoint configs." +Mappings: + RegionMap: + "us-west-2": + "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" + "us-east-2": + "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" + "us-east-1": + "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" + "eu-west-1": + "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" + "ap-northeast-1": + "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" + "ap-northeast-2": + "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" + "ap-southeast-2": + "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" + "eu-central-1": + "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" +Resources: + Endpoint: + Type: "AWS::SageMaker::Endpoint" + Properties: + EndpointConfigName: + !GetAtt EndpointConfig.EndpointConfigName + EndpointConfig: + Type: "AWS::SageMaker::EndpointConfig" + Properties: + DataCaptureConfig: DataCaptureConfig + EndpointConfigName: String + KmsKeyId: 
String + ProductionVariants: + - InitialInstanceCount: 1 + InitialVariantWeight: 1.0 + InstanceType: ml.t2.large + ModelName: !GetAtt Model.ModelName + VariantName: !GetAtt Model.ModelName + Model: + Type: "AWS::SageMaker::Model" + Properties: + PrimaryContainer: + Image: !FindInMap [RegionMap, !Ref "AWS::Region", "NullTransformer"] + ExecutionRoleArn: !GetAtt ExecutionRole.Arn + + ExecutionRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Principal: + Service: + - "sagemaker.amazonaws.com" + Action: + - "sts:AssumeRole" + Path: "/" + Policies: + - + PolicyName: "root" + PolicyDocument: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Action: "*" + Resource: "*" +Outputs: + EndpointId: + Value: !Ref Endpoint + EndpointName: + Value: !GetAtt Endpoint.EndpointName + +``` +```json title="Negative test num. 2 - json file" +{ + "Description": "Basic Hosting entities test. We need models to create endpoint configs.", + "Mappings": { + "RegionMap": { + "eu-central-1": { + "NullTransformer": "123456789012.dkr.ecr.eu-central-1.amazonaws.com/mymodel:latest" + }, + "us-west-2": { + "NullTransformer": "123456789012.dkr.ecr.us-west-2.amazonaws.com/mymodel:latest" + }, + "us-east-2": { + "NullTransformer": "123456789012.dkr.ecr.us-east-2.amazonaws.com/mymodel:latest" + }, + "us-east-1": { + "NullTransformer": "123456789012.dkr.ecr.us-east-1.amazonaws.com/mymodel:latest" + }, + "eu-west-1": { + "NullTransformer": "123456789012.dkr.ecr.eu-west-1.amazonaws.com/mymodel:latest" + }, + "ap-northeast-1": { + "NullTransformer": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/mymodel:latest" + }, + "ap-northeast-2": { + "NullTransformer": "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/mymodel:latest" + }, + "ap-southeast-2": { + "NullTransformer": "123456789012.dkr.ecr.ap-southeast-2.amazonaws.com/mymodel:latest" + } + } + }, + "Resources": { + "Endpoint": { + "Type": 
"AWS::SageMaker::Endpoint", + "Properties": { + "EndpointConfigName": "EndpointConfig.EndpointConfigName" + } + }, + "EndpointConfig": { + "Type": "AWS::SageMaker::EndpointConfig", + "Properties": { + "EndpointConfigName": "String", + "KmsKeyId": "String", + "ProductionVariants": [ + { + "InitialInstanceCount": 1, + "InitialVariantWeight": 1, + "InstanceType": "ml.t2.large", + "ModelName": "Model.ModelName", + "VariantName": "Model.ModelName" + } + ], + "DataCaptureConfig": "DataCaptureConfig" + } + }, + "Model": { + "Type": "AWS::SageMaker::Model", + "Properties": { + "PrimaryContainer": { + "Image": [ + "RegionMap", + "AWS::Region", + "NullTransformer" + ] + }, + "ExecutionRoleArn": "ExecutionRole.Arn" + } + }, + "ExecutionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "sagemaker.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Resource": "*", + "Effect": "Allow" + } + ], + "Version": "2012-10-17" + } + } + ] + } + } + }, + "Outputs": { + "EndpointName": { + "Value": "Endpoint.EndpointName" + }, + "EndpointId": { + "Value": "Endpoint" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/445020f6-b69e-4484-847f-02d4b7768902.md b/docs/queries/cloudformation-queries/aws/445020f6-b69e-4484-847f-02d4b7768902.md new file mode 100644 index 00000000000..6e059c022d8 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/445020f6-b69e-4484-847f-02d4b7768902.md 
@@ -0,0 +1,257 @@ +--- +title: IAM Password Without Uppercase Letter +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 445020f6-b69e-4484-847f-02d4b7768902 +- **Query name:** IAM Password Without Uppercase Letter +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter) + +### Description +IAM password should have at least one uppercase letter
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myp@ssw0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + - PolicyName: giveaccesstotopiconly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sns:* + Resource: + - !Ref mytopic + - Effect: Deny + Action: + - sns:* + NotResource: + - !Ref mytopic +``` +```json title="Postitive test num. 2 - json file" hl_lines="10" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myp@ssw0rd" + }, + "Policies": [ + { + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + }, + "PolicyName": "giveaccesstoqueueonly" + }, + { + "PolicyName": "giveaccesstotopiconly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Resource": [ + "mytopic" + ], + "Effect": "Allow", + "Action": [ + "sns:*" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sns:*" + ], + "NotResource": [ + "mytopic" + ] + } + ] + } + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + - PolicyName: giveaccesstotopiconly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sns:* + Resource: + - !Ref mytopic + - Effect: Deny + Action: + - sns:* + NotResource: + - !Ref mytopic +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "LoginProfile": { + "Password": "myP@ssW0rd" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + }, + { + "PolicyName": "giveaccesstotopiconly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sns:*" + ], + "Resource": [ + "mytopic" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sns:*" + ], + "NotResource": [ + "mytopic" + ] + } + ] + } + } + ], + "Path": "/" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md b/docs/queries/cloudformation-queries/aws/4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md new file mode 100644 index 00000000000..552899b6b9d --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c.md 
@@ -0,0 +1,540 @@ +--- +title: S3 Bucket Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4552b71f-0a2a-4bc4-92dd-ed7ec1b4674c +- **Query name:** S3 Bucket Logging Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_logging_disabled) + +### Description +Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-loggingconfig) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + mybucket: + Type: "AWS::S3::Bucket" + DeletionPolicy: Retain + Properties: + ReplicationConfiguration: + Role: + "Fn::GetAtt": + - WorkItemBucketBackupRole + - Arn + Rules: + - Destination: + Bucket: + "Fn::Join": + - "" + - - "arn:aws:s3:::" + - "Fn::Join": + - "-" + - - Ref: "AWS::Region" + - Ref: "AWS::StackName" + - replicationbucket + StorageClass: STANDARD + Id: Backup + Prefix: "" + Status: Enabled + VersioningConfiguration: + Status: Enabled + WorkItemBucketBackupRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - "sts:AssumeRole" + Effect: Allow + Principal: + Service: + - s3.amazonaws.com + BucketBackupPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyDocument: + Statement: + - Action: + - "s3:GetReplicationConfiguration" + - "s3:ListBucket" + Effect: Allow + Resource: + - "Fn::Join": + - "" + - - "arn:aws:s3:::" + - Ref: RecordServiceS3Bucket + - Action: + - "s3:GetObjectVersion" + - "s3:GetObjectVersionAcl" + Effect: Allow + Resource: + - "Fn::Join": + - "" + - - "arn:aws:s3:::" + - Ref: RecordServiceS3Bucket + - /* + - Action: + - "s3:ReplicateObject" + - "s3:ReplicateDelete" + Effect: Allow + Resource: + - "Fn::Join": + - "" + - - "arn:aws:s3:::" + - "Fn::Join": + - "-" + - - Ref: "AWS::Region" + - Ref: "AWS::StackName" + - replicationbucket + - /* + PolicyName: BucketBackupPolicy + Roles: + - Ref: WorkItemBucketBackupRole + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="113" +{ + "Description": "A sample template", + "Resources": { + "WorkItemBucketBackupRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "s3.amazonaws.com" + ] + } + } + ] + } + } + }, + "BucketBackupPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "RecordServiceS3Bucket" + } + ] + ] + } + ], + "Action": [ + "s3:GetReplicationConfiguration", + "s3:ListBucket" + ], + "Effect": "Allow" + }, + { + "Action": [ + "s3:GetObjectVersion", + "s3:GetObjectVersionAcl" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "RecordServiceS3Bucket" + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "s3:ReplicateObject", + "s3:ReplicateDelete" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "AWS::Region" + }, + { + "Ref": "AWS::StackName" + }, + "replicationbucket" + ] + ] + }, + "/*" + ] + ] + } + ] + } + ] + }, + "PolicyName": "BucketBackupPolicy", + "Roles": [ + { + "Ref": "WorkItemBucketBackupRole" + } + ] + } + }, + "mybucket": { + "Properties": { + "ReplicationConfiguration": { + "Role": { + "Fn::GetAtt": [ + "WorkItemBucketBackupRole", + "Arn" + ] + }, + "Rules": [ + { + "Prefix": "", + "Status": "Enabled", + "Destination": { + "Bucket": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "AWS::Region" + }, + { + "Ref": "AWS::StackName" + }, + "replicationbucket" + ] + ] + } + ] + ] + }, + "StorageClass": "STANDARD" + }, + "Id": "Backup" + } + ] + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain" + } + }, + 
"AWSTemplateFormatVersion": "2010-09-09" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + RecordServiceS3Bucket: + Type: "AWS::S3::Bucket" + DeletionPolicy: Retain + Properties: + ReplicationConfiguration: + Role: + "Fn::GetAtt": + - WorkItemBucketBackupRole + - Arn + Rules: + - Destination: + Bucket: + "Fn::Join": + - "" + - - "arn:aws:s3:::" + - "Fn::Join": + - "-" + - - Ref: "AWS::Region" + - Ref: "AWS::StackName" + - replicationbucket + StorageClass: STANDARD + Id: Backup + Prefix: "" + Status: Enabled + VersioningConfiguration: + Status: Enabled + LoggingConfiguration: + DestinationBucketName: !Ref LoggingBucket + LogFilePrefix: loga/ + WorkItemBucketBackupRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - "sts:AssumeRole" + Effect: Allow + Principal: + Service: + - s3.amazonaws.com + BucketBackupPolicy: + Type: "AWS::IAM::Policy" + Properties: + PolicyDocument: + Statement: + - Action: + - "s3:GetReplicationConfiguration" + - "s3:ListBucket" + Effect: Allow + Resource: + - "Fn::Join": + - "" + - - "arn:aws:s3:::" + - Ref: RecordServiceS3Bucket + - Action: + - "s3:GetObjectVersion" + - "s3:GetObjectVersionAcl" + Effect: Allow + Resource: + - "Fn::Join": + - "" + - - "arn:aws:s3:::" + - Ref: RecordServiceS3Bucket + - /* + - Action: + - "s3:ReplicateObject" + - "s3:ReplicateDelete" + Effect: Allow + Resource: + - "Fn::Join": + - "" + - - "arn:aws:s3:::" + - "Fn::Join": + - "-" + - - Ref: "AWS::Region" + - Ref: "AWS::StackName" + - replicationbucket + - /* + PolicyName: BucketBackupPolicy + Roles: + - Ref: WorkItemBucketBackupRole + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "RecordServiceS3Bucket": { + "Properties": { + "ReplicationConfiguration": { + "Role": { + "Fn::GetAtt": [ + "WorkItemBucketBackupRole", + "Arn" + ] + }, + "Rules": [ + { + "Status": "Enabled", + "Destination": { + "Bucket": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "AWS::Region" + }, + { + "Ref": "AWS::StackName" + }, + "replicationbucket" + ] + ] + } + ] + ] + }, + "StorageClass": "STANDARD" + }, + "Id": "Backup", + "Prefix": "" + } + ] + }, + "VersioningConfiguration": { + "Status": "Enabled" + }, + "LoggingConfiguration": { + "DestinationBucketName": "LoggingBucket", + "LogFilePrefix": "loga/" + } + }, + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain" + }, + "WorkItemBucketBackupRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Principal": { + "Service": [ + "s3.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow" + } + ] + } + } + }, + "BucketBackupPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetReplicationConfiguration", + "s3:ListBucket" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "RecordServiceS3Bucket" + } + ] + ] + } + ] + }, + { + "Action": [ + "s3:GetObjectVersion", + "s3:GetObjectVersionAcl" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "RecordServiceS3Bucket" + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "s3:ReplicateObject", + "s3:ReplicateDelete" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "AWS::Region" + }, + { + "Ref": "AWS::StackName" + }, + "replicationbucket" + ] + ] + }, + "/*" + ] + ] + } + ] + } + ] + }, + "PolicyName": "BucketBackupPolicy", + "Roles": [ + { + "Ref": 
"WorkItemBucketBackupRole" + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/456b00a3-1072-4149-9740-6b8bb60251b0.md b/docs/queries/cloudformation-queries/aws/456b00a3-1072-4149-9740-6b8bb60251b0.md new file mode 100644 index 00000000000..2957c7c92ec --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/456b00a3-1072-4149-9740-6b8bb60251b0.md @@ -0,0 +1,188 @@ +--- +title: S3 Bucket Allows Restore Actions From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 456b00a3-1072-4149-9740-6b8bb60251b0 +- **Query name:** S3 Bucket Allows Restore Actions From All Principals +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_allows_restore_actions_from_all_principals) + +### Description +S3 Buckets must not allow Restore Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Restore, for all Principals.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7" +#this is a problematic code where the query should report a result(s) +Resources: + SampleBucketPolicy3: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: "RestoreObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + SampleBucketPolicy4: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - "RestoreObject" + - "GetObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="9 35" +{ + "Resources": { + "SampleBucketPolicy5": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "RestoreObject", + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + }, + "SampleBucketPolicy6": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "RestoreObject", + "GetObject" + ], + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + SampleBucketPolicy1: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - 's3:RestoreObject' + Effect: Deny + Resource: '*' + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "SampleBucketPolicy2": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:RestoreObject" + ], + "Effect": "Deny", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/48677914-6fdf-40ec-80c4-2b0e94079f54.md b/docs/queries/cloudformation-queries/aws/48677914-6fdf-40ec-80c4-2b0e94079f54.md new file mode 100644 index 00000000000..d674ae2447a --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/48677914-6fdf-40ec-80c4-2b0e94079f54.md @@ -0,0 +1,124 @@ +--- +title: IAM User Has Too Many Access Keys +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48677914-6fdf-40ec-80c4-2b0e94079f54 +- **Query name:** IAM User Has Too Many Access Keys +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_user_too_many_access_keys) + +### Description +Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 14" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + firstKey: + Type: AWS::IAM::AccessKey + Properties: + UserName: !Ref myuser + secondKey: + Type: AWS::IAM::AccessKey + Properties: + UserName: !Ref myuser +``` +```json title="Postitive test num. 2 - json file" hl_lines="20 5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "secondKey": { + "Type": "AWS::IAM::AccessKey", + "Properties": { + "UserName": "myuser" + } + }, + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "LoginProfile": { + "Password": "myP@ssW0rd" + }, + "Path": "/" + } + }, + "firstKey": { + "Type": "AWS::IAM::AccessKey", + "Properties": { + "UserName": "myuser" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + firstKey: + Type: AWS::IAM::AccessKey + Properties: + UserName: + Ref: myuser +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + } + } + }, + "firstKey": { + "Type": "AWS::IAM::AccessKey", + "Properties": { + "UserName": { + "Ref": "myuser" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template" +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/48af92a5-c89b-4936-bc62-1086fe2bab23.md b/docs/queries/cloudformation-queries/aws/48af92a5-c89b-4936-bc62-1086fe2bab23.md new file mode 100644 index 00000000000..069e904a9ae --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/48af92a5-c89b-4936-bc62-1086fe2bab23.md @@ -0,0 +1,930 @@ +--- +title: EMR Cluster Without Security Configuration +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48af92a5-c89b-4936-bc62-1086fe2bab23 +- **Query name:** EMR Cluster Without Security Configuration +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/emr_cluster_without_security_configuration) + +### Description +EMR Cluster should have security configuration defined.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticmapreduce-cluster.html#cfn-elasticmapreduce-cluster-securityconfiguration) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + CrossRealmTrustPrincipalPassword: + Type: String + KdcAdminPassword: + Type: String + Realm: + Type: String + InstanceType: + Type: String + ReleaseLabel: + Type: String + SubnetId: + Type: String +Resources: + cluster: + Type: 'AWS::EMR::Cluster' + Properties: + Instances: + MasterInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnMaster + CoreInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnCore + Ec2SubnetId: !Ref SubnetId + Name: CFNtest2 + JobFlowRole: !Ref emrEc2InstanceProfile + KerberosAttributes: + CrossRealmTrustPrincipalPassword: CfnIntegrationTest-1 + KdcAdminPassword: CfnIntegrationTest-1 + Realm: EC2.INTERNAL + ServiceRole: !Ref emrRole + ReleaseLabel: !Ref ReleaseLabel + SecurityConfiguration: !Ref securityConfiguration1 + VisibleToAllUsers: true + Tags: + - Key: key1 + Value: value1 + key: + Type: 'AWS::KMS::Key' + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !GetAtt + - emrEc2Role + - Arn + Action: 'kms:*' + Resource: '*' + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - '' + - - 'arn:aws:iam::' + - !Ref 'AWS::AccountId' + - ':root' + Action: 'kms:*' + Resource: '*' + securityConfiguration: + Type: 'AWS::EMR::SecurityConfiguration' + Properties: + SecurityConfiguration: + AuthenticationConfiguration: + KerberosConfiguration: + Provider: ClusterDedicatedKdc + ClusterDedicatedKdcConfiguration: + TicketLifetimeInHours: 24 + CrossRealmTrustConfiguration: + Realm: 
AD.DOMAIN.COM + Domain: ad.domain.com + AdminServer: ad.domain.com + KdcServer: ad.domain.com + emrRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: elasticmapreduce.amazonaws.com + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole' + emrEc2Role: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role' + emrEc2InstanceProfile: + Type: 'AWS::IAM::InstanceProfile' + Properties: + Path: / + Roles: + - !Ref emrEc2Role +Outputs: + keyArn: + Value: !GetAtt + - key + - Arn + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + CrossRealmTrustPrincipalPassword: + Type: String + KdcAdminPassword: + Type: String + Realm: + Type: String + InstanceType: + Type: String + ReleaseLabel: + Type: String + SubnetId: + Type: String +Resources: + cluster1: + Type: 'AWS::EMR::Cluster' + Properties: + Instances: + MasterInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnMaster + CoreInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnCore + Ec2SubnetId: !Ref SubnetId + Name: CFNtest2 + JobFlowRole: !Ref emrEc2InstanceProfile + KerberosAttributes: + CrossRealmTrustPrincipalPassword: CfnIntegrationTest-1 + KdcAdminPassword: CfnIntegrationTest-1 + Realm: EC2.INTERNAL + ServiceRole: !Ref emrRole + ReleaseLabel: !Ref ReleaseLabel + VisibleToAllUsers: true + Tags: + - Key: key1 + Value: value1 + key: + Type: 'AWS::KMS::Key' + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + 
Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !GetAtt + - emrEc2Role + - Arn + Action: 'kms:*' + Resource: '*' + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - '' + - - 'arn:aws:iam::' + - !Ref 'AWS::AccountId' + - ':root' + Action: 'kms:*' + Resource: '*' + emrRole1: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: elasticmapreduce.amazonaws.com + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole' + emrEc2Role1: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role' + emrEc2InstanceProfile1: + Type: 'AWS::IAM::InstanceProfile' + Properties: + Path: / + Roles: + - !Ref emrEc2Role +Outputs: + keyArn: + Value: !GetAtt + - key + - Arn + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="43" +{ + "Outputs": { + "keyArn": { + "Value": [ + "key", + "Arn" + ] + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Parameters": { + "Realm": { + "Type": "String" + }, + "InstanceType": { + "Type": "String" + }, + "ReleaseLabel": { + "Type": "String" + }, + "SubnetId": { + "Type": "String" + }, + "CrossRealmTrustPrincipalPassword": { + "Type": "String" + }, + "KdcAdminPassword": { + "Type": "String" + } + }, + "Resources": { + "emrEc2InstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/", + "Roles": [ + "emrEc2Role" + ] + } + }, + "cluster": { + "Type": "AWS::EMR::Cluster", + "Properties": { + "ReleaseLabel": "ReleaseLabel", + "SecurityConfiguration": "securityConfiguration1", + "VisibleToAllUsers": true, + "Tags": [ + { + "Value": "value1", + "Key": "key1" + } + ], + "Instances": { + "MasterInstanceGroup": { + "Market": "ON_DEMAND", + "Name": "cfnMaster", + "InstanceCount": 1, + "InstanceType": "InstanceType" + }, + "CoreInstanceGroup": { + "InstanceCount": 1, + "InstanceType": "InstanceType", + "Market": "ON_DEMAND", + "Name": "cfnCore" + }, + "Ec2SubnetId": "SubnetId" + }, + "Name": "CFNtest2", + "JobFlowRole": "emrEc2InstanceProfile", + "KerberosAttributes": { + "CrossRealmTrustPrincipalPassword": "CfnIntegrationTest-1", + "KdcAdminPassword": "CfnIntegrationTest-1", + "Realm": "EC2.INTERNAL" + }, + "ServiceRole": "emrRole" + } + }, + "key": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "emrEc2Role", + "Arn" + ] + }, + "Action": "kms:*" + }, + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions" + } + ] + } + } + }, + 
"securityConfiguration": { + "Type": "AWS::EMR::SecurityConfiguration", + "Properties": { + "SecurityConfiguration": { + "AuthenticationConfiguration": { + "KerberosConfiguration": { + "ClusterDedicatedKdcConfiguration": { + "TicketLifetimeInHours": 24, + "CrossRealmTrustConfiguration": { + "Realm": "AD.DOMAIN.COM", + "Domain": "ad.domain.com", + "AdminServer": "ad.domain.com", + "KdcServer": "ad.domain.com" + } + }, + "Provider": "ClusterDedicatedKdc" + } + } + } + } + }, + "emrRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "elasticmapreduce.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Sid": "" + } + ] + }, + "Path": "/", + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole" + ] + } + }, + "emrEc2Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }, + "Path": "/", + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role" + ] + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="5" +{ + "Resources": { + "cluster1": { + "Type": "AWS::EMR::Cluster", + "Properties": { + "Tags": [ + { + "Key": "key1", + "Value": "value1" + } + ], + "Instances": { + "MasterInstanceGroup": { + "InstanceCount": 1, + "InstanceType": "InstanceType", + "Market": "ON_DEMAND", + "Name": "cfnMaster" + }, + "CoreInstanceGroup": { + "InstanceCount": 1, + "InstanceType": "InstanceType", + "Market": "ON_DEMAND", + "Name": "cfnCore" + }, + "Ec2SubnetId": "SubnetId" + }, + "Name": "CFNtest2", + "JobFlowRole": "emrEc2InstanceProfile", + "KerberosAttributes": { + "CrossRealmTrustPrincipalPassword": "CfnIntegrationTest-1", + "KdcAdminPassword": "CfnIntegrationTest-1", + "Realm": "EC2.INTERNAL" + }, + "ServiceRole": "emrRole", + "ReleaseLabel": "ReleaseLabel", + "VisibleToAllUsers": true + } + }, + "key": { + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "emrEc2Role", + "Arn" + ] + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions" + } + ], + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1" + } + }, + "Type": "AWS::KMS::Key" + }, + "emrRole1": { + "Type": "AWS::IAM::Role", + "Properties": { + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "elasticmapreduce.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }, + "Path": "/" + } + }, + "emrEc2Role1": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Principal": { + "Service": 
"ec2.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Sid": "", + "Effect": "Allow" + } + ] + }, + "Path": "/", + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role" + ] + } + }, + "emrEc2InstanceProfile1": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/", + "Roles": [ + "emrEc2Role" + ] + } + } + }, + "Outputs": { + "keyArn": { + "Value": [ + "key", + "Arn" + ] + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Parameters": { + "SubnetId": { + "Type": "String" + }, + "CrossRealmTrustPrincipalPassword": { + "Type": "String" + }, + "KdcAdminPassword": { + "Type": "String" + }, + "Realm": { + "Type": "String" + }, + "InstanceType": { + "Type": "String" + }, + "ReleaseLabel": { + "Type": "String" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + CrossRealmTrustPrincipalPassword: + Type: String + KdcAdminPassword: + Type: String + Realm: + Type: String + InstanceType: + Type: String + ReleaseLabel: + Type: String + SubnetId: + Type: String +Resources: + cluster: + Type: 'AWS::EMR::Cluster' + Properties: + Instances: + MasterInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnMaster + CoreInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnCore + Ec2SubnetId: !Ref SubnetId + Name: CFNtest2 + JobFlowRole: !Ref emrEc2InstanceProfile + KerberosAttributes: + CrossRealmTrustPrincipalPassword: CfnIntegrationTest-1 + KdcAdminPassword: CfnIntegrationTest-1 + Realm: EC2.INTERNAL + ServiceRole: !Ref emrRole + ReleaseLabel: !Ref ReleaseLabel + SecurityConfiguration: !Ref securityConfiguration + VisibleToAllUsers: true + Tags: + - Key: key1 + Value: value1 + key: + Type: 'AWS::KMS::Key' + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !GetAtt + - emrEc2Role + - Arn + Action: 'kms:*' + Resource: '*' + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - '' + - - 'arn:aws:iam::' + - !Ref 'AWS::AccountId' + - ':root' + Action: 'kms:*' + Resource: '*' + securityConfiguration: + Type: 'AWS::EMR::SecurityConfiguration' + Properties: + SecurityConfiguration: + AuthenticationConfiguration: + KerberosConfiguration: + Provider: ClusterDedicatedKdc + ClusterDedicatedKdcConfiguration: + TicketLifetimeInHours: 24 + CrossRealmTrustConfiguration: + Realm: AD.DOMAIN.COM + Domain: ad.domain.com + AdminServer: ad.domain.com + KdcServer: ad.domain.com + emrRole: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + 
Statement: + - Sid: '' + Effect: Allow + Principal: + Service: elasticmapreduce.amazonaws.com + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole' + emrEc2Role: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role' + emrEc2InstanceProfile: + Type: 'AWS::IAM::InstanceProfile' + Properties: + Path: / + Roles: + - !Ref emrEc2Role +Outputs: + keyArn: + Value: !GetAtt + - key + - Arn + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Parameters": { + "CrossRealmTrustPrincipalPassword": { + "Type": "String" + }, + "KdcAdminPassword": { + "Type": "String" + }, + "Realm": { + "Type": "String" + }, + "InstanceType": { + "Type": "String" + }, + "ReleaseLabel": { + "Type": "String" + }, + "SubnetId": { + "Type": "String" + } + }, + "Resources": { + "emrEc2Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }, + "Path": "/", + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role" + ] + } + }, + "emrEc2InstanceProfile": { + "Properties": { + "Path": "/", + "Roles": [ + "emrEc2Role" + ] + }, + "Type": "AWS::IAM::InstanceProfile" + }, + "cluster": { + "Type": "AWS::EMR::Cluster", + "Properties": { + "Name": "CFNtest2", + "JobFlowRole": "emrEc2InstanceProfile", + "ServiceRole": "emrRole", + "SecurityConfiguration": "securityConfiguration", + "Tags": [ + { + "Key": "key1", + "Value": "value1" + } + ], + "Instances": { + 
"MasterInstanceGroup": { + "InstanceCount": 1, + "InstanceType": "InstanceType", + "Market": "ON_DEMAND", + "Name": "cfnMaster" + }, + "CoreInstanceGroup": { + "InstanceCount": 1, + "InstanceType": "InstanceType", + "Market": "ON_DEMAND", + "Name": "cfnCore" + }, + "Ec2SubnetId": "SubnetId" + }, + "KerberosAttributes": { + "CrossRealmTrustPrincipalPassword": "CfnIntegrationTest-1", + "KdcAdminPassword": "CfnIntegrationTest-1", + "Realm": "EC2.INTERNAL" + }, + "ReleaseLabel": "ReleaseLabel", + "VisibleToAllUsers": true + } + }, + "key": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Principal": { + "AWS": [ + "emrEc2Role", + "Arn" + ] + }, + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow" + }, + { + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + } + } + ] + } + } + }, + "securityConfiguration": { + "Type": "AWS::EMR::SecurityConfiguration", + "Properties": { + "SecurityConfiguration": { + "AuthenticationConfiguration": { + "KerberosConfiguration": { + "Provider": "ClusterDedicatedKdc", + "ClusterDedicatedKdcConfiguration": { + "TicketLifetimeInHours": 24, + "CrossRealmTrustConfiguration": { + "Realm": "AD.DOMAIN.COM", + "Domain": "ad.domain.com", + "AdminServer": "ad.domain.com", + "KdcServer": "ad.domain.com" + } + } + } + } + } + } + }, + "emrRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "Path": "/", + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole" + ], + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "elasticmapreduce.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + } + } + } + }, + "Outputs": { + 
"keyArn": { + "Value": [ + "key", + "Arn" + ] + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/48c3bc58-6959-4f27-b647-4fedeace23be.md b/docs/queries/cloudformation-queries/aws/48c3bc58-6959-4f27-b647-4fedeace23be.md new file mode 100644 index 00000000000..084b86b0fe5 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/48c3bc58-6959-4f27-b647-4fedeace23be.md @@ -0,0 +1,155 @@ +--- +title: User Data Shell Script Is Encoded +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48c3bc58-6959-4f27-b647-4fedeace23be +- **Query name:** User Data Shell Script Is Encoded +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/user_data_shell_script_is_encoded) + +### Description +User Data Shell Script must be encoded
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-launchtemplatedata.html#cfn-ec2-launchtemplate-launchtemplatedata-userdata) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19" +Resources: + myLaunchConfig: + Type: AWS::AutoScaling::LaunchConfiguration + Properties: + ImageId: !Ref LatestAmiId + SecurityGroups: + - Ref: "myEC2SecurityGroup" + InstanceType: + Ref: "InstanceType" + BlockDeviceMappings: + - DeviceName: /dev/sda1 + Ebs: + VolumeSize: 30 + VolumeType: "gp2" + - DeviceName: /dev/sdm + Ebs: + VolumeSize: 100 + DeleteOnTermination: "false" + UserData: IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg== + +``` +```json title="Postitive test num. 2 - json file" hl_lines="33" +{ + "Resources": { + "myLaunchConfig": { + "Type": "AWS::AutoScaling::LaunchConfiguration", + "Properties": { + "ImageId": { + "Ref": "LatestAmiId" + }, + "SecurityGroups": [ + { + "Ref": "myEC2SecurityGroup" + } + ], + "InstanceType": { + "Ref": "InstanceType" + }, + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sda1", + "Ebs": { + "VolumeSize": "30", + "VolumeType": "gp2" + } + }, + { + "DeviceName": "/dev/sdm", + "Ebs": { + "VolumeSize": "100", + "DeleteOnTermination": "false" + } + } + ], + "UserData": "IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg==" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + myLaunchConfig: + Type: AWS::AutoScaling::LaunchConfiguration + Properties: + ImageId: !Ref LatestAmiId + SecurityGroups: + - Ref: "myEC2SecurityGroup" + InstanceType: + Ref: "InstanceType" + BlockDeviceMappings: + - DeviceName: /dev/sda1 + Ebs: + VolumeSize: 30 + VolumeType: "gp2" + - DeviceName: /dev/sdm + Ebs: + VolumeSize: 100 + DeleteOnTermination: "false" + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "myLaunchConfig": { + "Type": "AWS::AutoScaling::LaunchConfiguration", + "Properties": { + "ImageId": { + "Ref": "LatestAmiId" + }, + "SecurityGroups": [ + { + "Ref": "myEC2SecurityGroup" + } + ], + "InstanceType": { + "Ref": "InstanceType" + }, + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sda1", + "Ebs": { + "VolumeSize": "30", + "VolumeType": "gp2" + } + }, + { + "DeviceName": "/dev/sdm", + "Ebs": { + "VolumeSize": "100", + "DeleteOnTermination": "false" + } + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/48f100d9-f499-4c6d-b2b8-deafe47ffb26.md b/docs/queries/cloudformation-queries/aws/48f100d9-f499-4c6d-b2b8-deafe47ffb26.md new file mode 100644 index 00000000000..f1af819d85d --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/48f100d9-f499-4c6d-b2b8-deafe47ffb26.md @@ -0,0 +1,108 @@ +--- +title: S3 Bucket Allows Public ACL +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48f100d9-f499-4c6d-b2b8-deafe47ffb26 +- **Query name:** S3 Bucket Allows Public ACL +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_allows_public_acl) + +### Description +S3 bucket allows public ACL
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 4 20" +Resources: + Bucket11: + Type: AWS::S3::Bucket + Properties: +--- +Resources: + Bucket12: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicPolicy : true + IgnorePublicAcls : true + RestrictPublicBuckets : true +--- +Resources: + Bucket13: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: false + BlockPublicPolicy : true + IgnorePublicAcls : true + RestrictPublicBuckets : true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "Resources": { + "Bucket1": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": false, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "AccessControl": "Private" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + Bucket1: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls : true + BlockPublicPolicy : true + IgnorePublicAcls : true + RestrictPublicBuckets : true +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Bucket1": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "AccessControl": "Private" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/493d9591-6249-47bf-8dc0-5c10161cc558.md b/docs/queries/cloudformation-queries/aws/493d9591-6249-47bf-8dc0-5c10161cc558.md new file mode 100644 index 00000000000..e4f5e0a4125 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/493d9591-6249-47bf-8dc0-5c10161cc558.md @@ -0,0 +1,166 @@ +--- +title: Security Groups Without VPC Attached +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 493d9591-6249-47bf-8dc0-5c10161cc558 +- **Query name:** Security Groups Without VPC Attached +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_groups_without_vpc_attached) + +### Description +Security Groups must have a VPC.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +Parameters: + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance + Type: 'AWS::EC2::KeyPair::KeyName' +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + - MyExistingSecurityGroup + KeyName: !Ref KeyName + ImageId: ami-7a11e213 + InstanceSecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupName: My Group Name + GroupDescription: Enable SSH access via port 22 + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 +``` +```json title="Postitive test num. 2 - json file" hl_lines="22" +{ + "Parameters": { + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName" + } + }, + "Resources": { + "Ec2Instance": { + "Properties": { + "SecurityGroups": [ + "InstanceSecurityGroup", + "MyExistingSecurityGroup" + ], + "KeyName": "KeyName", + "ImageId": "ami-7a11e213" + }, + "Type": "AWS::EC2::Instance" + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupName": "My Group Name", + "GroupDescription": "Enable SSH access via port 22", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": "22", + "ToPort": "22", + "CidrIp": "0.0.0.0/0" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Parameters: + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance + Type: 'AWS::EC2::KeyPair::KeyName' +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + - MyExistingSecurityGroup + KeyName: !Ref KeyName + ImageId: ami-7a11e213 + InstanceSecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupName: My Group Name + GroupDescription: Enable SSH access via port 22 + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "SecurityGroups": [ + "InstanceSecurityGroup", + "MyExistingSecurityGroup" + ], + "KeyName": "KeyName", + "ImageId": "ami-7a11e213" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": "22", + "ToPort": "22", + "CidrIp": "0.0.0.0/0" + } + ], + "GroupName": "My Group Name", + "GroupDescription": "Enable SSH access via port 22", + "VpcId": { + "Ref": "myVPC" + } + } + } + }, + "Parameters": { + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md b/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md new file mode 100644 index 00000000000..c30d583b773 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md 
@@ -0,0 +1,468 @@ +--- +title: EC2 Sensitive Port Is Publicly Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 494b03d3-bf40-4464-8524-7c56ad0700ed +- **Query name:** EC2 Sensitive Port Is Publicly Exposed +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_sensitive_port_is_publicly_exposed) + +### Description +The EC2 instance has a sensitive port connection exposed to the entire network
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +Resources: + UnsafeSecGroup01: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http and redis + VpcId: my-vpc + SecurityGroupIngress: + - FromPort: 8080 + ToPort: 8080 + CidrIp: 127.0.0.1/32 + IpProtocol: tcp + - IpProtocol: tcp + FromPort: 6379 + ToPort: 6379 + CidrIp: 10.0.0.1/0 + SecurityGroupEgress: + - FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + IpProtocol: tcp + EC2Instance01: + Type: AWS::EC2::Instance + Properties: + ImageId: ami-79fd7eee + InstanceType: t3.medium + SecurityGroups: + - UnsafeSecGroup01 + KeyName: my-new-rsa-key + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +Resources: + UnsafeSecGroup02: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http and mysql + VpcId: my-vpc + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 127.0.0.1/32 + - ToPort: 1434 + CidrIp: 10.0.0.1/0 + IpProtocol: tcp + FromPort: 1433 + - IpProtocol: tcp + FromPort: 150 + ToPort: 180 + CidrIp: 10.0.0.1/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + EC2Instance02: + Type: AWS::EC2::Instance + Properties: + InstanceType: t3.medium + SecurityGroups: + - UnsafeSecGroup02 + KeyName: my-new-rsa-key + ImageId: ami-79fd7eee + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="13" +AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +Resources: + UnsafeSecGroup03: + Type: AWS::EC2::SecurityGroup + Properties: + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + GroupDescription: Allow http and hadoop + VpcId: my-vpc + SecurityGroupIngress: + - ToPort: 80 + CidrIp: 0.0.0.0/0 + IpProtocol: tcp + FromPort: 80 + - ToPort: 9000 + CidrIp: 10.0.0.1/0 + IpProtocol: tcp + FromPort: 9000 + EC2Instance03: + Type: AWS::EC2::Instance + Properties: + SecurityGroups: + - UnsafeSecGroup03 + KeyName: my-new-rsa-key + ImageId: ami-79fd7eee + InstanceType: t3.medium + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="13" +AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +Resources: + UnsafeSecGroup04: + Type: AWS::EC2::SecurityGroup + Properties: + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + GroupDescription: Allow LDAP and SNMP + VpcId: my-vpc + SecurityGroupIngress: + - ToPort: 389 + FromPort: 389 + IpProtocol: all + CidrIp: 10.0.0.0/0 + - ToPort: 150 + FromPort: 180 + IpProtocol: udp + CidrIp: 10.0.0.1/0 + - ToPort: 53 + FromPort: 53 + IpProtocol: "-1" + CidrIp: 10.0.0.1/0 + EC2Instance03: + Type: AWS::EC2::Instance + Properties: + SecurityGroups: + - UnsafeSecGroup04 + KeyName: my-new-rsa-key + ImageId: ami-79fd7eee + InstanceType: t3.medium + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="17" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "UnsafeSecGroup01": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupEgress": [ + { + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ], + "GroupDescription": "Allow http and redis", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "FromPort": 8080, + "ToPort": 8080, + "CidrIp": "127.0.0.1/32", + "IpProtocol": "tcp" + }, + { + "IpProtocol": "tcp", + "FromPort": 6379, + "ToPort": 6379, + "CidrIp": "10.0.0.1/0" + } + ] + } + }, + "EC2Instance01": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-79fd7eee", + "InstanceType": "t3.medium", + "SecurityGroups": [ + "UnsafeSecGroup01" + ], + "KeyName": "my-new-rsa-key" + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="9" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "UnsafeSecGroup02": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http and mysql", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "127.0.0.1/32" + }, + { + "CidrIp": "10.0.0.1/0", + "IpProtocol": "tcp", + "FromPort": 1433, + "ToPort": 1434 + }, + { + "IpProtocol": "tcp", + "FromPort": 150, + "ToPort": 180, + "CidrIp": "10.0.0.1/0" + } + ], + "SecurityGroupEgress": [ + { + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ] + } + }, + "EC2Instance02": { + "Type": "AWS::EC2::Instance", + "Properties": { + "SecurityGroups": [ + "UnsafeSecGroup02" + ], + "KeyName": "my-new-rsa-key", + "ImageId": "ami-79fd7eee", + "InstanceType": "t3.medium" + } + } + } +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="16" +{ + "Resources": { + "UnsafeSecGroup03": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + } + ], + "GroupDescription": "Allow http and hadoop", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + }, + { + "ToPort": 9000, + "CidrIp": "10.0.0.1/0", + "IpProtocol": "tcp", + "FromPort": 9000 + } + ] + } + }, + "EC2Instance03": { + "Type": "AWS::EC2::Instance", + "Properties": { + "SecurityGroups": [ + "UnsafeSecGroup03" + ], + "KeyName": "my-new-rsa-key", + "ImageId": "ami-79fd7eee", + "InstanceType": "t3.medium" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="16" +{ + "Resources": { + "UnsafeSecGroup04": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + } + ], + "GroupDescription": "Allow LDAP and SNMP", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "CidrIp": "10.0.0.0/0", + "ToPort": 389, + "FromPort": 389, + "IpProtocol": "all" + }, + { + "FromPort": 180, + "IpProtocol": "udp", + "CidrIp": "10.0.0.1/0", + "ToPort": 150 + }, + { + "IpProtocol": "-1", + "CidrIp": "10.0.0.1/0", + "ToPort": 53, + "FromPort": 53 + } + ] + } + }, + "EC2Instance03": { + "Type": "AWS::EC2::Instance", + "Properties": { + "SecurityGroups": [ + "UnsafeSecGroup04" + ], + "KeyName": "my-new-rsa-key", + "ImageId": "ami-79fd7eee", + "InstanceType": "t3.medium" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +Resources: + SafeSecGroup: + Type: AWS::EC2::SecurityGroup + Properties: + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 127.0.0.1/32 + GroupDescription: Allow http and ssh + VpcId: my-vpc + SecurityGroupIngress: + - FromPort: 80 + ToPort: 80 + CidrIp: 127.0.0.1/32 + IpProtocol: tcp + - ToPort: 77 + CidrIp: 127.0.0.1/32 + IpProtocol: all + FromPort: 77 + MyNegativeEC2Instance: + Type: AWS::EC2::Instance + Properties: + SecurityGroups: + - SafeSecGroup + KeyName: my-new-rsa-key + ImageId: ami-79fd7eee + InstanceType: t3.medium + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "SafeSecGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http and ssh", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "FromPort": 80, + "ToPort": 80, + "CidrIp": "127.0.0.1/32", + "IpProtocol": "tcp" + }, + { + "ToPort": 77, + "CidrIp": "127.0.0.1/32", + "IpProtocol": "all", + "FromPort": 77 + } + ], + "SecurityGroupEgress": [ + { + "FromPort": 22, + "ToPort": 22, + "CidrIp": "127.0.0.1/32", + "IpProtocol": "tcp" + } + ] + } + }, + "MyNegativeEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "SecurityGroups": [ + "SafeSecGroup" + ], + "KeyName": "my-new-rsa-key", + "ImageId": "ami-79fd7eee", + "InstanceType": "t3.medium" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md b/docs/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md new file mode 100644 index 00000000000..ade70a8b9ab --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14.md 
@@ -0,0 +1,295 @@ +--- +title: Unrestricted Security Group Ingress +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4a1e6b34-1008-4e61-a5f2-1f7c276f8d14 +- **Query name:** Unrestricted Security Group Ingress +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/unrestricted_security_group_ingress) + +### Description +AWS Security Group Ingress CIDR should not be open to the world
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 43" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + CidrIp: 0.0.0.0/0 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + CidrIpv6: ::/0 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Postitive test num. 
2 - json file" hl_lines="53 30" +{ + "Resources": { + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "CidrIp": "0.0.0.0/0", + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + } + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "::/0", + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "ToPort": 80, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80 + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "GroupDescription": "Allow http to client host" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 192.0.2.0/24 + SecurityGroupEgress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 192.0.2.0/24 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 0 + CidrIp: 192.0.2.0/24 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 0 + CidrIpv6: 2001:0DB8:1234::/48 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "192.0.2.0/24" + } + ], + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "192.0.2.0/24" + } + ] + } + }, + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 0, + "CidrIp": "192.0.2.0/24", + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + } + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + 
"Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 0, + "CidrIpv6": "2001:0DB8:1234::/48", + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/4a8daf95-709d-4a36-9132-d3e19878fa34.md b/docs/queries/cloudformation-queries/aws/4a8daf95-709d-4a36-9132-d3e19878fa34.md new file mode 100644 index 00000000000..b92c1e41a31 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4a8daf95-709d-4a36-9132-d3e19878fa34.md @@ -0,0 +1,103 @@ +--- +title: API Gateway Endpoint Config is Not Private +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4a8daf95-709d-4a36-9132-d3e19878fa34 +- **Query name:** API Gateway Endpoint Config is Not Private +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_endpoint_config_is_not_private) + +### Description +The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-restapi-endpointconfiguration.html#cfn-apigateway-restapi-endpointconfiguration-types) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 5" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyRestApi: + Type: AWS::ApiGateway::RestApi + Properties: + Name: myRestApi + MyRestApi2: + Type: AWS::ApiGateway::RestApi + Properties: + EndpointConfiguration: + Types: + - EDGE + Name: myRestApi2 +``` +```json title="Postitive test num. 2 - json file" hl_lines="6 14" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyRestApi": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "Name": "myRestApi" + } + }, + "MyRestApi2": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "EndpointConfiguration": { + "Types": [ + "EDGE" + ] + }, + "Name": "myRestApi2" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyRestApi: + Type: AWS::ApiGateway::RestApi + Properties: + EndpointConfiguration: + Types: + - PRIVATE + Name: myRestApi +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyRestApi": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Name": "myRestApi" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md b/docs/queries/cloudformation-queries/aws/4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md new file mode 100644 index 00000000000..de84cf04654 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4a8fc9a2-2b2f-4b3f-aa8d-401425872034.md 
@@ -0,0 +1,253 @@ +--- +title: SQS Queue Policy Allows NotPrincipal +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4a8fc9a2-2b2f-4b3f-aa8d-401425872034 +- **Query name:** SQS Queue Policy Allows NotPrincipal +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_principal) + +### Description +Checks if an SQS Queue policy has an Allow and a NotPrincipal. AWS strongly recommends against using `NotPrincipal` in the same policy statement as `"Effect": "Allow"`.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +Resources: + SampleSQSPolicy: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + PolicyDocument: + Statement: + - + Action: + - "SQS:SendMessage" + - "SQS:ReceiveMessage" + Effect: "Allow" + Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" + NotPrincipal: + AWS: + - "111122223333" + - "*" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +Resources: + SampleSQSPolicy2: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + PolicyDocument: + Statement: + - + Action: + - "SQS:SendMessage" + - "SQS:CreateQueue" + Effect: "Allow" + Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" + NotPrincipal: + AWS: + - "111122223333" + +``` +```json title="Postitive test num. 3 - json file" hl_lines="9" +{ + "Resources": { + "SampleSQSPolicy": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "Queues": [ + "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + ], + "PolicyDocument": { + "Statement": [ + { + "NotPrincipal": { + "AWS": [ + "111122223333", + "*" + ] + }, + "Action": [ + "SQS:SendMessage", + "SQS:ReceiveMessage" + ], + "Effect": "Allow", + "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2" + } + ] + } + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="9" +{ + "Resources": { + "SampleSQSPolicy2": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "Queues": [ + "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + ], + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "SQS:SendMessage", + "SQS:CreateQueue" + ], + "Effect": "Allow", + "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2", + "NotPrincipal": { + "AWS": [ + "111122223333" + ] + } + } + ] + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + SampleSQSPolicy: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + PolicyDocument: + Statement: + - + Action: + - "SQS:SendMessage" + - "SQS:ReceiveMessage" + Effect: "Deny" + Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" + NotPrincipal: + AWS: + - "111122223333" + - "*" + +``` +```yaml title="Negative test num. 2 - yaml file" + +Resources: + SampleSQSPolicy2: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + PolicyDocument: + Statement: + - + Action: + - "SQS:SendMessage" + - "SQS:CreateQueue" + Effect: "Allow" + Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" + Principal: + AWS: + - "111122223333" + +``` +```json title="Negative test num. 3 - json file" +{ + "Resources": { + "SampleSQSPolicy": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "Queues": [ + "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + ], + "PolicyDocument": { + "Statement": [ + { + "NotPrincipal": { + "AWS": [ + "111122223333", + "*" + ] + }, + "Action": [ + "SQS:SendMessage", + "SQS:ReceiveMessage" + ], + "Effect": "Deny", + "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2" + } + ] + } + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "SampleSQSPolicy2": { + "Properties": { + "Queues": [ + "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + ], + "PolicyDocument": { + "Statement": [ + { + "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2", + "Principal": { + "AWS": [ + "111122223333" + ] + }, + "Action": [ + "SQS:SendMessage", + "SQS:CreateQueue" + ], + "Effect": "Allow" + } + ] + } + }, + "Type": "AWS::SQS::QueuePolicy" + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/4ab10c48-bedb-4deb-8f3b-ff12783b61de.md b/docs/queries/cloudformation-queries/aws/4ab10c48-bedb-4deb-8f3b-ff12783b61de.md new file mode 100644 index 00000000000..1d47d85f185 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4ab10c48-bedb-4deb-8f3b-ff12783b61de.md @@ -0,0 +1,289 @@ +--- +title: API Gateway X-Ray Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4ab10c48-bedb-4deb-8f3b-ff12783b61de +- **Query name:** API Gateway X-Ray Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_xray_disabled) + +### Description +API Gateway should have X-Ray Tracing enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-tracingenabled) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +AWSTemplateFormatVersion: "2010-09-09" +Description: "BatchJobDefinition" +Resources: + ProdPos3: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + TracingEnabled: false + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: "BatchJobDefinition" +Resources: + ProdPos4: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="23" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "ProdPos1": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "RestApiId": { + "Ref": "MyRestApi" + }, + "DeploymentId": { + "Ref": "TestDeployment" + }, + "DocumentationVersion": { + "Ref": "MyDocumentationVersion" + }, + "ClientCertificateId": { + "Ref": "ClientCertificate" + }, + "Variables": { + "Stack": "Prod" + }, + "TracingEnabled": "false", + "MethodSettings": [ + { + "ResourcePath": "/", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555" + } + ] + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "ProdPos2": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "RestApiId": { + "Ref": "MyRestApi" + }, + "DeploymentId": { + "Ref": "TestDeployment" + }, + "DocumentationVersion": { + "Ref": "MyDocumentationVersion" + }, + "ClientCertificateId": { + "Ref": "ClientCertificate" + }, + "Variables": { + "Stack": "Prod" + }, + "MethodSettings": [ + { + "ResourcePath": "/", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555" + } + ] + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "BatchJobDefinition" +Resources: + ProdNeg1: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + TracingEnabled: true + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "ProdNeg2": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "RestApiId": { + "Ref": "MyRestApi" + }, + "DeploymentId": { + "Ref": "TestDeployment" + }, + "DocumentationVersion": { + "Ref": "MyDocumentationVersion" + }, + "ClientCertificateId": { + "Ref": "ClientCertificate" + }, + "Variables": { + "Stack": "Prod" + }, + "TracingEnabled": "true", + "MethodSettings": [ + { + "ResourcePath": "/", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555" + } + ] + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/4ae8af91-5108-42cb-9471-3bdbe596eac9.md b/docs/queries/cloudformation-queries/aws/4ae8af91-5108-42cb-9471-3bdbe596eac9.md new file mode 100644 index 00000000000..b376d57ccae --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4ae8af91-5108-42cb-9471-3bdbe596eac9.md @@ -0,0 +1,142 @@ +--- +title: S3 Bucket With All Permissions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4ae8af91-5108-42cb-9471-3bdbe596eac9 +- **Query name:** S3 Bucket With All Permissions +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_with_all_permissions) + +### Description +S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +#this is a problematic code where the query should report a result(s) +Resources: + SampleBucketPolicy3: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: "*" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9" +{ + "Resources": { + "SampleBucketPolicy4": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "*", + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + SampleBucketPolicy1: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Deny + Resource: '*' + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "SampleBucketPolicy2": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject" + ], + "Effect": "Deny", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md b/docs/queries/cloudformation-queries/aws/4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md new file mode 100644 index 00000000000..6fd701ca3ab --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4ba74f01-aba5-4be2-83bc-be79ff1a3b92.md @@ -0,0 +1,166 @@ +--- +title: Serverless Function Without Unique IAM Role +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4ba74f01-aba5-4be2-83bc-be79ff1a3b92 +- **Query name:** Serverless Function Without Unique IAM Role +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_function_without_unique_iam_role) + +### Description +AWS Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks
+[Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-role) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="34 19" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + Function1: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + Role: arn:aws:iam::123456789012:role/lambda-role + Function2: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + Role: arn:aws:iam::123456789012:role/lambda-role + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="34 19" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + Function1: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + Role: !Ref Role + Function2: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + Role: !Ref Role + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + Function3: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + Role: arn:aws:iam::123456789012:role/lambda-role + +``` +```yaml title="Negative test num. 
2 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + Function1: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + Role: !Ref Role2 + Function2: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + Role: !Ref Role4 + +``` diff --git a/docs/queries/cloudformation-queries/aws/4c137350-7307-4803-8c04-17c09a7a9fcf.md b/docs/queries/cloudformation-queries/aws/4c137350-7307-4803-8c04-17c09a7a9fcf.md new file mode 100644 index 00000000000..216ecce69e4 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4c137350-7307-4803-8c04-17c09a7a9fcf.md @@ -0,0 +1,79 @@ +--- +title: Root Account Has Active Access Keys +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4c137350-7307-4803-8c04-17c09a7a9fcf +- **Query name:** Root Account Has Active Access Keys +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/root_account_has_active_access_keys) + +### Description +The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-accesskey.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + CFNKeys: + Type: AWS::IAM::AccessKey + Properties: + UserName: Root + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "CFNKeys": { + "Type": "AWS::IAM::AccessKey", + "Properties": { + "UserName": "Root" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + CFNKeys: + Type: AWS::IAM::AccessKey + Properties: + UserName: MyUser + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "CFNKeys": { + "Type": "AWS::IAM::AccessKey", + "Properties": { + "UserName": "MyUser" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/4d32780f-43a4-424a-a06d-943c543576a5.md b/docs/queries/cloudformation-queries/aws/4d32780f-43a4-424a-a06d-943c543576a5.md new file mode 100644 index 00000000000..b1343120ed5 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4d32780f-43a4-424a-a06d-943c543576a5.md @@ -0,0 +1,135 @@ +--- +title: IoT Policy Allows Action as Wildcard +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d32780f-43a4-424a-a06d-943c543576a5 +- **Query name:** IoT Policy Allows Action as Wildcard +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iot_policy_allows_action_as_wildcard) + +### Description +IoT Policy should not allow Action to be set as *
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-policy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + IoTPolicy: + Type: AWS::IoT::Policy + Properties: + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: "*" + Resource: + - arn:aws:iot:us-east-1:123456789012:client/client + - Effect: Deny + Action: + - sqs:* + NotResource: my-hardcoded-arn + PolicyName: PolicyName + +``` +```json title="Postitive test num. 2 - json file" hl_lines="6" +{ + "Resources": { + "IoTPolicy": { + "Type": "AWS::IoT::Policy", + "Properties": { + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": [ + "arn:aws:iot:us-east-1:123456789012:client/client" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": "my-hardcoded-arn" + } + ] + }, + "PolicyName": "PolicyName" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + IoTPolicy: + Type: AWS::IoT::Policy + Properties: + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - iot:Connect + Resource: + - arn:aws:iot:us-east-1:123456789012:client/client1 + PolicyName: PolicyName + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "IoTPolicy": { + "Type": "AWS::IoT::Policy", + "Properties": { + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iot:Connect" + ], + "Resource": [ + "arn:aws:iot:us-east-1:123456789012:client/client1" + ] + } + ] + }, + "PolicyName": "PolicyName" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md b/docs/queries/cloudformation-queries/aws/4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md new file mode 100644 index 00000000000..059092851e8 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4e67c0ae-38a0-47f4-a50c-f0c9b75826df.md @@ -0,0 +1,194 @@ +--- +title: BOM - AWS DynamoDB +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4e67c0ae-38a0-47f4-a50c-f0c9b75826df +- **Query name:** BOM - AWS DynamoDB +- **Platform:** CloudFormation +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/dynamo) + +### Description +A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="27" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + DynamoDBEndpoint: + Type: "AWS::EC2::VPCEndpoint" + Properties: + RouteTableIds: + - !Ref PublicRouteTable + - !Ref Private0RouteTable + - !Ref Private1RouteTable + - !Ref Private2RouteTable + ServiceName: + !Sub "com.amazonaws.${AWS::Region}.dynamodb" + VpcId: !Ref VPC + PolicyDocument: { + "Id": "Policy", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement", + "Action": "dynamodb:*", + "Effect": "Allow", + "Resource": "arn:aws:dynamodb:ap-southeast-2:123412341234:table/test", + "Principal": "*" + } + ] + } + DynamoDBOnDemandTable2: + Type: "AWS::DynamoDB::Table" + Properties: + TableName: test + AttributeDefinitions: + - AttributeName: pk + AttributeType: S + KeySchema: + - AttributeName: pk + KeyType: HASH + BillingMode: PAY_PER_REQUEST + SSESpecification: + SSEEnabled: false + SSEType: "KMS" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + DynamoDBEndpoint: + Type: "AWS::EC2::VPCEndpoint" + Properties: + RouteTableIds: + - !Ref PublicRouteTable + - !Ref Private0RouteTable + - !Ref Private1RouteTable + - !Ref Private2RouteTable + ServiceName: + !Sub "com.amazonaws.${AWS::Region}.dynamodb" + VpcId: !Ref VPC + PolicyDocument: { + "Id": "Policy", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement", + "Action": "dynamodb:*", + "Effect": "Allow", + "Resource": "*", + "Principal": "*" + } + ] + } + DynamoDBOnDemandTable2: + Type: "AWS::DynamoDB::Table" + Properties: + TableName: test2 + AttributeDefinitions: + - AttributeName: pk + AttributeType: S + KeySchema: + - AttributeName: pk + KeyType: HASH + BillingMode: PAY_PER_REQUEST + SSESpecification: + SSEEnabled: false + SSEType: "KMS" + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="27" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + DynamoDBEndpoint: + Type: "AWS::EC2::VPCEndpoint" + Properties: + RouteTableIds: + - !Ref PublicRouteTable + - !Ref Private0RouteTable + - !Ref Private1RouteTable + - !Ref Private2RouteTable + ServiceName: + !Sub "com.amazonaws.${AWS::Region}.dynamodb" + VpcId: !Ref VPC + PolicyDocument: { + "Id": "Policy", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Statement", + "Action": "dynamodb:*", + "Effect": "Allow", + "Resource": "arn:aws:dynamodb:ap-southeast-2:123412341234:table/other", + "Principal": "*" + } + ] + } + DynamoDBOnDemandTable2: + Type: "AWS::DynamoDB::Table" + Properties: + TableName: test3 + AttributeDefinitions: + - AttributeName: pk + AttributeType: S + KeySchema: + - AttributeName: pk + KeyType: HASH + BillingMode: PAY_PER_REQUEST + SSESpecification: + SSEEnabled: false + SSEType: "KMS" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="3" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + DynamoDBOnDemandTable2: + Type: "AWS::DynamoDB::Table" + Properties: + TableName: test4 + AttributeDefinitions: + - AttributeName: pk + AttributeType: S + KeySchema: + - AttributeName: pk + KeyType: HASH + BillingMode: PAY_PER_REQUEST + SSESpecification: + SSEEnabled: false + SSEType: "KMS" + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + +``` diff --git a/docs/queries/cloudformation-queries/aws/4e88adee-a8eb-4605-a78d-9fb1096e3091.md b/docs/queries/cloudformation-queries/aws/4e88adee-a8eb-4605-a78d-9fb1096e3091.md new file mode 100644 index 00000000000..295964e5077 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/4e88adee-a8eb-4605-a78d-9fb1096e3091.md @@ -0,0 +1,249 @@ +--- +title: RDS Associated with Public Subnet +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4e88adee-a8eb-4605-a78d-9fb1096e3091 +- **Query name:** RDS Associated with Public Subnet +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/rds_associated_with_public_subnet) + +### Description +RDS should not run in public subnet
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-dbsubnetgroupname) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +Resources: + Positive1: + Type: AWS::RDS::DBInstance + Properties: + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: oracle-ee + LicenseModel: bring-your-own-license + MasterUsername: master + MasterUserPassword: SecretPassword01 + BackupRetentionPeriod: 7 + DBSubnetGroupName: + Ref: myDBSubnetGroup + DeletionPolicy: Snapshot + myDBSubnetGroup: + Properties: + DBSubnetGroupDescription: description + SubnetIds: + - Ref: mySubnet1 + - Ref: mySubnet2 + Tags: + - + Key: String + Value: String + Type: "AWS::RDS::DBSubnetGroup" + mySubnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: + Ref: myVPC + CidrBlock: 10.0.0.0/24 + AvailabilityZone: "us-east-1a" + Tags: + - Key: stack + Value: production + mySubnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: + Ref: myVPC + CidrBlock: 0.0.0.0/0 + AvailabilityZone: "us-east-1a" + Tags: + - Key: stack + Value: production + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="9" +{ + "Resources": { + "Positive1": { + "DeletionPolicy": "Snapshot", + "Properties": { + "AllocatedStorage": "5", + "BackupRetentionPeriod": 7, + "DBInstanceClass": "db.t2.small", + "DBSubnetGroupName": { + "Ref": "myDBSubnetGroup" + }, + "Engine": "oracle-ee", + "LicenseModel": "bring-your-own-license", + "MasterUserPassword": "SecretPassword01", + "MasterUsername": "master" + }, + "Type": "AWS::RDS::DBInstance" + }, + "myDBSubnetGroup": { + "Properties": { + "DBSubnetGroupDescription": "description", + "SubnetIds": [ + { + "Ref": "mySubnet1" + }, + { + "Ref": "mySubnet2" + } + ], + "Tags": [ + { + "Key": "String", + "Value": "String" + } + ] + }, + "Type": "AWS::RDS::DBSubnetGroup" + }, + "mySubnet1": { + "Properties": { + "AvailabilityZone": "us-east-1a", + "CidrBlock": "10.0.0.0/24", + "Tags": [ + { + "Key": "stack", + "Value": "production" + } + ], + "VpcId": { + "Ref": "myVPC" + } + }, + "Type": "AWS::EC2::Subnet" + }, + "mySubnet2": { + "Properties": { + "AvailabilityZone": "us-east-1a", + "CidrBlock": "0.0.0.0/0", + "Tags": [ + { + "Key": "stack", + "Value": "production" + } + ], + "VpcId": { + "Ref": "myVPC" + } + }, + "Type": "AWS::EC2::Subnet" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + Negative1: + Type: AWS::RDS::DBInstance + Properties: + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: oracle-ee + LicenseModel: bring-your-own-license + MasterUsername: master + MasterUserPassword: SecretPassword01 + BackupRetentionPeriod: 7 + DBSubnetGroupName: + Ref: myDBSubnetGroup0 + DeletionPolicy: Snapshot + myDBSubnetGroup0: + Properties: + DBSubnetGroupDescription: description + SubnetIds: + - Ref: mySubnet10 + Tags: + - + Key: String + Value: String + Type: "AWS::RDS::DBSubnetGroup" + mySubnet10: + Type: AWS::EC2::Subnet + Properties: + VpcId: + Ref: myVPC + CidrBlock: 10.0.0.0/24 + AvailabilityZone: "us-east-1a" + Tags: + - Key: stack + Value: production + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Negative1": { + "DeletionPolicy": "Snapshot", + "Properties": { + "AllocatedStorage": "5", + "BackupRetentionPeriod": 7, + "DBInstanceClass": "db.t2.small", + "DBSubnetGroupName": { + "Ref": "myDBSubnetGroup0" + }, + "Engine": "oracle-ee", + "LicenseModel": "bring-your-own-license", + "MasterUserPassword": "SecretPassword01", + "MasterUsername": "master" + }, + "Type": "AWS::RDS::DBInstance" + }, + "myDBSubnetGroup0": { + "Properties": { + "DBSubnetGroupDescription": "description", + "SubnetIds": [ + { + "Ref": "mySubnet10" + } + ], + "Tags": [ + { + "Key": "String", + "Value": "String" + } + ] + }, + "Type": "AWS::RDS::DBSubnetGroup" + }, + "mySubnet10": { + "Properties": { + "AvailabilityZone": "us-east-1a", + "CidrBlock": "10.0.0.0/24", + "Tags": [ + { + "Key": "stack", + "Value": "production" + } + ], + "VpcId": { + "Ref": "myVPC" + } + }, + "Type": "AWS::EC2::Subnet" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/4f0908b9-eb66-433f-9145-134274e1e944.md b/docs/queries/cloudformation-queries/aws/4f0908b9-eb66-433f-9145-134274e1e944.md new file mode 100644 index 00000000000..62fcb264a55 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/4f0908b9-eb66-433f-9145-134274e1e944.md
@@ -0,0 +1,379 @@
+---
+title: RouterTable with Default Routing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4f0908b9-eb66-433f-9145-134274e1e944
+- **Query name:** RouterTable with Default Routing
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Insecure Defaults
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/routertable_with_default_routing)
+
+### Description
+NAT gateways are recommended, and not the default route which permits all traffic, in Route Tables.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route-table.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="66 61 54"
+Resources:
+ VPC:
+ Type: AWS::EC2::VPC
+ Properties:
+ CidrBlock: 10.1.0.0/16
+ EnableDnsSupport: true
+ EnableDnsHostnames: true
+ Tags:
+ - Key: Name
+ Value: !Join ['', [!Ref "AWS::StackName", "-VPC" ]]
+ InternetGateway:
+ Type: AWS::EC2::InternetGateway
+ DependsOn: VPC
+ AttachGateway:
+ Type: AWS::EC2::VPCGatewayAttachment
+ Properties:
+ VpcId: !Ref VPC
+ InternetGatewayId: !Ref InternetGateway
+ PublicSubnetA:
+ Type: AWS::EC2::Subnet
+ Properties:
+ VpcId: !Ref VPC
+ CidrBlock: 10.1.10.0/24
+ AvailabilityZone: !Select [ 0, !GetAZs ] # Obtenha o primeiro AZ na lista
+ Tags:
+ - Key: Name
+ Value: !Sub ${AWS::StackName}-Public-A
+ Ec2Instance:
+ Type: AWS::EC2::Instance
+ Properties:
+ ImageId:
+ Fn::FindInMap:
+ - "RegionMap"
+ - Ref: "AWS::Region"
+ - "AMI"
+ KeyName:
+ Ref: "KeyName"
+ NetworkInterfaces:
+ - AssociatePublicIpAddress: true
+ DeviceIndex: "0"
+ SubnetId: !Ref PublicSubnetA
+ PublicRouteTable:
+ Type: AWS::EC2::RouteTable
+ Properties:
+ VpcId: !Ref VPC
+ Tags:
+ - Key: Name
+ Value: Public
+ PublicRoute1:
+ Type: AWS::EC2::Route
+ DependsOn: AttachGateway
+ Properties:
+ RouteTableId: !Ref PublicRouteTable
+ DestinationCidrBlock: 0.0.0.0/0
+ NatGatewayId: id
+ PublicRoute2:
+ Type: AWS::EC2::Route
+ DependsOn: AttachGateway
+ Properties:
+ RouteTableId: !Ref PublicRouteTable
+ DestinationIpv6CidrBlock: ::/0
+ NatGatewayId: id
+ PublicRoute3:
+ Type: AWS::EC2::Route
+ DependsOn: AttachGateway
+ Properties:
+ RouteTableId: !Ref PublicRouteTable
+ DestinationCidrBlock: 10.1.10.0/24
+
+```
+```json title="Postitive test num. 
2 - json file" hl_lines="43 108 37"
+{
+ "Resources": {
+ "InternetGateway": {
+ "Type": "AWS::EC2::InternetGateway",
+ "DependsOn": "VPC"
+ },
+ "Ec2Instance": {
+ "Type": "AWS::EC2::Instance",
+ "Properties": {
+ "ImageId": {
+ "Fn::FindInMap": [
+ "RegionMap",
+ {
+ "Ref": "AWS::Region"
+ },
+ "AMI"
+ ]
+ },
+ "KeyName": {
+ "Ref": "KeyName"
+ },
+ "NetworkInterfaces": [
+ {
+ "AssociatePublicIpAddress": true,
+ "DeviceIndex": "0",
+ "SubnetId": "PublicSubnetA"
+ }
+ ]
+ }
+ },
+ "PublicRoute1": {
+ "Type": "AWS::EC2::Route",
+ "DependsOn": "AttachGateway",
+ "Properties": {
+ "NatGatewayId": "id",
+ "RouteTableId": "PublicRouteTable",
+ "DestinationCidrBlock": "0.0.0.0/0"
+ }
+ },
+ "PublicRoute3": {
+ "Type": "AWS::EC2::Route",
+ "DependsOn": "AttachGateway",
+ "Properties": {
+ "RouteTableId": "PublicRouteTable",
+ "DestinationCidrBlock": "10.1.10.0/24"
+ }
+ },
+ "VPC": {
+ "Type": "AWS::EC2::VPC",
+ "Properties": {
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": [
+ "",
+ [
+ "AWS::StackName",
+ "-VPC"
+ ]
+ ]
+ }
+ ],
+ "CidrBlock": "10.1.0.0/16",
+ "EnableDnsSupport": true,
+ "EnableDnsHostnames": true
+ }
+ },
+ "AttachGateway": {
+ "Type": "AWS::EC2::VPCGatewayAttachment",
+ "Properties": {
+ "VpcId": "VPC",
+ "InternetGatewayId": "InternetGateway"
+ }
+ },
+ "PublicSubnetA": {
+ "Type": "AWS::EC2::Subnet",
+ "Properties": {
+ "VpcId": "VPC",
+ "CidrBlock": "10.1.10.0/24",
+ "AvailabilityZone": [
+ 0,
+ ""
+ ],
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "${AWS::StackName}-Public-A"
+ }
+ ]
+ }
+ },
+ "PublicRouteTable": {
+ "Type": "AWS::EC2::RouteTable",
+ "Properties": {
+ "VpcId": "VPC",
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "Public"
+ }
+ ]
+ }
+ },
+ "PublicRoute2": {
+ "DependsOn": "AttachGateway",
+ "Properties": {
+ "RouteTableId": "PublicRouteTable",
+ "DestinationIpv6CidrBlock": "::/0",
+ "NatGatewayId": "id"
+ },
+ "Type": "AWS::EC2::Route"
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative 
test num. 1 - yaml file"
+Resources:
+ VPC:
+ Type: AWS::EC2::VPC
+ Properties:
+ CidrBlock: 10.1.0.0/16
+ EnableDnsSupport: true
+ EnableDnsHostnames: true
+ Tags:
+ - Key: Name
+ Value: !Join ['', [!Ref "AWS::StackName", "-VPC" ]]
+ InternetGateway:
+ Type: AWS::EC2::InternetGateway
+ DependsOn: VPC
+ AttachGateway:
+ Type: AWS::EC2::VPCGatewayAttachment
+ Properties:
+ VpcId: !Ref VPC
+ InternetGatewayId: !Ref InternetGateway
+ PublicSubnetA:
+ Type: AWS::EC2::Subnet
+ Properties:
+ VpcId: !Ref VPC
+ CidrBlock: 10.1.10.0/24
+ AvailabilityZone: !Select [ 0, !GetAZs ] # Obtenha o primeiro AZ na lista
+ Tags:
+ - Key: Name
+ Value: !Sub ${AWS::StackName}-Public-A
+ Ec2Instance:
+ Type: AWS::EC2::Instance
+ Properties:
+ ImageId:
+ Fn::FindInMap:
+ - "RegionMap"
+ - Ref: "AWS::Region"
+ - "AMI"
+ KeyName:
+ Ref: "KeyName"
+ NetworkInterfaces:
+ - AssociatePublicIpAddress: true
+ DeviceIndex: "0"
+ SubnetId: !Ref PublicSubnetA
+ PublicRouteTable:
+ Type: AWS::EC2::RouteTable
+ Properties:
+ VpcId: !Ref VPC
+ Tags:
+ - Key: Name
+ Value: Public
+ PublicRoute1:
+ Type: AWS::EC2::Route
+ DependsOn: AttachGateway
+ Properties:
+ RouteTableId: !Ref PublicRouteTable
+ DestinationCidrBlock: 172.16.0.0/24
+ NatGatewayId: !Ref InternetGateway
+
+```
+```json title="Negative test num. 
2 - json file"
+{
+ "Resources": {
+ "VPC": {
+ "Type": "AWS::EC2::VPC",
+ "Properties": {
+ "CidrBlock": "10.1.0.0/16",
+ "EnableDnsSupport": true,
+ "EnableDnsHostnames": true,
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": [
+ "",
+ [
+ "AWS::StackName",
+ "-VPC"
+ ]
+ ]
+ }
+ ]
+ }
+ },
+ "InternetGateway": {
+ "Type": "AWS::EC2::InternetGateway",
+ "DependsOn": "VPC"
+ },
+ "AttachGateway": {
+ "Properties": {
+ "VpcId": "VPC",
+ "InternetGatewayId": "InternetGateway"
+ },
+ "Type": "AWS::EC2::VPCGatewayAttachment"
+ },
+ "PublicSubnetA": {
+ "Type": "AWS::EC2::Subnet",
+ "Properties": {
+ "VpcId": "VPC",
+ "CidrBlock": "10.1.10.0/24",
+ "AvailabilityZone": [
+ 0,
+ ""
+ ],
+ "Tags": [
+ {
+ "Value": "${AWS::StackName}-Public-A",
+ "Key": "Name"
+ }
+ ]
+ }
+ },
+ "Ec2Instance": {
+ "Type": "AWS::EC2::Instance",
+ "Properties": {
+ "ImageId": {
+ "Fn::FindInMap": [
+ "RegionMap",
+ {
+ "Ref": "AWS::Region"
+ },
+ "AMI"
+ ]
+ },
+ "KeyName": {
+ "Ref": "KeyName"
+ },
+ "NetworkInterfaces": [
+ {
+ "AssociatePublicIpAddress": true,
+ "DeviceIndex": "0",
+ "SubnetId": "PublicSubnetA"
+ }
+ ]
+ }
+ },
+ "PublicRouteTable": {
+ "Type": "AWS::EC2::RouteTable",
+ "Properties": {
+ "VpcId": "VPC",
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "Public"
+ }
+ ]
+ }
+ },
+ "PublicRoute1": {
+ "Type": "AWS::EC2::Route",
+ "DependsOn": "AttachGateway",
+ "Properties": {
+ "RouteTableId": "PublicRouteTable",
+ "DestinationCidrBlock": "172.16.0.0/24",
+ "NatGatewayId": "InternetGateway"
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/4fbfee74-8186-40d5-a24e-4baa76a855de.md b/docs/queries/cloudformation-queries/aws/4fbfee74-8186-40d5-a24e-4baa76a855de.md
new file mode 100644
index 00000000000..b1badeb017f
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/4fbfee74-8186-40d5-a24e-4baa76a855de.md
@@ -0,0 +1,135 @@
+---
+title: SQS Queue Policy Allows NotAction
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4fbfee74-8186-40d5-a24e-4baa76a855de
+- **Query name:** SQS Queue Policy Allows NotAction
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sqs_queue_policy_allows_not_action)
+
+### Description
+AWS SQS Queue Policy should not allow NotAction since the actions specified in this element are the only actions in that are limited
+[Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+Resources:
+ SampleSQSPolicy2:
+ Type: AWS::SQS::QueuePolicy
+ Properties:
+ Queues:
+ - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
+ PolicyDocument:
+ Statement:
+ -
+ NotAction:
+ - "SQS:SendMessage"
+ - "SQS:ReceiveMessage"
+ Effect: "Allow"
+ Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
+ Principal:
+ AWS:
+ - "111122223333"
+```
+```json title="Postitive test num. 2 - json file" hl_lines="6"
+{
+ "Resources": {
+ "SampleSQSPolicy2": {
+ "Type": "AWS::SQS::QueuePolicy",
+ "Properties": {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "NotAction": [
+ "SQS:SendMessage",
+ "SQS:ReceiveMessage"
+ ],
+ "Effect": "Allow",
+ "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
+ "Principal": {
+ "AWS": [
+ "111122223333"
+ ]
+ }
+ }
+ ]
+ },
+ "Queues": [
+ "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+Resources:
+ SampleSQSPolicy1:
+ Type: AWS::SQS::QueuePolicy
+ Properties:
+ Queues:
+ - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
+ PolicyDocument:
+ Statement:
+ -
+ Action:
+ - "SQS:SendMessage"
+ - "SQS:ReceiveMessage"
+ Effect: "Allow"
+ Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
+ Principal:
+ AWS:
+ - "111122223333"
+```
+```json title="Negative test num. 
2 - json file"
+{
+ "Resources": {
+ "SampleSQSPolicy1": {
+ "Type": "AWS::SQS::QueuePolicy",
+ "Properties": {
+ "Queues": [
+ "https://sqs:us-east-2.amazonaws.com/444455556666/queue2"
+ ],
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "SQS:SendMessage",
+ "SQS:ReceiveMessage"
+ ],
+ "Effect": "Allow",
+ "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2",
+ "Principal": {
+ "AWS": [
+ "111122223333"
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/52790cad-d60d-41d5-8483-146f9f21208d.md b/docs/queries/cloudformation-queries/aws/52790cad-d60d-41d5-8483-146f9f21208d.md
new file mode 100644
index 00000000000..59240f5ef62
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/52790cad-d60d-41d5-8483-146f9f21208d.md
@@ -0,0 +1,281 @@
+---
+title: API Gateway Cache Cluster Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 52790cad-d60d-41d5-8483-146f9f21208d
+- **Query name:** API Gateway Cache Cluster Disabled
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled)
+
+### Description
+AWS API Gateway should have cache clustering enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-cacheclusterenabled)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "BatchJobDefinition"
+Resources:
+ ProdPos1:
+ Type: AWS::ApiGateway::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: !Ref MyDocumentationVersion
+ ClientCertificateId: !Ref ClientCertificate
+ TracingEnabled: true
+ Variables:
+ Stack: Prod
+ MethodSettings:
+ - ResourcePath: /
+ HttpMethod: GET
+ MetricsEnabled: 'true'
+ DataTraceEnabled: 'false'
+ - ResourcePath: /stack
+ HttpMethod: POST
+ MetricsEnabled: 'true'
+ DataTraceEnabled: 'false'
+ ThrottlingBurstLimit: '999'
+ - ResourcePath: /stack
+ HttpMethod: GET
+ MetricsEnabled: 'true'
+ DataTraceEnabled: 'false'
+ ThrottlingBurstLimit: '555'
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="31"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "BatchJobDefinition"
+Resources:
+ ProdPos2:
+ Type: AWS::ApiGateway::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: !Ref MyDocumentationVersion
+ ClientCertificateId: !Ref ClientCertificate
+ TracingEnabled: true
+ Variables:
+ Stack: Prod
+ MethodSettings:
+ - ResourcePath: /
+ HttpMethod: GET
+ MetricsEnabled: 'true'
+ DataTraceEnabled: 'false'
+ - ResourcePath: /stack
+ HttpMethod: POST
+ MetricsEnabled: 'true'
+ DataTraceEnabled: 'false'
+ ThrottlingBurstLimit: '999'
+ - ResourcePath: /stack
+ HttpMethod: GET
+ MetricsEnabled: 'true'
+ DataTraceEnabled: 'false'
+ ThrottlingBurstLimit: '555'
+ CacheClusterEnabled: false
+
+```
+```json title="Postitive test num. 
3 - json file" hl_lines="6"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "ProdPos1": {
+ "Type": "AWS::ApiGateway::Stage",
+ "Properties": {
+ "StageName": "Prod",
+ "RestApiId": {
+ "Ref": "MyRestApi"
+ },
+ "DeploymentId": {
+ "Ref": "TestDeployment"
+ },
+ "DocumentationVersion": {
+ "Ref": "MyDocumentationVersion"
+ },
+ "ClientCertificateId": {
+ "Ref": "ClientCertificate"
+ },
+ "Variables": {
+ "Stack": "Prod"
+ },
+ "TracingEnabled": "true",
+ "MethodSettings": [
+ {
+ "ResourcePath": "/",
+ "HttpMethod": "GET",
+ "MetricsEnabled": "true",
+ "DataTraceEnabled": "false"
+ },
+ {
+ "ResourcePath": "/stack",
+ "HttpMethod": "POST",
+ "MetricsEnabled": "true",
+ "DataTraceEnabled": "false",
+ "ThrottlingBurstLimit": "999"
+ },
+ {
+ "ResourcePath": "/stack",
+ "HttpMethod": "GET",
+ "MetricsEnabled": "true",
+ "DataTraceEnabled": "false",
+ "ThrottlingBurstLimit": "555"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="6"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "ProdPos2": {
+ "Properties": {
+ "CacheClusterEnabled": false,
+ "ClientCertificateId": "ClientCertificate",
+ "DeploymentId": "TestDeployment",
+ "Description": "Prod Stage",
+ "DocumentationVersion": "MyDocumentationVersion",
+ "MethodSettings": [
+ {
+ "DataTraceEnabled": "false",
+ "HttpMethod": "GET",
+ "MetricsEnabled": "true",
+ "ResourcePath": "/"
+ },
+ {
+ "DataTraceEnabled": "false",
+ "HttpMethod": "POST",
+ "MetricsEnabled": "true",
+ "ResourcePath": "/stack",
+ "ThrottlingBurstLimit": "999"
+ },
+ {
+ "DataTraceEnabled": "false",
+ "HttpMethod": "GET",
+ "MetricsEnabled": "true",
+ "ResourcePath": "/stack",
+ "ThrottlingBurstLimit": "555"
+ }
+ ],
+ "RestApiId": "MyRestApi",
+ "StageName": "Prod",
+ "TracingEnabled": true,
+ "Variables": {
+ "Stack": "Prod"
+ }
+ },
+ "Type": "AWS::ApiGateway::Stage"
+ }
+ }
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "BatchJobDefinition"
+Resources:
+ ProdNeg1:
+ Type: AWS::ApiGateway::Stage
+ Properties:
+ StageName: Prod
+ Description: Prod Stage
+ RestApiId: !Ref MyRestApi
+ DeploymentId: !Ref TestDeployment
+ DocumentationVersion: !Ref MyDocumentationVersion
+ ClientCertificateId: !Ref ClientCertificate
+ TracingEnabled: true
+ Variables:
+ Stack: Prod
+ MethodSettings:
+ - ResourcePath: /
+ HttpMethod: GET
+ MetricsEnabled: 'true'
+ DataTraceEnabled: 'false'
+ - ResourcePath: /stack
+ HttpMethod: POST
+ MetricsEnabled: 'true'
+ DataTraceEnabled: 'false'
+ ThrottlingBurstLimit: '999'
+ - ResourcePath: /stack
+ HttpMethod: GET
+ MetricsEnabled: 'true'
+ DataTraceEnabled: 'false'
+ ThrottlingBurstLimit: '555'
+ CacheClusterEnabled: true
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "ProdNeg1": {
+ "Properties": {
+ "CacheClusterEnabled": true,
+ "ClientCertificateId": "ClientCertificate",
+ "DeploymentId": "TestDeployment",
+ "Description": "Prod Stage",
+ "DocumentationVersion": "MyDocumentationVersion",
+ "MethodSettings": [
+ {
+ "DataTraceEnabled": "false",
+ "HttpMethod": "GET",
+ "MetricsEnabled": "true",
+ "ResourcePath": "/"
+ },
+ {
+ "DataTraceEnabled": "false",
+ "HttpMethod": "POST",
+ "MetricsEnabled": "true",
+ "ResourcePath": "/stack",
+ "ThrottlingBurstLimit": "999"
+ },
+ {
+ "DataTraceEnabled": "false",
+ "HttpMethod": "GET",
+ "MetricsEnabled": "true",
+ "ResourcePath": "/stack",
+ "ThrottlingBurstLimit": "555"
+ }
+ ],
+ "RestApiId": "MyRestApi",
+ "StageName": "Prod",
+ "TracingEnabled": true,
+ "Variables": {
+ "Stack": "Prod"
+ }
+ },
+ "Type": "AWS::ApiGateway::Stage"
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/568cc372-ca64-420d-9015-ee347d00d288.md b/docs/queries/cloudformation-queries/aws/568cc372-ca64-420d-9015-ee347d00d288.md
new file mode 100644
index 00000000000..cbc30664dfa
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/568cc372-ca64-420d-9015-ee347d00d288.md
@@ -0,0 +1,103 @@
+---
+title: User Data Contains Encoded Private Key
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 568cc372-ca64-420d-9015-ee347d00d288
+- **Query name:** User Data Contains Encoded Private Key
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/user_data_contains_encoded_private_key)
+
+### Description
+User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```json title="Postitive test num. 1 - json file" hl_lines="12 13"
+{
+ "Resources":{
+ "myLaunchConfig3":{
+ "Type":"AWS::AutoScaling::LaunchConfiguration",
+ "Properties":{
+ "ImageId":"ami-02354e95b39ca8dec",
+ "SecurityGroups":[ { "Ref":"myEC2SecurityGroup" }, "myExistingEC2SecurityGroup" ],
+ "InstanceType":"m1.large",
+ "KeyName":{
+ "Ref":"KeyName"
+ },
+ "UserData": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5"
+ }
+ }
+ }
+}
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="12 13"
+---
+Resources:
+ myLaunchConfig4:
+ Type: AWS::AutoScaling::LaunchConfiguration
+ Properties:
+ ImageId: "ami-02354e95b39ca8dec"
+ SecurityGroups:
+ - Ref: "myEC2SecurityGroup"
+ - myExistingEC2SecurityGroup
+ InstanceType: "m1.large"
+ KeyName:
+ Ref: "KeyName"
+ UserData: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5"
+
+```
+
+
+#### Code samples without security vulnerabilities
+```json title="Negative test num. 1 - json file"
+{
+ "Resources":{
+ "myLaunchConfig":{
+ "Type":"AWS::AutoScaling::LaunchConfiguration",
+ "Properties":{
+ "ImageId":"ami-02354e95b39ca8dec",
+ "SecurityGroups":[ { "Ref":"myEC2SecurityGroup" }, "myExistingEC2SecurityGroup" ],
+ "InstanceType":"m1.large",
+ "KeyName":{
+ "Ref":"KeyName"
+ },
+ "UserData": "some-gibberish"
+ }
+ }
+ }
+}
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+---
+Resources:
+ myLaunchConfig2:
+ Type: AWS::AutoScaling::LaunchConfiguration
+ Properties:
+ ImageId: "ami-02354e95b39ca8dec"
+ SecurityGroups:
+ - Ref: "myEC2SecurityGroup"
+ - myExistingEC2SecurityGroup
+ InstanceType: "m1.large"
+ KeyName:
+ Ref: "KeyName"
+ UserData: "some-gibberish"
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/57b12981-3816-4c31-b190-a1e614361dd2.md b/docs/queries/cloudformation-queries/aws/57b12981-3816-4c31-b190-a1e614361dd2.md
new file mode 100644
index 00000000000..24989cd810a
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/57b12981-3816-4c31-b190-a1e614361dd2.md
@@ -0,0 +1,111 @@
+---
+title: Public Lambda via API Gateway
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 57b12981-3816-4c31-b190-a1e614361dd2
+- **Query name:** Public Lambda via API Gateway
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/public_lambda_via_api_gateway)
+
+### Description
+Allowing to run lambda function using public API Gateway
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "BatchJobDefinition"
+Resources:
+ s3Permission3:
+ Type: AWS::Lambda::Permission
+ Properties:
+ FunctionName: !GetAtt function.Arn
+ Action: lambda:InvokeFunction
+ Principal: apigateway.amazonaws.com
+ SourceAccount: !Ref 'AWS::AccountId'
+ SourceArn: arn:aws:s3:eu-central-1:123456789012/*/*
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="18"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "s3Permission": {
+ "Type": "AWS::Lambda::Permission",
+ "Properties": {
+ "FunctionName": {
+ "Fn::GetAtt": [
+ "function",
+ "Arn"
+ ]
+ },
+ "Action": "lambda:InvokeFunction",
+ "Principal": "apigateway.amazonaws.com",
+ "SourceAccount": {
+ "Ref": "AWS::AccountId"
+ },
+ "SourceArn": "arn:aws:s3:eu-central-1:123456789012/*/*"
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "BatchJobDefinition"
+Resources:
+ s3Permission3:
+ Type: AWS::Lambda::Permission
+ Properties:
+ FunctionName: !GetAtt function.Arn
+ Action: lambda:InvokeFunction
+ Principal: s3.amazonaws.com
+ SourceAccount: !Ref 'AWS::AccountId'
+ SourceArn: arn:aws:s3:eu-central-1:123456789012:bucketname
+
+```
+```json title="Negative test num. 
2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "s3Permission": {
+ "Type": "AWS::Lambda::Permission",
+ "Properties": {
+ "FunctionName": {
+ "Fn::GetAtt": [
+ "function",
+ "Arn"
+ ]
+ },
+ "Action": "lambda:InvokeFunction",
+ "Principal": "s3.amazonaws.com",
+ "SourceAccount": {
+ "Ref": "AWS::AccountId"
+ },
+ "SourceArn": "arn:aws:s3:eu-central-1:123456789012:bucketname"
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/5906092d-5f74-490d-9a03-78febe0f65e1.md b/docs/queries/cloudformation-queries/aws/5906092d-5f74-490d-9a03-78febe0f65e1.md
new file mode 100644
index 00000000000..cbc775781dd
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/5906092d-5f74-490d-9a03-78febe0f65e1.md
@@ -0,0 +1,166 @@
+---
+title: GitHub Repository Set To Public
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 5906092d-5f74-490d-9a03-78febe0f65e1
+- **Query name:** GitHub Repository Set To Public
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/github_repository_set_to_public)
+
+### Description
+Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codestar-githubrepository.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="12"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ MyRepo3:
+ Type: AWS::CodeStar::GitHubRepository
+ Properties:
+ Code:
+ S3:
+ Bucket: "my-bucket"
+ Key: "sourcecode.zip"
+ ObjectVersion: "1"
+ EnableIssues: true
+ IsPrivate: false
+ RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}'
+ RepositoryDescription: a description
+ RepositoryName: my-github-repo
+ RepositoryOwner: my-github-account
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="5"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ MyRepo4:
+ Type: AWS::CodeStar::GitHubRepository
+ Properties:
+ Code:
+ S3:
+ Bucket: "my-bucket"
+ Key: "sourcecode.zip"
+ ObjectVersion: "1"
+ EnableIssues: true
+ RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}'
+ RepositoryDescription: a description
+ RepositoryName: my-github-repo
+ RepositoryOwner: my-github-account
+
+```
+```json title="Postitive test num. 3 - json file" hl_lines="5"
+{
+ "Resources": {
+ "MyRepo5": {
+ "Type": "AWS::CodeStar::GitHubRepository",
+ "Properties": {
+ "Code": {
+ "S3": {
+ "Bucket": "my-bucket",
+ "Key": "sourcecode.zip",
+ "ObjectVersion": "1"
+ }
+ },
+ "EnableIssues": true,
+ "RepositoryAccessToken": "{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}",
+ "RepositoryDescription": "a description",
+ "RepositoryName": "my-github-repo",
+ "RepositoryOwner": "my-github-account"
+ }
+ }
+ }
+}
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="14"
+{
+ "Resources": {
+ "MyRepo6": {
+ "Type": "AWS::CodeStar::GitHubRepository",
+ "Properties": {
+ "Code": {
+ "S3": {
+ "Bucket": "my-bucket",
+ "Key": "sourcecode.zip",
+ "ObjectVersion": "1"
+ }
+ },
+ "EnableIssues": true,
+ "IsPrivate": false,
+ "RepositoryAccessToken": "{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}",
+ "RepositoryDescription": "a description",
+ "RepositoryName": "my-github-repo",
+ "RepositoryOwner": "my-github-account"
+ }
+ }
+ }
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ MyRepo1:
+ Type: AWS::CodeStar::GitHubRepository
+ Properties:
+ Code:
+ S3:
+ Bucket: "my-bucket"
+ Key: "sourcecode.zip"
+ ObjectVersion: "1"
+ EnableIssues: true
+ IsPrivate: true
+ RepositoryAccessToken: '{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}'
+ RepositoryDescription: a description
+ RepositoryName: my-github-repo
+ RepositoryOwner: my-github-account
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "MyRepo2": {
+ "Type": "AWS::CodeStar::GitHubRepository",
+ "Properties": {
+ "Code": {
+ "S3": {
+ "Bucket": "my-bucket",
+ "Key": "sourcecode.zip",
+ "ObjectVersion": "1"
+ }
+ },
+ "EnableIssues": true,
+ "IsPrivate": true,
+ "RepositoryAccessToken": "{{resolve:secretsmanager:your-secret-manager-name:SecretString:your-secret-manager-key}}",
+ "RepositoryDescription": "a description",
+ "RepositoryName": "my-github-repo",
+ "RepositoryOwner": "my-github-account"
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/59a849c2-1127-4023-85a5-ef906dcd458c.md b/docs/queries/cloudformation-queries/aws/59a849c2-1127-4023-85a5-ef906dcd458c.md
new file mode 100644
index 00000000000..e4f6813ee06
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/59a849c2-1127-4023-85a5-ef906dcd458c.md
@@ -0,0 +1,97 @@
+---
+title: BOM - AWS SQS
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 59a849c2-1127-4023-85a5-ef906dcd458c
+- **Query name:** BOM - AWS SQS
+- **Platform:** CloudFormation
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/sqs)
+
+### Description
+A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
+[Documentation](https://kics.io)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+Resources:
+ MyQueue:
+ Type: AWS::SQS::Queue
+ Properties:
+ QueueName: "SampleQueue"
+ KmsMasterKeyId: wewewewewewe
+ SampleSQSPolicy:
+ Type: AWS::SQS::QueuePolicy
+ Properties:
+ Queues:
+ - !Ref MyQueue
+ PolicyDocument:
+ Statement:
+ -
+ Action:
+ - "SQS:SendMessage"
+ - "SQS:ReceiveMessage"
+ Effect: "Allow"
+ Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
+ Principal:
+ AWS:
+ - "111122223333"
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="3"
+{
+ "Resources": {
+ "MyQueue": {
+ "Type": "AWS::SQS::Queue",
+ "Properties": {
+ "QueueName": "SampleQueue"
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ myDistribution:
+ Type: AWS::CloudFront::Distribution
+ Properties:
+ DistributionConfig:
+ Enabled: true
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "myDistribution": {
+ "Type": "AWS::CloudFront::Distribution",
+ "Properties": {
+ "DistributionConfig": {
+ "Enabled": "true"
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/5b033ec8-f079-4323-b5c8-99d4620433a9.md b/docs/queries/cloudformation-queries/aws/5b033ec8-f079-4323-b5c8-99d4620433a9.md
new file mode 100644
index 00000000000..eda273499fc
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/5b033ec8-f079-4323-b5c8-99d4620433a9.md
@@ -0,0 +1,305 @@ +--- +title: EMR Security Configuration Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5b033ec8-f079-4323-b5c8-99d4620433a9 +- **Query name:** EMR Security Configuration Encryption Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/emr_security_configuration_encryptions_enabled) + +### Description +EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-emr-securityconfiguration.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 9" +Resources: + EMRSecurityConfiguration: + Type: AWS::EMR::SecurityConfiguration + Properties: + Name: String + SecurityConfiguration: + EncryptionConfiguration: + EnableInTransitEncryption: false + EnableAtRestEncryption: false + AtRestEncryptionConfiguration: + LocalDiskEncryptionConfiguration: + EnableEbsEncryption: true + EncryptionKeyProviderType: AwsKms + AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="9 10" +Resources: + EMRSecurityConfiguration01: + Type: AWS::EMR::SecurityConfiguration + Properties: + Name: String + SecurityConfiguration: + EncryptionConfiguration: + AtRestEncryptionConfiguration: + LocalDiskEncryptionConfiguration: + EnableEbsEncryption: false + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="8 9" +Resources: + EMRSecurityConfiguration03: + Type: AWS::EMR::SecurityConfiguration + Properties: + Name: String + SecurityConfiguration: + EncryptionConfiguration: + EnableInTransitEncryption: false + EnableAtRestEncryption: false + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="6" +Resources: + EMRSecurityConfiguration04: + Type: AWS::EMR::SecurityConfiguration + Properties: + Name: String + SecurityConfiguration: {} + + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="9 10" +{ + "Resources": { + "EMRSecurityConfiguration": { + "Type": "AWS::EMR::SecurityConfiguration", + "Properties": { + "Name": "String", + "SecurityConfiguration": { + "EncryptionConfiguration": { + "EnableInTransitEncryption": false, + "EnableAtRestEncryption": false, + "AtRestEncryptionConfiguration": { + "LocalDiskEncryptionConfiguration": { + "EnableEbsEncryption": true, + "EncryptionKeyProviderType": "AwsKms", + "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012" + } + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="9 10" +{ + "Resources": { + "EMRSecurityConfiguration01": { + "Properties": { + "Name": "String", + "SecurityConfiguration": { + "EncryptionConfiguration": { + "AtRestEncryptionConfiguration": { + "LocalDiskEncryptionConfiguration": { + "EnableEbsEncryption": false + } + } + } + } + }, + "Type": "AWS::EMR::SecurityConfiguration" + } + } +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="8 9" +{ + "Resources": { + "EMRSecurityConfiguration03": { + "Type": "AWS::EMR::SecurityConfiguration", + "Properties": { + "SecurityConfiguration": { + "EncryptionConfiguration": { + "EnableInTransitEncryption": false, + "EnableAtRestEncryption": false + } + }, + "Name": "String" + } + } + } +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="7" +{ + "Resources": { + "EMRSecurityConfiguration04": { + "Type": "AWS::EMR::SecurityConfiguration", + "Properties": { + "Name": "String", + "SecurityConfiguration": {} + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +#this is a problematic code where the query should report a result(s) +Resources: + EMRSecurityConfiguration: + Type: AWS::EMR::SecurityConfiguration + Properties: + Name: String + SecurityConfiguration: + EncryptionConfiguration: + EnableInTransitEncryption: true + EnableAtRestEncryption: true + AtRestEncryptionConfiguration: + LocalDiskEncryptionConfiguration: + EnableEbsEncryption: true + EncryptionKeyProviderType: AwsKms + AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 + +``` +```yaml title="Negative test num. 2 - yaml file" +Resources: + EMRSecurityConfiguration01: + Type: AWS::EMR::SecurityConfiguration + Properties: + Name: String + SecurityConfiguration: + EncryptionConfiguration: + AtRestEncryptionConfiguration: + LocalDiskEncryptionConfiguration: + EnableEbsEncryption: true + EncryptionKeyProviderType: AwsKms + AwsKmsKey: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012 + +``` +```yaml title="Negative test num. 3 - yaml file" +Resources: + EMRSecurityConfiguration02: + Type: AWS::EMR::SecurityConfiguration + Properties: + Name: String + SecurityConfiguration: + EncryptionConfiguration: + EnableInTransitEncryption: true + EnableAtRestEncryption: true + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "EMRSecurityConfiguration": { + "Type": "AWS::EMR::SecurityConfiguration", + "Properties": { + "Name": "String", + "SecurityConfiguration": { + "EncryptionConfiguration": { + "EnableInTransitEncryption": true, + "EnableAtRestEncryption": true, + "AtRestEncryptionConfiguration": { + "LocalDiskEncryptionConfiguration": { + "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012", + "EnableEbsEncryption": true, + "EncryptionKeyProviderType": "AwsKms" + } + } + } + } + } + } + } +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "Resources": { + "EMRSecurityConfiguration01": { + "Type": "AWS::EMR::SecurityConfiguration", + "Properties": { + "Name": "String", + "SecurityConfiguration": { + "EncryptionConfiguration": { + "AtRestEncryptionConfiguration": { + "LocalDiskEncryptionConfiguration": { + "EnableEbsEncryption": true, + "EncryptionKeyProviderType": "AwsKms", + "AwsKmsKey": "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012" + } + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Resources": { + "EMRSecurityConfiguration02": { + "Properties": { + "Name": "String", + "SecurityConfiguration": { + "EncryptionConfiguration": { + "EnableInTransitEncryption": true, + "EnableAtRestEncryption": true + } + } + }, + "Type": "AWS::EMR::SecurityConfiguration" + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/5b48c507-0d1f-41b0-a630-76817c6b4189.md b/docs/queries/cloudformation-queries/aws/5b48c507-0d1f-41b0-a630-76817c6b4189.md new file mode 100644 index 00000000000..3ac9eb509c8 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/5b48c507-0d1f-41b0-a630-76817c6b4189.md @@ -0,0 +1,190 @@ +--- +title: RefreshToken Is Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5b48c507-0d1f-41b0-a630-76817c6b4189 +- **Query name:** RefreshToken Is Exposed +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/refresh_token_is_exposed) + +### Description +Alexa ASK Skill AuthenticationConfiguration RefreshToken should not be a plaintext string
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ask-skill.html#cfn-ask-skill-authenticationconfiguration) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +Resources: + MySkill: + Type: "Alexa::ASK::Skill" + Properties: + SkillPackage: + S3Bucket: "my-skill-packages" + S3Key: "skillpackage.zip" + S3BucketRole: !GetAtt S3BucketReadRole.Arn + Overrides: + Manifest: + apis: + custom: + endpoint: + uri: !GetAtt SkillFunction.Arn + AuthenticationConfiguration: + ClientId: "amzn1.application-oa2-client.1234" + ClientSecret: "1234" + RefreshToken: "Atzr|1234" + VendorId: "1234" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="26" +{ + "Resources": { + "MySkill": { + "Type": "Alexa::ASK::Skill", + "Properties": { + "VendorId": "1234", + "SkillPackage": { + "S3Bucket": "my-skill-packages", + "S3Key": "skillpackage.zip", + "S3BucketRole": "S3BucketReadRole.Arn", + "Overrides": { + "Manifest": { + "apis": { + "custom": { + "endpoint": { + "uri": "SkillFunction.Arn" + } + } + } + } + } + }, + "AuthenticationConfiguration": { + "ClientId": "amzn1.application-oa2-client.1234", + "ClientSecret": "1234", + "RefreshToken": "Atzr|1234" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + MySkill: + Type: "Alexa::ASK::Skill" + Properties: + SkillPackage: + S3Bucket: "my-skill-packages" + S3Key: "skillpackage.zip" + S3BucketRole: !GetAtt S3BucketReadRole.Arn + Overrides: + Manifest: + apis: + custom: + endpoint: + uri: !GetAtt SkillFunction.Arn + AuthenticationConfiguration: + ClientId: "amzn1.application-oa2-client.1234" + ClientSecret: "1234" + RefreshToken: "{{resolve:secretsmanager:Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX}}" + VendorId: "1234" + MySkill2: + Type: "Alexa::ASK::Skill" + Properties: + SkillPackage: + S3Bucket: "my-skill-packages" + S3Key: "skillpackage.zip" + S3BucketRole: !GetAtt S3BucketReadRole.Arn + Overrides: + Manifest: + apis: + custom: + endpoint: + uri: !GetAtt SkillFunction.Arn + AuthenticationConfiguration: + ClientId: "amzn1.application-oa2-client.1234" + ClientSecret: "1234" + RefreshToken: "{{resolve:ssm-secure:Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX}}" + VendorId: "1234" + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "MySkill": { + "Type": "Alexa::ASK::Skill", + "Properties": { + "SkillPackage": { + "S3Bucket": "my-skill-packages", + "S3Key": "skillpackage.zip", + "S3BucketRole": "S3BucketReadRole.Arn", + "Overrides": { + "Manifest": { + "apis": { + "custom": { + "endpoint": { + "uri": "SkillFunction.Arn" + } + } + } + } + } + }, + "AuthenticationConfiguration": { + "ClientId": "amzn1.application-oa2-client.1234", + "ClientSecret": "1234", + "RefreshToken": "{{resolve:secretsmanager:Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX}}" + }, + "VendorId": "1234" + } + }, + "MySkill2": { + "Type": "Alexa::ASK::Skill", + "Properties": { + "SkillPackage": { + "S3Bucket": "my-skill-packages", + "S3Key": "skillpackage.zip", + "S3BucketRole": "S3BucketReadRole.Arn", + "Overrides": { + "Manifest": { + "apis": { + "custom": { + "endpoint": { + "uri": "SkillFunction.Arn" + } + } + } + } + } + }, + "AuthenticationConfiguration": { + "ClientId": "amzn1.application-oa2-client.1234", + "ClientSecret": "1234", + "RefreshToken": "{{resolve:ssm-secure:Atzr|IQEBLzAtAhRPpMJxdwVz2Nn6f2y-tpJX2DeX}}" + }, + "VendorId": "1234" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/5beacce3-4020-4a3d-9e1d-a36f953df630.md b/docs/queries/cloudformation-queries/aws/5beacce3-4020-4a3d-9e1d-a36f953df630.md new file mode 100644 index 00000000000..5edaa456091 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/5beacce3-4020-4a3d-9e1d-a36f953df630.md 
@@ -0,0 +1,320 @@ +--- +title: RDS Storage Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5beacce3-4020-4a3d-9e1d-a36f953df630 +- **Query name:** RDS Storage Not Encrypted +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/rds_storage_not_encrypted) + +### Description +RDS Storage should be encrypted, which means the attribute 'StorageEncrypted' should be set to 'true'
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="35" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + KmsKeyId: !Ref MyKey + StorageEncrypted: false + + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +AWSTemplateFormatVersion: 2010-09-11 +Description: RDS Storage Encrypted2 +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey2: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall2: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + KmsKeyId: !Ref MyKey + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="50" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*" + } + ] + } + } + }, + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBInstanceClass": "DBInstanceType", + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier", + "SourceRegion": "SourceRegion", + "KmsKeyId": "MyKey", + "StorageEncrypted": false + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="45" +{ + "AWSTemplateFormatVersion": "2010-09-11T00:00:00Z", + "Description": "RDS Storage Encrypted2", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyKey2": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + } + } + ], + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1" + } + } + }, + "MyDBSmall2": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceRegion": "SourceRegion", + "KmsKeyId": "MyKey", + "DBInstanceClass": "DBInstanceType", + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + KmsKeyId: !Ref MyKey + StorageEncrypted: true +``` +```json title="Negative test num. 2 - json file" +{ + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceRegion": { + "Type": "String" + }, + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + } + }, + "Resources": { + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier", + "SourceRegion": "SourceRegion", + "KmsKeyId": "MyKey", + "StorageEncrypted": true, + "DBInstanceClass": "DBInstanceType" + } + }, + "MyKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*" + } + ] + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md b/docs/queries/cloudformation-queries/aws/5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md new file mode 100644 index 00000000000..ed89846545a --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/5c0b06d5-b7a4-484c-aeb0-75a836269ff0.md @@ -0,0 +1,441 @@ +--- +title: CloudTrail Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5c0b06d5-b7a4-484c-aeb0-75a836269ff0 +- **Query name:** CloudTrail Logging Disabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudtrail_logging_disabled) + +### Description +Checks if logging is enabled for CloudTrail.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html#cfn-cloudtrail-trail-islogging) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="84 69" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail3: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: false + IsMultiRegionTrail: true + myTrail4: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + EnableLogFileValidation: false + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: false + 
IsMultiRegionTrail: true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="98 118" +{ + "Resources": { + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}" + }, + { + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + }, + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject" + } + ] + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ] + } + }, + "Type": "AWS::SNS::TopicPolicy" + }, + "myTrail5": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "IsMultiRegionTrail": true, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": false + } + }, + "myTrail6": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "EnableLogFileValidation": false, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + 
"Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": false, + "IsMultiRegionTrail": true + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + EnableLogFileValidation: true + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Type": "String", + "Description": "Email address to notify when new logs are published." + } + }, + "Resources": { + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}", + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow" + }, + { + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + }, + "Sid": "AWSCloudTrailWrite" + } + ] + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ] + } + } + }, + "myTrail2": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "IsLogging": true, + "IsMultiRegionTrail": true, + "EnableLogFileValidation": true, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + } + } + }, + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/5c666ed9-b586-49ab-9873-c495a833b705.md b/docs/queries/cloudformation-queries/aws/5c666ed9-b586-49ab-9873-c495a833b705.md new file mode 100644 index 00000000000..0e3633d4e65 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/5c666ed9-b586-49ab-9873-c495a833b705.md @@ -0,0 +1,239 @@ +--- +title: Elasticsearch Without IAM Authentication +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5c666ed9-b586-49ab-9873-c495a833b705 +- **Query name:** Elasticsearch Without IAM Authentication +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elasticsearch_without_iam_authentication) + +### Description +AWS Elasticsearch should ensure IAM Authentication
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-accesspolicies) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates ES +Resources: + ElasticsearchDomain: + Type: AWS::Elasticsearch::Domain + Properties: + DomainName: "test" + ElasticsearchVersion: "7.10" + ElasticsearchClusterConfig: + DedicatedMasterEnabled: true + InstanceCount: "2" + ZoneAwarenessEnabled: true + InstanceType: "m3.medium.elasticsearch" + DedicatedMasterType: "m3.medium.elasticsearch" + DedicatedMasterCount: "3" + EBSOptions: + EBSEnabled: true + Iops: "0" + VolumeSize: "20" + VolumeType: "gp2" + AccessPolicies: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + AWS: "*" + Action: "es:*" + Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*" + LogPublishingOptions: + ES_APPLICATION_LOGS: + CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-application-logs" + Enabled: true + SEARCH_SLOW_LOGS: + CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs" + Enabled: true + INDEX_SLOW_LOGS: + CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs" + Enabled: true + AdvancedOptions: + rest.action.multi.allow_explicit_index: true + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="26" +{ + "Resources": { + "ElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "DomainName": "test", + "ElasticsearchVersion": "7.10", + "ElasticsearchClusterConfig": { + "DedicatedMasterEnabled": true, + "InstanceCount": "2", + "ZoneAwarenessEnabled": true, + "InstanceType": "m3.medium.elasticsearch", + "DedicatedMasterType": "m3.medium.elasticsearch", + "DedicatedMasterCount": "3" + }, + "EBSOptions": { + "EBSEnabled": true, + "Iops": "0", + "VolumeSize": "20", + "VolumeType": "gp2" + }, + "AccessPolicies": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "*" + }, + "Action": "es:*", + "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*" + } + ] + }, + "LogPublishingOptions": { + "ES_APPLICATION_LOGS": { + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-application-logs", + "Enabled": true + }, + "SEARCH_SLOW_LOGS": { + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs", + "Enabled": true + }, + "INDEX_SLOW_LOGS": { + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs", + "Enabled": true + } + }, + "AdvancedOptions": { + "rest.action.multi.allow_explicit_index": true + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates ES +Resources: + ElasticsearchDomain: + Type: AWS::Elasticsearch::Domain + Properties: + DomainName: "test" + ElasticsearchVersion: "7.10" + ElasticsearchClusterConfig: + DedicatedMasterEnabled: true + InstanceCount: "2" + ZoneAwarenessEnabled: true + InstanceType: "m3.medium.elasticsearch" + DedicatedMasterType: "m3.medium.elasticsearch" + DedicatedMasterCount: "3" + EBSOptions: + EBSEnabled: true + Iops: "0" + VolumeSize: "20" + VolumeType: "gp2" + AccessPolicies: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Principal: + AWS: "arn:aws:iam::123456789012:user/es-user" + Action: "es:*" + Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*" + LogPublishingOptions: + ES_APPLICATION_LOGS: + CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-application-logs" + Enabled: true + SEARCH_SLOW_LOGS: + CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs" + Enabled: true + INDEX_SLOW_LOGS: + CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs" + Enabled: true + AdvancedOptions: + rest.action.multi.allow_explicit_index: true + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "ElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "DomainName": "test", + "ElasticsearchVersion": "7.10", + "ElasticsearchClusterConfig": { + "DedicatedMasterEnabled": true, + "InstanceCount": "2", + "ZoneAwarenessEnabled": true, + "InstanceType": "m3.medium.elasticsearch", + "DedicatedMasterType": "m3.medium.elasticsearch", + "DedicatedMasterCount": "3" + }, + "EBSOptions": { + "EBSEnabled": true, + "Iops": "0", + "VolumeSize": "20", + "VolumeType": "gp2" + }, + "AccessPolicies": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/es-user" + }, + "Action": "es:*", + "Resource": "arn:aws:es:us-east-1:123456789012:domain/test/*" + } + ] + }, + "LogPublishingOptions": { + "ES_APPLICATION_LOGS": { + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-application-logs", + "Enabled": true + }, + "SEARCH_SLOW_LOGS": { + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-slow-logs", + "Enabled": true + }, + "INDEX_SLOW_LOGS": { + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/aes/domains/es-index-slow-logs", + "Enabled": true + } + }, + "AdvancedOptions": { + "rest.action.multi.allow_explicit_index": true + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/5d3c1807-acb3-4bb0-be4e-0440230feeaf.md b/docs/queries/cloudformation-queries/aws/5d3c1807-acb3-4bb0-be4e-0440230feeaf.md new file mode 100644 index 00000000000..e61e8a9483c --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/5d3c1807-acb3-4bb0-be4e-0440230feeaf.md 
@@ -0,0 +1,246 @@ +--- +title: CloudWatch Metrics Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5d3c1807-acb3-4bb0-be4e-0440230feeaf +- **Query name:** CloudWatch Metrics Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudwatch_metrics_disabled) + +### Description +Checks if CloudWatch Metrics is Enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cw-alarm.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18 20" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating TestDeployment +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'false' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="32 25" +{ + "Resources": { + "Prod": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "RestApiId": { + "Ref": "MyRestApi" + }, + "DeploymentId": { + "Ref": "TestDeployment" + }, + "DocumentationVersion": { + "Ref": "MyDocumentationVersion" + }, + "ClientCertificateId": { + "Ref": "ClientCertificate" + }, + "Variables": { + "Stack": "Prod" + }, + "MethodSettings": [ + { + "ResourcePath": "/", + "HttpMethod": "GET", + "DataTraceEnabled": "false" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "false", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555" + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating TestDeployment +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + +``` +
Postitive test num. 4 - json file + +```json hl_lines="5" +{ + "Resources": { + "Prod": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "RestApiId": { + "Ref": "MyRestApi" + }, + "DeploymentId": { + "Ref": "TestDeployment" + }, + "DocumentationVersion": { + "Ref": "MyDocumentationVersion" + }, + "ClientCertificateId": { + "Ref": "ClientCertificate" + }, + "Variables": { + "Stack": "Prod" + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating TestDeployment +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Prod": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "RestApiId": { + "Ref": "MyRestApi" + }, + "DeploymentId": { + "Ref": "TestDeployment" + }, + "DocumentationVersion": { + "Ref": "MyDocumentationVersion" + }, + "ClientCertificateId": { + "Ref": "ClientCertificate" + }, + "Variables": { + "Stack": "Prod" + }, + "MethodSettings": [ + { + "ResourcePath": "/", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md b/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md new file mode 100644 index 00000000000..bf4124a604c 
--- /dev/null +++ b/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md @@ -0,0 +1,277 @@ +--- +title: Security Group Rule Without Description +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5e6c9c68-8a82-408e-8749-ddad78cbb9c5 +- **Query name:** Security Group Rule Without Description +- **Platform:** CloudFormation +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_group_rule_without_description) + +### Description +It's considered a best practice for AWS Security Group to have a description
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 4 7 12 19" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Postitive test num. 
2 - json file" hl_lines="5 45 46 54 25" +{ + "Resources": { + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + } + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535 + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80 + } + ], + "VpcId": { + "Ref": "myVPC" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "Description": "TCP" + } + ] + } + }, + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + } + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + 
] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/5e7acff5-095b-40ac-9073-ac2e4ad8a512.md b/docs/queries/cloudformation-queries/aws/5e7acff5-095b-40ac-9073-ac2e4ad8a512.md new file mode 100644 index 00000000000..422b5ae53ec --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/5e7acff5-095b-40ac-9073-ac2e4ad8a512.md @@ -0,0 +1,189 @@ +--- +title: IAM Policies Without Groups +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5e7acff5-095b-40ac-9073-ac2e4ad8a512 +- **Query name:** IAM Policies Without Groups +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_policies_without_groups) + +### Description +IAM policy should not apply directly to users, should be with a group
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-policy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="25" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::Policy + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + Users: + - existinguser1 + - existinguser2 +``` +```json title="Postitive test num. 2 - json file" hl_lines="38" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::Policy", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ], + "Version": "2012-10-17" + }, + "Users": [ + "existinguser1", + "existinguser2" + ] + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::Policy + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + Groups: + - myexistinggroup1 +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::Policy", + "Properties": { + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Statement": [ + { + "Resource": [ + "myqueue.Arn" + ], + "Effect": "Allow", + "Action": [ + "sqs:*" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ], + "Version": "2012-10-17" + }, + "Groups": [ + "myexistinggroup1" + ] + } + ], + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md b/docs/queries/cloudformation-queries/aws/5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md new file mode 100644 index 00000000000..5f2cf75bd65 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/5f700072-b7ce-4e84-b3f3-497bf1c24a4d.md 
@@ -0,0 +1,523 @@ +--- +title: DMS Endpoint Password Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5f700072-b7ce-4e84-b3f3-497bf1c24a4d +- **Query name:** DMS Endpoint Password Exposed +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/dms_endpoint_password_exposed) + +### Description +DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dms-endpoint.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="20" +Resources: + DMSEndpoint4: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + MongoDbSettings + NeptuneSettings: + NeptuneSettings + Password: 'asDjskjs73!!' + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: 'asDjskjs73!' + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' +Resources: + DMSEndpoint5: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + MongoDbSettings + NeptuneSettings: + NeptuneSettings + Password: !Ref ParentMasterPassword + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="25" +Parameters: + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' 
+Resources: + DMSEndpoint6: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + MongoDbSettings + NeptuneSettings: + NeptuneSettings + Password: 'asDjskjs73!!' + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +
Postitive test num. 4 - json file + +```json hl_lines="23" +{ + "Resources": { + "DMSEndpoint4": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "MongoDbSettings": "MongoDbSettings", + "Port": 80, + "SslMode": "String", + "Username": "String", + "KafkaSettings": "KafkaSettings", + "EndpointIdentifier": "String", + "NeptuneSettings": "NeptuneSettings", + "DatabaseName": "String", + "ExtraConnectionAttributes": "String", + "ServerName": "String", + "Tags": [ + "Tag" + ], + "EngineName": "String", + "EndpointType": "String", + "KinesisSettings": "KinesisSettings", + "KmsKeyId": "String", + "Password": "asDjskjs73!!", + "S3Settings": "S3Settings", + "CertificateArn": "String" + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="6" +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "asDjskjs73!" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + } + }, + "Resources": { + "DMSEndpoint5": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "EndpointIdentifier": "String", + "S3Settings": "S3Settings", + "ExtraConnectionAttributes": "String", + "MongoDbSettings": "MongoDbSettings", + "NeptuneSettings": "NeptuneSettings", + "Password": "ParentMasterPassword", + "CertificateArn": "String", + "EngineName": "String", + "KinesisSettings": "KinesisSettings", + "KmsKeyId": "String", + "ServerName": "String", + "Username": "String", + "DatabaseName": "String", + "EndpointType": "String", + "KafkaSettings": "KafkaSettings", + "Port": 80, + "SslMode": "String", + "Tags": [ + "Tag" + ] + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="26" +{ + "Parameters": { + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + } + }, + "Resources": { + "DMSEndpoint6": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "ServerName": "String", + "EngineName": "String", + "KinesisSettings": "KinesisSettings", + "KmsKeyId": "String", + "Port": 80, + "S3Settings": "S3Settings", + "Tags": [ + "Tag" + ], + "Username": "String", + "DatabaseName": "String", + "EndpointIdentifier": "String", + "MongoDbSettings": "MongoDbSettings", + "Password": "asDjskjs73!!", + "SslMode": "String", + "CertificateArn": "String", + "NeptuneSettings": "NeptuneSettings", + "EndpointType": "String", + "ExtraConnectionAttributes": "String", + "KafkaSettings": "KafkaSettings" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: '' + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' +Resources: + DMSEndpoint1: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + MongoDbSettings + NeptuneSettings: + NeptuneSettings + Password: !Ref ParentMasterPassword + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +```yaml title="Negative test num. 2 - yaml file" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username' +Resources: + DMSEndpoint2: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + MongoDbSettings + NeptuneSettings: + NeptuneSettings + Password: !Ref ParentMasterPassword + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +```yaml title="Negative test num. 
3 - yaml file" +Resources: + DMSEndpoint3: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + MongoDbSettings + NeptuneSettings: + NeptuneSettings + Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username": "admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +
Negative test num. 4 - json file + +```json +{ + "Parameters": { + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + }, + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + } + }, + "Resources": { + "DMSEndpoint1": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "CertificateArn": "String", + "EndpointType": "String", + "EngineName": "String", + "ExtraConnectionAttributes": "String", + "EndpointIdentifier": "String", + "ServerName": "String", + "Username": "String", + "KafkaSettings": "KafkaSettings", + "KmsKeyId": "String", + "NeptuneSettings": "NeptuneSettings", + "Password": "ParentMasterPassword", + "Port": 80, + "Tags": [ + "Tag" + ], + "DatabaseName": "String", + "KinesisSettings": "KinesisSettings", + "MongoDbSettings": "MongoDbSettings", + "S3Settings": "S3Settings", + "SslMode": "String" + } + } + } +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "Parameters": { + "ParentMasterPassword": { + "Type": "String", + "Description": "Password" + }, + "ParentMasterUsername": { + "Type": "String", + "Default": "username", + "Description": "username" + } + }, + "Resources": { + "DMSEndpoint2": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "KafkaSettings": "KafkaSettings", + "NeptuneSettings": "NeptuneSettings", + "ServerName": "String", + "Tags": [ + "Tag" + ], + "Username": "String", + "EngineName": "String", + "DatabaseName": "String", + "EndpointIdentifier": "String", + "EndpointType": "String", + "KinesisSettings": "KinesisSettings", + "KmsKeyId": "String", + "Password": "ParentMasterPassword", + "S3Settings": "S3Settings", + "CertificateArn": "String", + "MongoDbSettings": "MongoDbSettings", + "Port": 80, + "SslMode": "String", + "ExtraConnectionAttributes": "String" + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Resources": { + "DMSEndpoint3": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "SslMode": "String", + "Username": "String", + "CertificateArn": "String", + "ExtraConnectionAttributes": "String", + "KmsKeyId": "String", + "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}", + "Port": 80, + "EndpointIdentifier": "String", + "KafkaSettings": "KafkaSettings", + "KinesisSettings": "KinesisSettings", + "NeptuneSettings": "NeptuneSettings", + "S3Settings": "S3Settings", + "ServerName": "String", + "Tags": [ + "Tag" + ], + "DatabaseName": "String", + "EndpointType": "String", + "EngineName": "String", + "MongoDbSettings": "MongoDbSettings" + } + }, + "MyAmpAppSecretManagerRotater": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "Description": "This is my amp app instance secret", + "GenerateSecretString": { + "SecretStringTemplate": "{\"username\": \"admin\"}", + "GenerateStringKey": "password", + "PasswordLength": 16, + "ExcludeCharacters": "\"@/\\" + } + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/60a05ede-0a68-4d0d-a58f-f538cf55ff79.md b/docs/queries/cloudformation-queries/aws/60a05ede-0a68-4d0d-a58f-f538cf55ff79.md new file mode 100644 index 00000000000..228f09eb765 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/60a05ede-0a68-4d0d-a58f-f538cf55ff79.md @@ -0,0 +1,71 @@ +--- +title: Serverless API Cache Cluster Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 60a05ede-0a68-4d0d-a58f-f538cf55ff79 +- **Query name:** Serverless API Cache Cluster Disabled +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_api_cache_cluster_disabled) + +### Description +AWS Serverless API should have cache clustering enabled
+[Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-cacheclusterenabled) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi2: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi3: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + +``` diff --git a/docs/queries/cloudformation-queries/aws/61a94903-3cd3-4780-88ec-fc918819b9c8.md b/docs/queries/cloudformation-queries/aws/61a94903-3cd3-4780-88ec-fc918819b9c8.md new file mode 100644 index 00000000000..1aff3cb9d25 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/61a94903-3cd3-4780-88ec-fc918819b9c8.md 
@@ -0,0 +1,208 @@ +--- +title: ELB Using Insecure Protocols +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 61a94903-3cd3-4780-88ec-fc918819b9c8 +- **Query name:** ELB Using Insecure Protocols +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elb_using_insecure_protocols) + +### Description +ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Protocols that coincide with any of a predefined list of insecure protocols.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="34 27" +#this is a problematic code where the query should report a result(s) +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: '80' + InstanceProtocol: HTTP + LoadBalancerPort: '443' + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: '2' + UnhealthyThreshold: '3' + Interval: '10' + Timeout: '5' + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Protocol-SSLv2 + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + - PolicyName: My-SSLNegotiation-Policy2 + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Protocol-TLSv1 + Value: ELBSecurityPolicy-TLS-1-2-2017-01 +``` +```json title="Postitive test num. 
2 - json file" hl_lines="50 35" +{ + "Resources": { + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true, + "Listeners": [ + { + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", + "InstancePort": "80" + } + ], + "HealthCheck": { + "HealthyThreshold": "2", + "UnhealthyThreshold": "3", + "Interval": "10", + "Timeout": "5", + "Target": "HTTP:80/" + }, + "Policies": [ + { + "PolicyName": "My-SSLNegotiation-Policy", + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "Protocol-SSLv2", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + }, + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ] + }, + { + "PolicyName": "My-SSLNegotiation-Policy2", + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01", + "Name": "Protocol-TLSv1" + } + ] + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: '80' + InstanceProtocol: HTTP + LoadBalancerPort: '443' + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: '2' + UnhealthyThreshold: '3' + Interval: '10' + Timeout: '5' + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "HealthCheck": { + "Interval": "10", + "Timeout": "5", + "Target": "HTTP:80/", + "HealthyThreshold": "2", + "UnhealthyThreshold": "3" + }, + "Policies": [ + { + "PolicyName": "My-SSLNegotiation-Policy", + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ] + } + ], + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true, + "Listeners": [ + { + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", + "InstancePort": "80", + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTPS" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md b/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md new file mode 100644 index 00000000000..ecc53ceea0b --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/64ab651b-f5b2-4af0-8c89-ddd03c4d0e61.md @@ -0,0 +1,169 @@ +--- +title: S3 Bucket SSE Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 64ab651b-f5b2-4af0-8c89-ddd03c4d0e61 +- **Query name:** S3 Bucket SSE Disabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled) + +### Description +If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="15" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "S3 bucket with default encryption", + "Resources": { + "EncryptedS3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": { + "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" + }, + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "aws:kms" + } + } + ] + } + }, + "DeletionPolicy": "Delete" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +AWSTemplateFormatVersion: '2010-09-09' +Description: S3 bucket with default encryption +Resources: + EncryptedS3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: + 'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: 'aws:kms' + DeletionPolicy: Delete + +``` +```json title="Postitive test num. 3 - json file" hl_lines="16" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "S3 bucket with default encryption", + "Resources": { + "EncryptedS3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": { + "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" + }, + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "AES256", + "KMSMasterKeyID": "KMS-KEY-ARN" + } + } + ] + } + }, + "DeletionPolicy": "Delete" + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="13" +AWSTemplateFormatVersion: '2010-09-09' +Description: S3 bucket with default encryption +Resources: + EncryptedS3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: + 'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: 'AES256' + KMSMasterKeyID: KMS-KEY-ARN + DeletionPolicy: Delete + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "S3 bucket with default encryption", + "Resources": { + "EncryptedS3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": { + "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" + }, + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "aws:kms", + "KMSMasterKeyID": "KMS-KEY-ARN" + } + } + ] + } + }, + "DeletionPolicy": "Delete" + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Description: S3 bucket with default encryption +Resources: + EncryptedS3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: + 'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: 'aws:kms' + KMSMasterKeyID: KMS-KEY-ARN + DeletionPolicy: Delete + +``` diff --git a/docs/queries/cloudformation-queries/aws/65844ba3-03a1-40a8-b3dd-919f122e8c95.md b/docs/queries/cloudformation-queries/aws/65844ba3-03a1-40a8-b3dd-919f122e8c95.md new file mode 100644 index 00000000000..46ecd5640a7 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/65844ba3-03a1-40a8-b3dd-919f122e8c95.md @@ -0,0 +1,431 @@ +--- +title: RDS Storage Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 65844ba3-03a1-40a8-b3dd-919f122e8c95 +- **Query name:** RDS Storage Encryption Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/rds_storage_encryption_disabled) + +### Description +RDS DBCluster should have storage encrypted set to true
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html#cfn-rds-dbcluster-storageencrypted) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Resources: + RDSCluster: + Properties: + DBClusterParameterGroupName: + Ref: RDSDBClusterParameterGroup + DBSubnetGroupName: DBSubnetGroup + Engine: aurora + MasterUserPassword: password + MasterUsername: username + StorageEncrypted: false + Type: "AWS::RDS::DBCluster" + RDSDBClusterParameterGroup: + Properties: + Description: "CloudFormation Sample Aurora Cluster Parameter Group" + Family: aurora5.6 + Parameters: + time_zone: US/Eastern + Type: "AWS::RDS::DBClusterParameterGroup" + RDSDBInstance1: + Properties: + AvailabilityZone: eu-west-1b + DBClusterIdentifier: + Ref: RDSCluster + DBInstanceClass: db.r3.xlarge + DBParameterGroupName: + Ref: RDSDBParameterGroup + DBSubnetGroupName: DBSubnetGroup + Engine: aurora + PubliclyAccessible: "true" + Type: "AWS::RDS::DBInstance" + RDSDBInstance2: + Properties: + AvailabilityZone: eu-west-1b + DBClusterIdentifier: + Ref: RDSCluster + DBInstanceClass: db.r3.xlarge + DBParameterGroupName: + Ref: RDSDBParameterGroup + DBSubnetGroupName: DBSubnetGroup + Engine: aurora + PubliclyAccessible: "true" + Type: "AWS::RDS::DBInstance" + RDSDBParameterGroup: + Type: 'AWS::RDS::DBParameterGroup' + Properties: + Description: CloudFormation Sample Aurora Parameter Group + Family: aurora5.6 + Parameters: + sql_mode: IGNORE_SPACE + max_allowed_packet: 1024 + innodb_buffer_pool_size: '{DBInstanceClassMemory*3/4}' + + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Resources: + RDSCluster1: + Properties: + DBClusterParameterGroupName: + Ref: RDSDBClusterParameterGroup + DBSubnetGroupName: DBSubnetGroup + Engine: aurora + MasterUserPassword: password + MasterUsername: username + Type: "AWS::RDS::DBCluster" + RDSDBClusterParameterGroup: + Properties: + Description: "CloudFormation Sample Aurora Cluster Parameter Group" + Family: aurora5.6 + Parameters: + time_zone: US/Eastern + Type: "AWS::RDS::DBClusterParameterGroup" + RDSDBInstance1: + Properties: + AvailabilityZone: eu-west-1b + DBClusterIdentifier: + Ref: RDSCluster + DBInstanceClass: db.r3.xlarge + DBParameterGroupName: + Ref: RDSDBParameterGroup + DBSubnetGroupName: DBSubnetGroup + Engine: aurora + PubliclyAccessible: "true" + Type: "AWS::RDS::DBInstance" + RDSDBInstance2: + Properties: + AvailabilityZone: eu-west-1b + DBClusterIdentifier: + Ref: RDSCluster + DBInstanceClass: db.r3.xlarge + DBParameterGroupName: + Ref: RDSDBParameterGroup + DBSubnetGroupName: DBSubnetGroup + Engine: aurora + PubliclyAccessible: "true" + Type: "AWS::RDS::DBInstance" + RDSDBParameterGroup: + Type: 'AWS::RDS::DBParameterGroup' + Properties: + Description: CloudFormation Sample Aurora Parameter Group + Family: aurora5.6 + Parameters: + sql_mode: IGNORE_SPACE + max_allowed_packet: 1024 + innodb_buffer_pool_size: '{DBInstanceClassMemory*3/4}' + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="9" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster", + "Resources": { + "RDSCluster": { + "Properties": { + "MasterUserPassword": "password", + "MasterUsername": "username", + "StorageEncrypted": false, + "DBClusterParameterGroupName": { + "Ref": "RDSDBClusterParameterGroup" + }, + "DBSubnetGroupName": "DBSubnetGroup", + "Engine": "aurora" + }, + "Type": "AWS::RDS::DBCluster" + }, + "RDSDBClusterParameterGroup": { + "Properties": { + "Description": "CloudFormation Sample Aurora Cluster Parameter Group", + "Family": "aurora5.6", + "Parameters": { + "time_zone": "US/Eastern" + } + }, + "Type": "AWS::RDS::DBClusterParameterGroup" + }, + "RDSDBInstance1": { + "Properties": { + "DBInstanceClass": "db.r3.xlarge", + "DBParameterGroupName": { + "Ref": "RDSDBParameterGroup" + }, + "DBSubnetGroupName": "DBSubnetGroup", + "Engine": "aurora", + "PubliclyAccessible": "true", + "AvailabilityZone": "eu-west-1b", + "DBClusterIdentifier": { + "Ref": "RDSCluster" + } + }, + "Type": "AWS::RDS::DBInstance" + }, + "RDSDBInstance2": { + "Properties": { + "DBClusterIdentifier": { + "Ref": "RDSCluster" + }, + "DBInstanceClass": "db.r3.xlarge", + "DBParameterGroupName": { + "Ref": "RDSDBParameterGroup" + }, + "DBSubnetGroupName": "DBSubnetGroup", + "Engine": "aurora", + "PubliclyAccessible": "true", + "AvailabilityZone": "eu-west-1b" + }, + "Type": "AWS::RDS::DBInstance" + }, + "RDSDBParameterGroup": { + "Type": "AWS::RDS::DBParameterGroup", + "Properties": { + "Description": "CloudFormation Sample Aurora Parameter Group", + "Family": "aurora5.6", + "Parameters": { + "max_allowed_packet": 1024, + "innodb_buffer_pool_size": "{DBInstanceClassMemory*3/4}", + "sql_mode": "IGNORE_SPACE" + } + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="59" +{ + "Description": "Creates RDS Cluster", + "Resources": { + "RDSDBClusterParameterGroup": { + "Properties": { + "Description": "CloudFormation Sample Aurora Cluster Parameter Group", + "Family": "aurora5.6", + "Parameters": { + "time_zone": "US/Eastern" + } + }, + "Type": "AWS::RDS::DBClusterParameterGroup" + }, + "RDSDBInstance1": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "PubliclyAccessible": "true", + "AvailabilityZone": "eu-west-1b", + "DBClusterIdentifier": { + "Ref": "RDSCluster" + }, + "DBInstanceClass": "db.r3.xlarge", + "DBParameterGroupName": { + "Ref": "RDSDBParameterGroup" + }, + "DBSubnetGroupName": "DBSubnetGroup", + "Engine": "aurora" + } + }, + "RDSDBInstance2": { + "Properties": { + "DBInstanceClass": "db.r3.xlarge", + "DBParameterGroupName": { + "Ref": "RDSDBParameterGroup" + }, + "DBSubnetGroupName": "DBSubnetGroup", + "Engine": "aurora", + "PubliclyAccessible": "true", + "AvailabilityZone": "eu-west-1b", + "DBClusterIdentifier": { + "Ref": "RDSCluster" + } + }, + "Type": "AWS::RDS::DBInstance" + }, + "RDSDBParameterGroup": { + "Properties": { + "Parameters": { + "sql_mode": "IGNORE_SPACE", + "max_allowed_packet": 1024, + "innodb_buffer_pool_size": "{DBInstanceClassMemory*3/4}" + }, + "Description": "CloudFormation Sample Aurora Parameter Group", + "Family": "aurora5.6" + }, + "Type": "AWS::RDS::DBParameterGroup" + }, + "RDSCluster1": { + "Properties": { + "Engine": "aurora", + "MasterUserPassword": "password", + "MasterUsername": "username", + "DBClusterParameterGroupName": { + "Ref": "RDSDBClusterParameterGroup" + }, + "DBSubnetGroupName": "DBSubnetGroup" + }, + "Type": "AWS::RDS::DBCluster" + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Resources: + RDSCluster: + Properties: + DBClusterParameterGroupName: + Ref: RDSDBClusterParameterGroup + DBSubnetGroupName: DBSubnetGroup + Engine: aurora + MasterUserPassword: password + MasterUsername: username + StorageEncrypted: true + Type: "AWS::RDS::DBCluster" + RDSDBClusterParameterGroup: + Properties: + Description: "CloudFormation Sample Aurora Cluster Parameter Group" + Family: aurora5.6 + Parameters: + time_zone: US/Eastern + Type: "AWS::RDS::DBClusterParameterGroup" + RDSDBInstance1: + Properties: + AvailabilityZone: eu-west-1b + DBClusterIdentifier: + Ref: RDSCluster + DBInstanceClass: db.r3.xlarge + DBParameterGroupName: + Ref: RDSDBParameterGroup + DBSubnetGroupName: DBSubnetGroup + Engine: aurora + PubliclyAccessible: "true" + Type: "AWS::RDS::DBInstance" + RDSDBInstance2: + Properties: + AvailabilityZone: eu-west-1b + DBClusterIdentifier: + Ref: RDSCluster + DBInstanceClass: db.r3.xlarge + DBParameterGroupName: + Ref: RDSDBParameterGroup + DBSubnetGroupName: DBSubnetGroup + Engine: aurora + PubliclyAccessible: "true" + Type: "AWS::RDS::DBInstance" + RDSDBParameterGroup: + Type: 'AWS::RDS::DBParameterGroup' + Properties: + Description: CloudFormation Sample Aurora Parameter Group + Family: aurora5.6 + Parameters: + sql_mode: IGNORE_SPACE + max_allowed_packet: 1024 + innodb_buffer_pool_size: '{DBInstanceClassMemory*3/4}' + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster", + "Resources": { + "RDSDBClusterParameterGroup": { + "Properties": { + "Description": "CloudFormation Sample Aurora Cluster Parameter Group", + "Family": "aurora5.6", + "Parameters": { + "time_zone": "US/Eastern" + } + }, + "Type": "AWS::RDS::DBClusterParameterGroup" + }, + "RDSDBInstance1": { + "Properties": { + "PubliclyAccessible": "true", + "AvailabilityZone": "eu-west-1b", + "DBClusterIdentifier": { + "Ref": "RDSCluster" + }, + "DBInstanceClass": "db.r3.xlarge", + "DBParameterGroupName": { + "Ref": "RDSDBParameterGroup" + }, + "DBSubnetGroupName": "DBSubnetGroup", + "Engine": "aurora" + }, + "Type": "AWS::RDS::DBInstance" + }, + "RDSDBInstance2": { + "Properties": { + "PubliclyAccessible": "true", + "AvailabilityZone": "eu-west-1b", + "DBClusterIdentifier": { + "Ref": "RDSCluster" + }, + "DBInstanceClass": "db.r3.xlarge", + "DBParameterGroupName": { + "Ref": "RDSDBParameterGroup" + }, + "DBSubnetGroupName": "DBSubnetGroup", + "Engine": "aurora" + }, + "Type": "AWS::RDS::DBInstance" + }, + "RDSDBParameterGroup": { + "Type": "AWS::RDS::DBParameterGroup", + "Properties": { + "Description": "CloudFormation Sample Aurora Parameter Group", + "Family": "aurora5.6", + "Parameters": { + "sql_mode": "IGNORE_SPACE", + "max_allowed_packet": 1024, + "innodb_buffer_pool_size": "{DBInstanceClassMemory*3/4}" + } + } + }, + "RDSCluster": { + "Properties": { + "DBSubnetGroupName": "DBSubnetGroup", + "Engine": "aurora", + "MasterUserPassword": "password", + "MasterUsername": "username", + "StorageEncrypted": true, + "DBClusterParameterGroupName": { + "Ref": "RDSDBClusterParameterGroup" + } + }, + "Type": "AWS::RDS::DBCluster" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/65d07da5-9af5-44df-8983-52d2e6f24c44.md b/docs/queries/cloudformation-queries/aws/65d07da5-9af5-44df-8983-52d2e6f24c44.md new file mode 100644 index 00000000000..ca3a1d0b03e 
--- /dev/null +++ b/docs/queries/cloudformation-queries/aws/65d07da5-9af5-44df-8983-52d2e6f24c44.md @@ -0,0 +1,905 @@ +--- +title: CloudTrail Not Integrated With CloudWatch +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 65d07da5-9af5-44df-8983-52d2e6f24c44 +- **Query name:** CloudTrail Not Integrated With CloudWatch +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudtrail_not_integrated_with_cloudwatch) + +### Description +CloudTrail should be integrated with CloudWatch
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudtrail-trail.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="62" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="62" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." 
+ Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail2: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + CloudWatchLogsRoleArn: + "Fn::GetAtt": + - IamRoleForCwLogs + - Arn + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + IamRoleForCwLogs: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "" + Effect: Allow + Principal: + Service: cloudtrail.amazonaws.com + Action: "sts:AssumeRole" + Policies: + - PolicyName: allow-access-to-cw-logs + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - "logs:CreateLogStream" + - "logs:PutLogEvents" + Resource: "*" + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="62" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail3: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + CloudWatchLogsLogGroupArn: "arn:aws:logs:us-west-2:920172477660:log-group:CloudTrail/DefaultLogGroup:*" + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + IamRoleForCwLogs: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "" + Effect: Allow + Principal: + Service: cloudtrail.amazonaws.com + Action: "sts:AssumeRole" + Policies: + - PolicyName: allow-access-to-cw-logs + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - "logs:CreateLogStream" + - 
"logs:PutLogEvents" + Resource: "*" + +``` +
Postitive test num. 4 - json file + +```json hl_lines="82" +{ + "Resources": { + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}" + }, + { + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } + } + ] + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ], + "Version": "2008-10-17" + } + } + }, + "myTrail": { + "Properties": { + "IsMultiRegionTrail": true, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true + }, + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail" + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="82" +{ + "Resources": { + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}" + }, + { + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } + } + ] + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ], + "Version": "2008-10-17" + } + } + }, + "myTrail": { + "Properties": { + "IsMultiRegionTrail": true, + "CloudWatchLogsRoleArn": { + "Fn::GetAtt": [ + "IamRoleForCwLogs", + "Arn" + ] + }, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true + }, + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail" + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + } +} + 
+``` +
+
Postitive test num. 6 - json file + +```json hl_lines="82" +{ + "Resources": { + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "arn:aws:s3:::${S3Bucket}" + }, + { + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/*", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } + } + ] + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ], + "Version": "2008-10-17" + } + } + }, + "myTrail": { + "Properties": { + "IsMultiRegionTrail": true, + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:920172477660:log-group:CloudTrail/DefaultLogGroup:*", + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true + }, + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail" + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + 
"Type": "String" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + S3Bucket: + DeletionPolicy: Retain + Type: AWS::S3::Bucket + Properties: {} + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: + Ref: S3Bucket + PolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "AWSCloudTrailAclCheck" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:GetBucketAcl" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket} + - Sid: "AWSCloudTrailWrite" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Action: "s3:PutObject" + Resource: !Sub |- + arn:aws:s3:::${S3Bucket}/AWSLogs/${AWS::AccountId}/* + Condition: + StringEquals: + s3:x-amz-acl: "bucket-owner-full-control" + Topic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Ref: OperatorEmail + Protocol: email + TopicPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + Topics: + - Ref: "Topic" + PolicyDocument: + Version: "2008-10-17" + Statement: + - Sid: "AWSCloudTrailSNSPolicy" + Effect: "Allow" + Principal: + Service: "cloudtrail.amazonaws.com" + Resource: "*" + Action: "SNS:Publish" + myTrail: + DependsOn: + - BucketPolicy + - TopicPolicy + Type: AWS::CloudTrail::Trail + Properties: + CloudWatchLogsLogGroupArn: "arn:aws:logs:us-west-2:920172477660:log-group:CloudTrail/DefaultLogGroup:*" + CloudWatchLogsRoleArn: + "Fn::GetAtt": + - IamRoleForCwLogs + - Arn + S3BucketName: + Ref: S3Bucket + SnsTopicName: + Fn::GetAtt: + - Topic + - TopicName + IsLogging: true + IsMultiRegionTrail: true + IamRoleForCwLogs: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Sid: "" + Effect: Allow + Principal: + Service: cloudtrail.amazonaws.com + Action: "sts:AssumeRole" + Policies: + - 
PolicyName: allow-access-to-cw-logs + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - "logs:CreateLogStream" + - "logs:PutLogEvents" + Resource: "*" + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "OperatorEmail": { + "Description": "Email address to notify when new logs are published.", + "Type": "String" + } + }, + "Resources": { + "S3Bucket": { + "DeletionPolicy": "Retain", + "Type": "AWS::S3::Bucket", + "Properties": {} + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3Bucket" + }, + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailAclCheck", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:GetBucketAcl", + "Resource": "value" + }, + { + "Sid": "AWSCloudTrailWrite", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "s3:PutObject", + "Resource": "value", + "Condition": { + "StringEquals": { + "s3:x-amz-acl": "bucket-owner-full-control" + } + } + } + ] + } + } + }, + "Topic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Ref": "OperatorEmail" + }, + "Protocol": "email" + } + ] + } + }, + "TopicPolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "Topics": [ + { + "Ref": "Topic" + } + ], + "PolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AWSCloudTrailSNSPolicy", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Resource": "*", + "Action": "SNS:Publish" + } + ] + } + } + }, + "myTrail": { + "DependsOn": [ + "BucketPolicy", + "TopicPolicy" + ], + "Type": "AWS::CloudTrail::Trail", + "Properties": { + "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:920172477660:log-group:CloudTrail/DefaultLogGroup:*", + "CloudWatchLogsRoleArn": { + 
"Fn::GetAtt": [ + "IamRoleForCwLogs", + "Arn" + ] + }, + "S3BucketName": { + "Ref": "S3Bucket" + }, + "SnsTopicName": { + "Fn::GetAtt": [ + "Topic", + "TopicName" + ] + }, + "IsLogging": true, + "IsMultiRegionTrail": true + } + }, + "IamRoleForCwLogs": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }, + "Policies": [ + { + "PolicyName": "allow-access-to-cw-logs", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": "*" + } + ] + } + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/6685d912-d81f-4cfa-95ad-e316ea31c989.md b/docs/queries/cloudformation-queries/aws/6685d912-d81f-4cfa-95ad-e316ea31c989.md new file mode 100644 index 00000000000..dbcd4aa2234 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/6685d912-d81f-4cfa-95ad-e316ea31c989.md @@ -0,0 +1,353 @@ +--- +title: Directory Service Simple AD Password Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6685d912-d81f-4cfa-95ad-e316ea31c989 +- **Query name:** Directory Service Simple AD Password Exposed +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/directory_service_simple_ad_password_exposed) + +### Description +DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-directoryservice-simplead.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: '' + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' +Resources: + NewAmpApp4: + Type: AWS::DirectoryService::SimpleAD + Properties: + CreateAlias: true + Description: String + EnableSso: true + Name: String + Password: 'asDjskjs73!!' + ShortName: String + Size: String + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +Resources: + NewAmpApp5: + Type: AWS::DirectoryService::SimpleAD + Properties: + CreateAlias: true + Description: String + EnableSso: true + Name: String + Password: 'asDjskjs73!!' + ShortName: String + Size: String + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: 'asDjskjs73!' + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' +Resources: + NewAmpApp6: + Type: AWS::DirectoryService::SimpleAD + Properties: + CreateAlias: true + Description: String + EnableSso: true + Name: String + Password: !Ref ParentMasterPassword + ShortName: String + Size: String + + +``` +
Postitive test num. 4 - json file + +```json hl_lines="20" +{ + "Parameters": { + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + }, + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + } + }, + "Resources": { + "NewAmpApp4": { + "Type": "AWS::DirectoryService::SimpleAD", + "Properties": { + "EnableSso": true, + "Name": "String", + "Password": "asDjskjs73!!", + "ShortName": "String", + "Size": "String", + "CreateAlias": true, + "Description": "String" + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="12" +{ + "Resources": { + "NewAmpApp5": { + "Type": "AWS::DirectoryService::SimpleAD", + "Properties": { + "ShortName": "String", + "Size": "String", + "CreateAlias": true, + "Description": "String", + "EnableSso": true, + "Name": "String", + "Password": "asDjskjs73!!" + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="6" +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "asDjskjs73!" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + } + }, + "Resources": { + "NewAmpApp6": { + "Type": "AWS::DirectoryService::SimpleAD", + "Properties": { + "Size": "String", + "CreateAlias": true, + "Description": "String", + "EnableSso": true, + "Name": "String", + "Password": "ParentMasterPassword", + "ShortName": "String" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: '' + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' +Resources: + NewAmpApp1: + Type: AWS::DirectoryService::SimpleAD + Properties: + CreateAlias: true + Description: String + EnableSso: true + Name: String + Password: !Ref ParentMasterPassword + ShortName: String + Size: String + +``` +```yaml title="Negative test num. 2 - yaml file" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username' +Resources: + NewAmpApp2: + Type: AWS::DirectoryService::SimpleAD + Properties: + CreateAlias: true + Description: String + EnableSso: true + Name: String + Password: !Ref ParentMasterPassword + ShortName: String + Size: String + +``` +```yaml title="Negative test num. 3 - yaml file" +Resources: + NewAmpApp3: + Type: AWS::DirectoryService::SimpleAD + Properties: + CreateAlias: true + Description: String + EnableSso: true + Name: String + Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + ShortName: String + Size: String + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username": "admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +
Negative test num. 4 - json file + +```json +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + } + }, + "Resources": { + "NewAmpApp1": { + "Type": "AWS::DirectoryService::SimpleAD", + "Properties": { + "Description": "String", + "EnableSso": true, + "Name": "String", + "Password": "ParentMasterPassword", + "ShortName": "String", + "Size": "String", + "CreateAlias": true + } + } + } +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username" + } + }, + "Resources": { + "NewAmpApp2": { + "Type": "AWS::DirectoryService::SimpleAD", + "Properties": { + "Size": "String", + "CreateAlias": true, + "Description": "String", + "EnableSso": true, + "Name": "String", + "Password": "ParentMasterPassword", + "ShortName": "String" + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Resources": { + "NewAmpApp3": { + "Type": "AWS::DirectoryService::SimpleAD", + "Properties": { + "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}", + "ShortName": "String", + "Size": "String", + "CreateAlias": true, + "Description": "String", + "EnableSso": true, + "Name": "String" + } + }, + "MyAmpAppSecretManagerRotater": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "Description": "This is my amp app instance secret", + "GenerateSecretString": { + "GenerateStringKey": "password", + "PasswordLength": 16, + "ExcludeCharacters": "\"@/\\", + "SecretStringTemplate": "{\"username\": \"admin\"}" + } + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md b/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md new file mode 100644 index 00000000000..1e6e7b7ccc7 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md @@ -0,0 +1,183 @@ +--- +title: Security Groups Allows Unrestricted Outbound Traffic +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 66f2d8f9-a911-4ced-ae27-34f09690bb2c +- **Query name:** Security Groups Allows Unrestricted Outbound Traffic +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic) + +### Description +No security group should allow unrestricted egress access
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +Parameters: + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance + Type: 'AWS::EC2::KeyPair::KeyName' +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + - MyExistingSecurityGroup + KeyName: !Ref KeyName + ImageId: ami-7a11e213 + InstanceSecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Enable SSH access via port 22 + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: ALL + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 +``` +```json title="Postitive test num. 2 - json file" hl_lines="21" +{ + "Parameters": { + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName" + } + }, + "Resources": { + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-7a11e213", + "SecurityGroups": [ + "InstanceSecurityGroup", + "MyExistingSecurityGroup" + ], + "KeyName": "KeyName" + } + }, + "InstanceSecurityGroup": { + "Properties": { + "SecurityGroupIngress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": "22", + "ToPort": "22" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "ALL", + "FromPort": "22", + "ToPort": "22", + "CidrIp": "0.0.0.0/0" + } + ], + "GroupDescription": "Enable SSH access via port 22" + }, + "Type": "AWS::EC2::SecurityGroup" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Parameters: + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance + Type: 'AWS::EC2::KeyPair::KeyName' +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + - MyExistingSecurityGroup + KeyName: !Ref KeyName + ImageId: ami-7a11e213 + InstanceSecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Enable SSH access via port 22 + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 +``` +```json title="Negative test num. 2 - json file" +{ + "Parameters": { + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName" + } + }, + "Resources": { + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "SecurityGroups": [ + "InstanceSecurityGroup", + "MyExistingSecurityGroup" + ], + "KeyName": "KeyName", + "ImageId": "ami-7a11e213" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Enable SSH access via port 22", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": "22", + "ToPort": "22", + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": "22", + "ToPort": "22" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/68b6a789-82f8-4cfd-85de-e95332fe6a61.md b/docs/queries/cloudformation-queries/aws/68b6a789-82f8-4cfd-85de-e95332fe6a61.md new file mode 100644 index 00000000000..d6452cdb52a --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/68b6a789-82f8-4cfd-85de-e95332fe6a61.md 
@@ -0,0 +1,162 @@ +--- +title: MQ Broker Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 68b6a789-82f8-4cfd-85de-e95332fe6a61 +- **Query name:** MQ Broker Is Publicly Accessible +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/mq_broker_is_publicly_accessible) + +### Description +Check if any MQ Broker is not publicly accessible
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-publiclyaccessible) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create a basic ActiveMQ broker" +Resources: + BasicBroker: + Type: "AWS::AmazonMQ::Broker" + Properties: + AutoMinorVersionUpgrade: "false" + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EncryptionOptions: + UseAwsOwnedKey: true + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: true + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="31" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create a basic ActiveMQ broker", + "Resources": { + "BasicBroker2": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EncryptionOptions": { + "UseAwsOwnedKey": true + }, + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "AutoMinorVersionUpgrade": "false", + "PubliclyAccessible": true + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create a basic ActiveMQ broker" +Resources: + BasicBroker: + Type: "AWS::AmazonMQ::Broker" + Properties: + AutoMinorVersionUpgrade: "false" + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EncryptionOptions: + UseAwsOwnedKey: true + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: false + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create a basic ActiveMQ broker", + "Resources": { + "BasicBroker2": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EncryptionOptions": { + "UseAwsOwnedKey": true + }, + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "AutoMinorVersionUpgrade": "false" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/6b5b0313-771b-4319-ad7a-122ee78700ef.md b/docs/queries/cloudformation-queries/aws/6b5b0313-771b-4319-ad7a-122ee78700ef.md new file mode 100644 index 00000000000..4673088c2ce --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/6b5b0313-771b-4319-ad7a-122ee78700ef.md 
@@ -0,0 +1,94 @@ +--- +title: Serverless API Endpoint Config Not Private +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6b5b0313-771b-4319-ad7a-122ee78700ef +- **Query name:** Serverless API Endpoint Config Not Private +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_api_endpoint_config_not_private) + +### Description +AWS Serverless API should set API Endpoint Config type to 'PRIVATE'. This way, it's not exposed to the public internet
+[Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-endpointconfiguration) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi2: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + EndpointConfiguration: + VpcEndpointIds: + - !Ref ApiGatewayVPCEndpoint + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi3: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + EndpointConfiguration: + Types: + - EDGE + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi4: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + EndpointConfiguration: + Types: + - PRIVATE + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md b/docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md new file mode 100644 index 00000000000..20d507980e9 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/6c131358-c54d-419b-9dd6-1f7dd41d180c.md @@ -0,0 +1,846 @@ +--- +title: ECS Cluster Not Encrypted At Rest +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6c131358-c54d-419b-9dd6-1f7dd41d180c +- **Query name:** ECS Cluster Not Encrypted At Rest +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest) + +### Description +Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="37" +Resources: + cluster: + Type: AWS::ECS::Cluster + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: !Ref AppName + MountPoints: + - SourceVolume: my-vol + ContainerPath: /var/www/my-vol + Image: amazon/amazon-ecs-sample + Cpu: '10' + PortMappings: + - ContainerPort: !Ref AppContainerPort + HostPort: !Ref AppHostPort + EntryPoint: + - /usr/sbin/apache2 + - '-D' + - FOREGROUND + Memory: '500' + Essential: true + - Name: busybox + Image: busybox + Cpu: '10' + EntryPoint: + - sh + - '-c' + Memory: '500' + Command: + - >- + /bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep + 1; done" + Essential: false + VolumesFrom: + - SourceContainer: !Ref AppName + Volumes: + - Host: + SourcePath: /var/lib/docker/vfs/dir/ + Name: my-vol + EFSVolumeConfiguration: + TransitEncryption: DISABLED + TransitEncryptionPort: 8080 + service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref cluster + DeploymentConfiguration: + MaximumPercent: 200 + MinimumHealthyPercent: 100 + DesiredCount: 0 + HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds + LoadBalancers: + - ContainerName: !Ref AppName + ContainerPort: !Ref AppContainerPort + LoadBalancerName: !Ref elb + PlacementStrategies: + - Type: binpack + Field: memory + - Type: spread + Field: host + PlacementConstraints: + - Type: memberOf + Expression: 'attribute:ecs.availability-zone != us-east-1d' + - Type: distinctInstance + TaskDefinition: !Ref taskdefinition + ServiceName: !Ref ServiceName + Role: !Ref Role + elb: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + LoadBalancerName: !Ref LoadBalancerName + Listeners: + - InstancePort: !Ref AppHostPort + LoadBalancerPort: '80' + Protocol: HTTP + 
Subnets: + - !Ref Subnet1 + DependsOn: GatewayAttachment + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/24 + Subnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.0.0/25 + InternetGateway: + Type: AWS::EC2::InternetGateway + GatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref VPC + Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: ecs.amazonaws.com + Action: 'sts:AssumeRole' + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="26" +Resources: + cluster: + Type: AWS::ECS::Cluster + service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref cluster + DeploymentConfiguration: + MaximumPercent: 200 + MinimumHealthyPercent: 100 + DesiredCount: 0 + HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds + LoadBalancers: + - ContainerName: !Ref AppName + ContainerPort: !Ref AppContainerPort + LoadBalancerName: !Ref elb + PlacementStrategies: + - Type: binpack + Field: memory + - Type: spread + Field: host + PlacementConstraints: + - Type: memberOf + Expression: 'attribute:ecs.availability-zone != us-east-1d' + - Type: distinctInstance + TaskDefinition: !Ref taskdefinition1 + ServiceName: !Ref ServiceName + Role: !Ref Role + elb: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + LoadBalancerName: !Ref LoadBalancerName + Listeners: + - InstancePort: !Ref AppHostPort + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: + - !Ref Subnet1 + DependsOn: GatewayAttachment + VPC2: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/24 + Subnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.0.0/25 + InternetGateway: + Type: AWS::EC2::InternetGateway + GatewayAttachment: + Type: 
AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref VPC + Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: ecs.amazonaws.com + Action: 'sts:AssumeRole' + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' + +``` +```json title="Postitive test num. 3 - json file" hl_lines="122" +{ + "Resources": { + "cluster": { + "Type": "AWS::ECS::Cluster" + }, + "service": { + "Type": "AWS::ECS::Service", + "Properties": { + "LoadBalancers": [ + { + "ContainerName": "AppName", + "ContainerPort": "AppContainerPort", + "LoadBalancerName": "elb" + } + ], + "PlacementStrategies": [ + { + "Type": "binpack", + "Field": "memory" + }, + { + "Type": "spread", + "Field": "host" + } + ], + "PlacementConstraints": [ + { + "Expression": "attribute:ecs.availability-zone != us-east-1d", + "Type": "memberOf" + }, + { + "Type": "distinctInstance" + } + ], + "Role": "Role", + "DeploymentConfiguration": { + "MaximumPercent": 200, + "MinimumHealthyPercent": 100 + }, + "DesiredCount": 0, + "TaskDefinition": "taskdefinition", + "ServiceName": "ServiceName", + "Cluster": "cluster", + "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds" + } + }, + "elb": { + "DependsOn": "GatewayAttachment", + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "LoadBalancerName": "LoadBalancerName", + "Listeners": [ + { + "LoadBalancerPort": "80", + "Protocol": "HTTP", + "InstancePort": "AppHostPort" + } + ], + "Subnets": [ + "Subnet1" + ] + } + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway" + }, + "GatewayAttachment": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": "VPC", + "InternetGatewayId": "InternetGateway" + } + }, + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Essential": true, 
+ "Name": "AppName", + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": "10", + "PortMappings": [ + { + "ContainerPort": "AppContainerPort", + "HostPort": "AppHostPort" + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": "500" + }, + { + "Memory": "500", + "Command": [ + "/bin/sh -c \"while true; do /bin/date \u003e /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false, + "VolumesFrom": [ + { + "SourceContainer": "AppName" + } + ], + "Name": "busybox", + "Image": "busybox", + "Cpu": "10", + "EntryPoint": [ + "sh", + "-c" + ] + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol", + "EFSVolumeConfiguration": { + "TransitEncryption": "DISABLED", + "TransitEncryptionPort": 8080 + } + } + ] + } + }, + "VPC": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/24" + } + }, + "Subnet1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": "VPC", + "CidrBlock": "10.0.0.0/25" + } + }, + "Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Principal": { + "Service": "ecs.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Sid": "", + "Effect": "Allow" + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole" + ] + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="54" +{ + "Resources": { + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway" + }, + "GatewayAttachment": { + "Properties": { + "InternetGatewayId": "InternetGateway", + "VpcId": "VPC" + }, + "Type": "AWS::EC2::VPCGatewayAttachment" + }, + "Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "ecs.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ], + "Version": "2008-10-17T00:00:00Z" + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole" + ] + } + }, + "cluster": { + "Type": "AWS::ECS::Cluster" + }, + "service": { + "Type": "AWS::ECS::Service", + "Properties": { + "PlacementConstraints": [ + { + "Type": "memberOf", + "Expression": "attribute:ecs.availability-zone != us-east-1d" + }, + { + "Type": "distinctInstance" + } + ], + "ServiceName": "ServiceName", + "Role": "Role", + "Cluster": "cluster", + "DesiredCount": 0, + "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds", + "TaskDefinition": "taskdefinition1", + "DeploymentConfiguration": { + "MaximumPercent": 200, + "MinimumHealthyPercent": 100 + }, + "LoadBalancers": [ + { + "ContainerName": "AppName", + "ContainerPort": "AppContainerPort", + "LoadBalancerName": "elb" + } + ], + "PlacementStrategies": [ + { + "Type": "binpack", + "Field": "memory" + }, + { + "Type": "spread", + "Field": "host" + } + ] + } + }, + "elb": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "LoadBalancerName": "LoadBalancerName", + "Listeners": [ + { + "LoadBalancerPort": "80", + "Protocol": "HTTP", + "InstancePort": "AppHostPort" + } + ], + "Subnets": [ + "Subnet1" + ] + }, + "DependsOn": "GatewayAttachment" + }, + "VPC2": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/24" + } + }, + "Subnet1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + 
"VpcId": "VPC", + "CidrBlock": "10.0.0.0/25" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating ECS service +Parameters: + AppName: + Type: String + Description: Name of app requiring ELB exposure + Default: simple-app + AppContainerPort: + Type: Number + Description: Container port of app requiring ELB exposure + Default: '80' + AppHostPort: + Type: Number + Description: Host port of app requiring ELB exposure + Default: '80' + ServiceName: + Type: String + LoadBalancerName: + Type: String + HealthCheckGracePeriodSeconds: + Type: String +Resources: + cluster: + Type: AWS::ECS::Cluster + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: !Ref AppName + MountPoints: + - SourceVolume: my-vol + ContainerPath: /var/www/my-vol + Image: amazon/amazon-ecs-sample + Cpu: '10' + PortMappings: + - ContainerPort: !Ref AppContainerPort + HostPort: !Ref AppHostPort + EntryPoint: + - /usr/sbin/apache2 + - '-D' + - FOREGROUND + Memory: '500' + Essential: true + - Name: busybox + Image: busybox + Cpu: '10' + EntryPoint: + - sh + - '-c' + Memory: '500' + Command: + - >- + /bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep + 1; done" + Essential: false + VolumesFrom: + - SourceContainer: !Ref AppName + Volumes: + - Host: + SourcePath: /var/lib/docker/vfs/dir/ + Name: my-vol + EFSVolumeConfiguration: + TransitEncryption: ENABLED + TransitEncryptionPort: 8080 + + service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref cluster + DeploymentConfiguration: + MaximumPercent: 200 + MinimumHealthyPercent: 100 + DesiredCount: 0 + HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds + LoadBalancers: + - ContainerName: !Ref AppName + ContainerPort: !Ref AppContainerPort + LoadBalancerName: !Ref elb + PlacementStrategies: + - Type: binpack + Field: memory + - Type: spread + Field: host + PlacementConstraints: + - Type: memberOf + Expression: 
'attribute:ecs.availability-zone != us-east-1d' + - Type: distinctInstance + TaskDefinition: !Ref taskdefinition + ServiceName: !Ref ServiceName + Role: !Ref Role + elb: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + LoadBalancerName: !Ref LoadBalancerName + Listeners: + - InstancePort: !Ref AppHostPort + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: + - !Ref Subnet1 + DependsOn: GatewayAttachment + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/24 + Subnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.0.0/25 + InternetGateway: + Type: AWS::EC2::InternetGateway + GatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref VPC + Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: ecs.amazonaws.com + Action: 'sts:AssumeRole' + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' +Outputs: + Cluster: + Value: !Ref cluster +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating ECS service", + "Parameters": { + "HealthCheckGracePeriodSeconds": { + "Type": "String" + }, + "AppName": { + "Type": "String", + "Description": "Name of app requiring ELB exposure", + "Default": "simple-app" + }, + "AppContainerPort": { + "Type": "Number", + "Description": "Container port of app requiring ELB exposure", + "Default": "80" + }, + "AppHostPort": { + "Type": "Number", + "Description": "Host port of app requiring ELB exposure", + "Default": "80" + }, + "ServiceName": { + "Type": "String" + }, + "LoadBalancerName": { + "Type": "String" + } + }, + "Resources": { + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway" + }, + "GatewayAttachment": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": "InternetGateway", + "VpcId": "VPC" + } + }, + "Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "ecs.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole" + ] + } + }, + "cluster": { + "Type": "AWS::ECS::Cluster" + }, + "service": { + "Type": "AWS::ECS::Service", + "Properties": { + "DeploymentConfiguration": { + "MaximumPercent": 200, + "MinimumHealthyPercent": 100 + }, + "TaskDefinition": "taskdefinition", + "Role": "Role", + "LoadBalancers": [ + { + "ContainerName": "AppName", + "ContainerPort": "AppContainerPort", + "LoadBalancerName": "elb" + } + ], + "PlacementStrategies": [ + { + "Type": "binpack", + "Field": "memory" + }, + { + "Type": "spread", + "Field": "host" + } + ], + "PlacementConstraints": [ + { + "Type": "memberOf", + "Expression": "attribute:ecs.availability-zone != us-east-1d" + }, + { + "Type": "distinctInstance" + } + ], + "ServiceName": 
"ServiceName", + "Cluster": "cluster", + "DesiredCount": 0, + "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds" + } + }, + "elb": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "Subnets": [ + "Subnet1" + ], + "LoadBalancerName": "LoadBalancerName", + "Listeners": [ + { + "LoadBalancerPort": "80", + "Protocol": "HTTP", + "InstancePort": "AppHostPort" + } + ] + }, + "DependsOn": "GatewayAttachment" + }, + "VPC": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/24" + } + }, + "Subnet1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.0.0.0/25", + "VpcId": "VPC" + } + }, + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Image": "amazon/amazon-ecs-sample", + "Cpu": "10", + "PortMappings": [ + { + "HostPort": "AppHostPort", + "ContainerPort": "AppContainerPort" + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": "500", + "Essential": true, + "Name": "AppName", + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ] + }, + { + "Cpu": "10", + "EntryPoint": [ + "sh", + "-c" + ], + "Memory": "500", + "Command": [ + "/bin/sh -c \"while true; do /bin/date \u003e /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false, + "VolumesFrom": [ + { + "SourceContainer": "AppName" + } + ], + "Name": "busybox", + "Image": "busybox" + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol", + "EFSVolumeConfiguration": { + "TransitEncryption": "ENABLED", + "TransitEncryptionPort": 8080 + } + } + ] + } + } + }, + "Outputs": { + "Cluster": { + "Value": "cluster" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/6c8d51af-218d-4bfb-94a9-94eabaa0703a.md b/docs/queries/cloudformation-queries/aws/6c8d51af-218d-4bfb-94a9-94eabaa0703a.md new file mode 100644 index 00000000000..34cbf68f635 
--- /dev/null +++ b/docs/queries/cloudformation-queries/aws/6c8d51af-218d-4bfb-94a9-94eabaa0703a.md @@ -0,0 +1,107 @@ +--- +title: S3 Bucket Without Ignore Public ACL +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6c8d51af-218d-4bfb-94a9-94eabaa0703a +- **Query name:** S3 Bucket Without Ignore Public ACL +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_without_ignore_public_acl) + +### Description +S3 bucket without ignore public ACL
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 4 21" +Resources: + Bucket11: + Type: AWS::S3::Bucket + Properties: +--- +Resources: + Bucket12: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicPolicy : true + RestrictPublicBuckets : true +--- +Resources: + Bucket13: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: false + BlockPublicPolicy : true + IgnorePublicAcls : false + RestrictPublicBuckets : true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9" +{ + "Resources": { + "Bucket1": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": false, + "BlockPublicPolicy": true, + "IgnorePublicAcls": false, + "RestrictPublicBuckets": true + }, + "AccessControl": "Private" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + Bucket1: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls : true + BlockPublicPolicy : true + IgnorePublicAcls : true + RestrictPublicBuckets : true +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Bucket1": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "AccessControl": "Private" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/6d087495-2a42-4735-abf7-02ef5660a7e6.md b/docs/queries/cloudformation-queries/aws/6d087495-2a42-4735-abf7-02ef5660a7e6.md new file mode 100644 index 00000000000..44ff020d5d6 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/6d087495-2a42-4735-abf7-02ef5660a7e6.md @@ -0,0 +1,759 @@ +--- +title: EFS Without KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6d087495-2a42-4735-abf7-02ef5660a7e6 +- **Query name:** EFS Without KMS +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/efs_without_kms) + +### Description +Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="82" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create EFS system and Mount Targets for test VPC" +Parameters: + VPC: + Type: String + Description: The VPC identity + Default: vpc-ID + SubnetID1: + Type: String + Description: The subnet where to launch the service + Default: subnet-ID + SubnetID2: + Type: String + Description: the subnet where to Launch the service + Default: subnet-ID + SubnetID3: + Type: String + Description: The subnet where to launch the service + Default: subnet-ID + SubnetID4: + Type: String + Description: the subnet where to Launch the service + Default: subnet-ID +Resources: + EFSKMSKey: + Type: AWS::KMS::Key + Properties: + Description: "An example CMK with KMS" + KeyPolicy: + Version: "2012-10-17" + Id: "efs-default-key1" + Statement: + - Sid: "Allow administration of the key" + Effect: "Allow" + Principal: + AWS: "arn:aws:iam::999999999999:user/roger" + Action: + - "kms:Create*" + - "kms:Describe*" + - "kms:Enable*" + - "kms:List*" + - "kms:Put*" + - "kms:Update*" + - "kms:Revoke*" + - "kms:Disable*" + - "kms:Get*" + - "kms:Delete*" + - "kms:ScheduleKeyDeletion" + - "kms:CancelKeyDeletion" + Resource: "*" + - Sid: "Allow use of the key" + Effect: "Allow" + Principal: + AWS: "arn:aws:iam::999999999999:user/roger" + Action: + - "kms:DescribeKey" + - "kms:Encrypt" + - "kms:Decrypt" + - "kms:ReEncrypt*" + - "kms:GenerateDataKey" + - "kms:GenerateDataKeyWithoutPlaintext" + Resource: "*" + EFSSecurityGroup: + Type: "AWS::EC2::SecurityGroup" + Properties: + GroupDescription: "security group for the prod EFS" + GroupName: "test-EFS-SG" + VpcId: !Ref VPC + SecurityGroupIngress: + - SourceSecurityGroupId: sg-ID + Description: "servers to connect to efs" + FromPort: 2049 + IpProtocol: "tcp" + 
ToPort: 2049 + Tags: + - Key: Environment + Value: prod + - Key: Name + Value: test-VPC-EFS-SG + - Key: Project + Value: ITEngineering + EFSFileSystem01: + Type: AWS::EFS::FileSystem + Properties: + BackupPolicy: + Status: ENABLED + Encrypted: false + LifecyclePolicies: + - TransitionToIA: AFTER_60_DAYS + PerformanceMode: generalPurpose + ThroughputMode: bursting + FileSystemTags: + - Key: Environment + Value: prod + - Key: Name + Value: test-VPC-EFS + - Key: Project + Value: ITEngineering + MountTarget1: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID1 + MountTarget2: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID2 + MountTarget3: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID3 + MountTarget4: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID4 +Outputs: + EFS: + Description: The created EFS + Value: !Ref EFSFileSystem01 + EFSMountTarget1: + Description: The EFS MountTarget1 + Value: !Ref MountTarget1 + EFSMountTarget2: + Description: The EFS MountTarget2 + Value: !Ref MountTarget2 + EFSMountTarget3: + Description: The EFS MountTarget3 + Value: !Ref MountTarget3 + EFSMountTarget4: + Description: The EFS MountTarget4 + Value: !Ref MountTarget4 + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="157" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create EFS system and Mount Targets for test VPC", + "Parameters": { + "VPC": { + "Type": "String", + "Description": "The VPC identity", + "Default": "vpc-ID" + }, + "SubnetID1": { + "Type": "String", + "Description": "The subnet where to launch the service", + "Default": "subnet-ID" + }, + "SubnetID2": { + "Default": "subnet-ID", + "Type": "String", + "Description": "the subnet where to Launch the service" + }, + "SubnetID3": { + "Description": "The subnet where to launch the service", + "Default": "subnet-ID", + "Type": "String" + }, + "SubnetID4": { + "Type": "String", + "Description": "the subnet where to Launch the service", + "Default": "subnet-ID" + } + }, + "Resources": { + "MountTarget1": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID1" + } + }, + "MountTarget2": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID2" + } + }, + "MountTarget3": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID3" + } + }, + "MountTarget4": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID4" + } + }, + "EFSKMSKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "Description": "An example CMK with KMS", + "KeyPolicy": { + "Version": "2012-10-17", + "Id": "efs-default-key1", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::999999999999:user/roger" + }, + "Action": [ + "kms:Create*", + "kms:Describe*", 
+ "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" + ], + "Resource": "*", + "Sid": "Allow administration of the key" + }, + { + "Action": [ + "kms:DescribeKey", + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "Resource": "*", + "Sid": "Allow use of the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::999999999999:user/roger" + } + } + ] + } + } + }, + "EFSSecurityGroup": { + "Properties": { + "SecurityGroupIngress": [ + { + "SourceSecurityGroupId": "sg-ID", + "Description": "servers to connect to efs", + "FromPort": 2049, + "IpProtocol": "tcp", + "ToPort": 2049 + } + ], + "Tags": [ + { + "Key": "Environment", + "Value": "prod" + }, + { + "Value": "test-VPC-EFS-SG", + "Key": "Name" + }, + { + "Key": "Project", + "Value": "ITEngineering" + } + ], + "GroupDescription": "security group for the prod EFS", + "GroupName": "test-EFS-SG", + "VpcId": "VPC" + }, + "Type": "AWS::EC2::SecurityGroup" + }, + "EFSFileSystem01": { + "Type": "AWS::EFS::FileSystem", + "Properties": { + "LifecyclePolicies": [ + { + "TransitionToIA": "AFTER_60_DAYS" + } + ], + "PerformanceMode": "generalPurpose", + "ThroughputMode": "bursting", + "FileSystemTags": [ + { + "Key": "Environment", + "Value": "prod" + }, + { + "Key": "Name", + "Value": "test-VPC-EFS" + }, + { + "Key": "Project", + "Value": "ITEngineering" + } + ], + "BackupPolicy": { + "Status": "ENABLED" + }, + "Encrypted": false + } + } + }, + "Outputs": { + "EFSMountTarget2": { + "Description": "The EFS MountTarget2", + "Value": "MountTarget2" + }, + "EFSMountTarget3": { + "Description": "The EFS MountTarget3", + "Value": "MountTarget3" + }, + "EFSMountTarget4": { + "Value": "MountTarget4", + "Description": "The EFS MountTarget4" + }, + "EFS": { + "Description": "The created EFS", + "Value": "EFSFileSystem01" + 
}, + "EFSMountTarget1": { + "Description": "The EFS MountTarget1", + "Value": "MountTarget1" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create EFS system and Mount Targets for test VPC" +Parameters: + VPC: + Type: String + Description: The VPC identity + Default: vpc-ID + SubnetID1: + Type: String + Description: The subnet where to launch the service + Default: subnet-ID + SubnetID2: + Type: String + Description: the subnet where to Launch the service + Default: subnet-ID + SubnetID3: + Type: String + Description: The subnet where to launch the service + Default: subnet-ID + SubnetID4: + Type: String + Description: the subnet where to Launch the service + Default: subnet-ID +Resources: + EFSKMSKey: + Type: AWS::KMS::Key + Properties: + Description: "An example CMK with KMS" + KeyPolicy: + Version: "2012-10-17" + Id: "efs-default-key1" + Statement: + - Sid: "Allow administration of the key" + Effect: "Allow" + Principal: + AWS: "arn:aws:iam::999999999999:user/roger" + Action: + - "kms:Create*" + - "kms:Describe*" + - "kms:Enable*" + - "kms:List*" + - "kms:Put*" + - "kms:Update*" + - "kms:Revoke*" + - "kms:Disable*" + - "kms:Get*" + - "kms:Delete*" + - "kms:ScheduleKeyDeletion" + - "kms:CancelKeyDeletion" + Resource: "*" + - Sid: "Allow use of the key" + Effect: "Allow" + Principal: + AWS: "arn:aws:iam::999999999999:user/roger" + Action: + - "kms:DescribeKey" + - "kms:Encrypt" + - "kms:Decrypt" + - "kms:ReEncrypt*" + - "kms:GenerateDataKey" + - "kms:GenerateDataKeyWithoutPlaintext" + Resource: "*" + EFSSecurityGroup: + Type: "AWS::EC2::SecurityGroup" + Properties: + GroupDescription: "security group for the prod EFS" + GroupName: "test-EFS-SG" + VpcId: !Ref VPC + SecurityGroupIngress: + - SourceSecurityGroupId: sg-ID + Description: "servers to connect to efs" + FromPort: 2049 + IpProtocol: "tcp" + ToPort: 2049 + Tags: + - Key: 
Environment + Value: prod + - Key: Name + Value: test-VPC-EFS-SG + - Key: Project + Value: ITEngineering + EFSFileSystem01: + Type: AWS::EFS::FileSystem + Properties: + BackupPolicy: + Status: ENABLED + Encrypted: false + KmsKeyId: !Ref EFSKMSKey + LifecyclePolicies: + - TransitionToIA: AFTER_60_DAYS + PerformanceMode: generalPurpose + ThroughputMode: bursting + FileSystemTags: + - Key: Environment + Value: prod + - Key: Name + Value: test-VPC-EFS + - Key: Project + Value: ITEngineering + MountTarget1: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID1 + MountTarget2: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID2 + MountTarget3: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID3 + MountTarget4: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: !Ref EFSFileSystem01 + IpAddress: "*.*.*.*" + SecurityGroups: + - !Ref EFSSecurityGroup + SubnetId: !Ref SubnetID4 +Outputs: + EFS: + Description: The created EFS + Value: !Ref EFSFileSystem01 + EFSMountTarget1: + Description: The EFS MountTarget1 + Value: !Ref MountTarget1 + EFSMountTarget2: + Description: The EFS MountTarget2 + Value: !Ref MountTarget2 + EFSMountTarget3: + Description: The EFS MountTarget3 + Value: !Ref MountTarget3 + EFSMountTarget4: + Description: The EFS MountTarget4 + Value: !Ref MountTarget4 + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create EFS system and Mount Targets for test VPC", + "Parameters": { + "VPC": { + "Type": "String", + "Description": "The VPC identity", + "Default": "vpc-ID" + }, + "SubnetID1": { + "Description": "The subnet where to launch the service", + "Default": "subnet-ID", + "Type": "String" + }, + "SubnetID2": { + "Type": "String", + "Description": "the subnet where to Launch the service", + "Default": "subnet-ID" + }, + "SubnetID3": { + "Type": "String", + "Description": "The subnet where to launch the service", + "Default": "subnet-ID" + }, + "SubnetID4": { + "Type": "String", + "Description": "the subnet where to Launch the service", + "Default": "subnet-ID" + } + }, + "Resources": { + "EFSKMSKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "Description": "An example CMK with KMS", + "KeyPolicy": { + "Version": "2012-10-17", + "Id": "efs-default-key1", + "Statement": [ + { + "Sid": "Allow administration of the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::999999999999:user/roger" + }, + "Action": [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::999999999999:user/roger" + }, + "Action": [ + "kms:DescribeKey", + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "Resource": "*", + "Sid": "Allow use of the key" + } + ] + } + } + }, + "EFSSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "Tags": [ + { + "Key": "Environment", + "Value": "prod" + }, + { + "Key": "Name", + "Value": "test-VPC-EFS-SG" + }, + { + "Value": "ITEngineering", + "Key": "Project" + } + ], + "GroupDescription": "security group for the prod 
EFS", + "GroupName": "test-EFS-SG", + "VpcId": "VPC", + "SecurityGroupIngress": [ + { + "SourceSecurityGroupId": "sg-ID", + "Description": "servers to connect to efs", + "FromPort": 2049, + "IpProtocol": "tcp", + "ToPort": 2049 + } + ] + } + }, + "EFSFileSystem01": { + "Type": "AWS::EFS::FileSystem", + "Properties": { + "BackupPolicy": { + "Status": "ENABLED" + }, + "Encrypted": false, + "KmsKeyId": "EFSKMSKey", + "LifecyclePolicies": [ + { + "TransitionToIA": "AFTER_60_DAYS" + } + ], + "PerformanceMode": "generalPurpose", + "ThroughputMode": "bursting", + "FileSystemTags": [ + { + "Key": "Environment", + "Value": "prod" + }, + { + "Key": "Name", + "Value": "test-VPC-EFS" + }, + { + "Key": "Project", + "Value": "ITEngineering" + } + ] + } + }, + "MountTarget1": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID1" + } + }, + "MountTarget2": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ], + "SubnetId": "SubnetID2" + } + }, + "MountTarget3": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "SubnetId": "SubnetID3", + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ] + } + }, + "MountTarget4": { + "Type": "AWS::EFS::MountTarget", + "Properties": { + "SubnetId": "SubnetID4", + "FileSystemId": "EFSFileSystem01", + "IpAddress": "*.*.*.*", + "SecurityGroups": [ + "EFSSecurityGroup" + ] + } + } + }, + "Outputs": { + "EFSMountTarget2": { + "Description": "The EFS MountTarget2", + "Value": "MountTarget2" + }, + "EFSMountTarget3": { + "Description": "The EFS MountTarget3", + "Value": "MountTarget3" + }, + "EFSMountTarget4": { + "Description": "The EFS MountTarget4", + "Value": "MountTarget4" + }, + "EFS": { + "Description": "The created EFS", + "Value": 
"EFSFileSystem01" + }, + "EFSMountTarget1": { + "Description": "The EFS MountTarget1", + "Value": "MountTarget1" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/6d64f311-3da6-45f3-80f1-14db9771ea40.md b/docs/queries/cloudformation-queries/aws/6d64f311-3da6-45f3-80f1-14db9771ea40.md new file mode 100644 index 00000000000..c9e41f44c4a --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/6d64f311-3da6-45f3-80f1-14db9771ea40.md @@ -0,0 +1,157 @@ +--- +title: Permissive Web ACL Default Action +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6d64f311-3da6-45f3-80f1-14db9771ea40 +- **Query name:** Permissive Web ACL Default Action +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/webacl_allow_defaultaction) + +### Description +WebAcl DefaultAction should not be ALLOW
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-webacl.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+#this is a problematic code where the query should report a result(s)
+Resources:
+ MyWebACL:
+ Type: "AWS::WAF::WebACL"
+ Properties:
+ Name: "WebACL to with three rules"
+ DefaultAction:
+ Type: "ALLOW"
+ MetricName: "MyWebACL"
+ Rules:
+ -
+ Action:
+ Type: "BLOCK"
+ Priority: 1
+ RuleId:
+ Ref: "MyRule"
+ -
+ Action:
+ Type: "BLOCK"
+ Priority: 2
+ RuleId:
+ Ref: "BadReferersRule"
+ -
+ Action:
+ Type: "BLOCK"
+ Priority: 3
+ RuleId:
+ Ref: "SqlInjRule"
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="8"
+{
+ "Resources": {
+ "MyWebACL": {
+ "Type": "AWS::WAF::WebACL",
+ "Properties": {
+ "Name": "WebACL to with three rules",
+ "DefaultAction": {
+ "Type": "ALLOW"
+ },
+ "MetricName": "MyWebACL",
+ "Rules": [
+ {
+ "Action": {
+ "Type": "BLOCK"
+ },
+ "Priority": 1,
+ "RuleId": {
+ "Ref": "MyRule"
+ }
+ },
+ {
+ "RuleId": {
+ "Ref": "BadReferersRule"
+ },
+ "Action": {
+ "Type": "BLOCK"
+ },
+ "Priority": 2
+ },
+ {
+ "RuleId": {
+ "Ref": "SqlInjRule"
+ },
+ "Action": {
+ "Type": "BLOCK"
+ },
+ "Priority": 3
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+#this code is a correct code for which the query should not find any result
+Resources:
+ MyWebACL:
+ Type: "AWS::WAF::WebACL"
+ Properties:
+ Name: "WebACL to with one rule"
+ DefaultAction:
+ Type: "BLOCK"
+ MetricName: "MyWebACL"
+ Rules:
+ -
+ Action:
+ Type: "ALLOW"
+ Priority: 1
+ RuleId:
+ Ref: "MyRule"
+
+```
+```json title="Negative test num. 
2 - json file"
+{
+ "Resources": {
+ "MyWebACL": {
+ "Type": "AWS::WAF::WebACL",
+ "Properties": {
+ "Name": "WebACL to with one rule",
+ "DefaultAction": {
+ "Type": "BLOCK"
+ },
+ "MetricName": "MyWebACL",
+ "Rules": [
+ {
+ "Action": {
+ "Type": "ALLOW"
+ },
+ "Priority": 1,
+ "RuleId": {
+ "Ref": "MyRule"
+ }
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md b/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md
new file mode 100644
index 00000000000..572c3e9a850
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md
@@ -0,0 +1,169 @@
+---
+title: Security Group With Unrestricted Access To SSH
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6e856af2-62d7-4ba2-adc1-73b62cef9cc1
+- **Query name:** Security Group With Unrestricted Access To SSH
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_groups_with_unrestricted_access_to_ssh)
+
+### Description
+'SSH' (TCP:22) should not be public in AWS Security Group
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="15"
+Resources:
+ Ec2Instance:
+ Type: 'AWS::EC2::Instance'
+ Properties:
+ SecurityGroups:
+ - !Ref InstanceSecurityGroup
+ KeyName: mykey
+ ImageId: ''
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 22
+ ToPort: 22
+ CidrIp: 0.0.0.0/0
+ SecurityGroupEgress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 0.0.0.0/0
+```
+```json title="Postitive test num. 2 - json file" hl_lines="27"
+{
+ "Resources": {
+ "Ec2Instance": {
+ "Type": "AWS::EC2::Instance",
+ "Properties": {
+ "ImageId": "",
+ "SecurityGroups": [
+ "InstanceSecurityGroup"
+ ],
+ "KeyName": "mykey"
+ }
+ },
+ "InstanceSecurityGroup": {
+ "Properties": {
+ "SecurityGroupEgress": [
+ {
+ "IpProtocol": "tcp",
+ "FromPort": 80,
+ "ToPort": 80,
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "GroupDescription": "Allow http to client host",
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "ToPort": 22,
+ "CidrIp": "0.0.0.0/0",
+ "IpProtocol": "tcp",
+ "FromPort": 22
+ }
+ ]
+ },
+ "Type": "AWS::EC2::SecurityGroup"
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file"
+Resources:
+ Ec2Instance:
+ Type: 'AWS::EC2::Instance'
+ Properties:
+ SecurityGroups:
+ - !Ref InstanceSecurityGroup
+ KeyName: mykey
+ ImageId: ''
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 127.0.0.1/32
+ SecurityGroupEgress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 127.0.0.1/33
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "InstanceSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "Allow http to client host",
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "FromPort": 80,
+ "ToPort": 80,
+ "CidrIp": "127.0.0.1/32",
+ "IpProtocol": "tcp"
+ }
+ ],
+ "SecurityGroupEgress": [
+ {
+ "IpProtocol": "tcp",
+ "FromPort": 80,
+ "ToPort": 80,
+ "CidrIp": "127.0.0.1/33"
+ }
+ ]
+ }
+ },
+ "Ec2Instance": {
+ "Type": "AWS::EC2::Instance",
+ "Properties": {
+ "SecurityGroups": [
+ "InstanceSecurityGroup"
+ ],
+ "KeyName": "mykey",
+ "ImageId": ""
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md b/docs/queries/cloudformation-queries/aws/6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md
new file mode 100644
index 00000000000..f4b803411ec
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d.md 
@@ -0,0 +1,93 @@
+---
+title: SDB Domain Declared As A Resource
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6ea57c8b-f9c0-4ec7-bae3-bd75a9dee27d
+- **Query name:** SDB Domain Declared As A Resource
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Resource Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sdb_domain_declared_as_a_resource)
+
+### Description
+SimpleDB Domain resource should not be declared
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-simpledb.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "SDB Domain declared"
+Resources:
+ HostedZone:
+ Type: AWS::Route53::HostedZone
+ Properties:
+ Name: "HostedZone"
+ SBDDomain:
+ Type: AWS::SDB::Domain
+ Properties:
+ Description: "Some information"
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="11"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "SDB Domain declared",
+ "Resources": {
+ "HostedZone": {
+ "Type": "AWS::Route53::HostedZone",
+ "Properties": {
+ "Name": "HostedZone"
+ }
+ },
+ "SBDDomain": {
+ "Type": "AWS::SDB::Domain",
+ "Properties": {
+ "Description": "Some information"
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "SDB Domain declared"
+Resources:
+ HostedZone:
+ Type: AWS::Route53::HostedZone
+ Properties:
+ Name: "HostedZone"
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "SDB Domain declared",
+ "Resources": {
+ "HostedZone": {
+ "Type": "AWS::Route53::HostedZone",
+ "Properties": {
+ "Name": "HostedZone"
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/6ef03ff6-a2bd-483c-851f-631f248bc0ea.md b/docs/queries/cloudformation-queries/aws/6ef03ff6-a2bd-483c-851f-631f248bc0ea.md
new file mode 100644
index 00000000000..60c5761ecc4
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/6ef03ff6-a2bd-483c-851f-631f248bc0ea.md 
@@ -0,0 +1,293 @@
+---
+title: BOM - AWS RDS
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6ef03ff6-a2bd-483c-851f-631f248bc0ea
+- **Query name:** BOM - AWS RDS
+- **Platform:** CloudFormation
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/rds)
+
+### Description
+A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "DBInstanceSample1":{ + "Type": "AWS::RDS::DBInstance", + "Properties": { + "Engine": "oracle-ee", + "DBSubnetGroupName": "DBSubnetGroupSample1", + "StorageEncrypted": false + } + }, + "VPCGatewayAttachmentSample1": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": "", + "VpcId": "VPCSample1", + "VpnGatewayId": "" + } + }, + "SubnetSample1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.16.1.0/24", + "VpcId": { + "Ref": "VPCSample1" + } + } + }, + "DBSubnetGroupSample1": { + "Type": "AWS::RDS::DBSubnetGroup", + "Properties": { + "SubnetIds": [ + { + "Ref": "SubnetSample1" + } + ] + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="4 14" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "DBInstanceSample2":{ + "Type": "AWS::RDS::DBInstance", + "Properties": { + "Engine": "oracle-ee", + "DBSubnetGroupName": "DBSubnetGroupSample2", + "SourceDBInstanceIdentifier": { + "Ref":"DBInstanceRefSample2" + } + } + }, + "DBInstanceRefSample2":{ + "Type": "AWS::RDS::DBInstance", + "Properties": { + "Engine": "oracle-ee", + "DBSubnetGroupName": "DBSubnetGroupSample2", + "StorageEncrypted": false + } + }, + "SubnetSample2": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.16.1.0/24", + "VpcId": { + "Ref": "VPCSample2" + } + } + }, + "DBSubnetGroupSample2": { + "Type": "AWS::RDS::DBSubnetGroup", + "Properties": { + "SubnetIds": [ + { + "Ref": "SubnetSample2" + } + ] + } + } + } +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="4 14" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "DBInstanceSample3":{ + "Type": "AWS::RDS::DBInstance", + "Properties": { + "Engine": "oracle-ee", + "DBSubnetGroupName": "DBSubnetGroupSample3", + "SnapshotIdentifier": { + "Ref":"DBInstanceRefSample3" + } + } + }, + "DBInstanceRefSample3":{ + "Type": "AWS::RDS::DBInstance", + "Properties": { + "Engine": "oracle-ee", + "DBSubnetGroupName": "DBSubnetGroupSample3", + "StorageEncrypted": true + } + }, + "SubnetSample3": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "172.16.1.0/24", + "VpcId": { + "Ref": "VPCSample3" + } + } + }, + "DBSubnetGroupSample3": { + "Type": "AWS::RDS::DBSubnetGroup", + "Properties": { + "SubnetIds": [ + { + "Ref": "SubnetSample3" + } + ] + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="3" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + DBInstanceSample4: + Type: AWS::RDS::DBInstance + Properties: + Engine: aurora + PubliclyAccessible: true + DBClusterIdentifier: DBClusterSample4 + DBClusterSample4: + Type: 'AWS::RDS::DBCluster' + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + StorageEncrypted: true + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="3" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + DBInstanceSample5: + Type: AWS::RDS::DBInstance + Properties: + Engine: aurora + PubliclyAccessible: true + DBClusterIdentifier: DBClusterSample5 + DBClusterSample5: + Type: 'AWS::RDS::DBCluster' + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + SourceDBClusterIdentifier: !Ref DBClusterSampleRef5 + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + DBClusterSampleRef5: + Type: 'AWS::RDS::DBCluster' + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + StorageEncrypted: true + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="3" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + DBInstanceSample6: + Type: AWS::RDS::DBInstance + Properties: + Engine: aurora + PubliclyAccessible: true + DBClusterIdentifier: DBClusterSample6 + DBClusterSample6: + Type: 'AWS::RDS::DBCluster' + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + SnapshotIdentifier: !Ref DBClusterSampleRef6 + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + DBClusterSampleRef6: + Type: 'AWS::RDS::DBCluster' + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + StorageEncrypted: true + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + +``` diff --git a/docs/queries/cloudformation-queries/aws/709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md b/docs/queries/cloudformation-queries/aws/709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md new file mode 100644 index 00000000000..3c4ac5ea36b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/709e6da6-fa1f-44cc-8f17-7f25f96dadbe.md @@ -0,0 +1,252 @@ +--- +title: SageMaker Data Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 709e6da6-fa1f-44cc-8f17-7f25f96dadbe +- **Query name:** SageMaker Data Encryption Disabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sagemaker_data_encryption_disabled) + +### Description +Amazon SageMaker's Notebook Instance must have its Data Encryption enabled, which means the attribute 'KmsKeyId' must be defined not empty or null.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sagemaker-notebookinstance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="20 6" +#this is a problematic code where the query should report a result(s) +Description: "Basic NotebookInstance test update to a different instance type" +Resources: + BasicNotebookInstance: + Type: "AWS::SageMaker::NotebookInstance" + Properties: + InstanceType: "ml.t2.large" + RoleArn: !GetAtt ExecutionRole.Arn + BasicNotebookInstance2: + Type: "AWS::SageMaker::NotebookInstance" + Properties: + InstanceType: "ml.t2.large" + RoleArn: !GetAtt ExecutionRole.Arn + KmsKeyId: 'some-kms-key' + BasicNotebookInstance3: + Type: "AWS::SageMaker::NotebookInstance" + Properties: + InstanceType: "ml.t2.large" + RoleArn: !GetAtt ExecutionRole.Arn + KmsKeyId : "" + ExecutionRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Principal: + Service: + - "sagemaker.amazonaws.com" + Action: + - "sts:AssumeRole" + Path: "/" + Policies: + - + PolicyName: "root" + PolicyDocument: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Action: "*" + Resource: "*" +Outputs: + BasicNotebookInstanceId: + Value: !Ref BasicNotebookInstance + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="16 59" +{ + "Description": "Basic NotebookInstance test update to a different instance type", + "Resources": { + "BasicNotebookInstance2": { + "Type": "AWS::SageMaker::NotebookInstance", + "Properties": { + "RoleArn": "ExecutionRole.Arn", + "KmsKeyId": "some-kms-key", + "InstanceType": "ml.t2.large" + } + }, + "BasicNotebookInstance3": { + "Properties": { + "InstanceType": "ml.t2.large", + "RoleArn": "ExecutionRole.Arn", + "KmsKeyId": "" + }, + "Type": "AWS::SageMaker::NotebookInstance" + }, + "ExecutionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "sagemaker.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + }, + "PolicyName": "root" + } + ] + } + }, + "BasicNotebookInstance": { + "Type": "AWS::SageMaker::NotebookInstance", + "Properties": { + "InstanceType": "ml.t2.large", + "RoleArn": "ExecutionRole.Arn" + } + } + }, + "Outputs": { + "BasicNotebookInstanceId": { + "Value": "BasicNotebookInstance" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +Description: "Basic NotebookInstance test update to a different instance type" +Resources: + BasicNotebookInstance: + Type: "AWS::SageMaker::NotebookInstance" + Properties: + InstanceType: "ml.t2.large" + RoleArn: !GetAtt ExecutionRole.Arn + KmsKeyId: "Key" + ExecutionRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Principal: + Service: + - "sagemaker.amazonaws.com" + Action: + - "sts:AssumeRole" + Path: "/" + Policies: + - + PolicyName: "root" + PolicyDocument: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Action: "*" + Resource: "*" +Outputs: + BasicNotebookInstanceId: + Value: !Ref BasicNotebookInstance +``` +```json title="Negative test num. 2 - json file" +{ + "Description": "Basic NotebookInstance test update to a different instance type", + "Resources": { + "ExecutionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "sagemaker.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + } + } + ] + } + }, + "BasicNotebookInstance": { + "Type": "AWS::SageMaker::NotebookInstance", + "Properties": { + "RoleArn": "ExecutionRole.Arn", + "KmsKeyId": "Key", + "InstanceType": "ml.t2.large" + } + } + }, + "Outputs": { + "BasicNotebookInstanceId": { + "Value": "BasicNotebookInstance" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/71493c8b-3014-404c-9802-078b74496fb7.md b/docs/queries/cloudformation-queries/aws/71493c8b-3014-404c-9802-078b74496fb7.md new file mode 100644 index 00000000000..5f9d00a3861 
--- /dev/null +++ b/docs/queries/cloudformation-queries/aws/71493c8b-3014-404c-9802-078b74496fb7.md @@ -0,0 +1,350 @@ +--- +title: Amplify App Basic Auth Config Password Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 71493c8b-3014-404c-9802-078b74496fb7 +- **Query name:** Amplify App Basic Auth Config Password Exposed +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed) + +### Description +Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-amplify-app-basicauthconfig.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + NewAmpApp-1: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + BasicAuthConfig: + EnableBasicAuth: true + Password: "@skdsjdk0234!AB" + Username: admin + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + ParentPassword: + Description: 'Password' + Type: String + Default: "@skdsjdk0234!AB" + ParentUsername: + Description: 'Username' + Type: String + Default: "" +Resources: + NewAmpApp-4: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + BasicAuthConfig: + EnableBasicAuth: true + Password: !Ref ParentPassword + Username: !Ref ParentUsername + +``` +```json title="Postitive test num. 3 - json file" hl_lines="12" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "NewAmpApp-1": { + "Type": "AWS::Amplify::App", + "Properties": { + "OauthToken": "String", + "Repository": "String", + "BasicAuthConfig": { + "Username": "admin", + "EnableBasicAuth": true, + "Password": "@skdsjdk0234!AB" + }, + "CustomHeaders": "String", + "Description": "String", + "Name": "NewAmpApp", + "BuildSpec": "String", + "EnableBranchAutoDeletion": true, + "IAMServiceRole": "String" + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="12" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Parameters": { + "ParentUsername": { + "Description": "Username", + "Type": "String", + "Default": "" + }, + "ParentPassword": { + "Description": "Password", + "Type": "String", + "Default": "@skdsjdk0234!AB" + } + }, + "Resources": { + "NewAmpApp-4": { + "Type": "AWS::Amplify::App", + "Properties": { + "CustomHeaders": "String", + "EnableBranchAutoDeletion": true, + "IAMServiceRole": "String", + "OauthToken": "String", + "Repository": "String", + "BuildSpec": "String", + "Description": "String", + "Name": "NewAmpApp", + "BasicAuthConfig": { + "Password": "ParentPassword", + "Username": "ParentUsername", + "EnableBasicAuth": true + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + NewAmpApp-2: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + BasicAuthConfig : + EnableBasicAuth: true + Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + Username: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}' + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username": "admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +```yaml title="Negative test num. 2 - yaml file" +Parameters: + ParentPassword: + Description: 'Password' + Type: String + ParentUsername: + Description: 'Username' + Type: String +Resources: + NewAmpApp-1: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + BasicAuthConfig: + EnableBasicAuth: true + Password: !Ref ParentPassword + Username: !Ref ParentUsername + + +``` +```yaml title="Negative test num. 3 - yaml file" +Parameters: + ParentPassword: + Description: 'Password' + Type: String + Default: "" + ParentUsername: + Description: 'Username' + Type: String + Default: "" +Resources: + NewAmpApp-4: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + BasicAuthConfig: + EnableBasicAuth: true + Password: !Ref ParentPassword + Username: !Ref ParentUsername + +``` +
Negative test num. 4 - json file
+
+```json
+{
+ "Resources": {
+ "MyAmpAppSecretManagerRotater": {
+ "Type": "AWS::SecretsManager::Secret",
+ "Properties": {
+ "GenerateSecretString": {
+ "PasswordLength": 16,
+ "ExcludeCharacters": "\"@/\\",
+ "SecretStringTemplate": "{\"username\": \"admin\"}",
+ "GenerateStringKey": "password"
+ },
+ "Description": "This is my amp app instance secret"
+ }
+ },
+ "NewAmpApp-2": {
+ "Type": "AWS::Amplify::App",
+ "Properties": {
+ "BasicAuthConfig": {
+ "EnableBasicAuth": true,
+ "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
+ "Username": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}"
+ },
+ "Description": "String",
+ "EnableBranchAutoDeletion": true,
+ "IAMServiceRole": "String",
+ "Name": "NewAmpApp",
+ "BuildSpec": "String",
+ "CustomHeaders": "String",
+ "OauthToken": "String",
+ "Repository": "String"
+ }
+ }
+ }
+}
+
+```
+
+
Negative test num. 5 - json file
+
+```json
+{
+ "Resources": {
+ "NewAmpApp-1": {
+ "Type": "AWS::Amplify::App",
+ "Properties": {
+ "BasicAuthConfig": {
+ "EnableBasicAuth": true,
+ "Password": "ParentPassword",
+ "Username": "ParentUsername"
+ },
+ "BuildSpec": "String",
+ "Name": "NewAmpApp",
+ "OauthToken": "String",
+ "Repository": "String",
+ "CustomHeaders": "String",
+ "Description": "String",
+ "EnableBranchAutoDeletion": true,
+ "IAMServiceRole": "String"
+ }
+ }
+ },
+ "Parameters": {
+ "ParentPassword": {
+ "Description": "Password",
+ "Type": "String"
+ },
+ "ParentUsername": {
+ "Description": "Username",
+ "Type": "String"
+ }
+ }
+}
+
+```
+
+
Negative test num. 6 - json file
+
+```json
+{
+ "Parameters": {
+ "ParentPassword": {
+ "Description": "Password",
+ "Type": "String",
+ "Default": ""
+ },
+ "ParentUsername": {
+ "Description": "Username",
+ "Type": "String",
+ "Default": ""
+ }
+ },
+ "Resources": {
+ "NewAmpApp-4": {
+ "Type": "AWS::Amplify::App",
+ "Properties": {
+ "BuildSpec": "String",
+ "Description": "String",
+ "EnableBranchAutoDeletion": true,
+ "Repository": "String",
+ "BasicAuthConfig": {
+ "EnableBasicAuth": true,
+ "Password": "ParentPassword",
+ "Username": "ParentUsername"
+ },
+ "CustomHeaders": "String",
+ "IAMServiceRole": "String",
+ "Name": "NewAmpApp",
+ "OauthToken": "String"
+ }
+ }
+ }
+}
+
+```
+
diff --git a/docs/queries/cloudformation-queries/aws/73980e43-f399-4fcc-a373-658228f7adf7.md b/docs/queries/cloudformation-queries/aws/73980e43-f399-4fcc-a373-658228f7adf7.md
new file mode 100644
index 00000000000..c4760a74619
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/73980e43-f399-4fcc-a373-658228f7adf7.md
@@ -0,0 +1,344 @@
+---
+title: Amplify App Access Token Exposed
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 73980e43-f399-4fcc-a373-658228f7adf7
+- **Query name:** Amplify App Access Token Exposed
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Secret Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/amplify_app_access_token_exposed)
+
+### Description
+Amplify App Access Token must not be in a plain text string or referenced in a parameter as a default value.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amplify-app.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + NewAmpApp: + Type: AWS::Amplify::App + Properties: + AccessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: True + IAMServiceRole: String + Name: String + OauthToken: String + Repository: String + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + ParentAccessToken: + Description: 'Access Token' + Type: String + Default: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ' +Resources: + AmpApp: + Type: AWS::Amplify::App + Properties: + AccessToken: !Ref ParentAccessToken + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + ParentUserToken: + Description: 'UserToken' + Type: String +Resources: + NewApp: + Type: AWS::Amplify::App + Properties: + AccessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + +``` +
Postitive test num. 4 - json file
+
+```json hl_lines="11"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Resources": {
+ "NewAmpApp": {
+ "Type": "AWS::Amplify::App",
+ "Properties": {
+ "EnableBranchAutoDeletion": true,
+ "IAMServiceRole": "String",
+ "OauthToken": "String",
+ "Repository": "String",
+ "AccessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ",
+ "CustomHeaders": "String",
+ "Name": "String",
+ "BuildSpec": "String",
+ "Description": "String"
+ }
+ }
+ }
+}
+
+```
+
+
Postitive test num. 5 - json file
+
+```json hl_lines="7"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Parameters": {
+ "ParentAccessToken": {
+ "Description": "Access Token",
+ "Type": "String",
+ "Default": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ"
+ }
+ },
+ "Resources": {
+ "AmpApp": {
+ "Type": "AWS::Amplify::App",
+ "Properties": {
+ "OauthToken": "String",
+ "AccessToken": "ParentAccessToken",
+ "Description": "String",
+ "EnableBranchAutoDeletion": true,
+ "IAMServiceRole": "String",
+ "BuildSpec": "String",
+ "CustomHeaders": "String",
+ "Name": "NewAmpApp",
+ "Repository": "String"
+ }
+ }
+ }
+}
+
+```
+
+
Postitive test num. 6 - json file
+
+```json hl_lines="9"
+{
+ "Resources": {
+ "NewApp": {
+ "Type": "AWS::Amplify::App",
+ "Properties": {
+ "EnableBranchAutoDeletion": true,
+ "IAMServiceRole": "String",
+ "Name": "NewAmpApp",
+ "AccessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjJ9.tbDepxpstvGdW8TC3G8zg4B6rUYAOvfzdceoH48wgRQ",
+ "CustomHeaders": "String",
+ "Description": "String",
+ "OauthToken": "String",
+ "Repository": "String",
+ "BuildSpec": "String"
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Parameters": {
+ "ParentUserToken": {
+ "Type": "String",
+ "Description": "UserToken"
+ }
+ }
+}
+
+```
+
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + NewAmpApp: + Type: AWS::Amplify::App + Properties: + AccessToken: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username": "admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +```yaml title="Negative test num. 2 - yaml file" +Parameters: + ParentAccessToken: + Description: 'Access Token' + Type: String +Resources: + NewAmp: + Type: AWS::Amplify::App + Properties: + AccessToken: !Ref ParentAccessToken + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + +``` +```yaml title="Negative test num. 3 - yaml file" +Parameters: + ParentAccessToken: + Description: 'Access Token' + Type: String + Default: "" +Resources: + AmpApp: + Type: AWS::Amplify::App + Properties: + AccessToken: !Ref ParentAccessToken + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + +``` +
Negative test num. 4 - json file
+
+```json
+{
+ "Resources": {
+ "NewAmpApp": {
+ "Type": "AWS::Amplify::App",
+ "Properties": {
+ "Name": "NewAmpApp",
+ "Repository": "String",
+ "AccessToken": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}",
+ "BuildSpec": "String",
+ "Description": "String",
+ "OauthToken": "String",
+ "CustomHeaders": "String",
+ "EnableBranchAutoDeletion": true,
+ "IAMServiceRole": "String"
+ }
+ },
+ "MyAmpAppSecretManagerRotater": {
+ "Type": "AWS::SecretsManager::Secret",
+ "Properties": {
+ "Description": "This is my amp app instance secret",
+ "GenerateSecretString": {
+ "SecretStringTemplate": "{\"username\": \"admin\"}",
+ "GenerateStringKey": "password",
+ "PasswordLength": 16,
+ "ExcludeCharacters": "\"@/\\"
+ }
+ }
+ }
+ }
+}
+
+```
+
+
Negative test num. 5 - json file
+
+```json
+{
+ "Parameters": {
+ "ParentAccessToken": {
+ "Description": "Access Token",
+ "Type": "String"
+ }
+ },
+ "Resources": {
+ "NewAmp": {
+ "Properties": {
+ "Name": "NewAmpApp",
+ "AccessToken": "ParentAccessToken",
+ "BuildSpec": "String",
+ "Description": "String",
+ "EnableBranchAutoDeletion": true,
+ "CustomHeaders": "String",
+ "IAMServiceRole": "String",
+ "OauthToken": "String",
+ "Repository": "String"
+ },
+ "Type": "AWS::Amplify::App"
+ }
+ }
+}
+
+```
+
+
Negative test num. 6 - json file
+
+```json
+{
+ "Parameters": {
+ "ParentAccessToken": {
+ "Description": "Access Token",
+ "Type": "String",
+ "Default": ""
+ }
+ },
+ "Resources": {
+ "AmpApp": {
+ "Type": "AWS::Amplify::App",
+ "Properties": {
+ "AccessToken": "ParentAccessToken",
+ "BuildSpec": "String",
+ "Repository": "String",
+ "OauthToken": "String",
+ "CustomHeaders": "String",
+ "Description": "String",
+ "EnableBranchAutoDeletion": true,
+ "IAMServiceRole": "String",
+ "Name": "NewAmpApp"
+ }
+ }
+ }
+}
+
+```
+
diff --git a/docs/queries/cloudformation-queries/aws/73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md b/docs/queries/cloudformation-queries/aws/73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md
new file mode 100644
index 00000000000..acd28ff9695
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/73d59e76-a12c-4b74-a3d8-d3e1e19c25b3.md
@@ -0,0 +1,169 @@
+---
+title: EKS node group remote access
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 73d59e76-a12c-4b74-a3d8-d3e1e19c25b3
+- **Query name:** EKS node group remote access
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/eks_node_group_remote_access)
+
+### Description
+Ensure Amazon EKS Node group has implict SSH access
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-eks-nodegroup.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17" +Resources: + EKSNodegroup: + Type: 'AWS::EKS::Nodegroup' + Properties: + ClusterName: prod + NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole' + ScalingConfig: + MinSize: 3 + DesiredSize: 5 + MaxSize: 7 + Labels: + Key1: Value1 + Key2: Value2 + Subnets: + - subnet-6782e71e + - subnet-e7e761ac + RemoteAccess: + Ec2SshKey: ED25519 + +``` +```json title="Postitive test num. 2 - json file" hl_lines="21" +{ + "Resources": { + "EKSNodegroup": { + "Type": "AWS::EKS::Nodegroup", + "Properties": { + "ClusterName": "prod", + "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole", + "ScalingConfig": { + "MinSize": 3, + "DesiredSize": 5, + "MaxSize": 7 + }, + "Labels": { + "Key1": "Value1", + "Key2": "Value2" + }, + "Subnets": [ + "subnet-6782e71e", + "subnet-e7e761ac" + ], + "RemoteAccess": { + "Ec2SshKey": "ED25519" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + SSHAccessToNodeSG: + Type: AWS::EC2::SecurityGroup + Properties: + VpcId: !Ref VpcId + GroupName: !Sub "${Project}-${Environment}-${EKSClusterName}-ssh-access-to-workers-source-sg" + GroupDescription: attach this sg to an instance to let it access via ssh to the eks node + Tags: + - Key: Environment + Value: !Ref Environment + - Key: Project + Value: !Ref Project + EKSNodegroup: + Type: 'AWS::EKS::Nodegroup' + Properties: + ClusterName: prod + NodeRole: 'arn:aws:iam::012345678910:role/eksInstanceRole' + ScalingConfig: + MinSize: 3 + DesiredSize: 5 + MaxSize: 7 + Labels: + Key1: Value1 + Key2: Value2 + Subnets: + - subnet-6782e71e + - subnet-e7e761ac + RemoteAccess: + Ec2SshKey: ED25519 + SourceSecurityGroups: + - !Ref SSHAccessToNodeSG + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "SSHAccessToNodeSG": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": "VpcId", + "GroupName": "${Project}-${Environment}-${EKSClusterName}-ssh-access-to-workers-source-sg", + "GroupDescription": "attach this sg to an instance to let it access via ssh to the eks node", + "Tags": [ + { + "Key": "Environment", + "Value": "Environment" + }, + { + "Key": "Project", + "Value": "Project" + } + ] + } + }, + "EKSNodegroup": { + "Properties": { + "RemoteAccess": { + "Ec2SshKey": "ED25519", + "SourceSecurityGroups": [ + "SSHAccessToNodeSG" + ] + }, + "ClusterName": "prod", + "NodeRole": "arn:aws:iam::012345678910:role/eksInstanceRole", + "ScalingConfig": { + "MinSize": 3, + "DesiredSize": 5, + "MaxSize": 7 + }, + "Labels": { + "Key1": "Value1", + "Key2": "Value2" + }, + "Subnets": [ + "subnet-6782e71e", + "subnet-e7e761ac" + ] + }, + "Type": "AWS::EKS::Nodegroup" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md b/docs/queries/cloudformation-queries/aws/74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md new file mode 100644 index 00000000000..ffeae045078 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/74a18d1a-cf02-4a31-8791-ed0967ad7fdc.md
@@ -0,0 +1,147 @@
+---
+title: Cognito UserPool Without MFA
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 74a18d1a-cf02-4a31-8791-ed0967ad7fdc
+- **Query name:** Cognito UserPool Without MFA
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cognito_userpool_without_mfa)
+
+### Description
+AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 14" +Resources: + UserPool2: + Type: "AWS::Cognito::UserPool" + Properties: + UserPoolName: !Sub ${AuthName}-user-pool + AutoVerifiedAttributes: + - phone_number + MfaConfiguration: "OFF" + SmsConfiguration: + ExternalId: !Sub ${AuthName}-external + SnsCallerArn: !GetAtt SNSRole.Arn + UserPool4: + Type: "AWS::Cognito::UserPool" + Properties: + UserPoolName: !Sub ${AuthName}-user-pool + AutoVerifiedAttributes: + - phone_number + SmsConfiguration: + ExternalId: !Sub ${AuthName}-external + SnsCallerArn: !GetAtt SNSRole.Arn +``` +```json title="Postitive test num. 2 - json file" hl_lines="10 19" +{ + "Resources": { + "UserPool2": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "UserPoolName": "${AuthName}-user-pool", + "AutoVerifiedAttributes": [ + "phone_number" + ], + "MfaConfiguration": "OFF", + "SmsConfiguration": { + "ExternalId": "${AuthName}-external", + "SnsCallerArn": "SNSRole.Arn" + } + } + }, + "UserPool4": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "SmsConfiguration": { + "ExternalId": "${AuthName}-external", + "SnsCallerArn": "SNSRole.Arn" + }, + "UserPoolName": "${AuthName}-user-pool", + "AutoVerifiedAttributes": [ + "phone_number" + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + UserPool: + Type: "AWS::Cognito::UserPool" + Properties: + UserPoolName: !Sub ${AuthName}-user-pool + AutoVerifiedAttributes: + - phone_number + MfaConfiguration: "ON" + SmsConfiguration: + ExternalId: !Sub ${AuthName}-external + SnsCallerArn: !GetAtt SNSRole.Arn + UserPool2: + Type: "AWS::Cognito::UserPool" + Properties: + UserPoolName: !Sub ${AuthName}-user-pool + AutoVerifiedAttributes: + - phone_number + MfaConfiguration: "OPTIONAL" + SmsConfiguration: + ExternalId: !Sub ${AuthName}-external + SnsCallerArn: !GetAtt SNSRole.Arn +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "UserPool": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "UserPoolName": "${AuthName}-user-pool", + "AutoVerifiedAttributes": [ + "phone_number" + ], + "MfaConfiguration": "ON", + "SmsConfiguration": { + "ExternalId": "${AuthName}-external", + "SnsCallerArn": "SNSRole.Arn" + } + } + }, + "UserPool2": { + "Type": "AWS::Cognito::UserPool", + "Properties": { + "UserPoolName": "${AuthName}-user-pool", + "AutoVerifiedAttributes": [ + "phone_number" + ], + "MfaConfiguration": "OPTIONAL", + "SmsConfiguration": { + "ExternalId": "${AuthName}-external", + "SnsCallerArn": "SNSRole.Arn" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/75be209d-1948-41f6-a8c8-e22dd0121134.md b/docs/queries/cloudformation-queries/aws/75be209d-1948-41f6-a8c8-e22dd0121134.md new file mode 100644 index 00000000000..82ce32203b3 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/75be209d-1948-41f6-a8c8-e22dd0121134.md 
@@ -0,0 +1,151 @@
+---
+title: ECR Repository Is Publicly Accessible
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 75be209d-1948-41f6-a8c8-e22dd0121134
+- **Query name:** ECR Repository Is Publicly Accessible
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecr_repository_is_publicly_accessible)
+
+### Description
+Amazon ECR image repositories shouldn't have public access
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +Resources: + MyRepository3: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + RepositoryPolicyText: + Version: "2012-10-17" + Statement: + - + Sid: AllowPushPull + Effect: Allow + Principal: "*" + Action: + - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchGetImage" + - "ecr:BatchCheckLayerAvailability" + - "ecr:PutImage" + - "ecr:InitiateLayerUpload" + - "ecr:UploadLayerPart" + - "ecr:CompleteLayerUpload" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "Resources": { + "MyRepository4": { + "Type": "AWS::ECR::Repository", + "Properties": { + "RepositoryName": "test-repository", + "RepositoryPolicyText": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AllowPushPull", + "Effect": "Allow", + "Principal": "*", + "Action": [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload" + ] + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + MyRepository1: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + RepositoryPolicyText: + Version: "2012-10-17" + Statement: + - + Sid: AllowPushPull + Effect: Allow + Principal: + AWS: + - "arn:aws:iam::123456789012:user/Bob" + - "arn:aws:iam::123456789012:user/Alice" + Action: + - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchGetImage" + - "ecr:BatchCheckLayerAvailability" + - "ecr:PutImage" + - "ecr:InitiateLayerUpload" + - "ecr:UploadLayerPart" + - "ecr:CompleteLayerUpload" + +``` +```json title="Negative test num. 
2 - json file"
+{
+ "Resources": {
+ "MyRepository2": {
+ "Type": "AWS::ECR::Repository",
+ "Properties": {
+ "RepositoryName": "test-repository",
+ "RepositoryPolicyText": {
+ "Version": "2008-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowPushPull",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "arn:aws:iam::123456789012:user/Bob",
+ "arn:aws:iam::123456789012:user/Alice"
+ ]
+ },
+ "Action": [
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:PutImage",
+ "ecr:InitiateLayerUpload",
+ "ecr:UploadLayerPart",
+ "ecr:CompleteLayerUpload"
+ ]
+ }
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/76ddf32c-85b1-4808-8935-7eef8030ab36.md b/docs/queries/cloudformation-queries/aws/76ddf32c-85b1-4808-8935-7eef8030ab36.md
new file mode 100644
index 00000000000..e528c45ee2b
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/76ddf32c-85b1-4808-8935-7eef8030ab36.md
@@ -0,0 +1,247 @@
+---
+title: Batch Job Definition With Privileged Container Properties
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 76ddf32c-85b1-4808-8935-7eef8030ab36
+- **Query name:** Batch Job Definition With Privileged Container Properties
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/batch_job_definition_with_privileged_container_properties)
+
+### Description
+Batch Job Definition should not have Privileged Container Properties
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-batch-jobdefinition.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +AWSTemplateFormatVersion: "2010-09-09" +Description: "BatchJobDefinition" +Resources: + JobDefinition: + Type: AWS::Batch::JobDefinition + Properties: + Type: container + JobDefinitionName: nvidia-smi + ContainerProperties: + MountPoints: + - ReadOnly: false + SourceVolume: nvidia + ContainerPath: /usr/local/nvidia + Volumes: + - Host: + SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest + Name: nvidia + Command: + - nvidia-smi + Memory: 2000 + Privileged: true + JobRoleArn: String + ReadonlyRootFilesystem: true + Vcpus: 2 + Image: nvidia/cuda + +``` +```json title="Postitive test num. 2 - json file" hl_lines="12" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "BatchJobDefinition", + "Resources": { + "JobDefinition": { + "Type": "AWS::Batch::JobDefinition", + "Properties": { + "Type": "container", + "JobDefinitionName": "nvidia-smi", + "ContainerProperties": { + "Memory": 2000, + "Privileged": true, + "Vcpus": 2, + "MountPoints": [ + { + "ReadOnly": false, + "SourceVolume": "nvidia", + "ContainerPath": "/usr/local/nvidia" + } + ], + "Command": [ + "nvidia-smi" + ], + "ReadonlyRootFilesystem": true, + "Image": "nvidia/cuda", + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest" + }, + "Name": "nvidia" + } + ], + "JobRoleArn": "String" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "BatchJobDefinition" +Resources: + JobDefinition: + Type: AWS::Batch::JobDefinition + Properties: + Type: container + JobDefinitionName: nvidia-smi + ContainerProperties: + MountPoints: + - ReadOnly: false + SourceVolume: nvidia + ContainerPath: /usr/local/nvidia + Volumes: + - Host: + SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest + Name: nvidia + Command: + - nvidia-smi + Memory: 2000 + Privileged: false + JobRoleArn: String + ReadonlyRootFilesystem: true + Vcpus: 2 + Image: nvidia/cuda + + +``` +```yaml title="Negative test num. 2 - yaml file" + + +AWSTemplateFormatVersion: "2010-09-09" +Description: "BatchJobDefinition" +Resources: + JobDefinition1: + Type: AWS::Batch::JobDefinition + Properties: + Type: container + JobDefinitionName: nvidia-smi + ContainerProperties: + MountPoints: + - ReadOnly: false + SourceVolume: nvidia + ContainerPath: /usr/local/nvidia + Volumes: + - Host: + SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest + Name: nvidia + Command: + - nvidia-smi + Memory: 2000 + JobRoleArn: String + ReadonlyRootFilesystem: true + Vcpus: 2 + Image: nvidia/cuda + +``` +```json title="Negative test num. 3 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "BatchJobDefinition", + "Resources": { + "JobDefinition": { + "Properties": { + "Type": "container", + "JobDefinitionName": "nvidia-smi", + "ContainerProperties": { + "Command": [ + "nvidia-smi" + ], + "JobRoleArn": "String", + "Vcpus": 2, + "ReadonlyRootFilesystem": true, + "Image": "nvidia/cuda", + "MountPoints": [ + { + "ReadOnly": false, + "SourceVolume": "nvidia", + "ContainerPath": "/usr/local/nvidia" + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest" + }, + "Name": "nvidia" + } + ], + "Memory": 2000, + "Privileged": false + } + }, + "Type": "AWS::Batch::JobDefinition" + } + } +} + +``` +
Negative test num. 4 - json file
+
+```json
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "BatchJobDefinition",
+ "Resources": {
+ "JobDefinition1": {
+ "Type": "AWS::Batch::JobDefinition",
+ "Properties": {
+ "Type": "container",
+ "JobDefinitionName": "nvidia-smi",
+ "ContainerProperties": {
+ "Memory": 2000,
+ "JobRoleArn": "String",
+ "ReadonlyRootFilesystem": true,
+ "Vcpus": 2,
+ "Image": "nvidia/cuda",
+ "MountPoints": [
+ {
+ "SourceVolume": "nvidia",
+ "ContainerPath": "/usr/local/nvidia",
+ "ReadOnly": false
+ }
+ ],
+ "Volumes": [
+ {
+ "Host": {
+ "SourcePath": "/var/lib/nvidia-docker/volumes/nvidia_driver/latest"
+ },
+ "Name": "nvidia"
+ }
+ ],
+ "Command": [
+ "nvidia-smi"
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
+
diff --git a/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md b/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md
new file mode 100644
index 00000000000..f6d0b846904
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/7772bb8c-c0f3-42d4-8e4e-f1b8939ad085.md
@@ -0,0 +1,247 @@
+---
+title: S3 Bucket Access to Any Principal
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 7772bb8c-c0f3-42d4-8e4e-f1b8939ad085
+- **Query name:** S3 Bucket Access to Any Principal
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_access_to_any_principal)
+
+### Description
+The S3 Bucket should not be associated with a policy statement that grants access to any principal
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2 27" +Resources: + Bucket: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: false + BlockPublicPolicy: false + IgnorePublicAcls: true + RestrictPublicBuckets: false + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref Bucket + PolicyDocument: + Statement: + - Effect: Allow + Principal: + AWS: + - "*" + Action: s3:GetObject + Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/* + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + Bucket2: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: false + BlockPublicPolicy: false + IgnorePublicAcls: false + RestrictPublicBuckets: true + BucketPolicy2: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref Bucket2 + PolicyDocument: + Statement: + - Effect: Allow + Principal: + AWS: + - "*" + Action: s3:GetObject + Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/* + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' +``` +```json title="Postitive test num. 
2 - json file" hl_lines="42 3"
+{
+ "Resources": {
+ "Bucket": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "PublicAccessBlockConfiguration": {
+ "BlockPublicAcls": false,
+ "BlockPublicPolicy": false,
+ "IgnorePublicAcls": true,
+ "RestrictPublicBuckets": false
+ }
+ }
+ },
+ "BucketPolicy": {
+ "Properties": {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Action": "s3:GetObject",
+ "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
+ "Condition": {
+ "StringLike": {
+ "aws:Referer": [
+ "http://www.example.com/*",
+ "http://example.net/*"
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "Bucket": "Bucket"
+ },
+ "Type": "AWS::S3::BucketPolicy"
+ },
+ "Bucket2": {
+ "Type": "AWS::S3::Bucket",
+ "Properties": {
+ "PublicAccessBlockConfiguration": {
+ "BlockPublicAcls": false,
+ "BlockPublicPolicy": false,
+ "IgnorePublicAcls": false,
+ "RestrictPublicBuckets": true
+ }
+ }
+ },
+ "BucketPolicy2": {
+ "Type": "AWS::S3::BucketPolicy",
+ "Properties": {
+ "Bucket": "Bucket2",
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "*"
+ ]
+ },
+ "Action": "s3:GetObject",
+ "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
+ "Condition": {
+ "StringLike": {
+ "aws:Referer": [
+ "http://www.example.com/*",
+ "http://example.net/*"
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file" +Resources: + Bucket: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: false + BlockPublicPolicy: false + IgnorePublicAcls: true + RestrictPublicBuckets: true + BucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref Bucket + PolicyDocument: + Statement: + - Effect: Allow + Principal: + AWS: + - arn:aws:iam::111122223333:user/Alice + - arn:aws:iam::111122223333:user/Fabio + Action: s3:GetObject + Resource: arn:aws:s3:::DOC-EXAMPLE-BUCKET/* + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": false, + "BlockPublicPolicy": false, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + } + } + }, + "BucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + }, + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::111122223333:user/Alice", + "arn:aws:iam::111122223333:user/Fabio" + ] + }, + "Action": "s3:GetObject", + "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" + } + ] + }, + "Bucket": "Bucket" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md b/docs/queries/cloudformation-queries/aws/77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md new file mode 100644 index 00000000000..94f2cdfcc8c --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/77b6f1e2-bde4-4a6a-ae7e-a40659ff1576.md 
@@ -0,0 +1,345 @@
+---
+title: EC2 Network ACL Overlapping Ports
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 77b6f1e2-bde4-4a6a-ae7e-a40659ff1576
+- **Query name:** EC2 Network ACL Overlapping Ports
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_network_acl_overlapping_ports)
+
+### Description
+NetworkACL Entries are reusing or overlapping ports which may create ineffective rules
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-networkaclentry-portrange.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="42 78 18 54 90 30"
+Resources:
+ MyNACL:
+ Type: AWS::EC2::NetworkAcl
+ Properties:
+ VpcId: vpc-1122334455aabbccd
+ Tags:
+ - Key: Name
+ Value: NACLforSSHTraffic
+ InboundRule:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 172.16.0.0/24
+ PortRange:
+ From: 13
+ To: 22
+ OutboundRule:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 173.20.0.0/24
+ PortRange:
+ From: 12
+ To: 20
+ OutboundTests:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 175.20.0.0/24
+ PortRange:
+ From: 20
+ To: 25
+ InboundTests:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 151.20.0.0/24
+ PortRange:
+ From: 6
+ To: 13
+ Default:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 150.20.0.0/24
+ PortRange:
+ From: 1
+ To: 2
+ Match:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 121.20.0.0/24
+ PortRange:
+ From: 3
+ To: 5
+ EqualMatch:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 120.20.0.0/24
+ PortRange:
+ 
From: 3
+ To: 5
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="38 73 105 82 116 22"
+{
+ "Resources": {
+ "Default": {
+ "Type": "AWS::EC2::NetworkAclEntry",
+ "Properties": {
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6,
+ "RuleAction": "allow",
+ "CidrBlock": "150.20.0.0/24",
+ "PortRange": {
+ "From": 1,
+ "To": 2
+ }
+ }
+ },
+ "Match": {
+ "Type": "AWS::EC2::NetworkAclEntry",
+ "Properties": {
+ "PortRange": {
+ "From": 3,
+ "To": 5
+ },
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6,
+ "RuleAction": "allow",
+ "CidrBlock": "121.20.0.0/24"
+ }
+ },
+ "EqualMatch": {
+ "Properties": {
+ "CidrBlock": "120.20.0.0/24",
+ "PortRange": {
+ "From": 3,
+ "To": 5
+ },
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6,
+ "RuleAction": "allow"
+ },
+ "Type": "AWS::EC2::NetworkAclEntry"
+ },
+ "MyNACL": {
+ "Type": "AWS::EC2::NetworkAcl",
+ "Properties": {
+ "VpcId": "vpc-1122334455aabbccd",
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "NACLforSSHTraffic"
+ }
+ ]
+ }
+ },
+ "InboundRule": {
+ "Type": "AWS::EC2::NetworkAclEntry",
+ "Properties": {
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6,
+ "RuleAction": "allow",
+ "CidrBlock": "172.16.0.0/24",
+ "PortRange": {
+ "From": 13,
+ "To": 22
+ }
+ }
+ },
+ "OutboundRule": {
+ "Type": "AWS::EC2::NetworkAclEntry",
+ "Properties": {
+ "PortRange": {
+ "From": 12,
+ "To": 20
+ },
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6,
+ "RuleAction": "allow",
+ "CidrBlock": "173.20.0.0/24"
+ }
+ },
+ "OutboundTests": {
+ "Type": "AWS::EC2::NetworkAclEntry",
+ "Properties": {
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6,
+ "RuleAction": "allow",
+ "CidrBlock": "175.20.0.0/24",
+ "PortRange": {
+ "From": 20,
+ "To": 25
+ }
+ }
+ },
+ "InboundTests": {
+ "Type": "AWS::EC2::NetworkAclEntry",
+ "Properties": {
+ 
"RuleAction": "allow",
+ "CidrBlock": "151.20.0.0/24",
+ "PortRange": {
+ "From": 6,
+ "To": 13
+ },
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+Resources:
+ MyNACL:
+ Type: AWS::EC2::NetworkAcl
+ Properties:
+ VpcId: vpc-1122334455aabbccd
+ Tags:
+ - Key: Name
+ Value: NACLforSSHTraffic
+ InboundRule:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 172.16.0.0/24
+ PortRange:
+ From: 13
+ To: 22
+ OutboundRule:
+ Type: AWS::EC2::NetworkAclEntry
+ Properties:
+ NetworkAclId:
+ Ref: MyNACL
+ RuleNumber: 100
+ Protocol: 6
+ RuleAction: allow
+ CidrBlock: 173.20.0.0/24
+ PortRange:
+ From: 24
+ To: 25
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "MyNACL": {
+ "Type": "AWS::EC2::NetworkAcl",
+ "Properties": {
+ "VpcId": "vpc-1122334455aabbccd",
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "NACLforSSHTraffic"
+ }
+ ]
+ }
+ },
+ "InboundRule": {
+ "Properties": {
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6,
+ "RuleAction": "allow",
+ "CidrBlock": "172.16.0.0/24",
+ "PortRange": {
+ "From": 13,
+ "To": 22
+ }
+ },
+ "Type": "AWS::EC2::NetworkAclEntry"
+ },
+ "OutboundRule": {
+ "Type": "AWS::EC2::NetworkAclEntry",
+ "Properties": {
+ "NetworkAclId": {
+ "Ref": "MyNACL"
+ },
+ "RuleNumber": 100,
+ "Protocol": 6,
+ "RuleAction": "allow",
+ "CidrBlock": "173.20.0.0/24",
+ "PortRange": {
+ "From": 24,
+ "To": 25
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md b/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md
new file mode 100644
index 00000000000..413971fc24b
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md @@ -0,0 +1,1393 @@ +--- +title: ELB Sensitive Port Is Exposed To Entire Network +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 78055456-f670-4d2e-94d5-392d1cf4f5e4 +- **Query name:** ELB Sensitive Port Is Exposed To Entire Network +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elb_sensitive_port_is_exposed_to_entire_network) + +### Description +The load balancer of the application with a sensitive port connection is exposed to the entire internet.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="37" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Scheme: internet-facing + Listeners: + - InstancePort: '80' + InstanceProtocol: HTTP + LoadBalancerPort: '443' + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: '2' + UnhealthyThreshold: '3' + Interval: '10' + Timeout: '5' + SecurityGroups: + - !Ref LBSecGroup + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + LBSecGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http and ssh + VpcId: my-vpc + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 50 + ToPort: 80 + CidrIp: 127.0.0.1/0 + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 127.0.0.1/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="22" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + MySubnets: + Description: "My subnet" + Type: List +Resources: + ApplicationLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: ip-target-alb + Subnets: !Ref MySubnets + SecurityGroups: + - !Ref ALBSecGroup + Tags: + - Key: Name + Value: ip-target-alb + ALBSecGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http and ssh + VpcId: my-vpc + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 127.0.0.1/32 + - IpProtocol: tcp + FromPort: 6379 + ToPort: 6379 + CidrIp: 127.0.0.1/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + HTTPALBListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + LoadBalancerArn: !Ref ApplicationLoadBalancer + Port: 80 + Protocol: HTTP + DefaultActions: + - Type: forward + TargetGroupArn: !Ref IPTargetGroup + IPTargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + VpcId: my-vpc + Port: 80 + Protocol: HTTP + TargetType: ip + Matcher: + HttpCode: '200' + HealthCheckIntervalSeconds: 10 + HealthCheckPath: /health/check + HealthCheckProtocol: HTTP + HealthCheckTimeoutSeconds: 5 + HealthyThresholdCount: 2 + UnhealthyThresholdCount: 2 + TestListenerRule1: + Type: "AWS::ElasticLoadBalancingV2::ListenerRule" + Properties: + Priority: 1 + ListenerArn: !Ref HTTPALBListener + Conditions: + - Field: "host-header" + Values: + - "test1.checkmarx.com" + Actions: + - Type: "forward" + TargetGroupArn: !Ref IPTargetGroup + Order: 1 + ForwardConfig: + TargetGroups: + - TargetGroupArn: !Ref IPTargetGroup + Weight: 1 + TargetGroupStickinessConfig: + Enabled: false + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="19" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + MySubnet: + Description: "My subnet" + Type: List +Resources: + GatewayLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: my-gateway-load-balancer + Scheme: internet-facing + Type: gateway + Subnets: !Ref MySubnet + InstancesSecGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http and ssh + VpcId: my-vpc + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 127.0.0.1/32 + - IpProtocol: tcp + FromPort: 636 + ToPort: 636 + CidrIp: 127.0.0.1/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + EC2Instance01: + Type: AWS::EC2::Instance + Properties: + InstanceType: t3.2xlarge + SecurityGroups: + - !Ref 'InstancesSecGroup' + KeyName: my-rsa-key + ImageId: ami-79fd7eee + EC2Instance02: + Type: AWS::EC2::Instance + Properties: + InstanceType: t3.2xlarge + SecurityGroups: + - !Ref 'InstancesSecGroup' + KeyName: my-rsa-key + ImageId: ami-79fd7eee + GatewayLoadBalancerTargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: t10-networklb-target + Port: 443 + Protocol: TCP + VpcId: t10-vpc-id + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: '60' + Targets: + - Id: !Ref EC2Instance01 + Port: 443 + - Id: !Ref EC2Instance02 + Port: 443 + Tags: + - Key: Name + Value: t10-networklb-target + GatewayLoadBalancerListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref GatewayLoadBalancerTargetGroup + LoadBalancerArn: !Ref GatewayLoadBalancer + Port: 443 + Protocol: TCP + GatewayLoadBalancerListenerCert: + Type: AWS::ElasticLoadBalancingV2::ListenerCertificate + Properties: + Certificates: + - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456.... + ListenerArn: !Ref GatewayLoadBalancerListener + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="22" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + MySubnet: + Description: "My subnet" + Type: List +Resources: + NetworkLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: t10-networkloadbalancer + Scheme: internet-facing + Subnets: !Ref MySubnet + Type: network + Tags: + - Key: Name + Value: t10-networklb + ELBInstanceSecGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http and ssh + VpcId: my-vpc + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 81 + ToPort: 80 + CidrIp: 127.0.0.1/32 + - IpProtocol: tcp + FromPort: 27017 + ToPort: 27018 + CidrIp: 127.0.0.1/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + EC2Instance01: + Type: AWS::EC2::Instance + Properties: + InstanceType: t3.2xlarge + SecurityGroups: + - !Ref 'ELBInstanceSecGroup' + KeyName: my-rsa-key + ImageId: ami-79fd7eee + EC2Instance02: + Type: AWS::EC2::Instance + Properties: + InstanceType: t3.2xlarge + SecurityGroups: + - !Ref 'ELBInstanceSecGroup' + KeyName: my-rsa-key + ImageId: ami-79fd7eee + NetworkLoadBalancerTargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: t10-networklb-target + Port: 443 + Protocol: TCP + VpcId: t10-vpc-id + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: '60' + Targets: + - Id: !Ref EC2Instance01 + Port: 443 + - Id: !Ref EC2Instance02 + Port: 443 + Tags: + - Key: Name + Value: t10-networklb-target + NetworkLoadBalancerListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup + LoadBalancerArn: !Ref NetworkLoadBalancer + Port: 443 + Protocol: TCP + NetworkLoadBalancerListenerCert: + Type: AWS::ElasticLoadBalancingV2::ListenerCertificate + Properties: + Certificates: + - CertificateArn: 
arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456.... + ListenerArn: !Ref NetworkLoadBalancerListener + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="52" +{ + "Resources": { + "MyLoadBalancer": { + "Properties": { + "Scheme": "internet-facing", + "Listeners": [ + { + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", + "InstancePort": "80", + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ] + } + ], + "HealthCheck": { + "HealthyThreshold": "2", + "UnhealthyThreshold": "3", + "Interval": "10", + "Timeout": "5", + "Target": "HTTP:80/" + }, + "SecurityGroups": [ + "LBSecGroup" + ], + "Policies": [ + { + "Attributes": [ + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ], + "PolicyName": "My-SSLNegotiation-Policy", + "PolicyType": "SSLNegotiationPolicyType" + } + ], + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true + }, + "Type": "AWS::ElasticLoadBalancing::LoadBalancer" + }, + "LBSecGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http and ssh", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 50, + "ToPort": 80, + "CidrIp": "127.0.0.1/0" + }, + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "127.0.0.1/0" + } + ], + "SecurityGroupEgress": [ + { + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="31" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Parameters": { + "MySubnets": { + "Description": "My subnet", + "Type": "List\u003cString\u003e" + } + }, + "Resources": { + "ApplicationLoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + "ALBSecGroup" + ], + "Tags": [ + { + "Key": "Name", + "Value": "ip-target-alb" + } + ], + "Name": "ip-target-alb", + "Subnets": "MySubnets" + } + }, + "ALBSecGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http and ssh", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "FromPort": 80, + "ToPort": 80, + "CidrIp": "127.0.0.1/32", + "IpProtocol": "tcp" + }, + { + "IpProtocol": "tcp", + "FromPort": 6379, + "ToPort": 6379, + "CidrIp": "127.0.0.1/0" + } + ], + "SecurityGroupEgress": [ + { + "ToPort": 22, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": 22 + } + ] + } + }, + "HTTPALBListener": { + "Properties": { + "DefaultActions": [ + { + "Type": "forward", + "TargetGroupArn": "IPTargetGroup" + } + ], + "LoadBalancerArn": "ApplicationLoadBalancer", + "Port": 80, + "Protocol": "HTTP" + }, + "Type": "AWS::ElasticLoadBalancingV2::Listener" + }, + "IPTargetGroup": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "HealthCheckIntervalSeconds": 10, + "HealthCheckPath": "/health/check", + "HealthCheckProtocol": "HTTP", + "HealthyThresholdCount": 2, + "VpcId": "my-vpc", + "TargetType": "ip", + "Matcher": { + "HttpCode": "200" + }, + "UnhealthyThresholdCount": 2, + "Port": 80, + "Protocol": "HTTP", + "HealthCheckTimeoutSeconds": 5 + } + }, + "TestListenerRule1": { + "Type": "AWS::ElasticLoadBalancingV2::ListenerRule", + "Properties": { + "Priority": 1, + "ListenerArn": "HTTPALBListener", + "Conditions": [ + { + "Values": [ + "test1.checkmarx.com" + ], + "Field": "host-header" + } + ], + "Actions": [ + { + "Type": "forward", + 
"TargetGroupArn": "IPTargetGroup", + "Order": 1, + "ForwardConfig": { + "TargetGroups": [ + { + "TargetGroupArn": "IPTargetGroup", + "Weight": 1 + } + ], + "TargetGroupStickinessConfig": { + "Enabled": false + } + } + } + ] + } + } + } +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="28" +{ + "Resources": { + "GatewayLoadBalancerListenerCert": { + "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate", + "Properties": { + "Certificates": [ + { + "CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...." + } + ], + "ListenerArn": "GatewayLoadBalancerListener" + } + }, + "GatewayLoadBalancer": { + "Properties": { + "Name": "my-gateway-load-balancer", + "Scheme": "internet-facing", + "Type": "gateway", + "Subnets": "MySubnet" + }, + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer" + }, + "InstancesSecGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http and ssh", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "127.0.0.1/32" + }, + { + "ToPort": 636, + "CidrIp": "127.0.0.1/0", + "IpProtocol": "tcp", + "FromPort": 636 + } + ], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + } + ] + } + }, + "EC2Instance01": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.2xlarge", + "SecurityGroups": [ + "InstancesSecGroup" + ], + "KeyName": "my-rsa-key", + "ImageId": "ami-79fd7eee" + } + }, + "EC2Instance02": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.2xlarge", + "SecurityGroups": [ + "InstancesSecGroup" + ], + "KeyName": "my-rsa-key", + "ImageId": "ami-79fd7eee" + } + }, + "GatewayLoadBalancerTargetGroup": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "TargetGroupAttributes": [ + { + "Key": "deregistration_delay.timeout_seconds", + "Value": "60" + } + ], + "Targets": [ + { + "Id": "EC2Instance01", + "Port": 443 + }, + { + "Id": "EC2Instance02", + "Port": 443 + } + ], + "Tags": [ + { + "Key": "Name", + "Value": "t10-networklb-target" + } + ], + "Name": "t10-networklb-target", + "Port": 443, + "Protocol": "TCP", + 
"VpcId": "t10-vpc-id" + } + }, + "GatewayLoadBalancerListener": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "DefaultActions": [ + { + "Type": "forward", + "TargetGroupArn": "GatewayLoadBalancerTargetGroup" + } + ], + "LoadBalancerArn": "GatewayLoadBalancer", + "Port": 443, + "Protocol": "TCP" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Parameters": { + "MySubnet": { + "Description": "My subnet", + "Type": "List\u003cString\u003e" + } + } +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="97" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Parameters": { + "MySubnet": { + "Description": "My subnet", + "Type": "List\u003cString\u003e" + } + }, + "Resources": { + "EC2Instance02": { + "Type": "AWS::EC2::Instance", + "Properties": { + "KeyName": "my-rsa-key", + "ImageId": "ami-79fd7eee", + "InstanceType": "t3.2xlarge", + "SecurityGroups": [ + "ELBInstanceSecGroup" + ] + } + }, + "NetworkLoadBalancerTargetGroup": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "Targets": [ + { + "Id": "EC2Instance01", + "Port": 443 + }, + { + "Id": "EC2Instance02", + "Port": 443 + } + ], + "Tags": [ + { + "Key": "Name", + "Value": "t10-networklb-target" + } + ], + "Name": "t10-networklb-target", + "Port": 443, + "Protocol": "TCP", + "VpcId": "t10-vpc-id", + "TargetGroupAttributes": [ + { + "Key": "deregistration_delay.timeout_seconds", + "Value": "60" + } + ] + } + }, + "NetworkLoadBalancerListener": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "Port": 443, + "Protocol": "TCP", + "DefaultActions": [ + { + "Type": "forward", + "TargetGroupArn": "NetworkLoadBalancerTargetGroup" + } + ], + "LoadBalancerArn": "NetworkLoadBalancer" + } + }, + "NetworkLoadBalancerListenerCert": { + "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate", + "Properties": { + "Certificates": [ + { + "CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...." 
+ } + ], + "ListenerArn": "NetworkLoadBalancerListener" + } + }, + "NetworkLoadBalancer": { + "Properties": { + "Tags": [ + { + "Value": "t10-networklb", + "Key": "Name" + } + ], + "Name": "t10-networkloadbalancer", + "Scheme": "internet-facing", + "Subnets": "MySubnet", + "Type": "network" + }, + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer" + }, + "ELBInstanceSecGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http and ssh", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "CidrIp": "127.0.0.1/32", + "IpProtocol": "tcp", + "FromPort": 81, + "ToPort": 80 + }, + { + "FromPort": 27017, + "ToPort": 27018, + "CidrIp": "127.0.0.1/0", + "IpProtocol": "tcp" + } + ], + "SecurityGroupEgress": [ + { + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ] + } + }, + "EC2Instance01": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.2xlarge", + "SecurityGroups": [ + "ELBInstanceSecGroup" + ], + "KeyName": "my-rsa-key", + "ImageId": "ami-79fd7eee" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Scheme: internet-facing + Listeners: + - InstancePort: '80' + InstanceProtocol: HTTP + LoadBalancerPort: '443' + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: '2' + UnhealthyThreshold: '3' + Interval: '10' + Timeout: '5' + SecurityGroups: + [ !Ref LBNegativeSecGroup01 ] + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + LBNegativeSecGroup01: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http and ssh + VpcId: my-vpc + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 127.0.0.1/32 + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 127.0.0.1/32 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + +``` +```yaml title="Negative test num. 
2 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + MySubnets: + Description: "My subnet" + Type: List +Resources: + ApplicationLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: ip-target-alb + Subnets: !Ref MySubnets + SecurityGroups: + - !Ref ALBNegativeSecGroup + Tags: + - Key: Name + Value: ip-target-alb + ALBNegativeSecGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http and ssh + VpcId: my-vpc + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 127.0.0.1/32 + - IpProtocol: tcp + FromPort: 77 + ToPort: 77 + CidrIp: 127.0.0.1/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + HTTPALBListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + LoadBalancerArn: !Ref ApplicationLoadBalancer + Port: 80 + Protocol: HTTP + DefaultActions: + - Type: forward + TargetGroupArn: !Ref IPTargetGroup + IPTargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + VpcId: my-vpc + Port: 80 + Protocol: HTTP + TargetType: ip + Matcher: + HttpCode: '200' + HealthCheckIntervalSeconds: 10 + HealthCheckPath: /health/check + HealthCheckProtocol: HTTP + HealthCheckTimeoutSeconds: 5 + HealthyThresholdCount: 2 + UnhealthyThresholdCount: 2 + TestListenerRule1: + Type: "AWS::ElasticLoadBalancingV2::ListenerRule" + Properties: + Priority: 1 + ListenerArn: !Ref HTTPALBListener + Conditions: + - Field: "host-header" + Values: + - "test1.checkmarx.com" + Actions: + - Type: "forward" + TargetGroupArn: !Ref IPTargetGroup + Order: 1 + ForwardConfig: + TargetGroups: + - TargetGroupArn: !Ref IPTargetGroup + Weight: 1 + TargetGroupStickinessConfig: + Enabled: false + +``` +```yaml title="Negative test num. 
3 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + MySubnet: + Description: "My subnet" + Type: List +Resources: + NetworkLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: t10-networkloadbalancer + Scheme: internet-facing + Subnets: !Ref MySubnet + Type: network + Tags: + - Key: Name + Value: t10-networklb + InstancesNegativeSecGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http and ssh + VpcId: my-vpc + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 127.0.0.1/32 + - IpProtocol: tcp + FromPort: 77 + ToPort: 77 + CidrIp: 127.0.0.1/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + EC2Instance01: + Type: AWS::EC2::Instance + Properties: + InstanceType: t3.2xlarge + SecurityGroups: [!Ref 'InstancesNegativeSecGroup'] + KeyName: my-rsa-key + ImageId: ami-79fd7eee + EC2Instance02: + Type: AWS::EC2::Instance + Properties: + InstanceType: t3.2xlarge + SecurityGroups: [!Ref 'InstancesNegativeSecGroup'] + KeyName: my-rsa-key + ImageId: ami-79fd7eee + NetworkLoadBalancerTargetGroup: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + Name: t10-networklb-target + Port: 443 + Protocol: TCP + VpcId: t10-vpc-id + TargetGroupAttributes: + - Key: deregistration_delay.timeout_seconds + Value: 60 + Targets: + - Id: !Ref EC2Instance01 + Port: 443 + - Id: !Ref EC2Instance02 + Port: 443 + Tags: + - Key: Name + Value: t10-networklb-target + NetworkLoadBalancerListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup + LoadBalancerArn: !Ref NetworkLoadBalancer + Port: 443 + Protocol: TCP + NetworkLoadBalancerListenerCert: + Type: AWS::ElasticLoadBalancingV2::ListenerCertificate + Properties: + Certificates: + - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456.... 
+ ListenerArn: !Ref NetworkLoadBalancerListener + +``` +
Negative test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "HealthCheck": { + "UnhealthyThreshold": "3", + "Interval": "10", + "Timeout": "5", + "Target": "HTTP:80/", + "HealthyThreshold": "2" + }, + "SecurityGroups": [ + "LBNegativeSecGroup01" + ], + "Policies": [ + { + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ], + "PolicyName": "My-SSLNegotiation-Policy" + } + ], + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true, + "Scheme": "internet-facing", + "Listeners": [ + { + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", + "InstancePort": "80", + "InstanceProtocol": "HTTP" + } + ] + } + }, + "LBNegativeSecGroup01": { + "Properties": { + "GroupDescription": "Allow http and ssh", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "127.0.0.1/32" + }, + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "127.0.0.1/32" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } + ] + }, + "Type": "AWS::EC2::SecurityGroup" + } + } +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Parameters": { + "MySubnets": { + "Description": "My subnet", + "Type": "List\u003cString\u003e" + } + }, + "Resources": { + "IPTargetGroup": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "VpcId": "my-vpc", + "Protocol": "HTTP", + "HealthCheckIntervalSeconds": 10, + "UnhealthyThresholdCount": 2, + "Port": 80, + "TargetType": "ip", + "Matcher": { + "HttpCode": "200" + }, + "HealthCheckPath": "/health/check", + "HealthCheckProtocol": "HTTP", + "HealthCheckTimeoutSeconds": 5, + "HealthyThresholdCount": 2 + } + }, + "TestListenerRule1": { + "Properties": { + "Priority": 1, + "ListenerArn": "HTTPALBListener", + "Conditions": [ + { + "Field": "host-header", + "Values": [ + "test1.checkmarx.com" + ] + } + ], + "Actions": [ + { + "TargetGroupArn": "IPTargetGroup", + "Order": 1, + "ForwardConfig": { + "TargetGroups": [ + { + "TargetGroupArn": "IPTargetGroup", + "Weight": 1 + } + ], + "TargetGroupStickinessConfig": { + "Enabled": false + } + }, + "Type": "forward" + } + ] + }, + "Type": "AWS::ElasticLoadBalancingV2::ListenerRule" + }, + "ApplicationLoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "Name": "ip-target-alb", + "Subnets": "MySubnets", + "SecurityGroups": [ + "ALBNegativeSecGroup" + ], + "Tags": [ + { + "Key": "Name", + "Value": "ip-target-alb" + } + ] + } + }, + "ALBNegativeSecGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http and ssh", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "127.0.0.1/32" + }, + { + "IpProtocol": "tcp", + "FromPort": 77, + "ToPort": 77, + "CidrIp": "127.0.0.1/0" + } + ], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + } + ] + } + }, + "HTTPALBListener": { + "Type": 
"AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "LoadBalancerArn": "ApplicationLoadBalancer", + "Port": 80, + "Protocol": "HTTP", + "DefaultActions": [ + { + "Type": "forward", + "TargetGroupArn": "IPTargetGroup" + } + ] + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Parameters": { + "MySubnet": { + "Type": "List\u003cString\u003e", + "Description": "My subnet" + } + }, + "Resources": { + "InstancesNegativeSecGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http and ssh", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "CidrIp": "127.0.0.1/32", + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + }, + { + "IpProtocol": "tcp", + "FromPort": 77, + "ToPort": 77, + "CidrIp": "127.0.0.1/0" + } + ], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22 + } + ] + } + }, + "EC2Instance01": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.2xlarge", + "SecurityGroups": [ + "InstancesNegativeSecGroup" + ], + "KeyName": "my-rsa-key", + "ImageId": "ami-79fd7eee" + } + }, + "EC2Instance02": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.2xlarge", + "SecurityGroups": [ + "InstancesNegativeSecGroup" + ], + "KeyName": "my-rsa-key", + "ImageId": "ami-79fd7eee" + } + }, + "NetworkLoadBalancerTargetGroup": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "Name": "t10-networklb-target", + "Port": 443, + "Protocol": "TCP", + "VpcId": "t10-vpc-id", + "TargetGroupAttributes": [ + { + "Value": 60, + "Key": "deregistration_delay.timeout_seconds" + } + ], + "Targets": [ + { + "Id": "EC2Instance01", + "Port": 443 + }, + { + "Id": "EC2Instance02", + "Port": 443 + } + ], + "Tags": [ + { + "Key": "Name", + "Value": "t10-networklb-target" + } + ] + } + }, + "NetworkLoadBalancerListener": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "DefaultActions": [ + { + "Type": "forward", + "TargetGroupArn": "NetworkLoadBalancerTargetGroup" + } + ], + "LoadBalancerArn": "NetworkLoadBalancer", + "Port": 443, + "Protocol": "TCP" + } + }, + 
"NetworkLoadBalancerListenerCert": { + "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate", + "Properties": { + "Certificates": [ + { + "CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...." + } + ], + "ListenerArn": "NetworkLoadBalancerListener" + } + }, + "NetworkLoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "Name": "t10-networkloadbalancer", + "Scheme": "internet-facing", + "Subnets": "MySubnet", + "Type": "network", + "Tags": [ + { + "Key": "Name", + "Value": "t10-networklb" + } + ] + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/783860a3-6dca-4c8b-81d0-7b62769ccbca.md b/docs/queries/cloudformation-queries/aws/783860a3-6dca-4c8b-81d0-7b62769ccbca.md
new file mode 100644
index 00000000000..844cadc0f0d
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/783860a3-6dca-4c8b-81d0-7b62769ccbca.md
@@ -0,0 +1,264 @@
+---
+title: API Gateway Deployment Without API Gateway UsagePlan Associated
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 783860a3-6dca-4c8b-81d0-7b62769ccbca
+- **Query name:** API Gateway Deployment Without API Gateway UsagePlan Associated
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated)
+
+### Description
+API Gateway Deployment should have API Gateway UsagePlan defined and associated.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-deployment.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Router53"
+Resources:
+ Deployment:
+ Type: 'AWS::ApiGateway::Deployment'
+ Properties:
+ RestApiId: !Ref MyRestApi
+ Description: My deployment
+ StageName: Prod
+
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="4"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Router53"
+Resources:
+ Deployment1:
+ Type: 'AWS::ApiGateway::Deployment'
+ Properties:
+ RestApiId: !Ref MyRestApi
+ Description: My deployment
+ StageName: Prod
+ usagePlan1:
+ Type: 'AWS::ApiGateway::UsagePlan'
+ Properties:
+ ApiStages:
+ - ApiId: !Ref MyRestApi
+ Stage: !Ref Prod1
+ Description: Customer ABC's usage plan
+ Quota:
+ Limit: 5000
+ Period: MONTH
+ Throttle:
+ BurstLimit: 200
+ RateLimit: 100
+ UsagePlanName: Plan_ABC
+
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="4"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "Router53"
+Resources:
+ Deployment2:
+ Type: 'AWS::ApiGateway::Deployment'
+ Properties:
+ RestApiId: !Ref MyRestApi
+ Description: My deployment
+ StageName: Prod1
+ usagePlan2:
+ Type: 'AWS::ApiGateway::UsagePlan'
+ Properties:
+ ApiStages:
+ - ApiId: !Ref MyRestApi
+ Stage: !Ref Prod
+ Description: Customer ABC's usage plan
+ Quota:
+ Limit: 5000
+ Period: MONTH
+ Throttle:
+ BurstLimit: 200
+ RateLimit: 100
+ UsagePlanName: Plan_ABC
+
+```
+
Postitive test num. 4 - json file + +```json hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "Deployment": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "StageName": "Prod", + "RestApiId": "MyRestApi", + "Description": "My deployment" + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "Deployment1": { + "Properties": { + "RestApiId": "MyRestApi", + "Description": "My deployment", + "StageName": "Prod" + }, + "Type": "AWS::ApiGateway::Deployment" + }, + "usagePlan1": { + "Properties": { + "Quota": { + "Limit": 5000, + "Period": "MONTH" + }, + "Throttle": { + "BurstLimit": 200, + "RateLimit": 100 + }, + "UsagePlanName": "Plan_ABC", + "ApiStages": [ + { + "ApiId": "MyRestApi", + "Stage": "Prod1" + } + ], + "Description": "Customer ABC's usage plan" + }, + "Type": "AWS::ApiGateway::UsagePlan" + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "Deployment2": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": "MyRestApi", + "Description": "My deployment", + "StageName": "Prod1" + } + }, + "usagePlan2": { + "Type": "AWS::ApiGateway::UsagePlan", + "Properties": { + "ApiStages": [ + { + "ApiId": "MyRestApi", + "Stage": "Prod" + } + ], + "Description": "Customer ABC's usage plan", + "Quota": { + "Limit": 5000, + "Period": "MONTH" + }, + "Throttle": { + "BurstLimit": 200, + "RateLimit": 100 + }, + "UsagePlanName": "Plan_ABC" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + Deployment: + Type: 'AWS::ApiGateway::Deployment' + Properties: + RestApiId: !Ref MyRestApi + Description: My deployment + StageName: Prod + usagePlan: + Type: 'AWS::ApiGateway::UsagePlan' + Properties: + ApiStages: + - ApiId: !Ref MyRestApi + Stage: !Ref Prod + Description: Customer ABC's usage plan + Quota: + Limit: 5000 + Period: MONTH + Throttle: + BurstLimit: 200 + RateLimit: 100 + UsagePlanName: Plan_ABC +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "Deployment": { + "Type": "AWS::ApiGateway::Deployment", + "Properties": { + "RestApiId": "MyRestApi", + "Description": "My deployment", + "StageName": "Prod" + } + }, + "usagePlan": { + "Type": "AWS::ApiGateway::UsagePlan", + "Properties": { + "ApiStages": [ + { + "ApiId": "MyRestApi", + "Stage": "Prod" + } + ], + "Description": "Customer ABC's usage plan", + "Quota": { + "Limit": 5000, + "Period": "MONTH" + }, + "Throttle": { + "RateLimit": 100, + "BurstLimit": 200 + }, + "UsagePlanName": "Plan_ABC" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/79d745f0-d5f3-46db-9504-bef73e9fd528.md b/docs/queries/cloudformation-queries/aws/79d745f0-d5f3-46db-9504-bef73e9fd528.md new file mode 100644 index 00000000000..275dc6fad5a --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/79d745f0-d5f3-46db-9504-bef73e9fd528.md 
@@ -0,0 +1,696 @@
+---
+title: ECS Service Without Running Tasks
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 79d745f0-d5f3-46db-9504-bef73e9fd528
+- **Query name:** ECS Service Without Running Tasks
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecs_service_without_running_tasks)
+
+### Description
+ECS Service should have at least 1 task running
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#cfn-ecs-service-deploymentconfiguration) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="64" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating ECS service +Parameters: + AppName: + Type: String + Description: Name of app requiring ELB exposure + Default: simple-app + AppContainerPort: + Type: Number + Description: Container port of app requiring ELB exposure + Default: '80' + AppHostPort: + Type: Number + Description: Host port of app requiring ELB exposure + Default: '80' + ServiceName: + Type: String + LoadBalancerName: + Type: String + HealthCheckGracePeriodSeconds: + Type: String +Resources: + cluster: + Type: AWS::ECS::Cluster + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: !Ref AppName + MountPoints: + - SourceVolume: my-vol + ContainerPath: /var/www/my-vol + Image: amazon/amazon-ecs-sample + Cpu: '10' + PortMappings: + - ContainerPort: !Ref AppContainerPort + HostPort: !Ref AppHostPort + EntryPoint: + - /usr/sbin/apache2 + - '-D' + - FOREGROUND + Memory: '500' + Essential: true + - Name: busybox + Image: busybox + Cpu: '10' + EntryPoint: + - sh + - '-c' + Memory: '500' + Command: + - >- + /bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep + 1; done" + Essential: false + VolumesFrom: + - SourceContainer: !Ref AppName + Volumes: + - Host: + SourcePath: /var/lib/docker/vfs/dir/ + Name: my-vol + service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref cluster + DesiredCount: 0 + HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds + LoadBalancers: + - ContainerName: !Ref AppName + ContainerPort: !Ref AppContainerPort + LoadBalancerName: !Ref elb + PlacementStrategies: + - Type: binpack + Field: memory + - Type: spread + Field: host + PlacementConstraints: + - Type: memberOf + 
Expression: 'attribute:ecs.availability-zone != us-east-1d' + - Type: distinctInstance + TaskDefinition: !Ref taskdefinition + ServiceName: !Ref ServiceName + Role: !Ref Role + elb: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + LoadBalancerName: !Ref LoadBalancerName + Listeners: + - InstancePort: !Ref AppHostPort + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: + - !Ref Subnet1 + DependsOn: GatewayAttachment + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/24 + Subnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.0.0/25 + InternetGateway: + Type: AWS::EC2::InternetGateway + GatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref VPC + Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: ecs.amazonaws.com + Action: 'sts:AssumeRole' + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' +Outputs: + Cluster: + Value: !Ref cluster + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="152" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating ECS service", + "Parameters": { + "AppName": { + "Type": "String", + "Description": "Name of app requiring ELB exposure", + "Default": "simple-app" + }, + "AppContainerPort": { + "Default": "80", + "Type": "Number", + "Description": "Container port of app requiring ELB exposure" + }, + "AppHostPort": { + "Type": "Number", + "Description": "Host port of app requiring ELB exposure", + "Default": "80" + }, + "ServiceName": { + "Type": "String" + }, + "LoadBalancerName": { + "Type": "String" + }, + "HealthCheckGracePeriodSeconds": { + "Type": "String" + } + }, + "Resources": { + "cluster": { + "Type": "AWS::ECS::Cluster" + }, + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Cpu": "10", + "PortMappings": [ + { + "ContainerPort": "AppContainerPort", + "HostPort": "AppHostPort" + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": "500", + "Essential": true, + "Name": "AppName", + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample" + }, + { + "Name": "busybox", + "Image": "busybox", + "Cpu": "10", + "EntryPoint": [ + "sh", + "-c" + ], + "Memory": "500", + "Command": [ + "/bin/sh -c \"while true; do /bin/date \u003e /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false, + "VolumesFrom": [ + { + "SourceContainer": "AppName" + } + ] + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + }, + "elb": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "Listeners": [ + { + "InstancePort": "AppHostPort", + "LoadBalancerPort": "80", + "Protocol": "HTTP" + } + ], + "Subnets": [ + "Subnet1" + ], + "LoadBalancerName": "LoadBalancerName" + }, + "DependsOn": "GatewayAttachment" + }, + "VPC": { + 
"Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/24" + } + }, + "Subnet1": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": "VPC", + "CidrBlock": "10.0.0.0/25" + } + }, + "GatewayAttachment": { + "Properties": { + "InternetGatewayId": "InternetGateway", + "VpcId": "VPC" + }, + "Type": "AWS::EC2::VPCGatewayAttachment" + }, + "Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "ecs.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole" + ] + } + }, + "service": { + "Type": "AWS::ECS::Service", + "Properties": { + "LoadBalancers": [ + { + "ContainerName": "AppName", + "ContainerPort": "AppContainerPort", + "LoadBalancerName": "elb" + } + ], + "DesiredCount": 0, + "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds", + "PlacementStrategies": [ + { + "Field": "memory", + "Type": "binpack" + }, + { + "Type": "spread", + "Field": "host" + } + ], + "PlacementConstraints": [ + { + "Type": "memberOf", + "Expression": "attribute:ecs.availability-zone != us-east-1d" + }, + { + "Type": "distinctInstance" + } + ], + "TaskDefinition": "taskdefinition", + "ServiceName": "ServiceName", + "Role": "Role", + "Cluster": "cluster" + } + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway" + } + }, + "Outputs": { + "Cluster": { + "Value": "cluster" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating ECS service +Parameters: + AppName: + Type: String + Description: Name of app requiring ELB exposure + Default: simple-app + AppContainerPort: + Type: Number + Description: Container port of app requiring ELB exposure + Default: '80' + AppHostPort: + Type: Number + Description: Host port of app requiring ELB exposure + Default: '80' + ServiceName: + Type: String + LoadBalancerName: + Type: String + HealthCheckGracePeriodSeconds: + Type: String +Resources: + cluster: + Type: AWS::ECS::Cluster + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: !Ref AppName + MountPoints: + - SourceVolume: my-vol + ContainerPath: /var/www/my-vol + Image: amazon/amazon-ecs-sample + Cpu: '10' + PortMappings: + - ContainerPort: !Ref AppContainerPort + HostPort: !Ref AppHostPort + EntryPoint: + - /usr/sbin/apache2 + - '-D' + - FOREGROUND + Memory: '500' + Essential: true + - Name: busybox + Image: busybox + Cpu: '10' + EntryPoint: + - sh + - '-c' + Memory: '500' + Command: + - >- + /bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep + 1; done" + Essential: false + VolumesFrom: + - SourceContainer: !Ref AppName + Volumes: + - Host: + SourcePath: /var/lib/docker/vfs/dir/ + Name: my-vol + service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref cluster + DeploymentConfiguration: + MaximumPercent: 200 + MinimumHealthyPercent: 100 + DesiredCount: 0 + HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds + LoadBalancers: + - ContainerName: !Ref AppName + ContainerPort: !Ref AppContainerPort + LoadBalancerName: !Ref elb + PlacementStrategies: + - Type: binpack + Field: memory + - Type: spread + Field: host + PlacementConstraints: + - Type: memberOf + Expression: 'attribute:ecs.availability-zone != us-east-1d' + - Type: distinctInstance + TaskDefinition: !Ref taskdefinition + ServiceName: !Ref ServiceName + Role: !Ref Role + elb: + Type: 
AWS::ElasticLoadBalancing::LoadBalancer + Properties: + LoadBalancerName: !Ref LoadBalancerName + Listeners: + - InstancePort: !Ref AppHostPort + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: + - !Ref Subnet1 + DependsOn: GatewayAttachment + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/24 + Subnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.0.0.0/25 + InternetGateway: + Type: AWS::EC2::InternetGateway + GatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref VPC + Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: ecs.amazonaws.com + Action: 'sts:AssumeRole' + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' +Outputs: + Cluster: + Value: !Ref cluster + +``` +```json title="Negative test num. 2 - json file" +{ + "Description": "Creating ECS service", + "Parameters": { + "AppHostPort": { + "Default": "80", + "Type": "Number", + "Description": "Host port of app requiring ELB exposure" + }, + "ServiceName": { + "Type": "String" + }, + "LoadBalancerName": { + "Type": "String" + }, + "HealthCheckGracePeriodSeconds": { + "Type": "String" + }, + "AppName": { + "Type": "String", + "Description": "Name of app requiring ELB exposure", + "Default": "simple-app" + }, + "AppContainerPort": { + "Type": "Number", + "Description": "Container port of app requiring ELB exposure", + "Default": "80" + } + }, + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": "500", + "Essential": true, + "Name": "AppName", + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": "10", + 
"PortMappings": [ + { + "HostPort": "AppHostPort", + "ContainerPort": "AppContainerPort" + } + ] + }, + { + "VolumesFrom": [ + { + "SourceContainer": "AppName" + } + ], + "Name": "busybox", + "Image": "busybox", + "Cpu": "10", + "EntryPoint": [ + "sh", + "-c" + ], + "Memory": "500", + "Command": [ + "/bin/sh -c \"while true; do /bin/date \u003e /var/www/my-vol/date; sleep 1; done\"" + ], + "Essential": false + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + }, + "Subnet1": { + "Properties": { + "VpcId": "VPC", + "CidrBlock": "10.0.0.0/25" + }, + "Type": "AWS::EC2::Subnet" + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway" + }, + "Role": { + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17T00:00:00Z", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": "ecs.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }, + "ManagedPolicyArns": [ + "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole" + ] + }, + "Type": "AWS::IAM::Role" + }, + "cluster": { + "Type": "AWS::ECS::Cluster" + }, + "service": { + "Type": "AWS::ECS::Service", + "Properties": { + "DesiredCount": 0, + "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds", + "LoadBalancers": [ + { + "LoadBalancerName": "elb", + "ContainerName": "AppName", + "ContainerPort": "AppContainerPort" + } + ], + "PlacementStrategies": [ + { + "Type": "binpack", + "Field": "memory" + }, + { + "Field": "host", + "Type": "spread" + } + ], + "ServiceName": "ServiceName", + "Cluster": "cluster", + "DeploymentConfiguration": { + "MaximumPercent": 200, + "MinimumHealthyPercent": 100 + }, + "PlacementConstraints": [ + { + "Type": "memberOf", + "Expression": "attribute:ecs.availability-zone != us-east-1d" + }, + { + "Type": "distinctInstance" + } + ], + "TaskDefinition": "taskdefinition", + "Role": "Role" + } + }, + "elb": { + "DependsOn": "GatewayAttachment", + 
"Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "LoadBalancerName": "LoadBalancerName", + "Listeners": [ + { + "Protocol": "HTTP", + "InstancePort": "AppHostPort", + "LoadBalancerPort": "80" + } + ], + "Subnets": [ + "Subnet1" + ] + } + }, + "VPC": { + "Properties": { + "CidrBlock": "10.0.0.0/24" + }, + "Type": "AWS::EC2::VPC" + }, + "GatewayAttachment": { + "Properties": { + "InternetGatewayId": "InternetGateway", + "VpcId": "VPC" + }, + "Type": "AWS::EC2::VPCGatewayAttachment" + } + }, + "Outputs": { + "Cluster": { + "Value": "cluster" + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md b/docs/queries/cloudformation-queries/aws/7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md new file mode 100644 index 00000000000..8d60bacc272 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/7f384a5f-b5a2-4d84-8ca3-ee0a5247becb.md @@ -0,0 +1,344 @@ +--- +title: Empty Roles For ECS Cluster Task Definitions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7f384a5f-b5a2-4d84-8ca3-ee0a5247becb +- **Query name:** Empty Roles For ECS Cluster Task Definitions +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/empty_roles_for_ecs_cluster_task_definitions) + +### Description +Check if any ECS cluster has not defined proper roles for services' task definitions.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 41 6" +Resources: + NoTaskDefinition: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: ECSServiceRole + DesiredCount: 1 + LoadBalancers: + - TargetGroupArn: + Ref: TargetGroup + ContainerPort: 80 + ContainerName: sample-app + Cluster: + Ref: ECSCluster + InvalidTaskDefinition: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: ECSServiceRole + TaskDefinition: + Ref: MissingTaskDefinition + DesiredCount: 1 + LoadBalancers: + - TargetGroupArn: + Ref: TargetGroup + ContainerPort: 80 + ContainerName: sample-app + Cluster: + Ref: ECSCluster + TaskNoRole: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: ECSServiceRole + TaskDefinition: + Ref: ECSTaskDefinition + DesiredCount: 1 + LoadBalancers: + - TargetGroupArn: + Ref: TargetGroup + ContainerPort: 80 + ContainerName: sample-app + Cluster: + Ref: ECSCluster + ECSTaskDefinition: + Type: AWS::ECS::TaskDefinition + Properties: + Family: !Ref 'ServiceName' + Cpu: !Ref 'ContainerCpu' + Memory: !Ref 'ContainerMemory' + NetworkMode: awsvpc + RequiresCompatibilities: + - FARGATE + ExecutionRoleArn: + Fn::ImportValue: + !Join [':', [!Ref 'StackName', 'ECSTaskExecutionRole']] + ContainerDefinitions: + - Name: !Ref 'ServiceName' + Cpu: !Ref 'ContainerCpu' + Memory: !Ref 'ContainerMemory' + Image: !Ref 'ImageUrl' + PortMappings: + - ContainerPort: !Ref 'ContainerPort' + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="96 11 39" +{ + "Resources": { + "InvalidTaskDefinition": { + "DependsOn": [ + "Listener" + ], + "Properties": { + "Role": { + "Ref": "ECSServiceRole" + }, + "TaskDefinition": { + "Ref": "MissingTaskDefinition" + }, + "DesiredCount": 1, + "LoadBalancers": [ + { + "TargetGroupArn": { + "Ref": "TargetGroup" + }, + "ContainerPort": 80, + "ContainerName": "sample-app" + } + ], + "Cluster": { + "Ref": "ECSCluster" + } + }, + "Type": "AWS::ECS::Service" + }, + "TaskNoRole": { + "Type": "AWS::ECS::Service", + "DependsOn": [ + "Listener" + ], + "Properties": { + "Role": { + "Ref": "ECSServiceRole" + }, + "TaskDefinition": { + "Ref": "ECSTaskDefinition" + }, + "DesiredCount": 1, + "LoadBalancers": [ + { + "ContainerPort": 80, + "ContainerName": "sample-app", + "TargetGroupArn": { + "Ref": "TargetGroup" + } + } + ], + "Cluster": { + "Ref": "ECSCluster" + } + } + }, + "ECSTaskDefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Image": "ImageUrl", + "PortMappings": [ + { + "ContainerPort": "ContainerPort" + } + ], + "Name": "ServiceName", + "Cpu": "ContainerCpu", + "Memory": "ContainerMemory" + } + ], + "Family": "ServiceName", + "Cpu": "ContainerCpu", + "Memory": "ContainerMemory", + "NetworkMode": "awsvpc", + "RequiresCompatibilities": [ + "FARGATE" + ], + "ExecutionRoleArn": { + "Fn::ImportValue": [ + ":", + [ + "StackName", + "ECSTaskExecutionRole" + ] + ] + } + } + }, + "NoTaskDefinition": { + "Type": "AWS::ECS::Service", + "DependsOn": [ + "Listener" + ], + "Properties": { + "Role": { + "Ref": "ECSServiceRole" + }, + "DesiredCount": 1, + "LoadBalancers": [ + { + "TargetGroupArn": { + "Ref": "TargetGroup" + }, + "ContainerPort": 80, + "ContainerName": "sample-app" + } + ], + "Cluster": { + "Ref": "ECSCluster" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + ECSService: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: ECSServiceRole + TaskDefinition: + Ref: ECSTaskDefinition + DesiredCount: 1 + LoadBalancers: + - TargetGroupArn: + Ref: TargetGroup + ContainerPort: 80 + ContainerName: sample-app + Cluster: + Ref: ECSCluster + ECSTaskDefinition: + Type: AWS::ECS::TaskDefinition + Properties: + Family: !Ref 'ServiceName' + Cpu: !Ref 'ContainerCpu' + Memory: !Ref 'ContainerMemory' + NetworkMode: awsvpc + RequiresCompatibilities: + - FARGATE + ExecutionRoleArn: + Fn::ImportValue: + !Join [':', [!Ref 'StackName', 'ECSTaskExecutionRole']] + TaskRoleArn: + Fn::If: + - 'HasCustomRole' + - !Ref 'Role' + - !Ref "AWS::NoValue" + ContainerDefinitions: + - Name: !Ref 'ServiceName' + Cpu: !Ref 'ContainerCpu' + Memory: !Ref 'ContainerMemory' + Image: !Ref 'ImageUrl' + PortMappings: + - ContainerPort: !Ref 'ContainerPort' + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "ECSTaskDefinition": { + "Properties": { + "Memory": "ContainerMemory", + "NetworkMode": "awsvpc", + "RequiresCompatibilities": [ + "FARGATE" + ], + "ExecutionRoleArn": { + "Fn::ImportValue": [ + ":", + [ + "StackName", + "ECSTaskExecutionRole" + ] + ] + }, + "TaskRoleArn": { + "Fn::If": [ + "HasCustomRole", + "Role", + "AWS::NoValue" + ] + }, + "ContainerDefinitions": [ + { + "Name": "ServiceName", + "Cpu": "ContainerCpu", + "Memory": "ContainerMemory", + "Image": "ImageUrl", + "PortMappings": [ + { + "ContainerPort": "ContainerPort" + } + ] + } + ], + "Family": "ServiceName", + "Cpu": "ContainerCpu" + }, + "Type": "AWS::ECS::TaskDefinition" + }, + "ECSService": { + "Type": "AWS::ECS::Service", + "DependsOn": [ + "Listener" + ], + "Properties": { + "DesiredCount": 1, + "LoadBalancers": [ + { + "TargetGroupArn": { + "Ref": "TargetGroup" + }, + "ContainerPort": 80, + "ContainerName": "sample-app" + } + ], + "Cluster": { + "Ref": "ECSCluster" + }, + "Role": { + "Ref": 
"ECSServiceRole"
+ },
+ "TaskDefinition": {
+ "Ref": "ECSTaskDefinition"
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/7f65be75-90ab-4036-8c2a-410aef7bb650.md b/docs/queries/cloudformation-queries/aws/7f65be75-90ab-4036-8c2a-410aef7bb650.md
new file mode 100644
index 00000000000..bc72f219e02
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/7f65be75-90ab-4036-8c2a-410aef7bb650.md
@@ -0,0 +1,164 @@
+---
+title: Kinesis SSE Not Configured
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 7f65be75-90ab-4036-8c2a-410aef7bb650
+- **Query name:** Kinesis SSE Not Configured
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/kinesis_sse_not_configured)
+
+### Description
+AWS Kinesis Stream should have SSE (Server Side Encryption) defined
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kinesis-stream.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 26 19"
+Resources:
+ EventStream1:
+ Type: AWS::Kinesis::Stream
+ Properties:
+ Name: EventStream
+ RetentionPeriodHours: 24
+ ShardCount: 1
+ StreamEncryption:
+ EncryptionType: KMS
+ Tags:
+ - Key: Name
+ Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
+ EventStream2:
+ Type: AWS::Kinesis::Stream
+ Properties:
+ Name: EventStream
+ RetentionPeriodHours: 24
+ ShardCount: 1
+ StreamEncryption:
+ KeyId: !Ref myKey
+ Tags:
+ - Key: Name
+ Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
+ EventStream3:
+ Type: AWS::Kinesis::Stream
+ Properties:
+ Name: EventStream
+ RetentionPeriodHours: 24
+ ShardCount: 1
+ Tags:
+ - Key: Name
+ Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region}
+
+
+```
+```json title="Postitive test num. 
2 - json file" hl_lines="9 26 39" +{ + "Resources": { + "EventStream1": { + "Type": "AWS::Kinesis::Stream", + "Properties": { + "Name": "EventStream", + "RetentionPeriodHours": 24, + "ShardCount": 1, + "StreamEncryption": { + "EncryptionType": "KMS" + }, + "Tags": [ + { + "Key": "Name", + "Value": "${EnvironmentName}-EventStream-${AWS::Region}" + } + ] + } + }, + "EventStream2": { + "Type": "AWS::Kinesis::Stream", + "Properties": { + "Name": "EventStream", + "RetentionPeriodHours": 24, + "ShardCount": 1, + "StreamEncryption": { + "KeyId": "myKey" + }, + "Tags": [ + { + "Key": "Name", + "Value": "${EnvironmentName}-EventStream-${AWS::Region}" + } + ] + } + }, + "EventStream3": { + "Type": "AWS::Kinesis::Stream", + "Properties": { + "Name": "EventStream", + "RetentionPeriodHours": 24, + "ShardCount": 1, + "Tags": [ + { + "Key": "Name", + "Value": "${EnvironmentName}-EventStream-${AWS::Region}" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + EventStream: + Type: AWS::Kinesis::Stream + Properties: + Name: EventStream + RetentionPeriodHours: 24 + ShardCount: 1 + StreamEncryption: + EncryptionType: KMS + KeyId: !Ref myKey + Tags: + - Key: Name + Value: !Sub ${EnvironmentName}-EventStream-${AWS::Region} +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "EventStream": { + "Type": "AWS::Kinesis::Stream", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "${EnvironmentName}-EventStream-${AWS::Region}" + } + ], + "Name": "EventStream", + "RetentionPeriodHours": 24, + "ShardCount": 1, + "StreamEncryption": { + "EncryptionType": "KMS", + "KeyId": "myKey" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/7f8843f0-9ea5-42b4-a02b-753055113195.md b/docs/queries/cloudformation-queries/aws/7f8843f0-9ea5-42b4-a02b-753055113195.md new file mode 100644 index 00000000000..35b1fd0a194 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/7f8843f0-9ea5-42b4-a02b-753055113195.md @@ -0,0 +1,130 @@ +--- +title: Geo Restriction Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7f8843f0-9ea5-42b4-a02b-753055113195 +- **Query name:** Geo Restriction Disabled +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/geo_restriction_disabled) + +### Description +Geo Restriction feature should be enabled, to restrict or allow users in specific locations accessing web application content
+[Documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Logging: + IncludeCookies: 'false' + Bucket: mylogs.s3.amazonaws.com + Prefix: myprefix + Restrictions: + GeoRestriction: + RestrictionType: none + ViewerCertificate: + CloudFrontDefaultCertificate: 'true' +``` +```json title="Postitive test num. 2 - json file" hl_lines="15" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Logging": { + "IncludeCookies": "false", + "Bucket": "mylogs.s3.amazonaws.com", + "Prefix": "myprefix" + }, + "Restrictions": { + "GeoRestriction": { + "RestrictionType": "none" + } + }, + "ViewerCertificate": { + "CloudFrontDefaultCertificate": "true" + } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Logging: + IncludeCookies: 'false' + Bucket: mylogs.s3.amazonaws.com + Prefix: myprefix + Restrictions: + GeoRestriction: + RestrictionType: whitelist + Locations: + - AQ + - CV + ViewerCertificate: + CloudFrontDefaultCertificate: 'true' +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Logging": { + "IncludeCookies": "false", + "Bucket": "mylogs.s3.amazonaws.com", + "Prefix": "myprefix" + }, + "Restrictions": { + "GeoRestriction": { + "RestrictionType": "whitelist", + "Locations": [ + "AQ", + "CV" + ] + } + }, + "ViewerCertificate": { + "CloudFrontDefaultCertificate": "true" + } + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/7f8f1b60-43df-4c28-aa21-fb836dbd8071.md b/docs/queries/cloudformation-queries/aws/7f8f1b60-43df-4c28-aa21-fb836dbd8071.md new file mode 100644 index 00000000000..6abac0398e3 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/7f8f1b60-43df-4c28-aa21-fb836dbd8071.md @@ -0,0 +1,466 @@ +--- +title: API Gateway Stage Without API Gateway UsagePlan Associated +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7f8f1b60-43df-4c28-aa21-fb836dbd8071 +- **Query name:** API Gateway Stage Without API Gateway UsagePlan Associated +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_stage_without_api_gateway_usage_plan_associated) + +### Description +API Gateway Stage should have API Gateway UsagePlan defined and associated.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + Prod1: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + usagePlan1: + Type: 'AWS::ApiGateway::UsagePlan' + Properties: + ApiStages: + - ApiId: !Ref MyRestApi + Stage: !Ref Prod1 + Description: Customer ABC's usage plan + Quota: + Limit: 5000 + Period: MONTH + Throttle: + BurstLimit: 200 + RateLimit: 100 + UsagePlanName: Plan_ABC + + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + Prod2: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi1 + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + usagePlan2: + Type: 'AWS::ApiGateway::UsagePlan' + Properties: + ApiStages: + - ApiId: !Ref MyRestApi + Stage: !Ref Prod + Description: Customer ABC's usage plan + Quota: + Limit: 5000 + Period: MONTH + Throttle: + BurstLimit: 200 + RateLimit: 100 + UsagePlanName: Plan_ABC + + + + + + + + +``` +
Postitive test num. 4 - json file + +```json hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "Prod": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "MethodSettings": [ + { + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ResourcePath": "/", + "HttpMethod": "GET" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999" + }, + { + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555", + "ResourcePath": "/stack", + "HttpMethod": "GET", + "MetricsEnabled": "true" + } + ], + "StageName": "Prod", + "Description": "Prod Stage", + "RestApiId": "MyRestApi", + "DeploymentId": "TestDeployment", + "DocumentationVersion": "MyDocumentationVersion", + "ClientCertificateId": "ClientCertificate", + "Variables": { + "Stack": "Prod" + } + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "Prod1": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "Variables": { + "Stack": "Prod" + }, + "MethodSettings": [ + { + "ResourcePath": "/", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false" + }, + { + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999", + "ResourcePath": "/stack", + "HttpMethod": "POST" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555" + } + ], + "StageName": "Prod", + "Description": "Prod Stage", + "RestApiId": "MyRestApi", + "DeploymentId": "TestDeployment", + "DocumentationVersion": "MyDocumentationVersion", + "ClientCertificateId": "ClientCertificate" + } + }, + "usagePlan1": { + "Type": "AWS::ApiGateway::UsagePlan", + "Properties": { + "ApiStages": [ + { + "ApiId": "MyRestApi", + "Stage": "Prod1" + } + ], + "Description": "Customer ABC's usage plan", + "Quota": { + "Limit": 5000, + "Period": "MONTH" + }, + "Throttle": { + "BurstLimit": 200, + "RateLimit": 100 + }, + "UsagePlanName": "Plan_ABC" + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "Prod2": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "Variables": { + "Stack": "Prod" + }, + "MethodSettings": [ + { + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ResourcePath": "/" + }, + { + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999", + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "true" + }, + { + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555", + "ResourcePath": "/stack", + "HttpMethod": "GET" + } + ], + "StageName": "Prod", + "Description": "Prod Stage", + "RestApiId": "MyRestApi1", + "DeploymentId": "TestDeployment", + "DocumentationVersion": "MyDocumentationVersion", + "ClientCertificateId": "ClientCertificate" + } + }, + "usagePlan2": { + "Type": "AWS::ApiGateway::UsagePlan", + "Properties": { + "ApiStages": [ + { + "ApiId": "MyRestApi", + "Stage": "Prod" + } + ], + "Description": "Customer ABC's usage plan", + "Quota": { + "Limit": 5000, + "Period": "MONTH" + }, + "Throttle": { + "BurstLimit": 200, + "RateLimit": 100 + }, + "UsagePlanName": "Plan_ABC" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + usagePlan: + Type: 'AWS::ApiGateway::UsagePlan' + Properties: + ApiStages: + - ApiId: !Ref MyRestApi + Stage: !Ref Prod + Description: Customer ABC's usage plan + Quota: + Limit: 5000 + Period: MONTH + Throttle: + BurstLimit: 200 + RateLimit: 100 + UsagePlanName: Plan_ABC + + + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "Prod": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "ClientCertificateId": "ClientCertificate", + "Variables": { + "Stack": "Prod" + }, + "MethodSettings": [ + { + "ResourcePath": "/", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999" + }, + { + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555", + "ResourcePath": "/stack", + "HttpMethod": "GET" + } + ], + "StageName": "Prod", + "Description": "Prod Stage", + "RestApiId": "MyRestApi", + "DeploymentId": "TestDeployment", + "DocumentationVersion": "MyDocumentationVersion" + } + }, + "usagePlan": { + "Type": "AWS::ApiGateway::UsagePlan", + "Properties": { + "ApiStages": [ + { + "Stage": "Prod", + "ApiId": "MyRestApi" + } + ], + "Description": "Customer ABC's usage plan", + "Quota": { + "Period": "MONTH", + "Limit": 5000 + }, + "Throttle": { + "BurstLimit": 200, + "RateLimit": 100 + }, + "UsagePlanName": "Plan_ABC" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/7fd0d461-5b8c-4815-898c-f2b4b117eb28.md b/docs/queries/cloudformation-queries/aws/7fd0d461-5b8c-4815-898c-f2b4b117eb28.md new file mode 100644 index 00000000000..d73619255ef --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/7fd0d461-5b8c-4815-898c-f2b4b117eb28.md 
@@ -0,0 +1,343 @@ +--- +title: API Gateway Without Configured Authorizer +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7fd0d461-5b8c-4815-898c-f2b4b117eb28 +- **Query name:** API Gateway Without Configured Authorizer +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_without_configured_authorizer) + +### Description +API Gateway REST API should have an API Gateway Authorizer
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-authorizer.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + DevWebSocket: + Type: 'AWS::ApiGatewayV2::Api' + Properties: + Name: TL-Dev-WebSocket-API + ProtocolType: WEBSOCKET + RouteSelectionExpression: $request.body.action + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + DevWebSocket5: + Type: 'AWS::ApiGatewayV2::Api' + Properties: + Name: TL-Dev-WebSocket-API + ProtocolType: WEBSOCKET + RouteSelectionExpression: $request.body.action + DevAuthorizerLambda5: + Type: 'AWS::Serverless::Function' + Properties: + CodeUri: WebSockets/Authorizer + Role: 'arn:aws:iam::************:role/LambdaDynamoDB' + Environment: + Variables: + STAGE: Dev + DevAuthorizerLambdaPermission5: + Type: 'AWS::Lambda::Permission' + Properties: + Action: 'lambda:invokeFunction' + Principal: apigateway.amazonaws.com + FunctionName: + Ref: DevAuthorizerLambda + SourceArn: + 'Fn::Sub': + - >- + arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect + - __Stage__: '*' + __ApiId__: + Ref: DevWebSocket + DevWebSocketAuthorizer5: + Type: 'AWS::ApiGatewayV2::Authorizer' + Properties: + Name: DevAuthorizer + ApiId: + Ref: DevWebSocket222222 + AuthorizerType: REQUEST + AuthorizerUri: + 'Fn::Sub': >- + arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations + IdentitySource: + - route.request.querystring.token + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyRestApi6: + Type: AWS::ApiGateway::RestApi + Properties: + EndpointConfiguration: + Types: + - PRIVATE + Name: myRestApi + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="3" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyRestApi7: + Type: AWS::ApiGateway::RestApi + Properties: + EndpointConfiguration: + Types: + - PRIVATE + Name: myRestApi + Authorizer: + Type: 'AWS::ApiGateway::Authorizer' + Properties: + RestApiId: !Ref MyRestApi242 + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "DevWebSocket8": { + "Type": "AWS::ApiGatewayV2::Api", + "Properties": { + "Name": "TL-Dev-WebSocket-API", + "ProtocolType": "WEBSOCKET", + "RouteSelectionExpression": "$request.body.action" + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="20" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "DevWebSocketAuthorizer9": { + "Type": "AWS::ApiGatewayV2::Authorizer", + "Properties": { + "ApiId": { + "Ref": "DevWebSocket2err" + }, + "AuthorizerType": "REQUEST", + "AuthorizerUri": { + "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations" + }, + "IdentitySource": [ + "route.request.querystring.token" + ], + "Name": "DevAuthorizer" + } + }, + "DevWebSocket9": { + "Type": "AWS::ApiGatewayV2::Api", + "Properties": { + "Name": "TL-Dev-WebSocket-API", + "ProtocolType": "WEBSOCKET", + "RouteSelectionExpression": "$request.body.action" + } + }, + "DevAuthorizerLambda9": { + "Type": "AWS::Serverless::Function", + "Properties": { + "Environment": { + "Variables": { + "STAGE": "Dev" + } + }, + "CodeUri": "WebSockets/Authorizer", + "Role": "arn:aws:iam::************:role/LambdaDynamoDB" + } + }, + "DevAuthorizerLambdaPermission9": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "Principal": "apigateway.amazonaws.com", + "FunctionName": { + "Ref": "DevAuthorizerLambda" + }, + "SourceArn": { + "Fn::Sub": [ + "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect", + { + "__Stage__": "*", + "__ApiId__": { + "Ref": "DevWebSocket" + } + } + ] + }, + "Action": "lambda:invokeFunction" + } + } + } +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyRestApi10": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Name": "myRestApi" + } + } + } +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyRestApi11": { + "Type": "AWS::ApiGateway::RestApi", + "Properties": { + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Name": "myRestApi" + } + }, + "Authorizer": { + "Type": "AWS::ApiGateway::Authorizer", + "Properties": { + "RestApiId": "MyRestApiwww2" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + DevWebSocket2: + Type: 'AWS::ApiGatewayV2::Api' + Properties: + Name: TL-Dev-WebSocket-API + ProtocolType: WEBSOCKET + RouteSelectionExpression: $request.body.action + DevAuthorizerLambda: + Type: 'AWS::Serverless::Function' + Properties: + CodeUri: WebSockets/Authorizer + Role: 'arn:aws:iam::************:role/LambdaDynamoDB' + Environment: + Variables: + STAGE: Dev + DevAuthorizerLambdaPermission: + Type: 'AWS::Lambda::Permission' + Properties: + Action: 'lambda:invokeFunction' + Principal: apigateway.amazonaws.com + FunctionName: + Ref: DevAuthorizerLambda + SourceArn: + 'Fn::Sub': + - >- + arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${__ApiId__}/${__Stage__}/$connect + - __Stage__: '*' + __ApiId__: + Ref: DevWebSocket + DevWebSocketAuthorizer: + Type: 'AWS::ApiGatewayV2::Authorizer' + Properties: + Name: DevAuthorizer + ApiId: + Ref: DevWebSocket2 + AuthorizerType: REQUEST + AuthorizerUri: + 'Fn::Sub': >- + arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${DevAuthorizerLambda.Arn}/invocations + IdentitySource: + - route.request.querystring.token + +``` +```yaml title="Negative test num. 2 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MyRestApi2: + Type: AWS::ApiGateway::RestApi + Properties: + EndpointConfiguration: + Types: + - PRIVATE + Name: myRestApi + Authorizer: + Type: 'AWS::ApiGateway::Authorizer' + Properties: + RestApiId: !Ref MyRestApi2 + +``` +```json title="Negative test num. 
3 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyRestApi3": { + "Properties": { + "EndpointConfiguration": { + "Types": [ + "PRIVATE" + ] + }, + "Name": "myRestApi" + }, + "Type": "AWS::ApiGateway::RestApi" + }, + "Authorizer": { + "Type": "AWS::ApiGateway::Authorizer", + "Properties": { + "RestApiId": "MyRestApi3" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/800fa019-49dd-421b-9042-7331fdd83fa2.md b/docs/queries/cloudformation-queries/aws/800fa019-49dd-421b-9042-7331fdd83fa2.md new file mode 100644 index 00000000000..aa691cd5a8f --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/800fa019-49dd-421b-9042-7331fdd83fa2.md @@ -0,0 +1,105 @@ +--- +title: High Access Key Rotation Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 800fa019-49dd-421b-9042-7331fdd83fa2 +- **Query name:** High Access Key Rotation Period +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/access_key_not_rotated_within_90_days) + +### Description +ConfigRule should enforce access keys to be rotated within 90 days.
+[Documentation](https://docs.amazonaws.cn/en_us/config/latest/developerguide/access-keys-rotated.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +Resources: + ConfigRule: + Type: AWS::Config::ConfigRule + Properties: + ConfigRuleName: access-keys-rotated + InputParameters: + maxAccessKeyAge: 100 + Source: + Owner: AWS + SourceIdentifier: ACCESS_KEYS_ROTATED + MaximumExecutionFrequency: TwentyFour_Hours + + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "Resources": { + "ConfigRule": { + "Type": "AWS::Config::ConfigRule", + "Properties": { + "ConfigRuleName": "access-keys-rotated", + "InputParameters": { + "maxAccessKeyAge": 100 + }, + "Source": { + "Owner": "AWS", + "SourceIdentifier": "ACCESS_KEYS_ROTATED" + }, + "MaximumExecutionFrequency": "TwentyFour_Hours" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + ConfigRule: + Type: AWS::Config::ConfigRule + Properties: + ConfigRuleName: access-keys-rotated + InputParameters: + maxAccessKeyAge: 90 + Source: + Owner: AWS + SourceIdentifier: ACCESS_KEYS_ROTATED + MaximumExecutionFrequency: TwentyFour_Hours + + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "ConfigRule": { + "Type": "AWS::Config::ConfigRule", + "Properties": { + "MaximumExecutionFrequency": "TwentyFour_Hours", + "ConfigRuleName": "access-keys-rotated", + "InputParameters": { + "maxAccessKeyAge": 90 + }, + "Source": { + "SourceIdentifier": "ACCESS_KEYS_ROTATED", + "Owner": "AWS" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/80908a75-586b-4c61-ab04-490f4f4525b8.md b/docs/queries/cloudformation-queries/aws/80908a75-586b-4c61-ab04-490f4f4525b8.md new file mode 100644 index 00000000000..524a214563e --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/80908a75-586b-4c61-ab04-490f4f4525b8.md @@ -0,0 +1,213 @@ +--- +title: ELB Without Secure Protocol +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 80908a75-586b-4c61-ab04-490f4f4525b8 +- **Query name:** ELB Without Secure Protocol +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elb_without_secure_protocol) + +### Description +Check if the ELB is setup with SSL or HTTPS for secure communication
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11 13" +#this is a problematic code where the query should report a result(s) +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: '80' + InstanceProtocol: HTTP + LoadBalancerPort: '443' + Protocol: HTTP + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: '2' + UnhealthyThreshold: '3' + Interval: '10' + Timeout: '5' + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 +``` +```json title="Postitive test num. 
2 - json file" hl_lines="9 11" +{ + "Resources": { + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "Listeners": [ + { + "InstancePort": "80", + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTP", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate" + } + ], + "HealthCheck": { + "Target": "HTTP:80/", + "HealthyThreshold": "2", + "UnhealthyThreshold": "3", + "Interval": "10", + "Timeout": "5" + }, + "Policies": [ + { + "PolicyName": "My-SSLNegotiation-Policy", + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ] + } + ], + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + MyLoadBalancer1: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: '80' + InstanceProtocol: HTTPS + LoadBalancerPort: '443' + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: '2' + UnhealthyThreshold: '3' + Interval: '10' + Timeout: '5' + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "MyLoadBalancer1": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "CrossZone": true, + "Listeners": [ + { + "InstancePort": "80", + "InstanceProtocol": "HTTPS", + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate" + } + ], + "HealthCheck": { + "Interval": "10", + "Timeout": "5", + "Target": "HTTP:80/", + "HealthyThreshold": "2", + "UnhealthyThreshold": "3" + }, + "Policies": [ + { + "PolicyName": "My-SSLNegotiation-Policy", + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ] + } + ], + "AvailabilityZones": [ + "us-east-2a" + ] + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + MyLoadBalancer2: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: '9443' + InstanceProtocol: SSL + LoadBalancerPort: '443' + Protocol: SSL + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + +``` diff --git a/docs/queries/cloudformation-queries/aws/809f77f8-d10e-4842-a84f-3be7b6ff1190.md b/docs/queries/cloudformation-queries/aws/809f77f8-d10e-4842-a84f-3be7b6ff1190.md new file mode 100644 index 00000000000..e784e08a62b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/809f77f8-d10e-4842-a84f-3be7b6ff1190.md 
@@ -0,0 +1,208 @@ +--- +title: ELB Using Weak Ciphers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 809f77f8-d10e-4842-a84f-3be7b6ff1190 +- **Query name:** ELB Using Weak Ciphers +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elb_using_weak_ciphers) + +### Description +ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the ELB Listeners must not have Policies that posses Ciphers that coincide with any of a predefined list of weak ciphers.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="34 27 29" +#this is a problematic code where the query should report a result(s) +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: '80' + InstanceProtocol: HTTP + LoadBalancerPort: '443' + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: '2' + UnhealthyThreshold: '3' + Interval: '10' + Timeout: '5' + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: TLS_RSA_NULL_SHA1 + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + - Name: DHE-DSS-DES-CBC3-SHA + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + - PolicyName: My-SSLNegotiation-Policy2 + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: TLS_DHE_PSK_WITH_NULL_SHA256 + Value: ELBSecurityPolicy-TLS-1-2-2017-01 +``` +```json title="Postitive test num. 
2 - json file" hl_lines="40 49 35" +{ + "Resources": { + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true, + "Listeners": [ + { + "InstancePort": "80", + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate" + } + ], + "HealthCheck": { + "Target": "HTTP:80/", + "HealthyThreshold": "2", + "UnhealthyThreshold": "3", + "Interval": "10", + "Timeout": "5" + }, + "Policies": [ + { + "PolicyName": "My-SSLNegotiation-Policy", + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "TLS_RSA_NULL_SHA1", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + }, + { + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01", + "Name": "DHE-DSS-DES-CBC3-SHA" + } + ] + }, + { + "PolicyName": "My-SSLNegotiation-Policy2", + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "TLS_DHE_PSK_WITH_NULL_SHA256", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ] + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: '80' + InstanceProtocol: HTTP + LoadBalancerPort: '443' + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: '2' + UnhealthyThreshold: '3' + Interval: '10' + Timeout: '5' + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true, + "Listeners": [ + { + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", + "InstancePort": "80", + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ] + } + ], + "HealthCheck": { + "HealthyThreshold": "2", + "UnhealthyThreshold": "3", + "Interval": "10", + "Timeout": "5", + "Target": "HTTP:80/" + }, + "Policies": [ + { + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ], + "PolicyName": "My-SSLNegotiation-Policy" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162.md b/docs/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162.md new file mode 100644 index 00000000000..35b014972df --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162.md @@ -0,0 +1,155 @@ +--- +title: EBS Volume Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 80b7ac3f-d2b7-4577-9b10-df7913497162 +- **Query name:** EBS Volume Encryption Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ebs_volume_encryption_disabled) + +### Description +EBS volumes should be encrypted
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Volume" +Resources: + NewVolume: + Type: AWS::EC2::Volume + Properties: + Size: 100 + Encrypted: false + AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone + Tags: + - Key: MyTag + Value: TagValue + DeletionPolicy: Snapshot + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Volume 02" +Resources: + NewVolume02: + Type: AWS::EC2::Volume + Properties: + Size: 100 + AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone + Tags: + - Key: MyTag + Value: TagValue + DeletionPolicy: Snapshot + +``` +```json title="Postitive test num. 3 - json file" hl_lines="15" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Volume", + "Resources": { + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Properties": { + "Tags": [ + { + "Key": "MyTag", + "Value": "TagValue" + } + ], + "Size": 100, + "Encrypted": false, + "AvailabilityZone": "Ec2Instance.AvailabilityZone" + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="6" +{ + "Description": "Volume 02", + "Resources": { + "NewVolume02": { + "Type": "AWS::EC2::Volume", + "Properties": { + "Size": 100, + "AvailabilityZone": "Ec2Instance.AvailabilityZone", + "Tags": [ + { + "Key": "MyTag", + "Value": "TagValue" + } + ] + }, + "DeletionPolicy": "Snapshot" + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Volume" +Resources: + NewVolume: + Type: AWS::EC2::Volume + Properties: + Size: 100 + Encrypted: true + AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone + Tags: + - Key: MyTag + Value: TagValue + DeletionPolicy: Snapshot + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Volume", + "Resources": { + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Properties": { + "Encrypted": true, + "AvailabilityZone": "Ec2Instance.AvailabilityZone", + "Tags": [ + { + "Key": "MyTag", + "Value": "TagValue" + } + ], + "Size": 100 + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md b/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md new file mode 100644 index 00000000000..197c75447e7 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/80d45af4-4920-4236-a56e-b7ef419d1941.md @@ -0,0 +1,135 @@ +--- +title: API Gateway V2 Stage Access Logging Settings Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 80d45af4-4920-4236-a56e-b7ef419d1941 +- **Query name:** API Gateway V2 Stage Access Logging Settings Not Defined +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_v2_stage_access_logging_settings_not_defined) + +### Description +API Gateway V2 Stage should have Access Logging Settings defined.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-stage.html#cfn-apigatewayv2-stage-accesslogsettings) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + MyStage: + Type: 'AWS::ApiGatewayV2::Stage' + Properties: + StageName: Prod + Description: Prod Stage + DeploymentId: !Ref MyDeployment + ApiId: !Ref CFNWebSocket + DefaultRouteSettings: + DetailedMetricsEnabled: true + LoggingLevel: INFO + DataTraceEnabled: false + ThrottlingBurstLimit: 10 + ThrottlingRateLimit: 10 + + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "MyStage": { + "Type": "AWS::ApiGatewayV2::Stage", + "Properties": { + "Description": "Prod Stage", + "DeploymentId": "MyDeployment", + "ApiId": "CFNWebSocket", + "DefaultRouteSettings": { + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10, + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false + }, + "StageName": "Prod" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Resources: + MyStage: + Type: 'AWS::ApiGatewayV2::Stage' + Properties: + StageName: Prod + Description: Prod Stage + DeploymentId: !Ref MyDeployment + ApiId: !Ref CFNWebSocket + DefaultRouteSettings: + DetailedMetricsEnabled: true + LoggingLevel: INFO + DataTraceEnabled: false + ThrottlingBurstLimit: 10 + ThrottlingRateLimit: 10 + AccessLogSettings: + DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group' + Format: >- + {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp", + "caller":"$context.identity.caller", + "user":"$context.identity.user","requestTime":"$context.requestTime", + "eventType":"$context.eventType","routeKey":"$context.routeKey", + "status":"$context.status","connectionId":"$context.connectionId"} + + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "MyStage": { + "Type": "AWS::ApiGatewayV2::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "DeploymentId": "MyDeployment", + "ApiId": "CFNWebSocket", + "DefaultRouteSettings": { + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + "AccessLogSettings": { + "DestinationArn": "arn:aws:logs:us-east-1:123456789:log-group:my-log-group", + "Format": "{\"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\",\"requestTime\":\"$context.requestTime\", \"eventType\":\"$context.eventType\",\"routeKey\":\"$context.routeKey\", \"status\":\"$context.status\",\"connectionId\":\"$context.connectionId\"}" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53" +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/818f38ed-8446-4132-9c03-474d49e10195.md b/docs/queries/cloudformation-queries/aws/818f38ed-8446-4132-9c03-474d49e10195.md new file mode 100644 index 00000000000..1723b2882ae --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/818f38ed-8446-4132-9c03-474d49e10195.md @@ -0,0 +1,142 @@ +--- +title: SNS Topic Publicity Has Allow and NotAction Simultaneously +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 818f38ed-8446-4132-9c03-474d49e10195 +- **Query name:** SNS Topic Publicity Has Allow and NotAction Simultaneously +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously) + +### Description +SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-sns-policy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + mysnspolicy: + Type: AWS::SNS::TopicPolicy + Properties: + PolicyDocument: + Id: MyTopicPolicy + Version: '2012-10-17' + Statement: + - Sid: MyStatementId + Effect: Allow + NotAction: "s3:DeleteBucket" + Resource: "arn:aws:s3:::*" + - Sid: MyStatementId2 + Effect: Allow + NotAction: "iam:*" + Resource: "*" + Topics: + - !Ref mytopic +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "mysnspolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "PolicyDocument": { + "Id": "MyTopicPolicy", + "Version": "2012-10-17", + "Statement": [ + { + "NotAction": "s3:DeleteBucket", + "Resource": "arn:aws:s3:::*", + "Sid": "MyStatementId", + "Effect": "Allow" + }, + { + "Sid": "MyStatementId2", + "Effect": "Allow", + "NotAction": "iam:*", + "Resource": "*" + } + ] + }, + "Topics": [ + "mytopic" + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + mysnspolicy: + Type: AWS::SNS::TopicPolicy + Properties: + PolicyDocument: + Id: MyTopicPolicy + Version: '2012-10-17' + Statement: + - Sid: Mystatementid + Effect: Allow + Principal: + AWS: !GetAtt myuser.Arn + Action: sns:Publish + Resource: "*" + Topics: + - !Ref mytopic +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "mysnspolicy": { + "Type": "AWS::SNS::TopicPolicy", + "Properties": { + "PolicyDocument": { + "Id": "MyTopicPolicy", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Mystatementid", + "Effect": "Allow", + "Principal": { + "AWS": "myuser.Arn" + }, + "Action": "sns:Publish", + "Resource": "*" + } + ] + }, + "Topics": [ + "mytopic" + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/8275fab0-68ec-4705-bbf4-86975edb170e.md b/docs/queries/cloudformation-queries/aws/8275fab0-68ec-4705-bbf4-86975edb170e.md new file mode 100644 index 00000000000..ab050a78399 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/8275fab0-68ec-4705-bbf4-86975edb170e.md @@ -0,0 +1,230 @@ +--- +title: API Gateway Without Security Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8275fab0-68ec-4705-bbf4-86975edb170e +- **Query name:** API Gateway Without Security Policy +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_without_security_policy) + +### Description +API Gateway should have a Security Policy defined and use TLS 1.2.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-securitypolicy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="20" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Parameters: + cfnDomainName: + Type: String + certificateArn: + Type: String + type: + Type: String +Resources: + myDomainName: + Type: AWS::ApiGateway::DomainName + Properties: + CertificateArn: !Ref certificateArn + DomainName: !Ref cfnDomainName + EndpointConfiguration: + Types: + - !Ref type + RegionalCertificateArn: !Ref certificateArn + SecurityPolicy: "TLS_1_0" +Outputs: + DomainName: + Value: !Ref myDomainName + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Parameters: + cfnDomainName: + Type: String + certificateArn: + Type: String + type: + Type: String +Resources: + myDomainName1: + Type: AWS::ApiGateway::DomainName + Properties: + CertificateArn: !Ref certificateArn + DomainName: !Ref cfnDomainName + EndpointConfiguration: + Types: + - !Ref type + RegionalCertificateArn: !Ref certificateArn +Outputs: + DomainName: + Value: !Ref myDomainName + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="26" +{ + "Description": "Router53", + "Parameters": { + "cfnDomainName": { + "Type": "String" + }, + "certificateArn": { + "Type": "String" + }, + "type": { + "Type": "String" + } + }, + "Resources": { + "myDomainName": { + "Type": "AWS::ApiGateway::DomainName", + "Properties": { + "CertificateArn": "certificateArn", + "DomainName": "cfnDomainName", + "EndpointConfiguration": { + "Types": [ + "type" + ] + }, + "RegionalCertificateArn": "certificateArn", + "SecurityPolicy": "TLS_1_0" + } + } + }, + "Outputs": { + "DomainName": { + "Value": "myDomainName" + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="15" +{ + "Parameters": { + "type": { + "Type": "String" + }, + "cfnDomainName": { + "Type": "String" + }, + "certificateArn": { + "Type": "String" + } + }, + "Resources": { + "myDomainName1": { + "Properties": { + "DomainName": "cfnDomainName", + "EndpointConfiguration": { + "Types": [ + "type" + ] + }, + "RegionalCertificateArn": "certificateArn", + "CertificateArn": "certificateArn" + }, + "Type": "AWS::ApiGateway::DomainName" + } + }, + "Outputs": { + "DomainName": { + "Value": "myDomainName" + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Router53" +Parameters: + cfnDomainName: + Type: String + certificateArn: + Type: String + type: + Type: String +Resources: + myDomainName: + Type: AWS::ApiGateway::DomainName + Properties: + CertificateArn: !Ref certificateArn + DomainName: !Ref cfnDomainName + EndpointConfiguration: + Types: + - !Ref type + RegionalCertificateArn: !Ref certificateArn + SecurityPolicy: "TLS_1_2" +Outputs: + DomainName: + Value: !Ref myDomainName + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Parameters": { + "cfnDomainName": { + "Type": "String" + }, + "certificateArn": { + "Type": "String" + }, + "type": { + "Type": "String" + } + }, + "Resources": { + "myDomainName": { + "Type": "AWS::ApiGateway::DomainName", + "Properties": { + "DomainName": "cfnDomainName", + "EndpointConfiguration": { + "Types": [ + "type" + ] + }, + "RegionalCertificateArn": "certificateArn", + "SecurityPolicy": "TLS_1_2", + "CertificateArn": "certificateArn" + } + } + }, + "Outputs": { + "DomainName": { + "Value": "myDomainName" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md b/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md new file mode 100644 index 00000000000..7258c2d8c2b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md 
@@ -0,0 +1,111 @@ +--- +title: Unknown Port Exposed To Internet +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 829ce3b8-065c-41a3-ad57-e0accfea82d2 +- **Query name:** Unknown Port Exposed To Internet +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/unknown_port_exposed_to_internet) + +### Description +AWS Security Group should not have an unknown port exposed to the entire Internet
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Expose unknown port to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 23 + ToPort: 25 + CidrIp: 0.0.0.0/0 + +``` +```json title="Postitive test num. 2 - json file" hl_lines="12" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Expose unknown port to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 110, + "ToPort": 119, + "CidrIp": "0.0.0.0/0" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Expose known ports to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 20 + ToPort: 23 + CidrIp: 0.0.0.0/0 + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Expose known port to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/835d5497-a526-4aea-a23f-98a9afd1635f.md b/docs/queries/cloudformation-queries/aws/835d5497-a526-4aea-a23f-98a9afd1635f.md new file mode 100644 index 00000000000..d0b88b2c0d6 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/835d5497-a526-4aea-a23f-98a9afd1635f.md @@ -0,0 +1,442 @@ +--- +title: S3 Bucket ACL Allows Read to Any Authenticated User +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 835d5497-a526-4aea-a23f-98a9afd1635f +- **Query name:** S3 Bucket ACL Allows Read to Any Authenticated User +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_acl_allows_read_to_any_authenticated_user) + +### Description +S3 Buckets should not be readable to any authenticated user
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts01: + Type: AWS::S3::Bucket + Properties: + AccessControl: AuthenticatedRead + BucketName: jenkins-artifacts + Tags: + - Key: CostCenter + Value: ITEngineering + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + StaticPage01: + Type: AWS::S3::Bucket + Properties: + AccessControl: AuthenticatedRead + BucketName: public-read-static-page01 + WebsiteConfiguration: + ErrorDocument: 404.html + IndexDocument: index.html + Tags: + - Key: CostCenter + Value: ITEngineering + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts02: + Type: AWS::S3::Bucket + Properties: + AccessControl: AuthenticatedRead + BucketName: jenkins-artifacts-block-public + PublicAccessBlockConfiguration: + BlockPublicPolicy: false + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: ITEngineering + - Key: Type + Value: CICD + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + S3BucketForWebsiteContent: + Type: AWS::S3::Bucket + Properties: + AccessControl: AuthenticatedRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts01": { + "Properties": { + "AccessControl": "AuthenticatedRead", + "BucketName": "jenkins-artifacts", + "Tags": [ + { + "Value": "ITEngineering", + "Key": "CostCenter" + } + ] + }, + "Type": "AWS::S3::Bucket" + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "StaticPage01": { + "Properties": { + "AccessControl": "AuthenticatedRead", + "BucketName": "public-read-static-page01", + "WebsiteConfiguration": { + "ErrorDocument": "404.html", + "IndexDocument": "index.html" + }, + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + } + ] + }, + "Type": "AWS::S3::Bucket" + } + } +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="20" +{ + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts02": { + "Type": "AWS::S3::Bucket", + "Properties": { + "VersioningConfiguration": { + "Status": "Enabled" + }, + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + }, + { + "Key": "Type", + "Value": "CICD" + } + ], + "AccessControl": "AuthenticatedRead", + "BucketName": "jenkins-artifacts-block-public", + "PublicAccessBlockConfiguration": { + "BlockPublicPolicy": false + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="7" +{ + "Description": "Creating S3 bucket", + "Resources": { + "S3BucketForWebsiteContent": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "AuthenticatedRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts03: + Type: AWS::S3::Bucket + Properties: + AccessControl: BucketOwnerFullControl + BucketName: jenkins-artifacts + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: ITEngineering + - Key: Type + Value: CICD + +``` +```yaml title="Negative test num. 2 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts04: + Type: AWS::S3::Bucket + Properties: + AccessControl: Private + BucketName: jenkins-secret-artifacts + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: '' + +``` +```yaml title="Negative test num. 3 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + JenkinsArtifacts05: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicReadWrite + BucketName: jenkins-secret-artifacts2 + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: ITEngineering + +``` +
Negative test num. 4 - yaml file + +```yaml +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + StaticPage03: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicRead + BucketName: public-read-static-page + WebsiteConfiguration: + ErrorDocument: 404.html + IndexDocument: index.html + Tags: + - Key: CostCenter + Value: ITEngineering +Outputs: + WebsiteURL: + Value: + Fn::GetAtt: + - StaticPage03 + - WebsiteURL + Description: URL for website hosted on S3 + S3BucketSecureURL: + Value: + Fn::Join: + - "" + - - https:// + - Fn::GetAtt: + - StaticPage03 + - DomainName + Description: Name of S3 bucket to hold website content + +``` +
+
Negative test num. 5 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts03": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + }, + { + "Key": "Type", + "Value": "CICD" + } + ], + "AccessControl": "BucketOwnerFullControl", + "BucketName": "jenkins-artifacts", + "VersioningConfiguration": { + "Status": "Enabled" + } + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts04": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "Private", + "BucketName": "jenkins-secret-artifacts", + "VersioningConfiguration": { + "Status": "Enabled" + }, + "Tags": [ + { + "Key": "CostCenter", + "Value": "" + } + ] + } + } + } +} + +``` +
+
Negative test num. 7 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts05": { + "Properties": { + "BucketName": "jenkins-secret-artifacts2", + "VersioningConfiguration": { + "Status": "Enabled" + }, + "Tags": [ + { + "Value": "ITEngineering", + "Key": "CostCenter" + } + ], + "AccessControl": "PublicReadWrite" + }, + "Type": "AWS::S3::Bucket" + } + } +} + +``` +
+
Negative test num. 8 - json file + +```json +{ + "Resources": { + "StaticPage03": { + "Type": "AWS::S3::Bucket", + "Properties": { + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + } + ], + "AccessControl": "PublicRead", + "BucketName": "public-read-static-page", + "WebsiteConfiguration": { + "ErrorDocument": "404.html", + "IndexDocument": "index.html" + } + } + } + }, + "Outputs": { + "WebsiteURL": { + "Value": { + "Fn::GetAtt": [ + "StaticPage03", + "WebsiteURL" + ] + }, + "Description": "URL for website hosted on S3" + }, + "S3BucketSecureURL": { + "Description": "Name of S3 bucket to hold website content", + "Value": { + "Fn::Join": [ + "", + [ + "https://", + { + "Fn::GetAtt": [ + "StaticPage03", + "DomainName" + ] + } + ] + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket" +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/837e033c-4717-40bd-807e-6abaa30161b7.md b/docs/queries/cloudformation-queries/aws/837e033c-4717-40bd-807e-6abaa30161b7.md new file mode 100644 index 00000000000..8df26b78a91 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/837e033c-4717-40bd-807e-6abaa30161b7.md @@ -0,0 +1,98 @@ +--- +title: Stack Notifications Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 837e033c-4717-40bd-807e-6abaa30161b7 +- **Query name:** Stack Notifications Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/stack_notifications_disabled) + +### Description +AWS CloudFormation should have stack notifications enabled to be notified when an event occurs
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myStackWithParams: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template + Parameters: + InstanceType: t1.micro + KeyName: mykey + +``` +```json title="Postitive test num. 2 - json file" hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myStackWithParams": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template", + "Parameters": { + "InstanceType": "t1.micro", + "KeyName": "mykey" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myStackWithParams: + Type: AWS::CloudFormation::Stack + Properties: + NotificationARNs: + - "String" + TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template + Parameters: + InstanceType: t1.micro + KeyName: mykey + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myStackWithParams": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "NotificationARNs": [ + "string" + ], + "TemplateURL": "https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template", + "Parameters": { + "InstanceType": "t1.micro", + "KeyName": "mykey" + } + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/839f238f-2e3a-4a72-b945-8abdf91af955.md b/docs/queries/cloudformation-queries/aws/839f238f-2e3a-4a72-b945-8abdf91af955.md new file mode 100644 index 00000000000..09b9286528e --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/839f238f-2e3a-4a72-b945-8abdf91af955.md @@ -0,0 +1,257 @@ +--- +title: IAM Password Without Number +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 839f238f-2e3a-4a72-b945-8abdf91af955 +- **Query name:** IAM Password Without Number +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_password_without_number) + +### Description +IAM user resource Login Profile Password should have at least one number
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssWordleng + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + - PolicyName: giveaccesstotopiconly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sns:* + Resource: + - !Ref mytopic + - Effect: Deny + Action: + - sns:* + NotResource: + - !Ref mytopic +``` +```json title="Postitive test num. 2 - json file" hl_lines="10" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssWordleng" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "NotResource": [ + "myqueue.Arn" + ], + "Effect": "Deny", + "Action": [ + "sqs:*" + ] + } + ] + } + }, + { + "PolicyName": "giveaccesstotopiconly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sns:*" + ], + "Resource": [ + "mytopic" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sns:*" + ], + "NotResource": [ + "mytopic" + ] + } + ] + } + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rdleng + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + - PolicyName: giveaccesstotopiconly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sns:* + Resource: + - !Ref mytopic + - Effect: Deny + Action: + - sns:* + NotResource: + - !Ref mytopic +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rdleng" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ], + "Version": "2012-10-17" + } + }, + { + "PolicyDocument": { + "Statement": [ + { + "Resource": [ + "mytopic" + ], + "Effect": "Allow", + "Action": [ + "sns:*" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sns:*" + ], + "NotResource": [ + "mytopic" + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "giveaccesstotopiconly" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md b/docs/queries/cloudformation-queries/aws/85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md new file mode 100644 index 00000000000..c19ec09e966 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7.md 
@@ -0,0 +1,332 @@ +--- +title: Cross-Account IAM Assume Role Policy Without ExternalId or MFA +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 85138beb-ce7c-4ca3-a09f-e8fbcc57ddd7 +- **Query name:** Cross-Account IAM Assume Role Policy Without ExternalId or MFA +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa) + +### Description +Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + RootRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: > + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "" + } + ] + } + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "RootRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "" + } + ] + }, + "Path": "/" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + RootRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: > + { + "Version": "2012-10-17", + "Statement": { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "", + "Condition": { + "Bool": { + "aws:MultiFactorAuthPresent": "false" + } + } + } + } + +``` +
Postitive test num. 4 - json file + +```json hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "RootRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "", + "Condition": { + "Bool": { + "aws:MultiFactorAuthPresent": "false" + } + } + } + }, + "Path": "/" + } + } + } +} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + RootRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: > + { + "Version": "2012-10-17", + "Statement": { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + } + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "RootRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "", + "Condition": { + "StringEquals": { + "sts:ExternalId": "" + } + } + } + }, + "Path": "/" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + RootRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: > + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "", + "Condition": { + "StringEquals": { + "sts:ExternalId": "98765" + } + } + } + ] + } + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "RootRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "", + "Condition": { + "StringEquals": { + "sts:ExternalId": "98765" + } + } + } + ] + }, + "Path": "/" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + RootRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: > + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "", + "Condition": { + "Bool": { + "aws:MultiFactorAuthPresent": "true" + } + } + } + ] + } + +``` +
Negative test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "RootRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::987654321145:root" + }, + "Effect": "Allow", + "Resource": "*", + "Sid": "", + "Condition": { + "Bool": { + "aws:MultiFactorAuthPresent": "true" + } + } + } + ] + }, + "Path": "/" + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/860ba89b-b8de-4e72-af54-d6aee4138a69.md b/docs/queries/cloudformation-queries/aws/860ba89b-b8de-4e72-af54-d6aee4138a69.md new file mode 100644 index 00000000000..8dfc8dc5863 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/860ba89b-b8de-4e72-af54-d6aee4138a69.md @@ -0,0 +1,106 @@ +--- +title: S3 Bucket Allows Public Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 860ba89b-b8de-4e72-af54-d6aee4138a69 +- **Query name:** S3 Bucket Allows Public Policy +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_with_public_policy) + +### Description +S3 bucket allows public policy
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 19 4" +Resources: + Bucket11: + Type: AWS::S3::Bucket + Properties: +--- +Resources: + Bucket12: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + RestrictPublicBuckets : true +--- +Resources: + Bucket13: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: false + BlockPublicPolicy : false + IgnorePublicAcls : false + RestrictPublicBuckets : true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "Resources": { + "Bucket1": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": false, + "BlockPublicPolicy": false, + "IgnorePublicAcls": false, + "RestrictPublicBuckets": true + }, + "AccessControl": "Private" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + Bucket1: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls : true + BlockPublicPolicy : true + IgnorePublicAcls : true + RestrictPublicBuckets : true +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Bucket1": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "AccessControl": "Private" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/86a248ab-0e01-4564-a82a-878303e253bb.md b/docs/queries/cloudformation-queries/aws/86a248ab-0e01-4564-a82a-878303e253bb.md new file mode 100644 index 00000000000..e8d8dcb1c7f --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/86a248ab-0e01-4564-a82a-878303e253bb.md @@ -0,0 +1,296 @@ +--- +title: ElasticSearch Not Encrypted At Rest +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 86a248ab-0e01-4564-a82a-878303e253bb +- **Query name:** ElasticSearch Not Encrypted At Rest +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elasticsearch_not_encrypted_at_rest) + +### Description +Check if ElasticSearch encryption is disabled at Rest
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-encryptionatrestoptions) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Resources: + ElasticsearchDomain: + Type: AWS::Elasticsearch::Domain + Properties: + DomainName: "test" + ElasticsearchClusterConfig: + DedicatedMasterEnabled: "true" + InstanceCount: "2" + ZoneAwarenessEnabled: "true" + InstanceType: "m3.medium.elasticsearch" + DedicatedMasterType: "m3.medium.elasticsearch" + DedicatedMasterCount: "3" + EncryptionAtRestOptions: + Enabled: false + EBSOptions: + EBSEnabled: true + Iops: 0 + VolumeSize: 20 + VolumeType: "gp2" + SnapshotOptions: + AutomatedSnapshotStartHour: "0" + AccessPolicies: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Principal: + AWS: "arn:aws:iam::123456789012:user/es-user" + Action: "es:*" + Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*" + AdvancedOptions: + rest.action.multi.allow_explicit_index: "true" + + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Resources: + ElasticsearchDomain1: + Type: AWS::Elasticsearch::Domain + Properties: + DomainName: "test" + ElasticsearchClusterConfig: + DedicatedMasterEnabled: "true" + InstanceCount: "2" + ZoneAwarenessEnabled: "true" + InstanceType: "m3.medium.elasticsearch" + DedicatedMasterType: "m3.medium.elasticsearch" + DedicatedMasterCount: "3" + EBSOptions: + EBSEnabled: true + Iops: 0 + VolumeSize: 20 + VolumeType: "gp2" + SnapshotOptions: + AutomatedSnapshotStartHour: "0" + AccessPolicies: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Principal: + AWS: "arn:aws:iam::123456789012:user/es-user" + Action: "es:*" + Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*" + AdvancedOptions: + rest.action.multi.allow_explicit_index: "true" + +``` +```json title="Postitive test num. 3 - json file" hl_lines="8" +{ + "Description": "Creates RDS Cluster", + "Resources": { + "ElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "EncryptionAtRestOptions": { + "Enabled": false + }, + "EBSOptions": { + "EBSEnabled": true, + "Iops": 0, + "VolumeSize": 20, + "VolumeType": "gp2" + }, + "SnapshotOptions": { + "AutomatedSnapshotStartHour": "0" + }, + "AccessPolicies": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/es-user" + }, + "Action": "es:*", + "Resource": "arn:aws:es:us-east-1:846973539254:domain/test/*" + } + ] + }, + "AdvancedOptions": { + "rest.action.multi.allow_explicit_index": "true" + }, + "DomainName": "test", + "ElasticsearchClusterConfig": { + "DedicatedMasterType": "m3.medium.elasticsearch", + "DedicatedMasterCount": "3", + "DedicatedMasterEnabled": "true", + "InstanceCount": "2", + "ZoneAwarenessEnabled": "true", + "InstanceType": "m3.medium.elasticsearch" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="5" +{ + "Resources": { + "ElasticsearchDomain1": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "DomainName": "test", + "ElasticsearchClusterConfig": { + "InstanceCount": "2", + "ZoneAwarenessEnabled": "true", + "InstanceType": "m3.medium.elasticsearch", + "DedicatedMasterType": "m3.medium.elasticsearch", + "DedicatedMasterCount": "3", + "DedicatedMasterEnabled": "true" + }, + "EBSOptions": { + "EBSEnabled": true, + "Iops": 0, + "VolumeSize": 20, + "VolumeType": "gp2" + }, + "SnapshotOptions": { + "AutomatedSnapshotStartHour": "0" + }, + "AccessPolicies": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/es-user" + }, + "Action": "es:*", + "Resource": "arn:aws:es:us-east-1:846973539254:domain/test/*" + } + ] + }, + "AdvancedOptions": { + "rest.action.multi.allow_explicit_index": "true" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Resources: + ElasticsearchDomain: + Type: AWS::Elasticsearch::Domain + Properties: + DomainName: "test" + ElasticsearchClusterConfig: + DedicatedMasterEnabled: "true" + InstanceCount: "2" + ZoneAwarenessEnabled: "true" + InstanceType: "m3.medium.elasticsearch" + DedicatedMasterType: "m3.medium.elasticsearch" + DedicatedMasterCount: "3" + EncryptionAtRestOptions: + Enabled: true + EBSOptions: + EBSEnabled: true + Iops: 0 + VolumeSize: 20 + VolumeType: "gp2" + SnapshotOptions: + AutomatedSnapshotStartHour: "0" + AccessPolicies: + Version: "2012-10-17" + Statement: + - + Effect: "Allow" + Principal: + AWS: "arn:aws:iam::123456789012:user/es-user" + Action: "es:*" + Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*" + AdvancedOptions: + rest.action.multi.allow_explicit_index: "true" + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "ElasticsearchDomain": { + "Type": "AWS::Elasticsearch::Domain", + "Properties": { + "AccessPolicies": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/es-user" + }, + "Action": "es:*", + "Resource": "arn:aws:es:us-east-1:846973539254:domain/test/*" + } + ] + }, + "AdvancedOptions": { + "rest.action.multi.allow_explicit_index": "true" + }, + "DomainName": "test", + "ElasticsearchClusterConfig": { + "DedicatedMasterCount": "3", + "DedicatedMasterEnabled": "true", + "InstanceCount": "2", + "ZoneAwarenessEnabled": "true", + "InstanceType": "m3.medium.elasticsearch", + "DedicatedMasterType": "m3.medium.elasticsearch" + }, + "EncryptionAtRestOptions": { + "Enabled": true + }, + "EBSOptions": { + "EBSEnabled": true, + "Iops": 0, + "VolumeSize": 20, + "VolumeType": "gp2" + }, + "SnapshotOptions": { + "AutomatedSnapshotStartHour": "0" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/87482183-a8e7-4e42-a566-7a23ec231c16.md b/docs/queries/cloudformation-queries/aws/87482183-a8e7-4e42-a566-7a23ec231c16.md new file mode 100644 index 00000000000..00badd92714 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/87482183-a8e7-4e42-a566-7a23ec231c16.md @@ -0,0 +1,289 @@ +--- +title: Security Group Ingress With Port Range +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 87482183-a8e7-4e42-a566-7a23ec231c16 +- **Query name:** Security Group Ingress With Port Range +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_group_ingress_with_port_range) + +### Description +AWS Security Group Ingress should have a single port
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 37" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 87 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 87 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="9 53" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "Description": "TCP", + "FromPort": 80, + "ToPort": 87, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 87, + "CidrIp": "0.0.0.0/0" + } + ], + "GroupDescription": "Allow http to client host" + } + }, + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "ToPort": 65535, + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0 + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 0 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 0 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 0, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "Description": "TCP" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "OutboundRule": { + "Properties": { + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 
0, + "ToPort": 0 + }, + "Type": "AWS::EC2::SecurityGroupEgress" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/88d55d94-315d-4564-beee-d2d725feab11.md b/docs/queries/cloudformation-queries/aws/88d55d94-315d-4564-beee-d2d725feab11.md new file mode 100644 index 00000000000..2c6b8bd5533 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/88d55d94-315d-4564-beee-d2d725feab11.md @@ -0,0 +1,91 @@ +--- +title: SageMaker Enabling Internet Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 88d55d94-315d-4564-beee-d2d725feab11 +- **Query name:** SageMaker Enabling Internet Access +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sagemaker_enabling_internet_access) + +### Description +SageMaker must have disabled internet access and root access for Creating Notebook Instances.
+[Documentation](https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#sagemaker-condition-nbi-lockdown) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Internet access and root access for Creating Notebook Instances" +Resources: + Notebook: + Type: AWS::SageMaker::NotebookInstance + Properties: + DirectInternetAccess: "Enabled" + InstanceType: "ml.c4.2xlarge" + RoleArn: "role" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "Resources": { + "Notebook": { + "Type": "AWS::SageMaker::NotebookInstance", + "Properties": { + "InstanceType": "ml.c4.2xlarge", + "RoleArn": "role", + "DirectInternetAccess": "Enabled" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Internet access and root access for Creating Notebook Instances" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Internet access and root access for Creating Notebook Instances" +Resources: + Notebook: + Type: AWS::SageMaker::NotebookInstance + Properties: + DirectInternetAccess: "Disabled" + InstanceType: "ml.c4.2xlarge" + RoleArn: "role" + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Internet access and root access for Creating Notebook Instances", + "Resources": { + "Notebook": { + "Type": "AWS::SageMaker::NotebookInstance", + "Properties": { + "DirectInternetAccess": "Disabled", + "InstanceType": "ml.c4.2xlarge", + "RoleArn": "role" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/89827c57-5a8a-49eb-9731-976a606d70db.md b/docs/queries/cloudformation-queries/aws/89827c57-5a8a-49eb-9731-976a606d70db.md new file mode 100644 index 00000000000..a2072a7a51d 
--- /dev/null +++ b/docs/queries/cloudformation-queries/aws/89827c57-5a8a-49eb-9731-976a606d70db.md @@ -0,0 +1,201 @@ +--- +title: Workspace Without Encryption +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 89827c57-5a8a-49eb-9731-976a606d70db +- **Query name:** Workspace Without Encryption +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/workspace_without_encryption) + +### Description +Workspaces should have encryption enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-workspaces-workspace.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +Resources: + MyWorkSpace: + Type: AWS::WorkSpaces::Workspace + Properties: + BundleId: !FindInMap + - WSTypeMap + - !Ref 'WorkstationType' + - BundleId + DirectoryId: !FindInMap + - WSTypeMap + - !Ref 'WorkstationType' + - DirectoryId + UserName: !Ref 'UserName' + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +Resources: + MyWorkSpace2: + Type: AWS::WorkSpaces::Workspace + Properties: + BundleId: !FindInMap + - WSTypeMap + - !Ref 'WorkstationType' + - BundleId + DirectoryId: !FindInMap + - WSTypeMap + - !Ref 'WorkstationType' + - DirectoryId + UserName: !Ref 'UserName' + UserVolumeEncryptionEnabled: false + +``` +```json title="Postitive test num. 3 - json file" hl_lines="5" +{ + "Resources": { + "MyWorkSpace": { + "Type": "AWS::WorkSpaces::Workspace", + "Properties": { + "BundleId": [ + "WSTypeMap", + "WorkstationType", + "BundleId" + ], + "DirectoryId": [ + "WSTypeMap", + "WorkstationType", + "DirectoryId" + ], + "UserName": "UserName" + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="17" +{ + "Resources": { + "MyWorkSpace2": { + "Type": "AWS::WorkSpaces::Workspace", + "Properties": { + "BundleId": [ + "WSTypeMap", + "WorkstationType", + "BundleId" + ], + "DirectoryId": [ + "WSTypeMap", + "WorkstationType", + "DirectoryId" + ], + "UserName": "UserName", + "UserVolumeEncryptionEnabled": false + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + MyWorkSpace: + Type: AWS::WorkSpaces::Workspace + Properties: + BundleId: !FindInMap + - WSTypeMap + - !Ref 'WorkstationType' + - BundleId + DirectoryId: !FindInMap + - WSTypeMap + - !Ref 'WorkstationType' + - DirectoryId + UserName: !Ref 'UserName' + UserVolumeEncryptionEnabled: true + +``` +```yaml title="Negative test num. 2 - yaml file" +Resources: + MyWorkSpace2: + Type: AWS::WorkSpaces::Workspace + Properties: + BundleId: !FindInMap + - WSTypeMap + - !Ref 'WorkstationType' + - BundleId + DirectoryId: !FindInMap + - WSTypeMap + - !Ref 'WorkstationType' + - DirectoryId + UserName: !Ref 'UserName' + UserVolumeEncryptionEnabled: 'true' + +``` +```json title="Negative test num. 3 - json file" +{ + "Resources": { + "MyWorkSpace": { + "Type": "AWS::WorkSpaces::Workspace", + "Properties": { + "BundleId": [ + "WSTypeMap", + "WorkstationType", + "BundleId" + ], + "DirectoryId": [ + "WSTypeMap", + "WorkstationType", + "DirectoryId" + ], + "UserName": "UserName", + "UserVolumeEncryptionEnabled": true + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "MyWorkSpace2": { + "Type": "AWS::WorkSpaces::Workspace", + "Properties": { + "BundleId": [ + "WSTypeMap", + "WorkstationType", + "BundleId" + ], + "DirectoryId": [ + "WSTypeMap", + "WorkstationType", + "DirectoryId" + ], + "UserName": "UserName", + "UserVolumeEncryptionEnabled": "true" + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861.md b/docs/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861.md new file mode 100644 index 00000000000..d35bad3453d --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861.md @@ -0,0 +1,312 @@ +--- +title: Instance With No VPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8a6d36cd-0bc6-42b7-92c4-67acc8576861 +- **Query name:** Instance With No VPC +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/instance_with_no_vpc) + +### Description +EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
+[Documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-vpc.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +Resources: + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.1.0.0/16 + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Join ['', [!Ref "AWS::StackName", "-VPC" ]] + InternetGateway: + Type: AWS::EC2::InternetGateway + DependsOn: VPC + AttachGateway: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: !Ref VPC + InternetGatewayId: !Ref InternetGateway + PublicSubnetA: + Type: AWS::EC2::Subnet + Properties: + CidrBlock: 10.1.10.0/24 + AvailabilityZone: !Select [ 0, !GetAZs ] # Obtenha o primeiro AZ na lista + Tags: + - Key: Name + Value: !Sub ${AWS::StackName}-Public-A + Ec2Instance-01: + Type: AWS::EC2::Instance + Properties: + ImageId: "some-ec2-image" + Fn::FindInMap: + - "RegionMap" + - Ref: "AWS::Region" + - "AMI" + KeyName: "some-rsa-key" + Ref: "KeyName" + NetworkInterfaces: + - AssociatePublicIpAddress: "true" + DeviceIndex: 0 + SubnetId: !Ref PublicSubnetA + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +Resources: + Ec2Instance-02: + Type: AWS::EC2::Instance + Properties: + ImageId: "some-ec2-image" + Fn::FindInMap: + - "RegionMap" + - Ref: "AWS::Region" + - "AMI" + KeyName: "some-rsa-key" + Ref: "KeyName" + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="35" +{ + "Resources": { + "VPC": { + "Properties": { + "Tags": [ + { + "Value": [ + "", + [ + "AWS::StackName", + "-VPC" + ] + ], + "Key": "Name" + } + ], + "CidrBlock": "10.1.0.0/16", + "EnableDnsSupport": true, + "EnableDnsHostnames": true + }, + "Type": "AWS::EC2::VPC" + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway", + "DependsOn": "VPC" + }, + "AttachGateway": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": "VPC", + "InternetGatewayId": "InternetGateway" + } + }, + "PublicSubnetA": { + "Properties": { + "CidrBlock": "10.1.10.0/24", + "AvailabilityZone": [ + 0, + "" + ], + "Tags": [ + { + "Key": "Name", + "Value": "${AWS::StackName}-Public-A" + } + ] + }, + "Type": "AWS::EC2::Subnet" + }, + "Ec2Instance-01": { + "Type": "AWS::EC2::Instance", + "Properties": { + "Fn::FindInMap": [ + "RegionMap", + { + "Ref": "AWS::Region" + }, + "AMI" + ], + "KeyName": "some-rsa-key", + "Ref": "KeyName", + "NetworkInterfaces": [ + { + "AssociatePublicIpAddress": "true", + "DeviceIndex": 0, + "SubnetId": "PublicSubnetA" + } + ], + "ImageId": "some-ec2-image" + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="5" +{ + "Resources": { + "Ec2Instance-02": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "some-ec2-image", + "Fn::FindInMap": [ + "RegionMap", + { + "Ref": "AWS::Region" + }, + "AMI" + ], + "KeyName": "some-rsa-key", + "Ref": "KeyName" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + VPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.1.0.0/16 + EnableDnsSupport: true + EnableDnsHostnames: true + Tags: + - Key: Name + Value: !Join ['', [!Ref "AWS::StackName", "-VPC" ]] + InternetGateway: + Type: AWS::EC2::InternetGateway + DependsOn: VPC + AttachGateway: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: !Ref VPC + InternetGatewayId: !Ref InternetGateway + PublicSubnetA: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref VPC + CidrBlock: 10.1.10.0/24 + AvailabilityZone: !Select [ 0, !GetAZs ] # Obtenha o primeiro AZ na lista + Tags: + - Key: Name + Value: !Sub ${AWS::StackName}-Public-A + Ec2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: 'some-ec2-image' + Fn::FindInMap: + - "RegionMap" + - Ref: "AWS::Region" + - "AMI" + KeyName: 'some-rsa-key' + Ref: "KeyName" + NetworkInterfaces: + - AssociatePublicIpAddress: "true" + DeviceIndex: 0 + SubnetId: !Ref PublicSubnetA + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "VPC": { + "Type": "AWS::EC2::VPC", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": [ + "", + [ + "AWS::StackName", + "-VPC" + ] + ] + } + ], + "CidrBlock": "10.1.0.0/16", + "EnableDnsSupport": true, + "EnableDnsHostnames": true + } + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway", + "DependsOn": "VPC" + }, + "AttachGateway": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": "VPC", + "InternetGatewayId": "InternetGateway" + } + }, + "PublicSubnetA": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "CidrBlock": "10.1.10.0/24", + "AvailabilityZone": [ + 0, + "" + ], + "Tags": [ + { + "Value": "${AWS::StackName}-Public-A", + "Key": "Name" + } + ], + "VpcId": "VPC" + } + }, + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "KeyName": "some-rsa-key", + "Ref": "KeyName", + "NetworkInterfaces": [ + { + "AssociatePublicIpAddress": "true", + "DeviceIndex": 0, + "SubnetId": "PublicSubnetA" + } + ], + "ImageId": "some-ec2-image", + "Fn::FindInMap": [ + "RegionMap", + { + "Ref": "AWS::Region" + }, + "AMI" + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/8c415f6f-7b90-4a27-a44a-51047e1506f9.md b/docs/queries/cloudformation-queries/aws/8c415f6f-7b90-4a27-a44a-51047e1506f9.md new file mode 100644 index 00000000000..bc426687104 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/8c415f6f-7b90-4a27-a44a-51047e1506f9.md 
@@ -0,0 +1,123 @@ +--- +title: RDS With Backup Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8c415f6f-7b90-4a27-a44a-51047e1506f9 +- **Query name:** RDS With Backup Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/rds_with_backup_disabled) + +### Description +Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +Resources: + MyDB: + Type: AWS::RDS::DBInstance + Properties: + DBSecurityGroups: + - Ref: MyDbSecurityByEC2SecurityGroup + - Ref: MyDbSecurityByCIDRIPGroup + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: oracle-ee + LicenseModel: bring-your-own-license + MasterUsername: master + MasterUserPassword: SecretPassword01 + BackupRetentionPeriod: 0 + DeletionPolicy: Snapshot +``` +```json title="Postitive test num. 2 - json file" hl_lines="6" +{ + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "BackupRetentionPeriod": 0, + "DBSecurityGroups": [ + { + "Ref": "MyDbSecurityByEC2SecurityGroup" + }, + { + "Ref": "MyDbSecurityByCIDRIPGroup" + } + ], + "AllocatedStorage": "5", + "DBInstanceClass": "db.t2.small", + "Engine": "oracle-ee", + "LicenseModel": "bring-your-own-license", + "MasterUsername": "master", + "MasterUserPassword": "SecretPassword01" + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + MyDB: + Type: AWS::RDS::DBInstance + Properties: + DBSecurityGroups: + - Ref: MyDbSecurityByEC2SecurityGroup + - Ref: MyDbSecurityByCIDRIPGroup + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: oracle-ee + LicenseModel: bring-your-own-license + MasterUsername: master + MasterUserPassword: SecretPassword01 + BackupRetentionPeriod: 7 + DeletionPolicy: Snapshot +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "BackupRetentionPeriod": 7, + "DBSecurityGroups": [ + { + "Ref": "MyDbSecurityByEC2SecurityGroup" + }, + { + "Ref": "MyDbSecurityByCIDRIPGroup" + } + ], + "AllocatedStorage": "5", + "DBInstanceClass": "db.t2.small", + "Engine": "oracle-ee", + "LicenseModel": "bring-your-own-license", + "MasterUsername": "master", + "MasterUserPassword": "SecretPassword01" + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da.md b/docs/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da.md new file mode 100644 index 00000000000..3e16b45108d --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da.md @@ -0,0 +1,72 @@ +--- +title: IAM Access Analyzer Not Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8d29754a-2a18-460d-a1ba-9509f8d359da +- **Query name:** IAM Access Analyzer Not Enabled +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_access_analyzer_not_enabled) + +### Description +IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
+[Documentation](https://docs.amazonaws.cn/en_us/AWSCloudFormation/latest/UserGuide/aws-resource-accessanalyzer-analyzer.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template 2 +Resources: + myuseeer: + Type: AWS::IAM::Group + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + Analyzer: + Type: "AWS::AccessAnalyzer::Analyzer" + Properties: + AnalyzerName: MyAccountAnalyzer + Type: ACCOUNT + Tags: + - Key: Kind + Value: Dev + ArchiveRules: + - # Archive findings for a trusted AWS account + RuleName: ArchiveTrustedAccountAccess + Filter: + - Property: "principal.AWS" + Eq: + - "123456789012" + - # Archive findings for known public S3 buckets + RuleName: ArchivePublicS3BucketsAccess + Filter: + - Property: "resource" + Contains: + - "arn:aws:s3:::docs-bucket" + - "arn:aws:s3:::clients-bucket" + +``` diff --git a/docs/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md b/docs/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md new file mode 100644 index 00000000000..91b144ba5c4 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40.md 
@@ -0,0 +1,288 @@ +--- +title: EC2 Not EBS Optimized +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8dd0ff1f-0da4-48df-9bb3-7f338ae36a40 +- **Query name:** EC2 Not EBS Optimized +- **Platform:** CloudFormation +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_not_ebs_optimized) + +### Description +It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-ebsoptimized) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +Resources: + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: "ami-79fd7eee" + KeyName: "testkey" + BlockDeviceMappings: + - DeviceName: "/dev/sdm" + Ebs: + VolumeType: "io1" + Iops: "200" + DeleteOnTermination: "false" + VolumeSize: "20" + - DeviceName: "/dev/sdk" + NoDevice: {} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="5" +{ + "Resources": { + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-79fd7eee", + "KeyName": "testkey", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sdm", + "Ebs": { + "VolumeType": "io1", + "Iops": "200", + "DeleteOnTermination": "false", + "VolumeSize": "20" + } + }, + { + "DeviceName": "/dev/sdk", + "NoDevice": {} + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="16" +Resources: + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: "ami-79fd7eee" + KeyName: "testkey" + BlockDeviceMappings: + - DeviceName: "/dev/sdm" + Ebs: + VolumeType: "io1" + Iops: "200" + DeleteOnTermination: "false" + VolumeSize: "20" + - DeviceName: "/dev/sdk" + NoDevice: {} + EbsOptimized: false + +``` +
Postitive test num. 4 - json file + +```json hl_lines="23" +{ + "Resources": { + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-79fd7eee", + "KeyName": "testkey", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sdm", + "Ebs": { + "VolumeType": "io1", + "Iops": "200", + "DeleteOnTermination": "false", + "VolumeSize": "20" + } + }, + { + "DeviceName": "/dev/sdk", + "NoDevice": {} + } + ], + "EbsOptimized": false + } + } + } +} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="4" +Resources: + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + InstanceType: t2.small + ImageId: "ami-79fd7eee" + KeyName: "testkey" + BlockDeviceMappings: + - DeviceName: "/dev/sdm" + Ebs: + VolumeType: "io1" + Iops: "200" + DeleteOnTermination: "false" + VolumeSize: "20" + - DeviceName: "/dev/sdk" + NoDevice: {} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="5" +{ + "Resources": { + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t2.small", + "ImageId": "ami-79fd7eee", + "KeyName": "testkey", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sdm", + "Ebs": { + "VolumeType": "io1", + "Iops": "200", + "DeleteOnTermination": "false", + "VolumeSize": "20" + } + }, + { + "DeviceName": "/dev/sdk", + "NoDevice": {} + } + ] + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: "ami-79fd7eee" + KeyName: "testkey" + BlockDeviceMappings: + - DeviceName: "/dev/sdm" + Ebs: + VolumeType: "io1" + Iops: "200" + DeleteOnTermination: "false" + VolumeSize: "20" + - DeviceName: "/dev/sdk" + NoDevice: {} + EbsOptimized: true + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-79fd7eee", + "KeyName": "testkey", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sdm", + "Ebs": { + "VolumeType": "io1", + "Iops": "200", + "DeleteOnTermination": "false", + "VolumeSize": "20" + } + }, + { + "DeviceName": "/dev/sdk", + "NoDevice": {} + } + ], + "EbsOptimized": true + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +Resources: + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + InstanceType: t3.nano + ImageId: "ami-79fd7eee" + KeyName: "testkey" + BlockDeviceMappings: + - DeviceName: "/dev/sdm" + Ebs: + VolumeType: "io1" + Iops: "200" + DeleteOnTermination: "false" + VolumeSize: "20" + - DeviceName: "/dev/sdk" + NoDevice: {} + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.nano", + "ImageId": "ami-79fd7eee", + "KeyName": "testkey", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/sdm", + "Ebs": { + "VolumeType": "io1", + "Iops": "200", + "DeleteOnTermination": "false", + "VolumeSize": "20" + } + }, + { + "DeviceName": "/dev/sdk", + "NoDevice": {} + } + ] + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/8df8e857-bd59-44fa-9f4c-d77594b95b46.md b/docs/queries/cloudformation-queries/aws/8df8e857-bd59-44fa-9f4c-d77594b95b46.md new file mode 100644 index 00000000000..9060c093114 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/8df8e857-bd59-44fa-9f4c-d77594b95b46.md @@ -0,0 +1,387 @@ +--- +title: Lambda Function Without Tags +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8df8e857-bd59-44fa-9f4c-d77594b95b46 +- **Query name:** Lambda Function Without Tags +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/lambda_function_without_tags) + +### Description +AWS Lambda Functions must have associated tags.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="52" +AWSTemplateFormatVersion: '2010-09-09' +Parameters: + ExistingSecurityGroups: + Type: List + ExistingVPC: + Type: AWS::EC2::VPC::Id + Description: The VPC ID that includes the security groups in the ExistingSecurityGroups + parameter. + InstanceType: + Type: String + Default: t2.micro + AllowedValues: + - t2.micro + - m1.small +Mappings: + AWSInstanceType2Arch: + t2.micro: + Arch: HVM64 + m1.small: + Arch: HVM64 + AWSRegionArch2AMI: + us-east-1: + HVM64: ami-0ff8a91507f77f867 + HVMG2: ami-0a584ac55a7631c0c +Resources: + SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow HTTP traffic to the host + VpcId: + Ref: ExistingVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: '80' + ToPort: '80' + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: '80' + ToPort: '80' + CidrIp: 0.0.0.0/0 + AllSecurityGroups: + Type: Custom::Split + Properties: + ServiceToken: !GetAtt AppendItemToListFunction.Arn + List: + Ref: ExistingSecurityGroups + AppendedItem: + Ref: SecurityGroup + AppendItemToListFunction: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: !GetAtt LambdaExecutionRole.Arn + Code: + ZipFile: !Sub | + var response = require('cfn-response'); + exports.handler = function(event, context) { + var responseData = {Value: event.ResourceProperties.List}; + responseData.Value.push(event.ResourceProperties.AppendedItem); + response.send(event, context, response.SUCCESS, responseData); + }; + Runtime: nodejs8.10 + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: + Fn::FindInMap: + - AWSRegionArch2AMI + - Ref: AWS::Region + - Fn::FindInMap: + - AWSInstanceType2Arch + - Ref: InstanceType + - Arch + SecurityGroupIds: !GetAtt 
AllSecurityGroups.Value + InstanceType: + Ref: InstanceType + LambdaExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: + - sts:AssumeRole + Path: "/" + Policies: + - PolicyName: root + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - logs:* + Resource: arn:aws:logs:*:*:* +Outputs: + AllSecurityGroups: + Description: Security Groups that are associated with the EC2 instance + Value: + Fn::Join: + - ", " + - Fn::GetAtt: + - AllSecurityGroups + - Value + +``` +```json title="Postitive test num. 2 - json file" hl_lines="75" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "ExistingVPC": { + "Type": "AWS::EC2::VPC::Id", + "Description": "The VPC ID that includes the security groups in the ExistingSecurityGroups parameter." + }, + "InstanceType": { + "Type": "String", + "Default": "t2.micro", + "AllowedValues": [ + "t2.micro", + "m1.small" + ] + }, + "ExistingSecurityGroups": { + "Type": "List\u003cAWS::EC2::SecurityGroup::Id\u003e" + } + }, + "Mappings": { + "AWSInstanceType2Arch": { + "t2.micro": { + "Arch": "HVM64" + }, + "m1.small": { + "Arch": "HVM64" + } + }, + "AWSRegionArch2AMI": { + "us-east-1": { + "HVM64": "ami-0ff8a91507f77f867", + "HVMG2": "ami-0a584ac55a7631c0c" + } + } + }, + "Resources": { + "SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow HTTP traffic to the host", + "VpcId": { + "Ref": "ExistingVPC" + }, + "SecurityGroupIngress": [ + { + "FromPort": "80", + "ToPort": "80", + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": "80", + "ToPort": "80", + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "AllSecurityGroups": { + "Type": "Custom::Split", + "Properties": { + "ServiceToken": "AppendItemToListFunction.Arn", + "List": { + "Ref": 
"ExistingSecurityGroups" + }, + "AppendedItem": { + "Ref": "SecurityGroup" + } + } + }, + "AppendItemToListFunction": { + "Properties": { + "Handler": "index.handler", + "Role": "LambdaExecutionRole.Arn", + "Code": { + "ZipFile": "var response = require('cfn-response');\nexports.handler = function(event, context) {\n var responseData = {Value: event.ResourceProperties.List};\n responseData.Value.push(event.ResourceProperties.AppendedItem);\n response.send(event, context, response.SUCCESS, responseData);\n};\n" + }, + "Runtime": "nodejs8.10" + }, + "Type": "AWS::Lambda::Function" + }, + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": { + "Fn::FindInMap": [ + "AWSRegionArch2AMI", + { + "Ref": "AWS::Region" + }, + { + "Fn::FindInMap": [ + "AWSInstanceType2Arch", + { + "Ref": "InstanceType" + }, + "Arch" + ] + } + ] + }, + "SecurityGroupIds": "AllSecurityGroups.Value", + "InstanceType": { + "Ref": "InstanceType" + } + } + }, + "LambdaExecutionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "logs:*" + ], + "Resource": "arn:aws:logs:*:*:*" + } + ] + } + } + ], + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + } + } + ], + "Version": "2012-10-17" + }, + "Path": "/" + } + } + }, + "Outputs": { + "AllSecurityGroups": { + "Description": "Security Groups that are associated with the EC2 instance", + "Value": { + "Fn::Join": [ + ", ", + { + "Fn::GetAtt": [ + "AllSecurityGroups", + "Value" + ] + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Description: VPC function. 
+Resources: + Function: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: arn:aws:iam::123456789012:role/lambda-role + Code: + S3Bucket: my-bucket + S3Key: function.zip + Runtime: nodejs12.x + Timeout: 5 + TracingConfig: + Mode: Active + VpcConfig: + SecurityGroupIds: + - sg-085912345678492fb + SubnetIds: + - subnet-071f712345678e7c8 + - subnet-07fd123456788a036 + Tags: + - Key: Description + Value: VPC Function + - Key: Type + Value: AWS Lambda Function + +``` +```json title="Negative test num. 2 - json file" +{ + "Description": "VPC function.", + "Resources": { + "Function": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Runtime": "nodejs12.x", + "Timeout": 5, + "TracingConfig": { + "Mode": "Active" + }, + "VpcConfig": { + "SecurityGroupIds": [ + "sg-085912345678492fb" + ], + "SubnetIds": [ + "subnet-071f712345678e7c8", + "subnet-07fd123456788a036" + ] + }, + "Tags": [ + { + "Value": "VPC Function", + "Key": "Description" + }, + { + "Key": "Type", + "Value": "AWS Lambda Function" + } + ], + "Handler": "index.handler", + "Role": "arn:aws:iam::123456789012:role/lambda-role", + "Code": { + "S3Bucket": "my-bucket", + "S3Key": "function.zip" + } + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/8f957abd-9703-413d-87d3-c578950a753c.md b/docs/queries/cloudformation-queries/aws/8f957abd-9703-413d-87d3-c578950a753c.md new file mode 100644 index 00000000000..d0128848fe0 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/8f957abd-9703-413d-87d3-c578950a753c.md 
@@ -0,0 +1,213 @@ +--- +title: IAM Group Without Users +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8f957abd-9703-413d-87d3-c578950a753c +- **Query name:** IAM Group Without Users +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_group_without_users) + +### Description +IAM Group should have at least one user associated
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template 2 +Resources: + myuseeer: + Type: AWS::IAM::Group + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + IamUserAdminSample22: + Type: AWS::IAM::User + Condition: IsSampleIamUser + Properties: + UserName: sample-iam-user-admin + Groups: + - !Ref 'myu2ser' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuseeer2": { + "Type": "AWS::IAM::Group", + "Properties": { + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ], + "Effect": "Deny" + } + ] + } + } + ], + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + } + } + }, + "IamUserAdminSample222": { + "Type": "AWS::IAM::User", + "Condition": "IsSampleIamUser", + "Properties": { + "UserName": "sample-iam-user-admin", + "Groups": [ + "myu2ser" + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::Group + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + IamUserAdminSample: + Type: AWS::IAM::User + Condition: IsSampleIamUser + Properties: + UserName: sample-iam-user-admin + Groups: + - !Ref 'myuser' + +``` +```json title="Negative test num. 2 - json file" +{ + "Description": "A sample template", + "Resources": { + "myuserr": { + "Type": "AWS::IAM::Group", + "Properties": { + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "NotResource": [ + "myqueue.Arn" + ], + "Effect": "Deny", + "Action": [ + "sqs:*" + ] + } + ] + } + } + ], + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + } + } + }, + "IamUserAdminSample": { + "Type": "AWS::IAM::User", + "Condition": "IsSampleIamUser", + "Properties": { + "UserName": "sample-iam-user-admin", + "Groups": [ + "myuserr" + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/9025b2b3-e554-4842-ba87-db7aeec36d35.md b/docs/queries/cloudformation-queries/aws/9025b2b3-e554-4842-ba87-db7aeec36d35.md new file mode 100644 index 00000000000..0c36842315b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9025b2b3-e554-4842-ba87-db7aeec36d35.md 
@@ -0,0 +1,159 @@ +--- +title: Unscanned ECR Image +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9025b2b3-e554-4842-ba87-db7aeec36d35 +- **Query name:** Unscanned ECR Image +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/unscanned_ecr_image) + +### Description +Checks if the ECR Image has been scanned
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagescanningconfiguration) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: "2010-09-11" +Resources: + MyRepository3: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + RepositoryPolicyText: + Version: "2012-10-17" + Statement: + - + Sid: AllowPushPull + Effect: Allow + Principal: + AWS: + - "arn:aws:iam::123456789012:user/Bob" + - "arn:aws:iam::123456789012:user/Alice" + Action: + - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchGetImage" + - "ecr:BatchCheckLayerAvailability" + - "ecr:PutImage" + - "ecr:InitiateLayerUpload" + - "ecr:UploadLayerPart" + - "ecr:CompleteLayerUpload" + + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: "2010-09-11" +Resources: + MyRepository4: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + ImageScanningConfiguration: + ScanOnPush: "false" + +``` +```json title="Postitive test num. 3 - json file" hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MyRepository5": { + "Type": "AWS::ECR::Repository", + "Properties": { + "RepositoryName": "test-repository", + "RepositoryPolicyText": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "AllowPushPull", + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::123456789012:user/Bob", + "arn:aws:iam::123456789012:user/Alice" + ] + }, + "Action": [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload" + ] + } + ] + } + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="9" +{ + "AWSTemplateFormatVersion": "2010-09-11T00:00:00Z", + "Resources": { + "MyRepository6": { + "Type": "AWS::ECR::Repository", + "Properties": { + "RepositoryName": "test-repository", + "ImageScanningConfiguration": { + "ScanOnPush": "false" + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-11" +Resources: + MyRepository: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + ImageScanningConfiguration: + ScanOnPush: "true" + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-11T00:00:00Z", + "Resources": { + "MyRepository2": { + "Type": "AWS::ECR::Repository", + "Properties": { + "RepositoryName": "test-repository", + "ImageScanningConfiguration": { + "ScanOnPush": "true" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/90501b1b-cded-4cc1-9e8b-206b85cda317.md b/docs/queries/cloudformation-queries/aws/90501b1b-cded-4cc1-9e8b-206b85cda317.md new file mode 100644 index 00000000000..01319470203 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/90501b1b-cded-4cc1-9e8b-206b85cda317.md @@ -0,0 +1,91 @@ +--- +title: S3 Static Website Host Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 90501b1b-cded-4cc1-9e8b-206b85cda317 +- **Query name:** S3 Static Website Host Enabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_static_website_host_enabled) + +### Description +Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +Resources: + Bucket2: + Type: AWS::S3::Bucket + Properties: + AccessControl: PublicRead + WebsiteConfiguration: + IndexDocument: index.html + ErrorDocument: error.html + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "Resources": { + "Bucket2": { + "Type": "AWS::S3::Bucket", + "Properties": { + "AccessControl": "PublicRead", + "WebsiteConfiguration": { + "IndexDocument": "index.html", + "ErrorDocument": "error.html" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + Bucket1: + Type: AWS::S3::Bucket + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls : true + BlockPublicPolicy : true + IgnorePublicAcls : true + RestrictPublicBuckets : true +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Bucket1": { + "Type": "AWS::S3::Bucket", + "Properties": { + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + }, + "AccessControl": "Private" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/9488c451-074e-4cd3-aee3-7db6104f542c.md b/docs/queries/cloudformation-queries/aws/9488c451-074e-4cd3-aee3-7db6104f542c.md new file mode 100644 index 00000000000..9474655e36d --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9488c451-074e-4cd3-aee3-7db6104f542c.md 
@@ -0,0 +1,212 @@ +--- +title: Lambda Functions Without X-Ray Tracing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9488c451-074e-4cd3-aee3-7db6104f542c +- **Query name:** Lambda Functions Without X-Ray Tracing +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/lambda_functions_without_x-ray_tracing) + +### Description +AWS Lambda functions should have TracingConfig enabled. For this, property 'tracingConfig.mode' should have the value 'Active'
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lambda-function-tracingconfig.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="37" +#this is a problematic code where the query should report a result(s) +AWSTemplateFormatVersion: '2010-09-09' +Description: Lambda function with cfn-response. +Resources: + primer: + Type: AWS::Lambda::Function + Properties: + Runtime: nodejs12.x + Role: arn:aws:iam::123456789012:role/lambda-role + Handler: index.handler + Code: + ZipFile: | + var aws = require('aws-sdk') + var response = require('cfn-response') + exports.handler = function(event, context) { + console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) + // For Delete requests, immediately send a SUCCESS response. + if (event.RequestType == "Delete") { + response.send(event, context, "SUCCESS") + return + } + var responseStatus = "FAILED" + var responseData = {} + var functionName = event.ResourceProperties.FunctionName + var lambda = new aws.Lambda() + lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { + if (err) { + responseData = {Error: "Invoke call failed"} + console.log(responseData.Error + ":\n", err) + } + else responseStatus = "SUCCESS" + response.send(event, context, responseStatus, responseData) + }) + } + Description: Invoke a function during stack creation. + TracingConfig: + Mode: PassThrough + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +Resources: + Function: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: arn:aws:iam::123456789012:role/lambda-role + Code: + S3Bucket: my-bucket + S3Key: function.zip + Runtime: nodejs12.x + Timeout: 5 + VpcConfig: + SecurityGroupIds: + - sg-085912345678492fb + SubnetIds: + - subnet-071f712345678e7c8 + - subnet-07fd123456788a036 + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="16" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Lambda function with cfn-response.", + "Resources": { + "primer": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Runtime": "nodejs12.x", + "Role": "arn:aws:iam::123456789012:role/lambda-role", + "Handler": "index.handler", + "Code": { + "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" + }, + "Description": "Invoke a function during stack creation.", + "TracingConfig": { + "Mode": "PassThrough" + } + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="4" +{ + "Resources": { + "Function": { + "Properties": { + "Timeout": 5, + "VpcConfig": { + "SecurityGroupIds": [ + "sg-085912345678492fb" + ], + "SubnetIds": [ + "subnet-071f712345678e7c8", + "subnet-07fd123456788a036" + ] + }, + "Handler": "index.handler", + "Role": "arn:aws:iam::123456789012:role/lambda-role", + "Code": { + "S3Bucket": "my-bucket", + "S3Key": "function.zip" + }, + "Runtime": "nodejs12.x" + }, + "Type": "AWS::Lambda::Function" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: '2010-09-09' +Description: Lambda function with cfn-response. +Resources: + primer: + Type: AWS::Lambda::Function + Properties: + Runtime: nodejs12.x + Role: arn:aws:iam::123456789012:role/lambda-role + Handler: index.handler + Code: + ZipFile: | + var aws = require('aws-sdk') + var response = require('cfn-response') + exports.handler = function(event, context) { + console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) + // For Delete requests, immediately send a SUCCESS response. + if (event.RequestType == "Delete") { + response.send(event, context, "SUCCESS") + return + } + var responseStatus = "FAILED" + var responseData = {} + var functionName = event.ResourceProperties.FunctionName + var lambda = new aws.Lambda() + lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { + if (err) { + responseData = {Error: "Invoke call failed"} + console.log(responseData.Error + ":\n", err) + } + else responseStatus = "SUCCESS" + response.send(event, context, responseStatus, responseData) + }) + } + Description: Invoke a function during stack creation. + TracingConfig: + Mode: Active +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Lambda function with cfn-response.", + "Resources": { + "primer": { + "Type": "AWS::Lambda::Function", + "Properties": { + "TracingConfig": { + "Mode": "Active" + }, + "Runtime": "nodejs12.x", + "Role": "arn:aws:iam::123456789012:role/lambda-role", + "Handler": "index.handler", + "Code": { + "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" + }, + "Description": "Invoke a function during stack creation." + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/953b3cdb-ce13-428a-aa12-318726506661.md b/docs/queries/cloudformation-queries/aws/953b3cdb-ce13-428a-aa12-318726506661.md new file mode 100644 index 00000000000..cc601746e91 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/953b3cdb-ce13-428a-aa12-318726506661.md 
@@ -0,0 +1,174 @@ +--- +title: IAM Policies With Full Privileges +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 953b3cdb-ce13-428a-aa12-318726506661 +- **Query name:** IAM Policies With Full Privileges +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_policies_with_full_privileges) + +### Description +IAM policies shouldn't allow full administrative privileges (for all resources)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 21" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + mypolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: mygrouppolicy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: ["*"] + Resource: "*" + Groups: + - myexistinggroup1 + - !Ref mygroup + mypolicy2: + Type: AWS::IAM::Policy + Properties: + PolicyName: mygrouppolicy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: "*" + Resource: "*" + Groups: + - myexistinggroup1 + - !Ref mygroup + + + + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9 31" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "mypolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "mygrouppolicy", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "*" + ], + "Resource": "*" + } + ] + }, + "Groups": [ + "myexistinggroup1", + "mygroup" + ] + } + }, + "mypolicy2": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "mygrouppolicy", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + }, + "Groups": [ + "myexistinggroup1", + "mygroup" + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + MyPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: mygrouppolicy + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:GetObject + - s3:PutObject + - s3:PutObjectAcl + Resource: arn:aws:s3:::myAWSBucket/* + Groups: + - myexistinggroup1 + - !Ref mygroup + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "MyPolicy": { + "Properties": { + "PolicyName": "mygrouppolicy", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:PutObject", + "s3:PutObjectAcl" + ], + "Resource": "arn:aws:s3:::myAWSBucket/*" + } + ] + }, + "Groups": [ + "myexistinggroup1", + "mygroup" + ] + }, + "Type": "AWS::IAM::Policy" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md b/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md new file mode 100644 index 00000000000..2c4b947a004 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md @@ -0,0 +1,457 @@ +--- +title: DB Security Group With Public Scope +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9564406d-e761-4e61-b8d7-5926e3ab8e79 +- **Query name:** DB Security Group With Public Scope +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/db_security_group_with_public_scope) + +### Description +The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +Resources: + DBEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Open database for access + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + DBInstance: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: true + DBName: + Ref: DBName + Engine: MySQL + MultiAZ: + Ref: MultiAZDatabase + MasterUsername: + Ref: DBUser + DBInstanceClass: + Ref: DBClass + AllocatedStorage: + Ref: DBAllocatedStorage + MasterUserPassword: + Ref: DBPassword + VPCSecurityGroups: + - !GetAtt DBEC2SecurityGroup.GroupId + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +Resources: + DBinstance2: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: true + DBSecurityGroups: + - + Ref: "DbSecurityByEC2SecurityGroup" + AllocatedStorage: "5" + DBInstanceClass: "db.t3.small" + Engine: "MySQL" + MasterUsername: "YourName" + MasterUserPassword: "YourPassword" + DeletionPolicy: "Snapshot" + DbSecurityByEC2SecurityGroup: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Ingress for Amazon EC2 security group" + DBSecurityGroupIngress: + - + CIDRIP: 0.0.0.0/0 + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="6" +Resources: + DBEC2SecurityGroup2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Open database for access + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: ::/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + DBInstance3: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: true + DBName: + Ref: DBName + Engine: MySQL + MultiAZ: + Ref: MultiAZDatabase + MasterUsername: + Ref: DBUser + DBInstanceClass: + Ref: DBClass + AllocatedStorage: + Ref: DBAllocatedStorage + MasterUserPassword: + Ref: DBPassword + VPCSecurityGroups: + - !GetAtt DBEC2SecurityGroup2.GroupId + +``` +
Postitive test num. 4 - json file + +```json hl_lines="6" +{ + "Resources": { + "DBEC2SecurityGroup": { + "Properties": { + "GroupDescription": "Open database for access", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ] + }, + "Type": "AWS::EC2::SecurityGroup" + }, + "DBInstance": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "PubliclyAccessible": true, + "Engine": "MySQL", + "MasterUsername": { + "Ref": "DBUser" + }, + "VPCSecurityGroups": [ + "DBEC2SecurityGroup.GroupId" + ], + "DBName": { + "Ref": "DBName" + }, + "MultiAZ": { + "Ref": "MultiAZDatabase" + }, + "DBInstanceClass": { + "Ref": "DBClass" + }, + "AllocatedStorage": { + "Ref": "DBAllocatedStorage" + }, + "MasterUserPassword": { + "Ref": "DBPassword" + } + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="24" +{ + "Resources": { + "DBinstance2": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "PubliclyAccessible": true, + "DBSecurityGroups": [ + { + "Ref": "DbSecurityByEC2SecurityGroup" + } + ], + "AllocatedStorage": "5", + "DBInstanceClass": "db.t3.small", + "Engine": "MySQL", + "MasterUsername": "YourName", + "MasterUserPassword": "YourPassword" + }, + "DeletionPolicy": "Snapshot" + }, + "DbSecurityByEC2SecurityGroup": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Ingress for Amazon EC2 security group", + "DBSecurityGroupIngress": [ + { + "CIDRIP": "0.0.0.0/0" + } + ] + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="15" +{ + "Resources": { + "DBEC2SecurityGroup2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "GroupDescription": "Open database for access", + "SecurityGroupIngress": [ + { + "CidrIpv6": "::/0", + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80 + } + ] + } + }, + "DBInstance3": { + "Properties": { + "Engine": "MySQL", + "AllocatedStorage": { + "Ref": "DBAllocatedStorage" + }, + "MasterUserPassword": { + "Ref": "DBPassword" + }, + "VPCSecurityGroups": [ + "DBEC2SecurityGroup2.GroupId" + ], + "PubliclyAccessible": true, + "DBName": { + "Ref": "DBName" + }, + "MultiAZ": { + "Ref": "MultiAZDatabase" + }, + "MasterUsername": { + "Ref": "DBUser" + }, + "DBInstanceClass": { + "Ref": "DBClass" + } + }, + "Type": "AWS::RDS::DBInstance" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + DBEC2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Open database for access + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 1.2.3.4/24 + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + DBInstance: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: true + DBName: + Ref: DBName + Engine: MySQL + MultiAZ: + Ref: MultiAZDatabase + MasterUsername: + Ref: DBUser + DBInstanceClass: + Ref: DBClass + AllocatedStorage: + Ref: DBAllocatedStorage + MasterUserPassword: + Ref: DBPassword + VPCSecurityGroups: + - !GetAtt DBEC2SecurityGroup.GroupId + + +``` +```yaml title="Negative test num. 2 - yaml file" +Resources: + DBinstance: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: true + DBSecurityGroups: + - + Ref: "DbSecurityByEC2SecurityGroup" + AllocatedStorage: "5" + DBInstanceClass: "db.t3.small" + Engine: "MySQL" + MasterUsername: "YourName" + MasterUserPassword: "YourPassword" + DeletionPolicy: "Snapshot" + DbSecurityByEC2SecurityGroup: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Ingress for Amazon EC2 security group" + DBSecurityGroupIngress: + - + CIDRIP: 1.2.3.4/24 + +``` +```json title="Negative test num. 
3 - json file" +{ + "Resources": { + "DBEC2SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupIngress": [ + { + "CidrIp": "1.2.3.4/24", + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80 + }, + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIpv6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "GroupDescription": "Open database for access" + } + }, + "DBInstance": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "PubliclyAccessible": true, + "DBName": { + "Ref": "DBName" + }, + "MultiAZ": { + "Ref": "MultiAZDatabase" + }, + "MasterUsername": { + "Ref": "DBUser" + }, + "AllocatedStorage": { + "Ref": "DBAllocatedStorage" + }, + "Engine": "MySQL", + "DBInstanceClass": { + "Ref": "DBClass" + }, + "MasterUserPassword": { + "Ref": "DBPassword" + }, + "VPCSecurityGroups": [ + "DBEC2SecurityGroup.GroupId" + ] + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "DBinstance": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "AllocatedStorage": "5", + "DBInstanceClass": "db.t3.small", + "Engine": "MySQL", + "MasterUsername": "YourName", + "MasterUserPassword": "YourPassword", + "PubliclyAccessible": true, + "DBSecurityGroups": [ + { + "Ref": "DbSecurityByEC2SecurityGroup" + } + ] + }, + "DeletionPolicy": "Snapshot" + }, + "DbSecurityByEC2SecurityGroup": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Ingress for Amazon EC2 security group", + "DBSecurityGroupIngress": [ + { + "CIDRIP": "1.2.3.4/24" + } + ] + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/97e94d17-e2c7-4109-a53b-6536ac1bb64e.md b/docs/queries/cloudformation-queries/aws/97e94d17-e2c7-4109-a53b-6536ac1bb64e.md new file mode 100644 index 00000000000..dc5aa4c7ce6 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/97e94d17-e2c7-4109-a53b-6536ac1bb64e.md @@ -0,0 +1,217 @@ +--- +title: VPC Attached With Too Many Gateways +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 97e94d17-e2c7-4109-a53b-6536ac1bb64e +- **Query name:** VPC Attached With Too Many Gateways +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/vpc_attached_with_too_many_gateways) + +### Description +The number of gateways attached should not approach or go beyond the limit of 3, in a particular VPC
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc-gateway-attachment.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="3" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myVPC: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsSupport: 'false' + EnableDnsHostnames: 'false' + InstanceTenancy: dedicated + AttachVpnGateway: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: + Ref: myVPC + VpnGatewayId: + Ref: myVPNGateway + AttachVpnGateway2: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: + Ref: myVPC + VpnGatewayId: + Ref: myVPNGateway2 + AttachVpnGateway3: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: + Ref: myVPC + VpnGatewayId: + Ref: myVPNGateway3 + AttachVpnGateway4: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: + Ref: myVPC + VpnGatewayId: + Ref: myVPNGateway4 + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "AttachVpnGateway4": { + "Properties": { + "VpcId": { + "Ref": "myVPC" + }, + "VpnGatewayId": { + "Ref": "myVPNGateway4" + } + }, + "Type": "AWS::EC2::VPCGatewayAttachment" + }, + "myVPC": { + "Type": "AWS::EC2::VPC", + "Properties": { + "EnableDnsHostnames": "false", + "InstanceTenancy": "dedicated", + "CidrBlock": "10.0.0.0/16", + "EnableDnsSupport": "false" + } + }, + "AttachVpnGateway": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "myVPC" + }, + "VpnGatewayId": { + "Ref": "myVPNGateway" + } + } + }, + "AttachVpnGateway2": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "myVPC" + }, + "VpnGatewayId": { + "Ref": "myVPNGateway2" + } + } + }, + "AttachVpnGateway3": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "myVPC" + }, + "VpnGatewayId": { + "Ref": "myVPNGateway3" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myVPC_2: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsSupport: 'false' + EnableDnsHostnames: 'false' + InstanceTenancy: dedicated + AttachVpnGateway: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: + Ref: myVPC_2 + VpnGatewayId: + Ref: myVPNGateway + AttachVpnGateway2: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: + Ref: myVPC_2 + VpnGatewayId: + Ref: myVPNGateway2 + AttachVpnGateway3: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + VpcId: + Ref: myVPC_2 + VpnGatewayId: + Ref: myVPNGateway3 + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myVPC_2": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsSupport": "false", + "EnableDnsHostnames": "false", + "InstanceTenancy": "dedicated" + } + }, + "AttachVpnGateway": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "myVPC_2" + }, + "VpnGatewayId": { + "Ref": "myVPNGateway" + } + } + }, + "AttachVpnGateway2": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "myVPC_2" + }, + "VpnGatewayId": { + "Ref": "myVPNGateway2" + } + } + }, + "AttachVpnGateway3": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": { + "Ref": "myVPC_2" + }, + "VpnGatewayId": { + "Ref": "myVPNGateway3" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md b/docs/queries/cloudformation-queries/aws/9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md new file mode 100644 index 00000000000..2b9ccc43989 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9b6a3f5b-5fd6-40ee-9bc0-ed604911212d.md @@ -0,0 +1,314 @@ +--- +title: SQS Policy With Public Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9b6a3f5b-5fd6-40ee-9bc0-ed604911212d +- **Query name:** SQS Policy With Public Access +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sqs_policy_with_public_access) + +### Description +Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +Resources: + SampleSQSPolicy: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + PolicyDocument: + Statement: + - + Action: + - "SQS:SendMessage" + - "SQS:CreateQueue" + Effect: "Allow" + Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" + Principal: + AWS: + - "111122223333" + - "*" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +Resources: + SampleSQSPolicy: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + PolicyDocument: + Statement: + - + Action: + - "SQS:SendMessage" + - "SQS:AddPermission" + Effect: "Allow" + Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" + Principal: + AWS: + - "111122223333" + - "arn:aws:iam::437628376:*" + +``` +```json title="Postitive test num. 3 - json file" hl_lines="9" +{ + "Resources": { + "SampleSQSPolicy": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "Queues": [ + "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + ], + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "SQS:SendMessage", + "SQS:CreateQueue" + ], + "Effect": "Allow", + "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2", + "Principal": { + "AWS": [ + "111122223333", + "*" + ] + } + } + ] + } + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="9" +{ + "Resources": { + "SampleSQSPolicy": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "Queues": [ + "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + ], + "PolicyDocument": { + "Statement": [ + { + "Principal": { + "AWS": [ + "111122223333", + "arn:aws:iam::437628376:*" + ] + }, + "Action": [ + "SQS:SendMessage", + "SQS:AddPermission" + ], + "Effect": "Allow", + "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2" + } + ] + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + SampleSQSPolicy: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + PolicyDocument: + Statement: + - + Action: + - "SQS:SendMessage" + - "SQS:ReceiveMessage" + Effect: "Allow" + Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" + Principal: + AWS: + - "111122223333" + - "*" + +``` +```yaml title="Negative test num. 2 - yaml file" +Resources: + SampleSQSPolicy2: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + PolicyDocument: + Statement: + - + Action: + - "SQS:SendMessage" + - "SQS:CreateQueue" + Effect: "Allow" + Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" + Principal: + AWS: + - "111122223333" + +``` +```yaml title="Negative test num. 3 - yaml file" +Resources: + SampleSQSPolicy3: + Type: AWS::SQS::QueuePolicy + Properties: + Queues: + - "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + PolicyDocument: + Statement: + - + Action: + - "SQS:SendMessage" + - "SQS:CreateQueue" + Effect: "Deny" + Resource: "arn:aws:sqs:us-east-2:444455556666:queue2" + Principal: + AWS: + - "111122223333" + - "*" + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "SampleSQSPolicy": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "Queues": [ + "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + ], + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "SQS:SendMessage", + "SQS:ReceiveMessage" + ], + "Effect": "Allow", + "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2", + "Principal": { + "AWS": [ + "111122223333", + "*" + ] + } + } + ] + } + } + } + } +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "Resources": { + "SampleSQSPolicy2": { + "Type": "AWS::SQS::QueuePolicy", + "Properties": { + "Queues": [ + "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + ], + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "SQS:SendMessage", + "SQS:CreateQueue" + ], + "Effect": "Allow", + "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2", + "Principal": { + "AWS": [ + "111122223333" + ] + } + } + ] + } + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Resources": { + "SampleSQSPolicy3": { + "Properties": { + "Queues": [ + "https://sqs:us-east-2.amazonaws.com/444455556666/queue2" + ], + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "SQS:SendMessage", + "SQS:CreateQueue" + ], + "Effect": "Deny", + "Resource": "arn:aws:sqs:us-east-2:444455556666:queue2", + "Principal": { + "AWS": [ + "111122223333", + "*" + ] + } + } + ] + } + }, + "Type": "AWS::SQS::QueuePolicy" + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/9b83114b-b2a1-4534-990d-06da015e47aa.md b/docs/queries/cloudformation-queries/aws/9b83114b-b2a1-4534-990d-06da015e47aa.md new file mode 100644 index 00000000000..a9c20fbe0d7 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9b83114b-b2a1-4534-990d-06da015e47aa.md @@ -0,0 +1,91 @@ +--- +title: Lambda Permission Misconfigured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9b83114b-b2a1-4534-990d-06da015e47aa +- **Query name:** Lambda Permission Misconfigured +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/lambda_permission_misconfigured) + +### Description +Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'
+[Documentation](https://docs.aws.amazon.com/pt_br/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +Resources: + s3Permission: + Type: AWS::Lambda::Permission + Properties: + FunctionName: !GetAtt function.Arn + Action: lambda:GetFunction + Principal: s3.amazonaws.com + SourceAccount: !Ref 'AWS::AccountId' + SourceArn: !GetAtt bucket.Arn + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "Resources": { + "s3Permission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "SourceArn": "bucket.Arn", + "FunctionName": "function.Arn", + "Action": "lambda:GetFunction", + "Principal": "s3.amazonaws.com", + "SourceAccount": "AWS::AccountId" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + s3Permission: + Type: AWS::Lambda::Permission + Properties: + FunctionName: !GetAtt function.Arn + Action: lambda:InvokeFunction + Principal: s3.amazonaws.com + SourceAccount: !Ref 'AWS::AccountId' + SourceArn: !GetAtt bucket.Arn + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "s3Permission": { + "Type": "AWS::Lambda::Permission", + "Properties": { + "FunctionName": "function.Arn", + "Action": "lambda:InvokeFunction", + "Principal": "s3.amazonaws.com", + "SourceAccount": "AWS::AccountId", + "SourceArn": "bucket.Arn" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/9c7028d9-04c2-45be-b8b2-1188ccaefb36.md b/docs/queries/cloudformation-queries/aws/9c7028d9-04c2-45be-b8b2-1188ccaefb36.md new file mode 100644 index 00000000000..3a8ca185021 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9c7028d9-04c2-45be-b8b2-1188ccaefb36.md 
@@ -0,0 +1,219 @@ +--- +title: SageMaker Notebook Not Placed In VPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9c7028d9-04c2-45be-b8b2-1188ccaefb36 +- **Query name:** SageMaker Notebook Not Placed In VPC +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sagemaker_notebook_not_placed_in_vpc) + +### Description +SageMaker Notebook must be placed in a VPC
+[Documentation](https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#sagemaker-condition-nbi-lockdown) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: "2010-09-09" +Description: "NotebookInstance" +Resources: + NotebookInstance: + Type: "AWS::SageMaker::NotebookInstance" + DependsOn: [ MountTarget1, MountTarget2, MountTarget3, VpcS3Endpoint ] + Properties: + NotebookInstanceName: !Ref NotebookInstanceName + InstanceType: !Ref NotebookInstanceType + RoleArn: !GetAtt ExecutionRole.Arn + RootAccess: Enabled + SecurityGroupIds: + - !GetAtt VpcSecurityGroup.GroupId + DirectInternetAccess: Disabled + AdditionalCodeRepositories: !If + - CreateCodeRepo + - [!GetAtt CodeRepo.CodeRepositoryName] + - !Ref 'AWS::NoValue' + LifecycleConfigName: !GetAtt NotebookStartConfig.NotebookInstanceLifecycleConfigName + VolumeSizeInGB: !Ref EbsVolumeSize + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + Vpc: + Type: 'AWS::EC2::VPC' + Properties: + CidrBlock: !Ref VpcCIDR + EnableDnsSupport: 'true' + EnableDnsHostnames: 'true' + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="27" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "NotebookInstance", + "Resources": { + "Vpc": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "VpcCIDR", + "EnableDnsSupport": "true", + "EnableDnsHostnames": "true", + "Tags": [ + { + "Key": "Name", + "Value": "AWS::StackName" + } + ] + } + }, + "NotebookInstance": { + "Type": "AWS::SageMaker::NotebookInstance", + "DependsOn": [ + "MountTarget1", + "MountTarget2", + "MountTarget3", + "VpcS3Endpoint" + ], + "Properties": { + "VolumeSizeInGB": "EbsVolumeSize", + "Tags": [ + { + "Key": "Name", + "Value": "AWS::StackName" + } + ], + "NotebookInstanceName": "NotebookInstanceName", + "SecurityGroupIds": [ + "VpcSecurityGroup.GroupId" + ], + "DirectInternetAccess": "Disabled", + "AdditionalCodeRepositories": [ + "CreateCodeRepo", + [ + "CodeRepo.CodeRepositoryName" + ], + "AWS::NoValue" + ], + "LifecycleConfigName": "NotebookStartConfig.NotebookInstanceLifecycleConfigName", + "InstanceType": "NotebookInstanceType", + "RoleArn": "ExecutionRole.Arn", + "RootAccess": "Enabled" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "NotebookInstance" +Resources: + NotebookInstance: + Type: "AWS::SageMaker::NotebookInstance" + DependsOn: [ MountTarget1, MountTarget2, MountTarget3, VpcS3Endpoint ] + Properties: + NotebookInstanceName: !Ref NotebookInstanceName + InstanceType: !Ref NotebookInstanceType + RoleArn: !GetAtt ExecutionRole.Arn + RootAccess: Enabled + SecurityGroupIds: + - !GetAtt VpcSecurityGroup.GroupId + SubnetId: !Ref PrivateSubnet1 + DirectInternetAccess: Disabled + AdditionalCodeRepositories: !If + - CreateCodeRepo + - [!GetAtt CodeRepo.CodeRepositoryName] + - !Ref 'AWS::NoValue' + LifecycleConfigName: !GetAtt NotebookStartConfig.NotebookInstanceLifecycleConfigName + VolumeSizeInGB: !Ref EbsVolumeSize + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + Vpc: + Type: 'AWS::EC2::VPC' + Properties: + CidrBlock: !Ref VpcCIDR + EnableDnsSupport: 'true' + EnableDnsHostnames: 'true' + Tags: + - Key: Name + Value: !Ref 'AWS::StackName' + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "NotebookInstance", + "Resources": { + "NotebookInstance": { + "Type": "AWS::SageMaker::NotebookInstance", + "DependsOn": [ + "MountTarget1", + "MountTarget2", + "MountTarget3", + "VpcS3Endpoint" + ], + "Properties": { + "InstanceType": "NotebookInstanceType", + "RoleArn": "ExecutionRole.Arn", + "SecurityGroupIds": [ + "VpcSecurityGroup.GroupId" + ], + "AdditionalCodeRepositories": [ + "CreateCodeRepo", + [ + "CodeRepo.CodeRepositoryName" + ], + "AWS::NoValue" + ], + "VolumeSizeInGB": "EbsVolumeSize", + "Tags": [ + { + "Key": "Name", + "Value": "AWS::StackName" + } + ], + "NotebookInstanceName": "NotebookInstanceName", + "SubnetId": "PrivateSubnet1", + "DirectInternetAccess": "Disabled", + "LifecycleConfigName": "NotebookStartConfig.NotebookInstanceLifecycleConfigName", + "RootAccess": "Enabled" + } + }, + "Vpc": { + "Properties": { + "CidrBlock": "VpcCIDR", + "EnableDnsSupport": "true", + "EnableDnsHostnames": "true", + "Tags": [ + { + "Key": "Name", + "Value": "AWS::StackName" + } + ] + }, + "Type": "AWS::EC2::VPC" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/9d13b150-a2ab-42a1-b6f4-142e41f81e52.md b/docs/queries/cloudformation-queries/aws/9d13b150-a2ab-42a1-b6f4-142e41f81e52.md new file mode 100644 index 00000000000..4e4d2900edb --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9d13b150-a2ab-42a1-b6f4-142e41f81e52.md @@ -0,0 +1,143 @@ +--- +title: SNS Topic Without KmsMasterKeyId +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9d13b150-a2ab-42a1-b6f4-142e41f81e52 +- **Query name:** SNS Topic Without KmsMasterKeyId +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sns_topic_without_kms_master_key_id) + +### Description +KmsMasterKeyId attribute should not be undefined
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MySNSTopic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Fn::GetAtt: + - "MyQueue1" + - "Arn" + Protocol: "sqs" + - Endpoint: + Fn::GetAtt: + - "MyQueue2" + - "Arn" + Protocol: "sqs" + TopicName: "SampleTopic" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MySNSTopic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Fn::GetAtt": [ + "MyQueue1", + "Arn" + ] + }, + "Protocol": "sqs" + }, + { + "Endpoint": { + "Fn::GetAtt": [ + "MyQueue2", + "Arn" + ] + }, + "Protocol": "sqs" + } + ], + "TopicName": "SampleTopic" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MySNSTopic: + Type: AWS::SNS::Topic + Properties: + Subscription: + - Endpoint: + Fn::GetAtt: + - "MyQueue1" + - "Arn" + Protocol: "sqs" + - Endpoint: + Fn::GetAtt: + - "MyQueue2" + - "Arn" + Protocol: "sqs" + TopicName: "SampleTopic" + KmsMasterKeyId: "kmsMasterKeyId" + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "MySNSTopic": { + "Type": "AWS::SNS::Topic", + "Properties": { + "Subscription": [ + { + "Endpoint": { + "Fn::GetAtt": [ + "MyQueue1", + "Arn" + ] + }, + "Protocol": "sqs" + }, + { + "Endpoint": { + "Fn::GetAtt": [ + "MyQueue2", + "Arn" + ] + }, + "Protocol": "sqs" + } + ], + "TopicName": "SampleTopic", + "KmsMasterKeyId": "kmsMasterKeyId" + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/9e8c89b3-7997-4d15-93e4-7911b9db99fd.md b/docs/queries/cloudformation-queries/aws/9e8c89b3-7997-4d15-93e4-7911b9db99fd.md new file mode 100644 index 00000000000..e2a5183ff35 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9e8c89b3-7997-4d15-93e4-7911b9db99fd.md @@ -0,0 +1,177 @@ +--- +title: Inline Policies Are Attached To ECS Service +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9e8c89b3-7997-4d15-93e4-7911b9db99fd +- **Query name:** Inline Policies Are Attached To ECS Service +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/inline_policies_are_attached_to_ecs_service) + +### Description +Check if any ECS service has inline policies attached, which are embedded directly into an entity (user, group,...), instead of the equivalent recommended managed policies.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +Resources: + InlinePolicy: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: IAMPolicy + LoadBalancers: + - TargetGroupArn: + Ref: TargetGroup + ContainerPort: 80 + ContainerName: sample-app + Cluster: + Ref: ECSCluster + IAMPolicy: + Type: 'AWS::IAM::Policy' + Properties: + PolicyName: root + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: '*' + Resource: '*' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9" +{ + "Resources": { + "InlinePolicy": { + "Type": "AWS::ECS::Service", + "DependsOn": [ + "Listener" + ], + "Properties": { + "Role": { + "Ref": "IAMPolicy" + }, + "LoadBalancers": [ + { + "TargetGroupArn": { + "Ref": "TargetGroup" + }, + "ContainerPort": 80, + "ContainerName": "sample-app" + } + ], + "Cluster": { + "Ref": "ECSCluster" + } + } + }, + "IAMPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17T00:00:00Z", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" + +Resources: + InlinePolicy: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + LoadBalancers: + - TargetGroupArn: + Ref: TargetGroup + ContainerPort: 80 + ContainerName: sample-app + Cluster: + Ref: ECSCluster + IAMPolicy: + Type: 'AWS::IAM::Policy' + Properties: + PolicyName: root + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: '*' + Resource: '*' + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "IAMPolicy": { + "Properties": { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17T00:00:00Z", + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ] + } + }, + "Type": "AWS::IAM::Policy" + }, + "InlinePolicy": { + "DependsOn": [ + "Listener" + ], + "Properties": { + "LoadBalancers": [ + { + "TargetGroupArn": { + "Ref": "TargetGroup" + }, + "ContainerPort": 80, + "ContainerName": "sample-app" + } + ], + "Cluster": { + "Ref": "ECSCluster" + } + }, + "Type": "AWS::ECS::Service" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md b/docs/queries/cloudformation-queries/aws/9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md new file mode 100644 index 00000000000..df852469e34 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9ecb6b21-18bc-4aa7-bd07-db20f1c746db.md @@ -0,0 +1,317 @@ +--- +title: CloudFormation Specifying Credentials Not Safe +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9ecb6b21-18bc-4aa7-bd07-db20f1c746db +- **Query name:** CloudFormation Specifying Credentials Not Safe +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudformation_specifying_credentials_not_safe) + +### Description +Specifying credentials in the template itself is probably not safe to do.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-authentication.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 35 71" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + WebServer: + Type: AWS::EC2::Instance + DependsOn: "BucketPolicy" + Metadata: + AWS::CloudFormation::Init: + config: + packages: + yum: + httpd: [] + files: + /var/www/html/index.html: + source: + Fn::Join: + - "" + - + - "http://s3.amazonaws.com/" + - Ref: "BucketName" + - "/index.html" + mode: "000400" + owner: "apache" + group: "apache" + authentication: "S3AccessCreds" + services: + sysvinit: + httpd: + enabled: "true" + ensureRunning: "true" + AWS::CloudFormation::Authentication: + S3AccessCreds: + type: "S3" + accessKeyId: + Ref: "CfnKeys" + secretKey: + Fn::GetAtt: + - "CfnKeys" + - "SecretAccessKey" + WebServer2: + Type: AWS::EC2::Instance + DependsOn: "BucketPolicy" + Metadata: + AWS::CloudFormation::Init: + config: + packages: + yum: + httpd: [] + files: + /var/www/html/index.html: + source: + Fn::Join: + - "" + - + - "http://s3.amazonaws.com/" + - Ref: "BucketName" + - "/index.html" + mode: "000400" + owner: "apache" + group: "apache" + authentication: "S3AccessCreds" + services: + sysvinit: + httpd: + enabled: "true" + ensureRunning: "true" + AWS::CloudFormation::Authentication: + BasicAccessCreds: + type: "basic" + username: + Ref: "UserName" + password: + Ref: "Password" + uris: + - "example.com/test" +Properties: + EC2 Resource Properties ... +``` +```json title="Postitive test num. 
2 - json file" hl_lines="48 51 112" +{ + "Properties": "EC2 Resource Properties ...", + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "WebServer": { + "DependsOn": "BucketPolicy", + "Metadata": { + "AWS::CloudFormation::Init": { + "config": { + "packages": { + "yum": { + "httpd": [] + } + }, + "files": { + "/var/www/html/index.html": { + "authentication": "S3AccessCreds", + "source": { + "Fn::Join": [ + "", + [ + "http://s3.amazonaws.com/", + { + "Ref": "BucketName" + }, + "/index.html" + ] + ] + }, + "mode": "000400", + "owner": "apache", + "group": "apache" + } + }, + "services": { + "sysvinit": { + "httpd": { + "enabled": "true", + "ensureRunning": "true" + } + } + } + } + }, + "AWS::CloudFormation::Authentication": { + "S3AccessCreds": { + "type": "S3", + "accessKeyId": { + "Ref": "CfnKeys" + }, + "secretKey": { + "Fn::GetAtt": [ + "CfnKeys", + "SecretAccessKey" + ] + } + } + } + }, + "Type": "AWS::EC2::Instance" + }, + "WebServer2": { + "Type": "AWS::EC2::Instance", + "DependsOn": "BucketPolicy", + "Metadata": { + "AWS::CloudFormation::Init": { + "config": { + "packages": { + "yum": { + "httpd": [] + } + }, + "files": { + "/var/www/html/index.html": { + "group": "apache", + "authentication": "S3AccessCreds", + "source": { + "Fn::Join": [ + "", + [ + "http://s3.amazonaws.com/", + { + "Ref": "BucketName" + }, + "/index.html" + ] + ] + }, + "mode": "000400", + "owner": "apache" + } + }, + "services": { + "sysvinit": { + "httpd": { + "enabled": "true", + "ensureRunning": "true" + } + } + } + } + }, + "AWS::CloudFormation::Authentication": { + "BasicAccessCreds": { + "uris": [ + "example.com/test" + ], + "type": "basic", + "username": { + "Ref": "UserName" + }, + "password": { + "Ref": "Password" + } + } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + WebServer: + Type: AWS::EC2::Instance + Metadata: + AWS::CloudFormation::Init: + config: + packages: + yum: + httpd: [] + files: + /var/www/html/index.html: + source: + Fn::Join: + - "" + - + - "http://s3.amazonaws.com/" + - Ref: "BucketName" + - "/index.html" + mode: "000400" + owner: "apache" + group: "apache" + authentication: "S3AccessCreds" + services: + sysvinit: + httpd: + enabled: "true" + ensureRunning: "true" + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "WebServer": { + "Type": "AWS::EC2::Instance", + "DependsOn": "BucketPolicy", + "Metadata": { + "AWS::CloudFormation::Init": { + "config": { + "packages": { + "yum": { + "httpd": [] + } + }, + "files": { + "/var/www/html/index.html": { + "source": { + "Fn::Join": [ + "", + [ + "http://s3.amazonaws.com/", + { + "Ref": "BucketName" + }, + "/index.html" + ] + ] + }, + "mode": "000400", + "owner": "apache", + "group": "apache", + "authentication": "S3AccessCreds" + } + }, + "services": { + "sysvinit": { + "httpd": { + "enabled": "true", + "ensureRunning": "true" + } + } + } + } + } + } + } + }, + "Properties": "EC2 Resource Properties ...", + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md b/docs/queries/cloudformation-queries/aws/9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md new file mode 100644 index 00000000000..136c61f166e --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d.md 
@@ -0,0 +1,224 @@ +--- +title: Configuration Aggregator to All Regions Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d +- **Query name:** Configuration Aggregator to All Regions Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/config_configuration_aggregator_to_all_regions_disabled) + +### Description +AWS Config Configuration Aggregator All Regions must be set to True
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-config-configurationaggregator.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 10 21 49" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + OperatorEmail: + Description: "Email address to notify when new logs are published." + Type: String +Resources: + ConfigurationAggregator1: + Type: 'AWS::Config::ConfigurationAggregator' + Properties: + AccountAggregationSources: + - AccountIds: + - '123456789012' + - '987654321012' + AwsRegions: + - us-west-2 + - us-east-1 + ConfigurationAggregatorName: MyConfigurationAggregator + ConfigurationAggregator2: + Type: 'AWS::Config::ConfigurationAggregator' + Properties: + AccountAggregationSources: + - AccountIds: + - '123456789012' + - '987654321012' + AwsRegions: + - us-west-2 + - us-east-1 + AllAwsRegions: false + ConfigurationAggregatorName: MyConfigurationAggregator + ConfigurationAggregator3: + Type: 'AWS::Config::ConfigurationAggregator' + Properties: + OrganizationAggregationSource: + RoleArn: >- + arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations + AwsRegions: + - us-west-2 + - us-east-1 + ConfigurationAggregatorName: MyConfigurationAggregator + ConfigurationAggregator4: + Type: 'AWS::Config::ConfigurationAggregator' + Properties: + OrganizationAggregationSource: + RoleArn: >- + arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations + AwsRegions: + - us-west-2 + - us-east-1 + AllAwsRegions: false + ConfigurationAggregatorName: MyConfigurationAggregator + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="24 62 43 6" +{ + "Resources": { + "ConfigurationAggregator5": { + "Type": "AWS::Config::ConfigurationAggregator", + "Properties": { + "AccountAggregationSources": [ + { + "AccountIds": [ + "123456789012", + "987654321012" + ], + "AwsRegions": [ + "us-west-2", + "us-east-1" + ] + } + ], + "ConfigurationAggregatorName": "MyConfigurationAggregator" + } + }, + "ConfigurationAggregator6": { + "Type": "AWS::Config::ConfigurationAggregator", + "Properties": { + "AccountAggregationSources": [ + { + "AccountIds": [ + "123456789012", + "987654321012" + ], + "AwsRegions": [ + "us-west-2", + "us-east-1" + ], + "AllAwsRegions": false + } + ], + "ConfigurationAggregatorName": "MyConfigurationAggregator" + } + }, + "ConfigurationAggregator7": { + "Type": "AWS::Config::ConfigurationAggregator", + "Properties": { + "OrganizationAggregationSource": { + "RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations", + "AwsRegions": [ + "us-west-2", + "us-east-1" + ] + }, + "ConfigurationAggregatorName": "MyConfigurationAggregator" + } + }, + "ConfigurationAggregator8": { + "Type": "AWS::Config::ConfigurationAggregator", + "Properties": { + "OrganizationAggregationSource": { + "RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations", + "AwsRegions": [ + "us-west-2", + "us-east-1" + ], + "AllAwsRegions": false + }, + "ConfigurationAggregatorName": "MyConfigurationAggregator" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + ConfigurationAggregator9: + Type: 'AWS::Config::ConfigurationAggregator' + Properties: + AccountAggregationSources: + - AccountIds: + - '123456789012' + - '987654321012' + AwsRegions: + - us-west-2 + - us-east-1 + AllAwsRegions: true + ConfigurationAggregatorName: MyConfigurationAggregator + ConfigurationAggregator10: + Type: 'AWS::Config::ConfigurationAggregator' + Properties: + OrganizationAggregationSource: + RoleArn: >- + arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations + AwsRegions: + - us-west-2 + - us-east-1 + AllAwsRegions: true + ConfigurationAggregatorName: MyConfigurationAggregator + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "ConfigurationAggregator6": { + "Type": "AWS::Config::ConfigurationAggregator", + "Properties": { + "AccountAggregationSources": [ + { + "AccountIds": [ + "123456789012", + "987654321012" + ], + "AwsRegions": [ + "us-west-2", + "us-east-1" + ], + "AllAwsRegions": true + } + ], + "ConfigurationAggregatorName": "MyConfigurationAggregator" + } + }, + "ConfigurationAggregator8": { + "Type": "AWS::Config::ConfigurationAggregator", + "Properties": { + "OrganizationAggregationSource": { + "RoleArn": "arn:aws:iam::012345678912:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations", + "AwsRegions": [ + "us-west-2", + "us-east-1" + ], + "AllAwsRegions": true + }, + "ConfigurationAggregatorName": "MyConfigurationAggregator" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md b/docs/queries/cloudformation-queries/aws/9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md new file mode 100644 index 00000000000..92ab698863f --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/9fcd0a0a-9b6f-4670-a215-d94e6bf3f184.md 
@@ -0,0 +1,268 @@ +--- +title: IAM Database Auth Not Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184 +- **Query name:** IAM Database Auth Not Enabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_database_auth_not_enabled) + +### Description +IAM Database Auth Enabled should be configured to true when using compatible engine and version
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html#cfn-rds-dbinstance-enableiamdatabaseauthentication) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: db.r3.xlarge + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + DeletionProtection: false + KmsKeyId: !Ref MyKey + EnableIAMDatabaseAuthentication: false + Engine: aurora + +``` +```json title="Postitive test num. 2 - json file" hl_lines="31" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBInstanceClass": { + "Ref": "DBInstanceType" + }, + "SourceDBInstanceIdentifier": { + "Ref": "SourceDBInstanceIdentifier" + }, + "SourceRegion": { + "Ref": "SourceRegion" + }, + "KmsKeyId": { + "Ref": "MyKey" + }, + "EnableIAMDatabaseAuthentication": false, + "Engine": "mysql" + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="13" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: db.r3.xlarge + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + DeletionProtection: false + KmsKeyId: !Ref MyKey + Engine: mysql + +``` +
Postitive test num. 4 - json file + +```json hl_lines="18" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBInstanceClass": { + "Ref": "DBInstanceType" + }, + "SourceDBInstanceIdentifier": { + "Ref": "SourceDBInstanceIdentifier" + }, + "SourceRegion": { + "Ref": "SourceRegion" + }, + "KmsKeyId": { + "Ref": "MyKey" + }, + "Engine": "mysql" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + DeletionProtection: false + KmsKeyId: !Ref MyKey + EnableIAMDatabaseAuthentication: true + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBInstanceClass": { + "Ref": "DBInstanceType" + }, + "SourceDBInstanceIdentifier": { + "Ref": "SourceDBInstanceIdentifier" + }, + "SourceRegion": { + "Ref": "SourceRegion" + }, + "KmsKeyId": { + "Ref": "MyKey" + }, + "EnableIAMDatabaseAuthentication" : true + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: db.t2.small + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + DeletionProtection: false + KmsKeyId: !Ref MyKey + EnableIAMDatabaseAuthentication: false + Engine: aurora + +``` +
Negative test num. 4 - yaml file + +```yaml +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: db.t2.small + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + DeletionProtection: false + KmsKeyId: !Ref MyKey + EnableIAMDatabaseAuthentication: false + Engine: mariadb + EngineVersion: 10.2.43 + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/a0ae0a4e-712b-4115-8112-51b9eeed9d69.md b/docs/queries/cloudformation-queries/aws/a0ae0a4e-712b-4115-8112-51b9eeed9d69.md new file mode 100644 index 00000000000..87e38175ec9 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a0ae0a4e-712b-4115-8112-51b9eeed9d69.md @@ -0,0 +1,447 @@ +--- +title: Lambda Functions With Full Privileges +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a0ae0a4e-712b-4115-8112-51b9eeed9d69 +- **Query name:** Lambda Functions With Full Privileges +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/lambda_functions_with_full_privileges) + +### Description +AWS Lambda Functions should not have roles with policies granting full administrative privileges.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="76" +AWSTemplateFormatVersion: '2010-09-09' +Parameters: + ExistingSecurityGroups: + Type: List + ExistingVPC: + Type: AWS::EC2::VPC::Id + Description: The VPC ID that includes the security groups in the ExistingSecurityGroups + parameter. + InstanceType: + Type: String + Default: t2.micro + AllowedValues: + - t2.micro + - m1.small +Resources: + SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow HTTP traffic to the host + VpcId: + Ref: ExistingVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: '80' + ToPort: '80' + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: '80' + ToPort: '80' + CidrIp: 0.0.0.0/0 + AllSecurityGroups: + Type: Custom::Split + Properties: + ServiceToken: !GetAtt AppendItemToListFunction.Arn + List: + Ref: ExistingSecurityGroups + AppendedItem: + Ref: SecurityGroup + AppendItemToListFunction: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: !GetAtt LambdaExecutionRole.Arn + Code: + ZipFile: | + var response = require('cfn-response'); + exports.handler = function(event, context) { + var responseData = {Value: event.ResourceProperties.List}; + responseData.Value.push(event.ResourceProperties.AppendedItem); + response.send(event, context, response.SUCCESS, responseData); + }; + Runtime: nodejs8.10 + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: ami-0ff8a91507f77f867 + SecurityGroupIds: !GetAtt AllSecurityGroups.Value + InstanceType: + Ref: InstanceType + LambdaExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: + - sts:AssumeRole + Path: "/" + Policies: 
+ - PolicyName: root + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - "*" + Resource: arn:aws:logs:*:*:* + +``` +```json title="Postitive test num. 2 - json file" hl_lines="101" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "InstanceType": { + "Default": "t2.micro", + "AllowedValues": [ + "t2.micro", + "m1.small" + ], + "Type": "String" + }, + "ExistingSecurityGroups": { + "Type": "List\u003cAWS::EC2::SecurityGroup::Id\u003e" + }, + "ExistingVPC": { + "Description": "The VPC ID that includes the security groups in the ExistingSecurityGroups parameter.", + "Type": "AWS::EC2::VPC::Id" + } + }, + "Resources": { + "SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow HTTP traffic to the host", + "VpcId": { + "Ref": "ExistingVPC" + }, + "SecurityGroupIngress": [ + { + "FromPort": "80", + "ToPort": "80", + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": "80", + "ToPort": "80", + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "AllSecurityGroups": { + "Type": "Custom::Split", + "Properties": { + "ServiceToken": "AppendItemToListFunction.Arn", + "List": { + "Ref": "ExistingSecurityGroups" + }, + "AppendedItem": { + "Ref": "SecurityGroup" + } + } + }, + "AppendItemToListFunction": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "var response = require('cfn-response');\nexports.handler = function(event, context) {\n var responseData = {Value: event.ResourceProperties.List};\n responseData.Value.push(event.ResourceProperties.AppendedItem);\n response.send(event, context, response.SUCCESS, responseData);\n};\n" + }, + "Runtime": "nodejs8.10", + "Handler": "index.handler", + "Role": "LambdaExecutionRole.Arn" + } + }, + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-0ff8a91507f77f867", + "SecurityGroupIds": "AllSecurityGroups.Value", + 
"InstanceType": { + "Ref": "InstanceType" + } + } + }, + "LambdaExecutionRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "*" + ], + "Resource": "arn:aws:logs:*:*:*" + } + ] + } + } + ] + }, + "Type": "AWS::IAM::Role" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Parameters: + ExistingSecurityGroups: + Type: List + ExistingVPC: + Type: AWS::EC2::VPC::Id + Description: The VPC ID that includes the security groups in the ExistingSecurityGroups + parameter. + InstanceType: + Type: String + Default: t2.micro + AllowedValues: + - t2.micro + - m1.small +Resources: + SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow HTTP traffic to the host + VpcId: + Ref: ExistingVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: '80' + ToPort: '80' + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: '80' + ToPort: '80' + CidrIp: 0.0.0.0/0 + AllSecurityGroups: + Type: Custom::Split + Properties: + ServiceToken: !GetAtt AppendItemToListFunction.Arn + List: + Ref: ExistingSecurityGroups + AppendedItem: + Ref: SecurityGroup + AppendItemToListFunction: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: !GetAtt LambdaExecutionRole.Arn + Code: + ZipFile: | + var response = require('cfn-response'); + exports.handler = function(event, context) { + var responseData = {Value: event.ResourceProperties.List}; + responseData.Value.push(event.ResourceProperties.AppendedItem); + response.send(event, context, response.SUCCESS, 
responseData); + }; + Runtime: nodejs8.10 + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: ami-0ff8a91507f77f867 + SecurityGroupIds: !GetAtt AllSecurityGroups.Value + InstanceType: + Ref: InstanceType + LambdaExecutionRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: + - sts:AssumeRole + Path: "/" + Policies: + - PolicyName: root + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - iam:ChangePassword + Resource: arn:aws:iam::account-ID-without-hyphens:user/Bob + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "ExistingSecurityGroups": { + "Type": "List\u003cAWS::EC2::SecurityGroup::Id\u003e" + }, + "ExistingVPC": { + "Description": "The VPC ID that includes the security groups in the ExistingSecurityGroups parameter.", + "Type": "AWS::EC2::VPC::Id" + }, + "InstanceType": { + "Type": "String", + "Default": "t2.micro", + "AllowedValues": [ + "t2.micro", + "m1.small" + ] + } + }, + "Resources": { + "SecurityGroup": { + "Properties": { + "GroupDescription": "Allow HTTP traffic to the host", + "VpcId": { + "Ref": "ExistingVPC" + }, + "SecurityGroupIngress": [ + { + "FromPort": "80", + "ToPort": "80", + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": "80", + "ToPort": "80", + "CidrIp": "0.0.0.0/0" + } + ] + }, + "Type": "AWS::EC2::SecurityGroup" + }, + "AllSecurityGroups": { + "Type": "Custom::Split", + "Properties": { + "ServiceToken": "AppendItemToListFunction.Arn", + "List": { + "Ref": "ExistingSecurityGroups" + }, + "AppendedItem": { + "Ref": "SecurityGroup" + } + } + }, + "AppendItemToListFunction": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Handler": "index.handler", + "Role": "LambdaExecutionRole.Arn", + "Code": { + 
"ZipFile": "var response = require('cfn-response');\nexports.handler = function(event, context) {\n var responseData = {Value: event.ResourceProperties.List};\n responseData.Value.push(event.ResourceProperties.AppendedItem);\n response.send(event, context, response.SUCCESS, responseData);\n};\n" + }, + "Runtime": "nodejs8.10" + } + }, + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-0ff8a91507f77f867", + "SecurityGroupIds": "AllSecurityGroups.Value", + "InstanceType": { + "Ref": "InstanceType" + } + } + }, + "LambdaExecutionRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "lambda.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "root", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:ChangePassword" + ], + "Resource": "arn:aws:iam::account-ID-without-hyphens:user/Bob" + } + ] + } + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/a227ec01-f97a-4084-91a4-47b350c1db54.md b/docs/queries/cloudformation-queries/aws/a227ec01-f97a-4084-91a4-47b350c1db54.md new file mode 100644 index 00000000000..be04978df98 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a227ec01-f97a-4084-91a4-47b350c1db54.md @@ -0,0 +1,289 @@ +--- +title: S3 Bucket Without Versioning +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a227ec01-f97a-4084-91a4-47b350c1db54 +- **Query name:** S3 Bucket Without Versioning +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_without_versioning) + +### Description +S3 bucket should have versioning enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +Resources: + RecordServiceS3Bucket: + Type: 'AWS::S3::Bucket' + DeletionPolicy: Retain + Properties: + ReplicationConfiguration: + Role: + 'Fn::GetAtt': + - WorkItemBucketBackupRole + - Arn + Rules: + - Destination: + Bucket: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - 'Fn::Join': + - '-' + - - Ref: 'AWS::Region' + - Ref: 'AWS::StackName' + - replicationbucket + StorageClass: STANDARD + Id: Backup + Prefix: '' + Status: Enabled + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +Resources: + RecordServiceS3Bucket2: + Type: 'AWS::S3::Bucket' + DeletionPolicy: Retain + Properties: + ReplicationConfiguration: + Role: + 'Fn::GetAtt': + - WorkItemBucketBackupRole + - Arn + Rules: + - Destination: + Bucket: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - 'Fn::Join': + - '-' + - - Ref: 'AWS::Region' + - Ref: 'AWS::StackName' + - replicationbucket + StorageClass: STANDARD + Id: Backup + Prefix: '' + Status: Enabled + VersioningConfiguration: + Status: Suspended + +``` +```json title="Postitive test num. 3 - json file" hl_lines="4" +{ + "Resources": { + "RecordServiceS3Bucket": { + "Properties": { + "ReplicationConfiguration": { + "Role": { + "Fn::GetAtt": [ + "WorkItemBucketBackupRole", + "Arn" + ] + }, + "Rules": [ + { + "Id": "Backup", + "Prefix": "", + "Status": "Enabled", + "Destination": { + "Bucket": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "AWS::Region" + }, + { + "Ref": "AWS::StackName" + }, + "replicationbucket" + ] + ] + } + ] + ] + }, + "StorageClass": "STANDARD" + } + } + ] + } + }, + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain" + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="48" +{ + "Resources": { + "RecordServiceS3Bucket2": { + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain", + "Properties": { + "ReplicationConfiguration": { + "Rules": [ + { + "Destination": { + "Bucket": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "AWS::Region" + }, + { + "Ref": "AWS::StackName" + }, + "replicationbucket" + ] + ] + } + ] + ] + }, + "StorageClass": "STANDARD" + }, + "Id": "Backup", + "Prefix": "", + "Status": "Enabled" + } + ], + "Role": { + "Fn::GetAtt": [ + "WorkItemBucketBackupRole", + "Arn" + ] + } + }, + "VersioningConfiguration": { + "Status": "Suspended" + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + RecordServiceS3Bucket: + Type: 'AWS::S3::Bucket' + DeletionPolicy: Retain + Properties: + ReplicationConfiguration: + Role: + 'Fn::GetAtt': + - WorkItemBucketBackupRole + - Arn + Rules: + - Destination: + Bucket: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - 'Fn::Join': + - '-' + - - Ref: 'AWS::Region' + - Ref: 'AWS::StackName' + - replicationbucket + StorageClass: STANDARD + Id: Backup + Prefix: '' + Status: Enabled + VersioningConfiguration: + Status: Enabled + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "RecordServiceS3Bucket": { + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain", + "Properties": { + "ReplicationConfiguration": { + "Rules": [ + { + "Id": "Backup", + "Prefix": "", + "Status": "Enabled", + "Destination": { + "Bucket": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "AWS::Region" + }, + { + "Ref": "AWS::StackName" + }, + "replicationbucket" + ] + ] + } + ] + ] + }, + "StorageClass": "STANDARD" + } + } + ], + "Role": { + "Fn::GetAtt": [ + "WorkItemBucketBackupRole", + "Arn" + ] + } + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md b/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md new file mode 100644 index 00000000000..d0cdab85c90 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a25cd877-375c-4121-a640-730929936fac.md 
@@ -0,0 +1,89 @@
+---
+title: GuardDuty Detector Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a25cd877-375c-4121-a640-730929936fac
+- **Query name:** GuardDuty Detector Disabled
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/guardduty_detector_disabled)
+
+### Description
+Make sure that Amazon GuardDuty is Enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-detector.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ mydetector3:
+ Type: AWS::GuardDuty::Detector
+ Properties:
+ Enable: False
+ FindingPublishingFrequency: FIFTEEN_MINUTES
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="6"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "mydetector4": {
+ "Properties": {
+ "Enable": false,
+ "FindingPublishingFrequency": "FIFTEEN_MINUTES"
+ },
+ "Type": "AWS::GuardDuty::Detector"
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ mydetector:
+ Type: AWS::GuardDuty::Detector
+ Properties:
+ Enable: True
+ FindingPublishingFrequency: FIFTEEN_MINUTES
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "document": [
+ {
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "mydetector2": {
+ "Properties": {
+ "Enable": true,
+ "FindingPublishingFrequency": "FIFTEEN_MINUTES"
+ },
+ "Type": "AWS::GuardDuty::Detector"
+ }
+ },
+ "id": "f63e21c6-c58e-45cf-b7b4-6b548d9f7674",
+ "file": "C:\\Users\\pedrom\\Desktop\\Data\\yaml\\yaml.yaml"
+ }
+ ]
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/a2f2800e-614b-4bc8-89e6-fec8afd24800.md b/docs/queries/cloudformation-queries/aws/a2f2800e-614b-4bc8-89e6-fec8afd24800.md
new file mode 100644
index 00000000000..502ff533095
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/a2f2800e-614b-4bc8-89e6-fec8afd24800.md
@@ -0,0 +1,124 @@ +--- +title: Serverless API Without Content Encoding +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a2f2800e-614b-4bc8-89e6-fec8afd24800 +- **Query name:** Serverless API Without Content Encoding +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_api_without_content_encoding) + +### Description +AWS Serverless API should enable Content Encoding through the attribute 'MinimumCompressionSize'. This value should be greater than -1 and smaller than 10485760
+[Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-minimumcompressionsize) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + AccessLogSetting: + DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group' + Format: >- + {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp", + "caller":"$context.identity.caller", + "user":"$context.identity.user","requestTime":"$context.requestTime", + "eventType":"$context.eventType","routeKey":"$context.routeKey", + "status":"$context.status","connectionId":"$context.connectionId"} + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi2: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + AccessLogSetting: + DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group' + Format: >- + {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp", + "caller":"$context.identity.caller", + "user":"$context.identity.user","requestTime":"$context.requestTime", + "eventType":"$context.eventType","routeKey":"$context.routeKey", + "status":"$context.status","connectionId":"$context.connectionId"} + MinimumCompressionSize: -1 + + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="19" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi3: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + AccessLogSetting: + DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group' + Format: >- + {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp", + "caller":"$context.identity.caller", + "user":"$context.identity.user","requestTime":"$context.requestTime", + "eventType":"$context.eventType","routeKey":"$context.routeKey", + "status":"$context.status","connectionId":"$context.connectionId"} + MinimumCompressionSize: 11485759 + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi4: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + CacheClusterEnabled: true + AccessLogSetting: + DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group' + Format: >- + {"requestId":"$context.requestId", "ip": "$context.identity.sourceIp", + "caller":"$context.identity.caller", + "user":"$context.identity.user","requestTime":"$context.requestTime", + "eventType":"$context.eventType","routeKey":"$context.routeKey", + "status":"$context.status","connectionId":"$context.connectionId"} + MinimumCompressionSize: 114 + + +``` diff --git a/docs/queries/cloudformation-queries/aws/a3aa0087-8228-4e7e-b202-dc9036972d02.md b/docs/queries/cloudformation-queries/aws/a3aa0087-8228-4e7e-b202-dc9036972d02.md new file mode 100644 index 00000000000..bcd1ea9df77 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a3aa0087-8228-4e7e-b202-dc9036972d02.md 
@@ -0,0 +1,99 @@ +--- +title: Neptune Cluster With IAM Database Authentication Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a3aa0087-8228-4e7e-b202-dc9036972d02 +- **Query name:** Neptune Cluster With IAM Database Authentication Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/neptune_cluster_with_iam_database_authentication_disabled) + +### Description +Neptune Cluster should have IAM Database Authentication enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html#cfn-neptune-dbcluster-iamauthenabled) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 7" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + NeptuneDBCluster: + Type: AWS::Neptune::DBCluster + Properties: + IamAuthEnabled: false + StorageEncrypted: true + NeptuneDBCluster2: + Type: AWS::Neptune::DBCluster + Properties: + IamAuthEnabled: false + StorageEncrypted: true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8 15" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "NeptuneDBCluster": { + "Type": "AWS::Neptune::DBCluster", + "Properties": { + "IamAuthEnabled": false, + "StorageEncrypted": true + } + }, + "NeptuneDBCluster2": { + "Type": "AWS::Neptune::DBCluster", + "Properties": { + "IamAuthEnabled": false, + "StorageEncrypted": true + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + NeptuneDBCluster3: + Type: AWS::Neptune::DBCluster + Properties: + IamAuthEnabled: true + StorageEncrypted: true + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "NeptuneDBCluster3": { + "Type": "AWS::Neptune::DBCluster", + "Properties": { + "IamAuthEnabled": true, + "StorageEncrypted": true + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md b/docs/queries/cloudformation-queries/aws/a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md new file mode 100644 index 00000000000..38383f9eea9 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd.md @@ -0,0 +1,295 @@ +--- +title: Security Group Ingress Has CIDR Not Recommended +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a3e4e39a-e5fc-4ee9-8cf5-700febfa86dd +- **Query name:** Security Group Ingress Has CIDR Not Recommended +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_group_ingress_has_cidr_not_recommended) + +### Description +AWS Security Group Ingress CIDR should not be /32 in case of IPV4 or /128 in case of IPV6
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="43 13" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 122.24.0.0/32 + SecurityGroupEgress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 192.0.2.0/24 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + CidrIp: 192.0.2.0/24 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + CidrIpv6: ::/128 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Postitive test num. 
2 - json file" hl_lines="44 69" +{ + "Resources": { + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "ToPort": 65535, + "CidrIp": "192.0.2.0/24", + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0 + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "::/128" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "SecurityGroupEgress": [ + { + "ToPort": 80, + "CidrIp": "192.0.2.0/24", + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80 + } + ], + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "122.24.0.0/32" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 192.0.2.0/24 + SecurityGroupEgress: + - IpProtocol: tcp + Description: TCP + FromPort: 80 + ToPort: 80 + CidrIp: 192.0.2.0/24 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 0 + CidrIp: 192.0.2.0/24 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: TCP + IpProtocol: tcp + FromPort: 0 + ToPort: 0 + CidrIpv6: 2001:0DB8:1234::/48 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "InstanceSecurityGroup": { + "Properties": { + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "192.0.2.0/24" + } + ], + "SecurityGroupEgress": [ + { + "ToPort": 80, + "CidrIp": "192.0.2.0/24", + "IpProtocol": "tcp", + "Description": "TCP", + "FromPort": 80 + } + ], + "GroupDescription": "Allow http to client host" + }, + "Type": "AWS::EC2::SecurityGroup" + }, + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "ToPort": 0, + "CidrIp": "192.0.2.0/24", + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0 + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "ToPort": 0, + "CidrIpv6": "2001:0DB8:1234::/48", + 
"SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "Description": "TCP", + "IpProtocol": "tcp", + "FromPort": 0 + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/a478af30-8c3a-404d-aa64-0b673cee509a.md b/docs/queries/cloudformation-queries/aws/a478af30-8c3a-404d-aa64-0b673cee509a.md new file mode 100644 index 00000000000..e6c2eec296c --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a478af30-8c3a-404d-aa64-0b673cee509a.md @@ -0,0 +1,155 @@ +--- +title: Redshift Using Default Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a478af30-8c3a-404d-aa64-0b673cee509a +- **Query name:** Redshift Using Default Port +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/redshift_using_default_port) + +### Description +Redshift should not use the default port (5439) because an attacker can easily guess the port
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html#cfn-redshift-cluster-port) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 28" +Resources: + myCluster: + Type: "AWS::Redshift::Cluster" + Properties: + PubliclyAccessible: false + DBName: "mydb" + MasterUsername: "master" + MasterUserPassword: + Ref: "MasterUserPassword" + NodeType: "ds2.xlarge" + ClusterType: "single-node" + Tags: + - Key: foo + Value: bar + myCluster2: + Type: "AWS::Redshift::Cluster" + Properties: + PubliclyAccessible: false + DBName: "mydb" + MasterUsername: "master" + MasterUserPassword: + Ref: "MasterUserPassword" + NodeType: "ds2.xlarge" + ClusterType: "single-node" + Tags: + - Key: foo + Value: bar + Port: 5439 + +``` +```json title="Postitive test num. 2 - json file" hl_lines="5 39" +{ + "Resources": { + "myCluster": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "NodeType": "ds2.xlarge", + "ClusterType": "single-node", + "Tags": [ + { + "Key": "foo", + "Value": "bar" + } + ], + "PubliclyAccessible": true, + "DBName": "mydb", + "MasterUsername": "master", + "MasterUserPassword": { + "Ref": "MasterUserPassword" + } + } + }, + "myCluster2": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "Tags": [ + { + "Key": "foo", + "Value": "bar" + } + ], + "PubliclyAccessible": true, + "DBName": "mydb", + "MasterUsername": "master", + "MasterUserPassword": { + "Ref": "MasterUserPassword" + }, + "NodeType": "ds2.xlarge", + "ClusterType": "single-node", + "Port": 5439 + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + myCluster: + Type: "AWS::Redshift::Cluster" + Properties: + PubliclyAccessible: false + DBName: "mydb" + MasterUsername: "master" + MasterUserPassword: + Ref: "MasterUserPassword" + NodeType: "ds2.xlarge" + ClusterType: "single-node" + Tags: + - Key: foo + Value: bar + Port: 1150 + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "myCluster": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "MasterUserPassword": { + "Ref": "MasterUserPassword" + }, + "NodeType": "ds2.xlarge", + "ClusterType": "single-node", + "Tags": [ + { + "Value": "bar", + "Key": "foo" + } + ], + "PubliclyAccessible": false, + "DBName": "mydb", + "MasterUsername": "master", + "Port": "1150" + } + } + } + } + +``` diff --git a/docs/queries/cloudformation-queries/aws/a5366a50-932f-4085-896b-41402714a388.md b/docs/queries/cloudformation-queries/aws/a5366a50-932f-4085-896b-41402714a388.md new file mode 100644 index 00000000000..9b49ee2e436 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a5366a50-932f-4085-896b-41402714a388.md @@ -0,0 +1,241 @@ +--- +title: Connection Between CloudFront Origin Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a5366a50-932f-4085-896b-41402714a388 +- **Query name:** Connection Between CloudFront Origin Not Encrypted +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/connection_between_cloudfront_origin_not_encrypted) + +### Description +Checks if the connection between the CloudFront and the origin server is encrypted
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13 30" +#this is a problematic code where the query should report a result(s) +AWSTemplateFormatVersion: "2010-09-09" +Resources: + cloudfrontdistribution_1: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + CacheBehaviors: + - LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + DefaultCacheBehavior: + ViewerProtocolPolicy: allow-all + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + IPV6Enabled: true + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: 60 + OriginReadTimeout: 30 + Tags: + - Key: name + Value: example + cloudfrontdistribution_2: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + CacheBehaviors: + ViewerProtocolPolicy: allow-all + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + DefaultCacheBehavior: + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + IPV6Enabled: true + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: 60 + OriginReadTimeout: 30 + Tags: + - Key: name + Value: example +``` +```json title="Postitive test num. 
2 - json file" hl_lines="56 19" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "cloudfrontdistribution_1": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "CacheBehaviors": [ + { + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + } + ], + "DefaultCacheBehavior": { + "ViewerProtocolPolicy": "allow-all", + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + }, + "IPV6Enabled": true, + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": 60, + "OriginReadTimeout": 30 + } + } + ] + }, + "Tags": [ + { + "Key": "name", + "Value": "example" + } + ] + } + }, + "cloudfrontdistribution_2": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Tags": [ + { + "Key": "name", + "Value": "example" + } + ], + "CacheBehaviors": { + "ViewerProtocolPolicy": "allow-all", + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + }, + "DefaultCacheBehavior": { + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + }, + "IPV6Enabled": true, + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": 60, + "OriginReadTimeout": 30 + } + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: "2010-09-09" +Resources: + cloudfrontdistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + CacheBehaviors: + - LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + DefaultCacheBehavior: + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + IPV6Enabled: true + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: 60 + OriginReadTimeout: 30 + Tags: + - Key: name + Value: example +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "cloudfrontdistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "DefaultCacheBehavior": { + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + }, + "IPV6Enabled": true, + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": 60, + "OriginReadTimeout": 30 + } + } + ], + "CacheBehaviors": [ + { + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + } + ] + }, + "Tags": [ + { + "Key": "name", + "Value": "example" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/a58d1a2d-4078-4b80-855b-84cc3f7f4540.md b/docs/queries/cloudformation-queries/aws/a58d1a2d-4078-4b80-855b-84cc3f7f4540.md new file mode 100644 index 00000000000..98ec68310d6 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a58d1a2d-4078-4b80-855b-84cc3f7f4540.md 
@@ -0,0 +1,124 @@ +--- +title: IAM Group Inline Policies +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a58d1a2d-4078-4b80-855b-84cc3f7f4540 +- **Query name:** IAM Group Inline Policies +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_groups_inline_policies) + +### Description +IAM Groups should not use inline policies and instead use managed policies. If a group is deleted, the inline policy is also deleted
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::Group + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn +``` +```json title="Postitive test num. 2 - json file" hl_lines="12" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::Group", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::Group +``` +```json title="Negative test num. 2 - json file" +{ + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::Group" + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md b/docs/queries/cloudformation-queries/aws/a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md new file mode 100644 index 00000000000..d47a7e8a104 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a71ecabe-03b6-456a-b3bc-d1a39aa20c98.md @@ -0,0 +1,73 @@ +--- +title: Serverless Function Without Tags +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a71ecabe-03b6-456a-b3bc-d1a39aa20c98 +- **Query name:** Serverless Function Without Tags +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_function_without_tags) + +### Description +AWS Serverless Function should have associated tags
+[Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tags) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + Function: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + Function1: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + +``` diff --git a/docs/queries/cloudformation-queries/aws/a7f8ac28-eed1-483d-87c8-4c325f022572.md b/docs/queries/cloudformation-queries/aws/a7f8ac28-eed1-483d-87c8-4c325f022572.md new file mode 100644 index 00000000000..3d7b936f57c --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a7f8ac28-eed1-483d-87c8-4c325f022572.md 
@@ -0,0 +1,90 @@ +--- +title: Serverless Function Environment Variables Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a7f8ac28-eed1-483d-87c8-4c325f022572 +- **Query name:** Serverless Function Environment Variables Not Encrypted +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_function_environment_variables_not_encrypted) + +### Description +AWS Serverless Function should encrypt environment variables
+[Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-kmskeyarn) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + Function: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + DeadLetterConfig: + TargetArn: arn:aws:sqs:us-east-1:2324243535:aaa + Type: SQS + Environment: + Variables: + key: value + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + Function1: + Type: AWS::Serverless::Function + Properties: + PackageType: Image + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + ImageConfig: + Command: + - "app.lambda_handler" + EntryPoint: + - "entrypoint1" + WorkingDirectory: "workDir" + Tags: + - Key: Type + Value: AWS Serverless Function + DeadLetterConfig: + TargetArn: arn:aws:sqs:us-east-1:2324243535:aaa + Type: SQS + Environment: + Variables: + key: value + KmsKeyArn: arn:aws:kms:us-west-1:123456789123:key/12345678-12cc-45bb-98aa-9876543210cc + + +``` diff --git a/docs/queries/cloudformation-queries/aws/a964d6e3-8e1e-4d93-8120-61fa640dd55a.md b/docs/queries/cloudformation-queries/aws/a964d6e3-8e1e-4d93-8120-61fa640dd55a.md new file mode 100644 index 00000000000..48607f13933 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/a964d6e3-8e1e-4d93-8120-61fa640dd55a.md @@ -0,0 +1,332 @@ +--- +title: IAM User Without Password Reset +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a964d6e3-8e1e-4d93-8120-61fa640dd55a +- **Query name:** IAM User Without Password Reset +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/user_iam_missing_password_reset_required) + +### Description +IAM User Login Profile should exist and have PasswordResetRequired property set to true
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-user-loginprofile.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + PasswordResetRequired: false + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + newuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + topuser: + Type: AWS::IAM::User + Properties: + Path: "/" + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + +``` +
Postitive test num. 4 - json file + +```json hl_lines="38" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Properties": { + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ], + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd", + "PasswordResetRequired": false + } + }, + "Type": "AWS::IAM::User" + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="9" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "newuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ] + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "topuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "Policies": [ + { + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ], + "Effect": "Allow" + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + }, + "PolicyName": "giveaccesstoqueueonly" + } + ] + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + PasswordResetRequired: true + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd", + "PasswordResetRequired": true + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/a976d63f-af0e-46e8-b714-8c1a9c4bf768.md b/docs/queries/cloudformation-queries/aws/a976d63f-af0e-46e8-b714-8c1a9c4bf768.md new file mode 100644 index 00000000000..2fab87f045f --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/a976d63f-af0e-46e8-b714-8c1a9c4bf768.md 
@@ -0,0 +1,594 @@ +--- +title: MSK Cluster Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a976d63f-af0e-46e8-b714-8c1a9c4bf768 +- **Query name:** MSK Cluster Encryption Disabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/msk_cluster_encryption_disabled) + +### Description +Ensure MSK Cluster encryption in rest and transit is enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-cluster.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +Description: MSK Cluster with all properties +Resources: + TestCluster5: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithAllProperties + KafkaVersion: 2.2.1 + NumberOfBrokerNodes: 3 + EnhancedMonitoring: PER_BROKER + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: "true" + NodeExporter: + EnabledInBroker: "true" + ConfigurationInfo: + Arn: ReplaceWithConfigurationArn + Revision: 1 + ClientAuthentication: + Tls: + CertificateAuthorityArnList: + - ReplaceWithCAArn + Tags: + Environment: Test + Owner: QATeam + BrokerNodeGroupInfo: + BrokerAZDistribution: DEFAULT + InstanceType: kafka.m5.large + SecurityGroups: + - ReplaceWithSecurityGroupId + StorageInfo: + EBSStorageInfo: + VolumeSize: 100 + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="14" +Description: MSK Cluster with all properties +Resources: + TestCluster6: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithAllProperties + KafkaVersion: 2.2.1 + NumberOfBrokerNodes: 3 + EnhancedMonitoring: PER_BROKER + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: ReplaceWithKmsKeyArn + EncryptionInTransit: + ClientBroker: PLAINTEXT + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: "true" + NodeExporter: + EnabledInBroker: "true" + ConfigurationInfo: + Arn: ReplaceWithConfigurationArn + Revision: 1 + ClientAuthentication: + Tls: + CertificateAuthorityArnList: + - ReplaceWithCAArn + Tags: + Environment: Test + Owner: QATeam + BrokerNodeGroupInfo: + BrokerAZDistribution: DEFAULT + InstanceType: kafka.m5.large + SecurityGroups: + - ReplaceWithSecurityGroupId + StorageInfo: + EBSStorageInfo: + VolumeSize: 100 + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="14" +Description: MSK Cluster with all properties +Resources: + TestCluster7: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithAllProperties + KafkaVersion: 2.2.1 + NumberOfBrokerNodes: 3 + EnhancedMonitoring: PER_BROKER + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: ReplaceWithKmsKeyArn + EncryptionInTransit: + InCluster: false + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: "true" + NodeExporter: + EnabledInBroker: "true" + ConfigurationInfo: + Arn: ReplaceWithConfigurationArn + Revision: 1 + ClientAuthentication: + Tls: + CertificateAuthorityArnList: + - ReplaceWithCAArn + Tags: + Environment: Test + Owner: QATeam + BrokerNodeGroupInfo: + BrokerAZDistribution: DEFAULT + InstanceType: kafka.m5.large + SecurityGroups: + - ReplaceWithSecurityGroupId + StorageInfo: + EBSStorageInfo: + VolumeSize: 100 + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +
Postitive test num. 4 - json file + +```json hl_lines="6" +{ + "Description": "MSK Cluster with all properties", + "Resources": { + "TestCluster8": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithAllProperties", + "KafkaVersion": "2.2.1", + "NumberOfBrokerNodes": 3, + "EnhancedMonitoring": "PER_BROKER", + "OpenMonitoring": { + "Prometheus": { + "JmxExporter": { + "EnabledInBroker": "true" + }, + "NodeExporter": { + "EnabledInBroker": "true" + } + } + }, + "ConfigurationInfo": { + "Arn": "ReplaceWithConfigurationArn", + "Revision": 1 + }, + "ClientAuthentication": { + "Tls": { + "CertificateAuthorityArnList": [ + "ReplaceWithCAArn" + ] + } + }, + "Tags": { + "Environment": "Test", + "Owner": "QATeam" + }, + "BrokerNodeGroupInfo": { + "BrokerAZDistribution": "DEFAULT", + "InstanceType": "kafka.m5.large", + "SecurityGroups": [ + "ReplaceWithSecurityGroupId" + ], + "StorageInfo": { + "EBSStorageInfo": { + "VolumeSize": 100 + } + }, + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="16" +{ + "Description": "MSK Cluster with all properties", + "Resources": { + "TestCluster9": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithAllProperties", + "KafkaVersion": "2.2.1", + "NumberOfBrokerNodes": 3, + "EnhancedMonitoring": "PER_BROKER", + "EncryptionInfo": { + "EncryptionAtRest": { + "DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn" + }, + "EncryptionInTransit": { + "ClientBroker": "PLAINTEXT" + } + }, + "OpenMonitoring": { + "Prometheus": { + "JmxExporter": { + "EnabledInBroker": "true" + }, + "NodeExporter": { + "EnabledInBroker": "true" + } + } + }, + "ConfigurationInfo": { + "Arn": "ReplaceWithConfigurationArn", + "Revision": 1 + }, + "ClientAuthentication": { + "Tls": { + "CertificateAuthorityArnList": [ + "ReplaceWithCAArn" + ] + } + }, + "Tags": { + "Environment": "Test", + "Owner": "QATeam" + }, + "BrokerNodeGroupInfo": { + "BrokerAZDistribution": "DEFAULT", + "InstanceType": "kafka.m5.large", + "SecurityGroups": [ + "ReplaceWithSecurityGroupId" + ], + "StorageInfo": { + "EBSStorageInfo": { + "VolumeSize": 100 + } + }, + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="16" +{ + "Description": "MSK Cluster with all properties", + "Resources": { + "TestCluster10": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithAllProperties", + "KafkaVersion": "2.2.1", + "NumberOfBrokerNodes": 3, + "EnhancedMonitoring": "PER_BROKER", + "EncryptionInfo": { + "EncryptionAtRest": { + "DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn" + }, + "EncryptionInTransit": { + "InCluster": "false" + } + }, + "OpenMonitoring": { + "Prometheus": { + "JmxExporter": { + "EnabledInBroker": "true" + }, + "NodeExporter": { + "EnabledInBroker": "true" + } + } + }, + "ConfigurationInfo": { + "Arn": "ReplaceWithConfigurationArn", + "Revision": 1 + }, + "ClientAuthentication": { + "Tls": { + "CertificateAuthorityArnList": [ + "ReplaceWithCAArn" + ] + } + }, + "Tags": { + "Environment": "Test", + "Owner": "QATeam" + }, + "BrokerNodeGroupInfo": { + "BrokerAZDistribution": "DEFAULT", + "InstanceType": "kafka.m5.large", + "SecurityGroups": [ + "ReplaceWithSecurityGroupId" + ], + "StorageInfo": { + "EBSStorageInfo": { + "VolumeSize": 100 + } + }, + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Description: MSK Cluster with all properties +Resources: + TestCluster: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithAllProperties + KafkaVersion: 2.2.1 + NumberOfBrokerNodes: 3 + EnhancedMonitoring: PER_BROKER + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: ReplaceWithKmsKeyArn + EncryptionInTransit: + ClientBroker: TLS + InCluster: true + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: "true" + NodeExporter: + EnabledInBroker: "true" + ConfigurationInfo: + Arn: ReplaceWithConfigurationArn + Revision: 1 + ClientAuthentication: + Tls: + CertificateAuthorityArnList: + - ReplaceWithCAArn + Tags: + Environment: Test + Owner: QATeam + BrokerNodeGroupInfo: + BrokerAZDistribution: DEFAULT + InstanceType: kafka.m5.large + SecurityGroups: + - ReplaceWithSecurityGroupId + StorageInfo: + EBSStorageInfo: + VolumeSize: 100 + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +```yaml title="Negative test num. 
2 - yaml file" +Description: MSK Cluster with all properties +Resources: + TestCluster2: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithAllProperties + KafkaVersion: 2.2.1 + NumberOfBrokerNodes: 3 + EnhancedMonitoring: PER_BROKER + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: ReplaceWithKmsKeyArn + EncryptionInTransit: + ClientBroker: TLS + OpenMonitoring: + Prometheus: + JmxExporter: + EnabledInBroker: "true" + NodeExporter: + EnabledInBroker: "true" + ConfigurationInfo: + Arn: ReplaceWithConfigurationArn + Revision: 1 + ClientAuthentication: + Tls: + CertificateAuthorityArnList: + - ReplaceWithCAArn + Tags: + Environment: Test + Owner: QATeam + BrokerNodeGroupInfo: + BrokerAZDistribution: DEFAULT + InstanceType: kafka.m5.large + SecurityGroups: + - ReplaceWithSecurityGroupId + StorageInfo: + EBSStorageInfo: + VolumeSize: 100 + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +```json title="Negative test num. 
3 - json file" +{ + "Description": "MSK Cluster with all properties", + "Resources": { + "TestCluster3": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithAllProperties", + "KafkaVersion": "2.2.1", + "NumberOfBrokerNodes": 3, + "EnhancedMonitoring": "PER_BROKER", + "EncryptionInfo": { + "EncryptionAtRest": { + "DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn" + }, + "EncryptionInTransit": { + "ClientBroker": "TLS", + "InCluster": true + } + }, + "OpenMonitoring": { + "Prometheus": { + "JmxExporter": { + "EnabledInBroker": "true" + }, + "NodeExporter": { + "EnabledInBroker": "true" + } + } + }, + "ConfigurationInfo": { + "Arn": "ReplaceWithConfigurationArn", + "Revision": 1 + }, + "ClientAuthentication": { + "Tls": { + "CertificateAuthorityArnList": [ + "ReplaceWithCAArn" + ] + } + }, + "Tags": { + "Environment": "Test", + "Owner": "QATeam" + }, + "BrokerNodeGroupInfo": { + "BrokerAZDistribution": "DEFAULT", + "InstanceType": "kafka.m5.large", + "SecurityGroups": [ + "ReplaceWithSecurityGroupId" + ], + "StorageInfo": { + "EBSStorageInfo": { + "VolumeSize": 100 + } + }, + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Description": "MSK Cluster with all properties", + "Resources": { + "TestCluster4": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithAllProperties", + "KafkaVersion": "2.2.1", + "NumberOfBrokerNodes": 3, + "EnhancedMonitoring": "PER_BROKER", + "EncryptionInfo": { + "EncryptionAtRest": { + "DataVolumeKMSKeyId": "ReplaceWithKmsKeyArn" + }, + "EncryptionInTransit": { + "ClientBroker": "TLS" + } + }, + "OpenMonitoring": { + "Prometheus": { + "JmxExporter": { + "EnabledInBroker": "true" + }, + "NodeExporter": { + "EnabledInBroker": "true" + } + } + }, + "ConfigurationInfo": { + "Arn": "ReplaceWithConfigurationArn", + "Revision": 1 + }, + "ClientAuthentication": { + "Tls": { + "CertificateAuthorityArnList": [ + "ReplaceWithCAArn" + ] + } + }, + "Tags": { + "Environment": "Test", + "Owner": "QATeam" + }, + "BrokerNodeGroupInfo": { + "BrokerAZDistribution": "DEFAULT", + "InstanceType": "kafka.m5.large", + "SecurityGroups": [ + "ReplaceWithSecurityGroupId" + ], + "StorageInfo": { + "EBSStorageInfo": { + "VolumeSize": 100 + } + }, + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/acc78859-765e-4011-a229-a65ea57db252.md b/docs/queries/cloudformation-queries/aws/acc78859-765e-4011-a229-a65ea57db252.md new file mode 100644 index 00000000000..f6f33c6fe83 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/acc78859-765e-4011-a229-a65ea57db252.md @@ -0,0 +1,188 @@ +--- +title: S3 Bucket Allows Delete Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** acc78859-765e-4011-a229-a65ea57db252 +- **Query name:** S3 Bucket Allows Delete Action From All Principals +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_allows_delete_actions_from_all_principals) + +### Description +S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7" +#this is a problematic code where the query should report a result(s) +Resources: + SampleBucketPolicy3: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: "DeleteObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + SampleBucketPolicy4: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - "DeleteObject" + - "GetObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9 35" +{ + "Resources": { + "SampleBucketPolicy5": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "DeleteObject", + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + }, + "SampleBucketPolicy6": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "DeleteObject", + "GetObject" + ], + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + SampleBucketPolicy1: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - 's3:DeleteObject' + Effect: Deny + Resource: '*' + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "SampleBucketPolicy2": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject" + ], + "Effect": "Deny", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ad21e616-5026-4b9d-990d-5b007bfe679c.md b/docs/queries/cloudformation-queries/aws/ad21e616-5026-4b9d-990d-5b007bfe679c.md new file mode 100644 index 00000000000..c4173c7cb41 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ad21e616-5026-4b9d-990d-5b007bfe679c.md @@ -0,0 +1,439 @@ +--- +title: Auto Scaling Group With No Associated ELB +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ad21e616-5026-4b9d-990d-5b007bfe679c +- **Query name:** Auto Scaling Group With No Associated ELB +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/auto_scaling_group_with_no_associated_elb) + +### Description +AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="28 60 87" +#this is a problematic code where the query should report a result(s) +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateName: !Sub ${AWS::StackName}-launch-template + LaunchTemplateData: + BlockDeviceMappings: + - Ebs: + VolumeSize: 22 + VolumeType: gp2 + DeleteOnTermination: true + Encrypted: true + DeviceName: /dev/xvdcz + CreditSpecification: + CpuCredits: Unlimited + ImageId: ami-02354e95b39ca8dec + InstanceType: t2.micro + KeyName: my-key-pair-useast1 + Monitoring: + Enabled: true + SecurityGroupIds: + - sg-7c227019 + - sg-903004f8 + myASG: + Type: AWS::AutoScaling::AutoScalingGroup + Properties: + AutoScalingGroupName: myASG + MinSize: "1" + MaxSize: "6" + DesiredCapacity: "2" + HealthCheckGracePeriod: 300 + LaunchTemplate: + LaunchTemplateId: !Ref myLaunchTemplate + Version: !GetAtt myLaunchTemplate.LatestVersionNumber + VPCZoneIdentifier: + - !Ref myPublicSubnet1 + - !Ref myPublicSubnet2 + MetricsCollection: + - Granularity: "1Minute" + Metrics: + - "GroupMinSize" + - "GroupMaxSize" + Tags: + - Key: Environment + Value: Production + PropagateAtLaunch: "true" + - Key: Purpose + Value: WebServerGroup + PropagateAtLaunch: "false" + myASG2: + Type: AWS::AutoScaling::AutoScalingGroup + Properties: + AutoScalingGroupName: myASG2 + MinSize: "1" + MaxSize: "6" + DesiredCapacity: "2" + HealthCheckGracePeriod: 300 + LoadBalancerNames: [] + LaunchTemplate: + LaunchTemplateId: !Ref myLaunchTemplate + Version: !GetAtt myLaunchTemplate.LatestVersionNumber + VPCZoneIdentifier: + - !Ref myPublicSubnet1 + - !Ref myPublicSubnet2 + MetricsCollection: + - Granularity: "1Minute" + Metrics: + - "GroupMinSize" + - "GroupMaxSize" + Tags: + - Key: 
Environment + Value: Production + PropagateAtLaunch: "true" + - Key: Purpose + Value: WebServerGroup + PropagateAtLaunch: "false" + myASG3: + Type: AWS::AutoScaling::AutoScalingGroup + Properties: + AutoScalingGroupName: myASG + MinSize: "1" + MaxSize: "6" + DesiredCapacity: "2" + HealthCheckGracePeriod: 300 + LoadBalancerNames: [] + LaunchTemplate: + LaunchTemplateId: !Ref myLaunchTemplate + Version: !GetAtt myLaunchTemplate.LatestVersionNumber + VPCZoneIdentifier: + - !Ref myPublicSubnet1 + - !Ref myPublicSubnet2 + MetricsCollection: + - Granularity: "1Minute" + Metrics: + - "GroupMinSize" + - "GroupMaxSize" + Tags: + - Key: Environment + Value: Production + PropagateAtLaunch: "true" + - Key: Purpose + Value: WebServerGroup + PropagateAtLaunch: "false" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="78 126 38" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myLaunchTemplate": { + "Type": "AWS::EC2::LaunchTemplate", + "Properties": { + "LaunchTemplateName": "${AWS::StackName}-launch-template", + "LaunchTemplateData": { + "InstanceType": "t2.micro", + "KeyName": "my-key-pair-useast1", + "Monitoring": { + "Enabled": true + }, + "SecurityGroupIds": [ + "sg-7c227019", + "sg-903004f8" + ], + "BlockDeviceMappings": [ + { + "Ebs": { + "VolumeSize": 22, + "VolumeType": "gp2", + "DeleteOnTermination": true, + "Encrypted": true + }, + "DeviceName": "/dev/xvdcz" + } + ], + "CreditSpecification": { + "CpuCredits": "Unlimited" + }, + "ImageId": "ami-02354e95b39ca8dec" + } + } + }, + "myASG": { + "Type": "AWS::AutoScaling::AutoScalingGroup", + "Properties": { + "HealthCheckGracePeriod": 300, + "LaunchTemplate": { + "LaunchTemplateId": "myLaunchTemplate", + "Version": "myLaunchTemplate.LatestVersionNumber" + }, + "VPCZoneIdentifier": [ + "myPublicSubnet1", + "myPublicSubnet2" + ], + "MetricsCollection": [ + { + "Granularity": "1Minute", + "Metrics": [ + "GroupMinSize", + "GroupMaxSize" + ] + } + ], + "AutoScalingGroupName": "myASG", + 
"MaxSize": "6", + "DesiredCapacity": "2", + "MinSize": "1", + "Tags": [ + { + "Key": "Environment", + "Value": "Production", + "PropagateAtLaunch": "true" + }, + { + "Key": "Purpose", + "Value": "WebServerGroup", + "PropagateAtLaunch": "false" + } + ] + } + }, + "myASG2": { + "Type": "AWS::AutoScaling::AutoScalingGroup", + "Properties": { + "LoadBalancerNames": [], + "LaunchTemplate": { + "Version": "myLaunchTemplate.LatestVersionNumber", + "LaunchTemplateId": "myLaunchTemplate" + }, + "VPCZoneIdentifier": [ + "myPublicSubnet1", + "myPublicSubnet2" + ], + "MinSize": "1", + "MaxSize": "6", + "HealthCheckGracePeriod": 300, + "Tags": [ + { + "Value": "Production", + "PropagateAtLaunch": "true", + "Key": "Environment" + }, + { + "Key": "Purpose", + "Value": "WebServerGroup", + "PropagateAtLaunch": "false" + } + ], + "AutoScalingGroupName": "myASG2", + "DesiredCapacity": "2", + "MetricsCollection": [ + { + "Granularity": "1Minute", + "Metrics": [ + "GroupMinSize", + "GroupMaxSize" + ] + } + ] + } + }, + "myASG3": { + "Type": "AWS::AutoScaling::AutoScalingGroup", + "Properties": { + "VPCZoneIdentifier": [ + "myPublicSubnet1", + "myPublicSubnet2" + ], + "MaxSize": "6", + "MinSize": "1", + "DesiredCapacity": "2", + "HealthCheckGracePeriod": 300, + "LoadBalancerNames": [], + "LaunchTemplate": { + "LaunchTemplateId": "myLaunchTemplate", + "Version": "myLaunchTemplate.LatestVersionNumber" + }, + "MetricsCollection": [ + { + "Granularity": "1Minute", + "Metrics": [ + "GroupMinSize", + "GroupMaxSize" + ] + } + ], + "Tags": [ + { + "Key": "Environment", + "Value": "Production", + "PropagateAtLaunch": "true" + }, + { + "Key": "Purpose", + "Value": "WebServerGroup", + "PropagateAtLaunch": "false" + } + ], + "AutoScalingGroupName": "myASG" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateName: !Sub ${AWS::StackName}-launch-template + LaunchTemplateData: + BlockDeviceMappings: + - Ebs: + VolumeSize: 22 + VolumeType: gp2 + DeleteOnTermination: true + Encrypted: true + DeviceName: /dev/xvdcz + CreditSpecification: + CpuCredits: Unlimited + ImageId: ami-02354e95b39ca8dec + InstanceType: t2.micro + KeyName: my-key-pair-useast1 + Monitoring: + Enabled: true + SecurityGroupIds: + - sg-7c227019 + - sg-903004f8 + myASG: + Type: AWS::AutoScaling::AutoScalingGroup + Properties: + AutoScalingGroupName: myASG + MinSize: "1" + MaxSize: "6" + DesiredCapacity: "2" + HealthCheckGracePeriod: 300 + LoadBalancerNames: + - elb_1 + - elb_2 + LaunchTemplate: + LaunchTemplateId: !Ref myLaunchTemplate + Version: !GetAtt myLaunchTemplate.LatestVersionNumber + VPCZoneIdentifier: + - !Ref myPublicSubnet1 + - !Ref myPublicSubnet2 + MetricsCollection: + - Granularity: "1Minute" + Metrics: + - "GroupMinSize" + - "GroupMaxSize" + Tags: + - Key: Environment + Value: Production + PropagateAtLaunch: "true" + - Key: Purpose + Value: WebServerGroup + PropagateAtLaunch: "false" +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "myLaunchTemplate": { + "Type": "AWS::EC2::LaunchTemplate", + "Properties": { + "LaunchTemplateName": "${AWS::StackName}-launch-template", + "LaunchTemplateData": { + "ImageId": "ami-02354e95b39ca8dec", + "InstanceType": "t2.micro", + "KeyName": "my-key-pair-useast1", + "Monitoring": { + "Enabled": true + }, + "SecurityGroupIds": [ + "sg-7c227019", + "sg-903004f8" + ], + "BlockDeviceMappings": [ + { + "Ebs": { + "Encrypted": true, + "VolumeSize": 22, + "VolumeType": "gp2", + "DeleteOnTermination": true + }, + "DeviceName": "/dev/xvdcz" + } + ], + "CreditSpecification": { + "CpuCredits": "Unlimited" + } + } + } + }, + "myASG": { + "Type": "AWS::AutoScaling::AutoScalingGroup", + "Properties": { + "Tags": [ + { + "Key": "Environment", + "Value": "Production", + "PropagateAtLaunch": "true" + }, + { + "Key": "Purpose", + "Value": "WebServerGroup", + "PropagateAtLaunch": "false" + } + ], + "AutoScalingGroupName": "myASG", + "MaxSize": "6", + "HealthCheckGracePeriod": 300, + "LoadBalancerNames": [ + "elb_1", + "elb_2" + ], + "LaunchTemplate": { + "LaunchTemplateId": "myLaunchTemplate", + "Version": "myLaunchTemplate.LatestVersionNumber" + }, + "VPCZoneIdentifier": [ + "myPublicSubnet1", + "myPublicSubnet2" + ], + "MetricsCollection": [ + { + "Granularity": "1Minute", + "Metrics": [ + "GroupMinSize", + "GroupMaxSize" + ] + } + ], + "MinSize": "1", + "DesiredCapacity": "2" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf.md b/docs/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf.md new file mode 100644 index 00000000000..7b8d6905016 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf.md 
@@ -0,0 +1,212 @@ +--- +title: Shield Advanced Not In Use +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ad7444cf-817a-4765-a79e-2145f7981faf +- **Query name:** Shield Advanced Not In Use +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/shield_advanced_not_in_use) + +### Description +AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-fms-policy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +Resources: + HostedZone: + Type: AWS::Route53::HostedZone + Properties: + Name: "HostedZone" + QueryLoggingConfig: + CloudWatchLogsLogGroupArn: "SomeCloudWatchLogGroupArn" + Policy: + Type: AWS::FMS::Policy + Properties: + ExcludeResourceTags: true + ResourceTags: + - Key: resourceTag1 + Value: value + - Key: resourceTag2 + Value: value + IncludeMap: + ACCOUNT: + - !Ref AWS::AccountId + PolicyName: TaggedPolicy + RemediationEnabled: false + ResourceType: ResourceTypeList + ResourceTypeList: + - AWS::GlobalAccelerator::Accelerator + SecurityServicePolicyData: + Type: SHIELD_ADVANCED + DeleteAllPolicyResources: false + Tags: + - Key: tag1 + Value: value + - Key: tag2 + Value: value + +``` +```json title="Postitive test num. 2 - json file" hl_lines="3" +{ + "Resources": { + "HostedZone": { + "Properties": { + "Name": "HostedZone", + "QueryLoggingConfig": { + "CloudWatchLogsLogGroupArn": "SomeCloudWatchLogGroupArn" + } + }, + "Type": "AWS::Route53::HostedZone" + }, + "Policy": { + "Properties": { + "DeleteAllPolicyResources": false, + "ExcludeResourceTags": true, + "IncludeMap": { + "ACCOUNT": [ + "AWS::AccountId" + ] + }, + "PolicyName": "TaggedPolicy", + "RemediationEnabled": false, + "ResourceTags": [ + { + "Key": "resourceTag1", + "Value": "value" + }, + { + "Key": "resourceTag2", + "Value": "value" + } + ], + "ResourceType": "ResourceTypeList", + "ResourceTypeList": [ + "AWS::GlobalAccelerator::Accelerator" + ], + "SecurityServicePolicyData": { + "Type": "SHIELD_ADVANCED" + }, + "Tags": [ + { + "Key": "tag1", + "Value": "value" + }, + { + "Key": "tag2", + "Value": "value" + } + ] + }, + "Type": "AWS::FMS::Policy" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + MyEIP: + Type: AWS::EC2::EIP + Properties: + InstanceId: !Ref Logical name of an AWS::EC2::Instance resource + Policy2: + Type: AWS::FMS::Policy + Properties: + ExcludeResourceTags: true + ResourceTags: + - Key: resourceTag1 + Value: value + - Key: resourceTag2 + Value: value + IncludeMap: + ACCOUNT: + - !Ref AWS::AccountId + PolicyName: TaggedPolicy + RemediationEnabled: false + ResourceType: ResourceTypeList + ResourceTypeList: + - AWS::EC2::EIP + SecurityServicePolicyData: + Type: SHIELD_ADVANCED + DeleteAllPolicyResources: false + Tags: + - Key: tag1 + Value: value + - Key: tag2 + Value: value + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "MyEIP": { + "Properties": { + "InstanceId": "Logical name of an AWS::EC2::Instance resource" + }, + "Type": "AWS::EC2::EIP" + }, + "Policy2": { + "Properties": { + "DeleteAllPolicyResources": false, + "ExcludeResourceTags": true, + "IncludeMap": { + "ACCOUNT": [ + "AWS::AccountId" + ] + }, + "PolicyName": "TaggedPolicy", + "RemediationEnabled": false, + "ResourceTags": [ + { + "Key": "resourceTag1", + "Value": "value" + }, + { + "Key": "resourceTag2", + "Value": "value" + } + ], + "ResourceType": "ResourceTypeList", + "ResourceTypeList": [ + "AWS::EC2::EIP" + ], + "SecurityServicePolicyData": { + "Type": "SHIELD_ADVANCED" + }, + "Tags": [ + { + "Key": "tag1", + "Value": "value" + }, + { + "Key": "tag2", + "Value": "value" + } + ] + }, + "Type": "AWS::FMS::Policy" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md b/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md new file mode 100644 index 00000000000..8722fe89ecb --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md 
@@ -0,0 +1,169 @@ +--- +title: Security Groups With Meta IP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** adcd0082-e90b-4b63-862b-21899f6e6a48 +- **Query name:** Security Groups With Meta IP +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_groups_with_meta_ip) + +### Description +Security Groups allows 0.0.0.0/0 for all ports and protocols.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19" +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + KeyName: mykey + ImageId: '' + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 +``` +```json title="Postitive test num. 2 - json file" hl_lines="24" +{ + "Resources": { + "Ec2Instance": { + "Properties": { + "SecurityGroups": [ + "InstanceSecurityGroup" + ], + "KeyName": "mykey", + "ImageId": "" + }, + "Type": "AWS::EC2::Instance" + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "FromPort": 0, + "ToPort": 65535, + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + KeyName: mykey + ImageId: '' + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 127.0.0.1/32 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 127.0.0.1/33 +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "Ec2Instance": { + "Properties": { + "SecurityGroups": [ + "InstanceSecurityGroup" + ], + "KeyName": "mykey", + "ImageId": "" + }, + "Type": "AWS::EC2::Instance" + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "ToPort": 80, + "CidrIp": "127.0.0.1/32", + "IpProtocol": "tcp", + "FromPort": 80 + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "127.0.0.1/33" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ae03f542-1423-402f-9cef-c834e7ee9583.md b/docs/queries/cloudformation-queries/aws/ae03f542-1423-402f-9cef-c834e7ee9583.md new file mode 100644 index 00000000000..1ca0d6c8cf3 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ae03f542-1423-402f-9cef-c834e7ee9583.md 
@@ -0,0 +1,253 @@ +--- +title: Lambda Functions Without Unique IAM Roles +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ae03f542-1423-402f-9cef-c834e7ee9583 +- **Query name:** Lambda Functions Without Unique IAM Roles +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/lambda_functions_without_unique_iam_roles) + +### Description +AWS Lambda Functions should not share IAM roles to ensure they will have the minimum privileges needed to perform the required tasks
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 41" +AWSTemplateFormatVersion: '2010-09-09' +Description: Lambda function with cfn-response. +Resources: + Primer01: + Type: AWS::Lambda::Function + Properties: + Runtime: nodejs12.x + Role: arn:aws:iam::123456789012:role/lambda-role + Handler: index.handler + Code: + ZipFile: | + var aws = require('aws-sdk') + var response = require('cfn-response') + exports.handler = function(event, context) { + console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) + // For Delete requests, immediately send a SUCCESS response. + if (event.RequestType == "Delete") { + response.send(event, context, "SUCCESS") + return + } + var responseStatus = "FAILED" + var responseData = {} + var functionName = event.ResourceProperties.FunctionName + var lambda = new aws.Lambda() + lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { + if (err) { + responseData = {Error: "Invoke call failed"} + console.log(responseData.Error + ":\n", err) + } + else responseStatus = "SUCCESS" + response.send(event, context, responseStatus, responseData) + }) + } + Description: Invoke a function during stack creation. + TracingConfig: + Mode: Active + Primer02: + Type: AWS::Lambda::Function + Properties: + Runtime: nodejs12.x + Role: arn:aws:iam::123456789012:role/lambda-role + Handler: index.handler + Code: + ZipFile: | + var aws = require('aws-sdk') + var response = require('cfn-response') + exports.handler = function(event, context) { + console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) + // For Delete requests, immediately send a SUCCESS response. 
+ if (event.RequestType == "Delete") { + response.send(event, context, "SUCCESS") + return + } + var responseStatus = "FAILED" + var responseData = {} + var functionName = event.ResourceProperties.FunctionName + var lambda = new aws.Lambda() + lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { + if (err) { + responseData = {Error: "Invoke call failed"} + console.log(responseData.Error + ":\n", err) + } + else responseStatus = "SUCCESS" + response.send(event, context, responseStatus, responseData) + }) + } + Description: Invoke a function during stack creation. + TracingConfig: + Mode: Active +``` +```json title="Postitive test num. 2 - json file" hl_lines="24 7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Lambda function with cfn-response.", + "Resources": { + "Primer01": { + "Properties": { + "Role": "arn:aws:iam::123456789012:role/lambda-role", + "Handler": "index.handler", + "Code": { + "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" + }, + "Description": "Invoke a function during stack creation.", + "TracingConfig": { + "Mode": "Active" + }, + "Runtime": "nodejs12.x" + }, + "Type": "AWS::Lambda::Function" + }, + "Primer02": { + "Type": "AWS::Lambda::Function", + 
"Properties": { + "Runtime": "nodejs12.x", + "Role": "arn:aws:iam::123456789012:role/lambda-role", + "Handler": "index.handler", + "Code": { + "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" + }, + "Description": "Invoke a function during stack creation.", + "TracingConfig": { + "Mode": "Active" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Description: Lambda function with cfn-response. +Resources: + Primer01: + Type: AWS::Lambda::Function + Properties: + Runtime: nodejs12.x + Role: arn:aws:iam::123456789012:role/lambda-role + Handler: index.handler + Code: + ZipFile: | + var aws = require('aws-sdk') + var response = require('cfn-response') + exports.handler = function(event, context) { + console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) + // For Delete requests, immediately send a SUCCESS response. 
+ if (event.RequestType == "Delete") { + response.send(event, context, "SUCCESS") + return + } + var responseStatus = "FAILED" + var responseData = {} + var functionName = event.ResourceProperties.FunctionName + var lambda = new aws.Lambda() + lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { + if (err) { + responseData = {Error: "Invoke call failed"} + console.log(responseData.Error + ":\n", err) + } + else responseStatus = "SUCCESS" + response.send(event, context, responseStatus, responseData) + }) + } + Description: Invoke a function during stack creation. + TracingConfig: + Mode: Active + Primer02: + Type: AWS::Lambda::Function + Properties: + Runtime: nodejs12.x + Role: arn:aws:iam::123456789012:role/lambda-ex + Handler: index.handler + Code: + ZipFile: | + var aws = require('aws-sdk') + var response = require('cfn-response') + exports.handler = function(event, context) { + console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) + // For Delete requests, immediately send a SUCCESS response. + if (event.RequestType == "Delete") { + response.send(event, context, "SUCCESS") + return + } + var responseStatus = "FAILED" + var responseData = {} + var functionName = event.ResourceProperties.FunctionName + var lambda = new aws.Lambda() + lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { + if (err) { + responseData = {Error: "Invoke call failed"} + console.log(responseData.Error + ":\n", err) + } + else responseStatus = "SUCCESS" + response.send(event, context, responseStatus, responseData) + }) + } + Description: Invoke a function during stack creation. + TracingConfig: + Mode: Active +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Lambda function with cfn-response.", + "Resources": { + "Primer01": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Runtime": "nodejs12.x", + "Role": "arn:aws:iam::123456789012:role/lambda-role", + "Handler": "index.handler", + "Code": { + "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" + }, + "Description": "Invoke a function during stack creation.", + "TracingConfig": { + "Mode": "Active" + } + } + }, + "Primer02": { + "Type": "AWS::Lambda::Function", + "Properties": { + "TracingConfig": { + "Mode": "Active" + }, + "Runtime": "nodejs12.x", + "Role": "arn:aws:iam::123456789012:role/lambda-ex", + "Handler": "index.handler", + "Code": { + "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n 
lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" + }, + "Description": "Invoke a function during stack creation." + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ae53ce91-42b5-46bf-a84f-9a13366a4f13.md b/docs/queries/cloudformation-queries/aws/ae53ce91-42b5-46bf-a84f-9a13366a4f13.md new file mode 100644 index 00000000000..115a1462300 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ae53ce91-42b5-46bf-a84f-9a13366a4f13.md @@ -0,0 +1,121 @@ +--- +title: SNS Topic is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ae53ce91-42b5-46bf-a84f-9a13366a4f13 +- **Query name:** SNS Topic is Publicly Accessible +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/sns_topic_is_publicly_accessible) + +### Description +SNS Topic Policy should not allow any principal to access
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: '2010-09-09' +Description: '' +Resources: + snsPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + PolicyDocument: + Statement: [ + { + "Sid": "MyTopicPolicy", + "Effect": "Allow", + "Principal": "*", + "Action": ["sns:Publish"], + "Resource": "arn:aws:sns:MyTopic" + }] + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "", + "Resources": { + "mysnspolicy0" : { + "Type" : "AWS::SNS::TopicPolicy", + "Properties" : { + "PolicyDocument" : { + "Id" : "MyTopicPolicy", + "Version" : "2012-10-17", + "Statement" : [ { + "Sid" : "My-statement-id", + "Effect" : "Allow", + "Principal" : "*", + "Action" : "sns:Publish", + "Resource" : "*" + } ] + }, + "Topics" : [ { "Ref" : "MySNSTopic" } ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Description: '' +Resources: + snsPolicy: + Type: AWS::SNS::TopicPolicy + Properties: + PolicyDocument: + Statement: [ + { + "Sid": "MyTopicPolicy", + "Effect": "Allow", + "Principal": "otherPrincipal", + "Action": ["sns:Publish"], + "Resource": "arn:aws:sns:MyTopic" + }] + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "", + "Resources": { + "mysnspolicy0" : { + "Type" : "AWS::SNS::TopicPolicy", + "Properties" : { + "PolicyDocument" : { + "Id" : "MyTopicPolicy", + "Version" : "2012-10-17", + "Statement" : [ { + "Sid" : "My-statement-id", + "Effect" : "Allow", + "Principal" : "otherPrincipal", + "Action" : "sns:Publish", + "Resource" : "*" + } ] + }, + "Topics" : [ { "Ref" : "MySNSTopic" } ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md b/docs/queries/cloudformation-queries/aws/b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md new file mode 100644 index 00000000000..52c673bcbcf --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/b1b20ae3-8fa7-4af5-a74d-a2145920fcb1.md @@ -0,0 +1,257 @@ +--- +title: IAM Password Without Minimum Length +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b1b20ae3-8fa7-4af5-a74d-a2145920fcb1 +- **Query name:** IAM Password Without Minimum Length +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_password_without_minimum_length) + +### Description +IAM password should have the required minimum length
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + - PolicyName: giveaccesstotopiconly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sns:* + Resource: + - !Ref mytopic + - Effect: Deny + Action: + - sns:* + NotResource: + - !Ref mytopic +``` +```json title="Postitive test num. 2 - json file" hl_lines="10" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + }, + { + "PolicyName": "giveaccesstotopiconly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sns:*" + ], + "Resource": [ + "mytopic" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sns:*" + ], + "NotResource": [ + "mytopic" + ] + } + ] + } + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd123asw + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + - PolicyName: giveaccesstotopiconly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sns:* + Resource: + - !Ref mytopic + - Effect: Deny + Action: + - sns:* + NotResource: + - !Ref mytopic +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd123asw" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Resource": [ + "myqueue.Arn" + ], + "Effect": "Allow", + "Action": [ + "sqs:*" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + }, + { + "PolicyName": "giveaccesstotopiconly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sns:*" + ], + "Resource": [ + "mytopic" + ] + }, + { + "Action": [ + "sns:*" + ], + "NotResource": [ + "mytopic" + ], + "Effect": "Deny" + } + ] + } + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md b/docs/queries/cloudformation-queries/aws/b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md new file mode 100644 index 00000000000..8862a7f6673 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/b2e8752c-3497-4255-98d2-e4ae5b46bbf5.md 
@@ -0,0 +1,108 @@ +--- +title: S3 Bucket Without Server-side-encryption +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b2e8752c-3497-4255-98d2-e4ae5b46bbf5 +- **Query name:** S3 Bucket Without Server-side-encryption +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_without_server_side_encryption) + +### Description +S3 Buckets should have server-side encryption at rest enabled to protect sensitive data
+[Documentation](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +#this is a problematic code where the query should report a result(s) +AWSTemplateFormatVersion: '2010-09-09' +Description: S3 bucket without default encryption +Resources: + S3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: + 'Fn::Sub': 'bucket-${AWS::Region}-${AWS::AccountId}' + DeletionPolicy: Delete +``` +```json title="Postitive test num. 2 - json file" hl_lines="5" +{ + "Resources": { + "S3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": { + "Fn::Sub": "bucket-${AWS::Region}-${AWS::AccountId}" + } + }, + "DeletionPolicy": "Delete" + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "S3 bucket without default encryption" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: '2010-09-09' +Description: S3 bucket with default encryption +Resources: + EncryptedS3Bucket: + Type: 'AWS::S3::Bucket' + Properties: + BucketName: + 'Fn::Sub': 'encryptedbucket-${AWS::Region}-${AWS::AccountId}' + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: 'aws:kms' + KMSMasterKeyID: KMS-KEY-ARN + DeletionPolicy: Delete +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "S3 bucket with default encryption", + "Resources": { + "EncryptedS3Bucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": { + "Fn::Sub": "encryptedbucket-${AWS::Region}-${AWS::AccountId}" + }, + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "aws:kms", + "KMSMasterKeyID": "KMS-KEY-ARN" + } + } + ] + } + }, + "DeletionPolicy": "Delete" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/b3de4e4c-14be-4159-b99d-9ad194365e4c.md b/docs/queries/cloudformation-queries/aws/b3de4e4c-14be-4159-b99d-9ad194365e4c.md new file mode 100644 index 00000000000..555f87cd085 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/b3de4e4c-14be-4159-b99d-9ad194365e4c.md @@ -0,0 +1,113 @@ +--- +title: EC2 Instance Subnet Has Public IP Mapping On Launch +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b3de4e4c-14be-4159-b99d-9ad194365e4c +- **Query name:** EC2 Instance Subnet Has Public IP Mapping On Launch +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_instance_subnet_has_public_ip_mapping_on_launch) + +### Description +EC2 Instance Subnet should not have MapPublicIpOnLaunch set to true
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-subnet.html#cfn-ec2-subnet-mappubliciponlaunch) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + mySubnet: + Type: AWS::EC2::Subnet + Properties: + MapPublicIpOnLaunch: true + VpcId: myVPC + CidrBlock: 10.0.0.0/24 + AvailabilityZone: "us-east-1a" + Tags: + - Key: foo + Value: bar + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "mySubnet": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "MapPublicIpOnLaunch": true, + "VpcId": "myVPC", + "CidrBlock": "10.0.0.0/24", + "AvailabilityZone": "us-east-1a", + "Tags": [ + { + "Key": "foo", + "Value": "bar" + } + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + mySubnet: + Type: AWS::EC2::Subnet + Properties: + MapPublicIpOnLaunch: false + VpcId: myVPC + CidrBlock: 10.0.0.0/24 + AvailabilityZone: "us-east-1a" + Tags: + - Key: foo + Value: bar + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "mySubnet": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "Tags": [ + { + "Key": "foo", + "Value": "bar" + } + ], + "MapPublicIpOnLaunch": false, + "VpcId": "myVPC", + "CidrBlock": "10.0.0.0/24", + "AvailabilityZone": "us-east-1a" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template" +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md b/docs/queries/cloudformation-queries/aws/b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md new file mode 100644 index 00000000000..d030e5dd70b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/b4d9c12b-bfba-4aeb-9cb8-2358546d8041.md @@ -0,0 +1,159 @@ +--- +title: Vulnerable Default SSL Certificate +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b4d9c12b-bfba-4aeb-9cb8-2358546d8041 +- **Query name:** Vulnerable Default SSL Certificate +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/vulnerable_default_ssl_certificate) + +### Description +CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + ViewerCertificate: + AcmCertificateArn: arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + ViewerCertificate: + CloudfrontDefaultCertificate: true + +``` +
Postitive test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Enabled": "true" + } + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="8" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "ViewerCertificate": { + "AcmCertificateArn": "arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="9" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "ViewerCertificate": { + "CloudfrontDefaultCertificate": "true" + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: 'AWS::CloudFront::Distribution' + Properties: + DistributionConfig: + ViewerCertificate: + AcmCertificateArn: arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 + MinimumProtocolVersion: TLS1.2_2019 + SslSupportMethod: sni_only + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "ViewerCertificate": { + "AcmCertificateArn": "some arn", + "MinimumProtocolVersion": "TLS1.2_2019", + "SslSupportMethod": "sni_only" + } + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md b/docs/queries/cloudformation-queries/aws/b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md new file mode 100644 index 00000000000..eeec31bc0fd --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83.md @@ -0,0 +1,132 @@ +--- +title: BOM - AWS S3 Buckets +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b5d6a2e0-8f15-4664-bd5b-68ec5c9bab83 +- **Query name:** BOM - AWS S3 Buckets +- **Platform:** CloudFormation +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/s3_bucket) + +### Description +A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating S3 bucket +Resources: + MyBucket: + Type: AWS::S3::Bucket + Properties: + AccessControl: BucketOwnerFullControl + BucketName: jenkins-artifacts + VersioningConfiguration: + Status: Enabled + Tags: + - Key: CostCenter + Value: ITEngineering + - Key: Type + Value: CICD + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: 'aws:kms' + KMSMasterKeyID: KMS-KEY-ARN + SampleBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref MyBucket + PolicyDocument: + Version: 2012-10-17 + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: !Join + - '' + - - 'arn:aws:s3:::' + - !Ref DOC-EXAMPLE-BUCKET + - /* + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="5" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating S3 bucket", + "Resources": { + "JenkinsArtifacts03": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "jenkins-artifacts", + "VersioningConfiguration": { + "Status": "Enabled" + }, + "Tags": [ + { + "Key": "CostCenter", + "Value": "ITEngineering" + }, + { + "Key": "Type", + "Value": "CICD" + } + ], + "AccessControl": "BucketOwnerFullControl" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Enabled": "true" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42.md b/docs/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42.md new file mode 100644 index 00000000000..6d5e796bc6f --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42.md @@ -0,0 +1,157 @@ +--- +title: EBS Volume Without KmsKeyId +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b7063015-6c31-4658-a8e7-14f98f37fd42 +- **Query name:** EBS Volume Without KmsKeyId +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ebs_volume_without_kms_key_id) + +### Description +EBS Volume should specify a KmsKeyId value
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-ebs-volume.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating ECS service +Resources: + NewVolume: + Type: AWS::EC2::Volume + Properties: + Size: 100 + Encrypted: true + AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone + Tags: + - Key: MyTag + Value: TagValue + DeletionPolicy: Snapshot +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating ECS service", + "Resources": { + "NewVolume": { + "Type": "AWS::EC2::Volume", + "Properties": { + "Size": 100, + "Encrypted": true, + "AvailabilityZone": "Ec2Instance.AvailabilityZone", + "Tags": [ + { + "Key": "MyTag", + "Value": "TagValue" + } + ] + }, + "DeletionPolicy": "Snapshot" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Creating ECS service +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + NewVolume: + Type: AWS::EC2::Volume + Properties: + Size: 100 + Encrypted: true + AvailabilityZone: !GetAtt Ec2Instance.AvailabilityZone + Tags: + - Key: MyTag + Value: TagValue + KmsKeyId: !Ref MyKey + DeletionPolicy: Snapshot +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "MyKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*" + } + ] + } + } + }, + "NewVolume": { + "DeletionPolicy": "Snapshot", + "Type": "AWS::EC2::Volume", + "Properties": { + "KmsKeyId": "MyKey", + "Size": 100, + "Encrypted": true, + "AvailabilityZone": "Ec2Instance.AvailabilityZone", + "Tags": [ + { + "Key": "MyTag", + "Value": "TagValue" + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Creating ECS service" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ba766c53-fe71-4bbb-be35-b6803f2ef13e.md b/docs/queries/cloudformation-queries/aws/ba766c53-fe71-4bbb-be35-b6803f2ef13e.md new file mode 100644 index 00000000000..f8774c011c3 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ba766c53-fe71-4bbb-be35-b6803f2ef13e.md @@ -0,0 +1,85 @@ +--- +title: ElastiCache Without VPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ba766c53-fe71-4bbb-be35-b6803f2ef13e +- **Query name:** ElastiCache Without VPC +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elasticache_without_vpc) + +### Description +ElastiCache should be launched in a Virtual Private Cloud (VPC)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-cachesubnetgroupname) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +Resources: + ElasticacheCluster: + Type: 'AWS::ElastiCache::CacheCluster' + Properties: + Engine: memcached + CacheNodeType: cache.t2.micro + NumCacheNodes: '1' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="5" +{ + "Resources": { + "ElasticacheCluster": { + "Type": "AWS::ElastiCache::CacheCluster", + "Properties": { + "CacheNodeType": "cache.m3.medium", + "Engine": "memcached", + "NumCacheNodes": "1" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + ElasticacheCluster: + Type: 'AWS::ElastiCache::CacheCluster' + Properties: + Engine: memcached + CacheNodeType: cache.t2.micro + NumCacheNodes: '1' + CacheSubnetGroupName: default + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "ElasticacheCluster": { + "Type": "AWS::ElastiCache::CacheCluster", + "Properties": { + "CacheNodeType": "cache.m3.medium", + "Engine": "memcached", + "NumCacheNodes": "1", + "CacheSubnetGroupName": "default" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md b/docs/queries/cloudformation-queries/aws/bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md new file mode 100644 index 00000000000..722326e64df --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/bdf8dcb4-75df-4370-92c4-606e4ae6c4d3.md 
@@ -0,0 +1,150 @@ +--- +title: Redshift Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bdf8dcb4-75df-4370-92c4-606e4ae6c4d3 +- **Query name:** Redshift Publicly Accessible +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/redshift_publicly_accessible) + +### Description +AWS Redshift Clusters must not be publicly accessible, which means the attribute 'PubliclyAccessible' must be set to false
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 4" +Resources: + myCluster: + Type: "AWS::Redshift::Cluster" + Properties: + DBName: "mydb" + MasterUsername: "master" + MasterUserPassword: + Ref: "MasterUserPassword" + NodeType: "ds2.xlarge" + ClusterType: "single-node" + Tags: + - Key: foo + Value: bar + myCluster2: + Type: "AWS::Redshift::Cluster" + Properties: + PubliclyAccessible: true + DBName: "mydb" + MasterUsername: "master" + MasterUserPassword: + Ref: "MasterUserPassword" + NodeType: "ds2.xlarge" + ClusterType: "single-node" + Tags: + - Key: foo + Value: bar + +``` +```json title="Postitive test num. 2 - json file" hl_lines="5 30" +{ + "Resources": { + "myCluster": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "NodeType": "ds2.xlarge", + "ClusterType": "single-node", + "Tags": [ + { + "Key": "foo", + "Value": "bar" + } + ], + "DBName": "mydb", + "MasterUsername": "master", + "MasterUserPassword": { + "Ref": "MasterUserPassword" + } + } + }, + "myCluster2": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "Tags": [ + { + "Key": "foo", + "Value": "bar" + } + ], + "PubliclyAccessible": true, + "DBName": "mydb", + "MasterUsername": "master", + "MasterUserPassword": { + "Ref": "MasterUserPassword" + }, + "NodeType": "ds2.xlarge", + "ClusterType": "single-node" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + myCluster: + Type: "AWS::Redshift::Cluster" + Properties: + PubliclyAccessible: false + DBName: "mydb" + MasterUsername: "master" + MasterUserPassword: + Ref: "MasterUserPassword" + NodeType: "ds2.xlarge" + ClusterType: "single-node" + Tags: + - Key: foo + Value: bar + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "myCluster": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "MasterUserPassword": { + "Ref": "MasterUserPassword" + }, + "NodeType": "ds2.xlarge", + "ClusterType": "single-node", + "Tags": [ + { + "Value": "bar", + "Key": "foo" + } + ], + "PubliclyAccessible": false, + "DBName": "mydb", + "MasterUsername": "master" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/be5b230d-4371-4a28-a441-85dc760e2aa3.md b/docs/queries/cloudformation-queries/aws/be5b230d-4371-4a28-a441-85dc760e2aa3.md new file mode 100644 index 00000000000..95763940b23 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/be5b230d-4371-4a28-a441-85dc760e2aa3.md @@ -0,0 +1,135 @@ +--- +title: IoT Policy Allows Wildcard Resource +hide: + toc: true + navigation: true +--- + + + +- **Query id:** be5b230d-4371-4a28-a441-85dc760e2aa3 +- **Query name:** IoT Policy Allows Wildcard Resource +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iot_policy_allows_wildcard_resource) + +### Description +IoT Policy should not allow Resource to be set as *
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iot-policy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + IoTPolicy: + Type: AWS::IoT::Policy + Properties: + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - iot:Connect + Resource: "*" + - Effect: Deny + Action: + - sqs:* + NotResource: my-hardcoded-arn + PolicyName: PolicyName + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "Description": "A sample template", + "Resources": { + "IoTPolicy": { + "Type": "AWS::IoT::Policy", + "Properties": { + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "iot:Connect" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": "my-hardcoded-arn" + } + ] + }, + "PolicyName": "PolicyName" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + IoTPolicy: + Type: AWS::IoT::Policy + Properties: + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - iot:Connect + Resource: + - arn:aws:iot:us-east-1:123456789012:client/client1 + PolicyName: PolicyName + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "IoTPolicy": { + "Type": "AWS::IoT::Policy", + "Properties": { + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iot:Connect" + ], + "Resource": [ + "arn:aws:iot:us-east-1:123456789012:client/client1" + ] + } + ] + }, + "PolicyName": "PolicyName" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/be96849c-3df6-49c2-bc16-778a7be2519c.md b/docs/queries/cloudformation-queries/aws/be96849c-3df6-49c2-bc16-778a7be2519c.md new file mode 100644 index 00000000000..025de777e5c --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/be96849c-3df6-49c2-bc16-778a7be2519c.md @@ -0,0 +1,191 @@ +--- +title: Secure Ciphers Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** be96849c-3df6-49c2-bc16-778a7be2519c +- **Query name:** Secure Ciphers Disabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/secure_ciphers_disabled) + +### Description +Check if secure ciphers aren't used in CloudFront
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="26" +#this is a problematic code where the query should report a result(s) +AWSTemplateFormatVersion: "2010-09-09" +Resources: + cloudfrontdistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + CacheBehaviors: + - LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + DefaultCacheBehavior: + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + IPV6Enabled: true + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: 60 + OriginReadTimeout: 30 + Tags: + - Key: name + Value: example + ViewerCertificate: + CloudFrontDefaultCertificate: false + MinimumProtocolVersion: SSLv3 +``` +```json title="Postitive test num. 2 - json file" hl_lines="44" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "cloudfrontdistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": 60, + "OriginReadTimeout": 30 + } + } + ], + "CacheBehaviors": [ + { + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + } + ], + "DefaultCacheBehavior": { + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + }, + "IPV6Enabled": true + }, + "Tags": [ + { + "Key": "name", + "Value": "example" + } + ], + "ViewerCertificate": { + "CloudFrontDefaultCertificate": false, + "MinimumProtocolVersion": "SSLv3" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: "2010-09-09" +Resources: + cloudfrontdistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + CacheBehaviors: + - LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + DefaultCacheBehavior: + LambdaFunctionAssociations: + - EventType: viewer-request + LambdaFunctionARN: examp + IPV6Enabled: true + Origins: + - CustomOriginConfig: + OriginKeepaliveTimeout: 60 + OriginReadTimeout: 30 + Tags: + - Key: name + Value: example + ViewerCertificate: + CloudFrontDefaultCertificate: true +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "cloudfrontdistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "CacheBehaviors": [ + { + "LambdaFunctionAssociations": [ + { + "EventType": "viewer-request", + "LambdaFunctionARN": "examp" + } + ] + } + ], + "DefaultCacheBehavior": { + "LambdaFunctionAssociations": [ + { + "LambdaFunctionARN": "examp", + "EventType": "viewer-request" + } + ] + }, + "IPV6Enabled": true, + "Origins": [ + { + "CustomOriginConfig": { + "OriginKeepaliveTimeout": 60, + "OriginReadTimeout": 30 + } + } + ] + }, + "Tags": [ + { + "Key": "name", + "Value": "example" + } + ], + "ViewerCertificate": { + "CloudFrontDefaultCertificate": true + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/bf4473f1-c8a2-4b1b-8134-bd32efabab93.md b/docs/queries/cloudformation-queries/aws/bf4473f1-c8a2-4b1b-8134-bd32efabab93.md new file mode 100644 index 00000000000..a6e86f92e13 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/bf4473f1-c8a2-4b1b-8134-bd32efabab93.md 
@@ -0,0 +1,193 @@ +--- +title: Neptune Database Cluster Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bf4473f1-c8a2-4b1b-8134-bd32efabab93 +- **Query name:** Neptune Database Cluster Encryption Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/neptune_database_cluster_encryption_disabled) + +### Description +Neptune database cluster storage should have encryption enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-neptune-dbcluster.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="27" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + NeptuneDBCluster: + Type: AWS::Neptune::DBCluster + Properties: + AssociatedRoles: + - DBClusterRole + AvailabilityZones: + - String + DBClusterIdentifier: String + DBClusterParameterGroupName: String + DBSubnetGroupName: String + DeletionProtection: true + EnableCloudwatchLogsExports: + - String + EngineVersion: String + IamAuthEnabled: true + KmsKeyId: String + Port: 8182 + PreferredBackupWindow: String + PreferredMaintenanceWindow: String + RestoreToTime: String + RestoreType: String + SnapshotIdentifier: String + SourceDBClusterIdentifier: String + StorageEncrypted: false + Tags: + - Tag + UseLatestRestorableTime: true + VpcSecurityGroupIds: + - String + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="21" +{ + "Resources": { + "NeptuneDBCluster": { + "Type": "AWS::Neptune::DBCluster", + "Properties": { + "DBClusterIdentifier": "String", + "EnableCloudwatchLogsExports": [ + "String" + ], + "EngineVersion": "String", + "Port": 8182, + "SourceDBClusterIdentifier": "String", + "Tags": [ + "Tag" + ], + "AssociatedRoles": [ + "DBClusterRole" + ], + "DBSubnetGroupName": "String", + "RestoreToTime": "String", + "StorageEncrypted": false, + "UseLatestRestorableTime": true, + "DBClusterParameterGroupName": "String", + "PreferredBackupWindow": "String", + "SnapshotIdentifier": "String", + "IamAuthEnabled": true, + "DeletionProtection": true, + "KmsKeyId": "String", + "PreferredMaintenanceWindow": "String", + "RestoreType": "String", + "VpcSecurityGroupIds": [ + "String" + ], + "AvailabilityZones": [ + "String" + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + NeptuneDBCluster: + Type: AWS::Neptune::DBCluster + Properties: + AssociatedRoles: + - DBClusterRole + AvailabilityZones: + - String + DBClusterIdentifier: String + DBClusterParameterGroupName: String + DBSubnetGroupName: String + DeletionProtection: true + EnableCloudwatchLogsExports: + - String + EngineVersion: String + IamAuthEnabled: true + KmsKeyId: String + Port: 8182 + PreferredBackupWindow: String + PreferredMaintenanceWindow: String + RestoreToTime: String + RestoreType: String + SnapshotIdentifier: String + SourceDBClusterIdentifier: String + StorageEncrypted: true + Tags: + - Tag + UseLatestRestorableTime: true + VpcSecurityGroupIds: + - String + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "NeptuneDBCluster": { + "Type": "AWS::Neptune::DBCluster", + "Properties": { + "AvailabilityZones": [ + "String" + ], + "VpcSecurityGroupIds": [ + "String" + ], + "Tags": [ + "Tag" + ], + "EnableCloudwatchLogsExports": [ + "String" + ], + "EngineVersion": "String", + "IamAuthEnabled": true, + "KmsKeyId": "String", + "PreferredMaintenanceWindow": "String", + "RestoreToTime": "String", + "SnapshotIdentifier": "String", + "AssociatedRoles": [ + "DBClusterRole" + ], + "DBClusterIdentifier": "String", + "DBClusterParameterGroupName": "String", + "DeletionProtection": true, + "Port": 8182, + "PreferredBackupWindow": "String", + "StorageEncrypted": true, + "DBSubnetGroupName": "String", + "RestoreType": "String", + "SourceDBClusterIdentifier": "String", + "UseLatestRestorableTime": true + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/bf89373a-be40-4c04-99f5-746742dfd7f3.md b/docs/queries/cloudformation-queries/aws/bf89373a-be40-4c04-99f5-746742dfd7f3.md new file mode 100644 index 00000000000..c86e0328da9 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/bf89373a-be40-4c04-99f5-746742dfd7f3.md @@ -0,0 +1,419 @@ +--- +title: EMR Without VPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bf89373a-be40-4c04-99f5-746742dfd7f3 +- **Query name:** EMR Without VPC +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/emr_wihout_vpc) + +### Description +Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticmapreduce-cluster-jobflowinstancesconfig.html#cfn-elasticmapreduce-cluster-jobflowinstancesconfig-ec2subnetid) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="23" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + CustomAmiId: + Type: String + InstanceType: + Type: String + ReleaseLabel: + Type: String + SubnetId: + Type: String + TerminationProtected: + Type: String + Default: 'false' + ElasticMapReducePrincipal: + Type: String + Ec2Principal: + Type: String +Resources: + cluster: + Type: AWS::EMR::Cluster + Properties: + CustomAmiId: !Ref CustomAmiId + Instances: + MasterInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnMaster + CoreInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnCore + TerminationProtected: !Ref TerminationProtected + Name: CFNtest + JobFlowRole: !Ref emrEc2InstanceProfile + ServiceRole: !Ref emrRole + ReleaseLabel: !Ref ReleaseLabel + VisibleToAllUsers: true + Tags: + - Key: key1 + Value: value1 + emrRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: !Ref ElasticMapReducePrincipal + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole' + emrEc2Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: !Ref Ec2Principal + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role' + emrEc2InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: + - !Ref emrEc2Role + +``` +```json 
title="Postitive test num. 2 - json file" hl_lines="32" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters" : { + "CustomAmiId" : { + "Type" : "String" + }, + "InstanceType" : { + "Type" : "String" + }, + "ReleaseLabel" : { + "Type" : "String" + }, + "SubnetId" : { + "Type" : "String" + }, + "TerminationProtected" : { + "Type" : "String", + "Default" : "false" + }, + "ElasticMapReducePrincipal" : { + "Type" : "String" + }, + "Ec2Principal" : { + "Type" : "String" + } + }, + "Resources": { + "cluster": { + "Type": "AWS::EMR::Cluster", + "Properties": { + "CustomAmiId" : {"Ref" : "CustomAmiId"}, + "Instances": { + "MasterInstanceGroup": { + "InstanceCount": 1, + "InstanceType": {"Ref" : "InstanceType"}, + "Market": "ON_DEMAND", + "Name": "cfnMaster" + }, + "CoreInstanceGroup": { + "InstanceCount": 1, + "InstanceType": {"Ref" : "InstanceType"}, + "Market": "ON_DEMAND", + "Name": "cfnCore" + }, + "TerminationProtected" : {"Ref" : "TerminationProtected"} + }, + "Name": "CFNtest", + "JobFlowRole" : {"Ref": "emrEc2InstanceProfile"}, + "ServiceRole" : {"Ref": "emrRole"}, + "ReleaseLabel" : {"Ref" : "ReleaseLabel"}, + "VisibleToAllUsers" : true, + "Tags": [ + { + "Key": "key1", + "Value": "value1" + } + ] + } + }, + "emrRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": {"Ref" : "ElasticMapReducePrincipal"} + }, + "Action": "sts:AssumeRole" + } + ] + }, + "Path": "/", + "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"] + } + }, + "emrEc2Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": {"Ref" : "Ec2Principal"} + }, + "Action": "sts:AssumeRole" + } + ] + }, + "Path": "/", + "ManagedPolicyArns": 
["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"] + } + }, + "emrEc2InstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/", + "Roles": [ { + "Ref": "emrEc2Role" + } ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Parameters: + CustomAmiId: + Type: String + InstanceType: + Type: String + ReleaseLabel: + Type: String + SubnetId: + Type: String + TerminationProtected: + Type: String + Default: 'false' + ElasticMapReducePrincipal: + Type: String + Ec2Principal: + Type: String +Resources: + cluster: + Type: AWS::EMR::Cluster + Properties: + CustomAmiId: !Ref CustomAmiId + Instances: + MasterInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnMaster + CoreInstanceGroup: + InstanceCount: 1 + InstanceType: !Ref InstanceType + Market: ON_DEMAND + Name: cfnCore + TerminationProtected: !Ref TerminationProtected + Ec2SubnetId: !Ref SubnetId + Name: CFNtest + JobFlowRole: !Ref emrEc2InstanceProfile + ServiceRole: !Ref emrRole + ReleaseLabel: !Ref ReleaseLabel + VisibleToAllUsers: true + Tags: + - Key: key1 + Value: value1 + emrRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: !Ref ElasticMapReducePrincipal + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole' + emrEc2Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: 2008-10-17 + Statement: + - Sid: '' + Effect: Allow + Principal: + Service: !Ref Ec2Principal + Action: 'sts:AssumeRole' + Path: / + ManagedPolicyArns: + - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role' + emrEc2InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: + - !Ref 
emrEc2Role + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters" : { + "CustomAmiId" : { + "Type" : "String" + }, + "InstanceType" : { + "Type" : "String" + }, + "ReleaseLabel" : { + "Type" : "String" + }, + "SubnetId" : { + "Type" : "String" + }, + "TerminationProtected" : { + "Type" : "String", + "Default" : "false" + }, + "ElasticMapReducePrincipal" : { + "Type" : "String" + }, + "Ec2Principal" : { + "Type" : "String" + } + }, + "Resources": { + "cluster": { + "Type": "AWS::EMR::Cluster", + "Properties": { + "CustomAmiId" : {"Ref" : "CustomAmiId"}, + "Instances": { + "MasterInstanceGroup": { + "InstanceCount": 1, + "InstanceType": {"Ref" : "InstanceType"}, + "Market": "ON_DEMAND", + "Name": "cfnMaster" + }, + "CoreInstanceGroup": { + "InstanceCount": 1, + "InstanceType": {"Ref" : "InstanceType"}, + "Market": "ON_DEMAND", + "Name": "cfnCore" + }, + "TerminationProtected" : {"Ref" : "TerminationProtected"}, + "Ec2SubnetId" : {"Ref" : "SubnetId"} + }, + "Name": "CFNtest", + "JobFlowRole" : {"Ref": "emrEc2InstanceProfile"}, + "ServiceRole" : {"Ref": "emrRole"}, + "ReleaseLabel" : {"Ref" : "ReleaseLabel"}, + "VisibleToAllUsers" : true, + "Tags": [ + { + "Key": "key1", + "Value": "value1" + } + ] + } + }, + "emrRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": {"Ref" : "ElasticMapReducePrincipal"} + }, + "Action": "sts:AssumeRole" + } + ] + }, + "Path": "/", + "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"] + } + }, + "emrEc2Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2008-10-17", + "Statement": [ + { + "Sid": "", + "Effect": "Allow", + "Principal": { + "Service": {"Ref" : "Ec2Principal"} + }, + "Action": "sts:AssumeRole" + } + ] + }, + "Path": "/", + 
"ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"] + } + }, + "emrEc2InstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/", + "Roles": [ { + "Ref": "emrEc2Role" + } ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md b/docs/queries/cloudformation-queries/aws/c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md new file mode 100644 index 00000000000..a6b07a9fb68 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/c2eae442-d3ba-4cb1-84ca-1db4f80eae3d.md @@ -0,0 +1,123 @@ +--- +title: Lambda Function Without Dead Letter Queue +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c2eae442-d3ba-4cb1-84ca-1db4f80eae3d +- **Query name:** Lambda Function Without Dead Letter Queue +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/lambda_function_without_dead_letter_queue) + +### Description +AWS Lambda Function should be configured for a Dead Letter Queue(DLQ)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#cfn-lambda-function-deadletterconfig) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: '2010-09-09' +Description: VPC function. +Resources: + Function: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: arn:aws:iam::123456789012:role/lambda-role + Code: + S3Bucket: my-bucket + S3Key: function.zip + Runtime: nodejs12.x + Timeout: 5 + TracingConfig: + Mode: Active + VpcConfig: + SecurityGroupIds: + - sg-085912345678492fb + SubnetIds: + - subnet-071f712345678e7c8 + - subnet-07fd123456788a036 + Tags: + - Key: Description + Value: VPC Function + - Key: Type + Value: AWS Lambda Function + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="27 6" +AWSTemplateFormatVersion: '2010-09-09' +Description: VPC function. +Resources: + Function2: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: arn:aws:iam::123456789012:role/lambda-role + Code: + S3Bucket: my-bucket + S3Key: function.zip + Runtime: nodejs12.x + Timeout: 5 + TracingConfig: + Mode: Active + VpcConfig: + SecurityGroupIds: + - sg-085912345678492fb + SubnetIds: + - subnet-071f712345678e7c8 + - subnet-07fd123456788a036 + Tags: + - Key: Description + Value: VPC Function + - Key: Type + Value: AWS Lambda Function + DeadLetterConfig: + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Description: VPC function. 
+Resources: + Function3: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: arn:aws:iam::123456789012:role/lambda-role + Code: + S3Bucket: my-bucket + S3Key: function.zip + Runtime: nodejs12.x + Timeout: 5 + TracingConfig: + Mode: Active + VpcConfig: + SecurityGroupIds: + - sg-085912345678492fb + SubnetIds: + - subnet-071f712345678e7c8 + - subnet-07fd123456788a036 + Tags: + - Key: Description + Value: VPC Function + - Key: Type + Value: AWS Lambda Function + DeadLetterConfig: + TargetArn: arn:aws:sqs:us-east-1:2324243535:aaa + +``` diff --git a/docs/queries/cloudformation-queries/aws/c333e906-8d8b-4275-b999-78b6318f8dc6.md b/docs/queries/cloudformation-queries/aws/c333e906-8d8b-4275-b999-78b6318f8dc6.md new file mode 100644 index 00000000000..5969fd08fad --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/c333e906-8d8b-4275-b999-78b6318f8dc6.md @@ -0,0 +1,255 @@ +--- +title: DynamoDB With Not Recommented Table Billing Mode +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c333e906-8d8b-4275-b999-78b6318f8dc6 +- **Query name:** DynamoDB With Not Recommented Table Billing Mode +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/dynamodb_with_table_billing_mode_not_recommended) + +### Description +Checks if DynamoDB Table Billing Mode is set to either PAY_PER_REQUEST or PROVISIONED
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#cfn-dynamodb-table-attributedef) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + myDynamoDBTable: + Type: AWS::DynamoDB::Table + Properties: + AttributeDefinitions: + - + AttributeName: "Album" + AttributeType: "S" + - + AttributeName: "Artist" + AttributeType: "S" + BillingMode: "PayPal" + KeySchema: + - + AttributeName: "Album" + KeyType: "HASH" + - + AttributeName: "Artist" + KeyType: "RANGE" + TableName: "myTableName" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="16" +{ + "Resources": { + "myDynamoDBTable": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "Album", + "AttributeType": "S" + }, + { + "AttributeName": "Artist", + "AttributeType": "S" + } + ], + "BillingMode": "PayPal", + "KeySchema": [ + { + "AttributeName": "Album", + "KeyType": "HASH" + }, + { + "AttributeName": "Artist", + "KeyType": "RANGE" + } + ], + "TableName": "myTableName" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + myDynamoDBTable: + Type: AWS::DynamoDB::Table + Properties: + AttributeDefinitions: + - + AttributeName: "Album" + AttributeType: "S" + - + AttributeName: "Artist" + AttributeType: "S" + KeySchema: + - + AttributeName: "Album" + KeyType: "HASH" + - + AttributeName: "Artist" + KeyType: "RANGE" + ProvisionedThroughput: + ReadCapacityUnits: "5" + WriteCapacityUnits: "5" + TableName: "myTableName" + myDynamoDBTable2: + Type: AWS::DynamoDB::Table + Properties: + AttributeDefinitions: + - + AttributeName: "Album" + AttributeType: "S" + - + AttributeName: "Artist" + AttributeType: "S" + BillingMode: "PAY_PER_REQUEST" + KeySchema: + - + AttributeName: "Album" + KeyType: "HASH" + - + AttributeName: "Artist" + KeyType: "RANGE" + TableName: "myTableName" + myDynamoDBTable3: + Type: AWS::DynamoDB::Table + Properties: + AttributeDefinitions: + - + AttributeName: "Album" + AttributeType: "S" + - + AttributeName: "Artist" + AttributeType: "S" + BillingMode: "PROVISIONED" + KeySchema: + - + AttributeName: "Album" + KeyType: "HASH" + - + AttributeName: "Artist" + KeyType: "RANGE" + ProvisionedThroughput: + ReadCapacityUnits: "5" + WriteCapacityUnits: "5" + TableName: "myTableName" + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDynamoDBTable": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "TableName": "myTableName", + "AttributeDefinitions": [ + { + "AttributeName": "Album", + "AttributeType": "S" + }, + { + "AttributeType": "S", + "AttributeName": "Artist" + } + ], + "KeySchema": [ + { + "AttributeName": "Album", + "KeyType": "HASH" + }, + { + "AttributeName": "Artist", + "KeyType": "RANGE" + } + ], + "ProvisionedThroughput": { + "ReadCapacityUnits": "5", + "WriteCapacityUnits": "5" + } + } + }, + "myDynamoDBTable2": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "TableName": "myTableName", + "AttributeDefinitions": [ + { + "AttributeType": "S", + "AttributeName": "Album" + }, + { + "AttributeName": "Artist", + "AttributeType": "S" + } + ], + "BillingMode": "PAY_PER_REQUEST", + "KeySchema": [ + { + "AttributeName": "Album", + "KeyType": "HASH" + }, + { + "AttributeName": "Artist", + "KeyType": "RANGE" + } + ] + } + }, + "myDynamoDBTable3": { + "Type": "AWS::DynamoDB::Table", + "Properties": { + "AttributeDefinitions": [ + { + "AttributeName": "Album", + "AttributeType": "S" + }, + { + "AttributeName": "Artist", + "AttributeType": "S" + } + ], + "BillingMode": "PROVISIONED", + "KeySchema": [ + { + "KeyType": "HASH", + "AttributeName": "Album" + }, + { + "AttributeName": "Artist", + "KeyType": "RANGE" + } + ], + "ProvisionedThroughput": { + "ReadCapacityUnits": "5", + "WriteCapacityUnits": "5" + }, + "TableName": "myTableName" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/c3ce69fd-e3df-49c6-be78-1db3f802261c.md b/docs/queries/cloudformation-queries/aws/c3ce69fd-e3df-49c6-be78-1db3f802261c.md new file mode 100644 index 00000000000..3b41fb04ff2 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/c3ce69fd-e3df-49c6-be78-1db3f802261c.md 
@@ -0,0 +1,410 @@ +--- +title: S3 Bucket CloudTrail Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c3ce69fd-e3df-49c6-be78-1db3f802261c +- **Query name:** S3 Bucket CloudTrail Logging Disabled +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_cloudtrail_logging_disabled) + +### Description +Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable when the Service used is CloudTrail
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#cfn-s3-bucket-loggingconfig) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + mybucketVulnerable: + Type: "AWS::S3::Bucket" + DeletionPolicy: Retain + Properties: + ReplicationConfiguration: + Role: + Fn::GetAtt: + - WorkItemBucketBackupRole + - Arn + Rules: + - Destination: + Bucket: + Fn::Join: + - "" + - - "arn:aws:s3:::" + - Fn::Join: + - "-" + - - Ref: "AWS::Region" + - Ref: "AWS::StackName" + - replicationbucket + StorageClass: STANDARD + Id: Backup + Prefix: "" + Status: Enabled + VersioningConfiguration: + Status: Enabled + WorkItemBucketBackupRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - "sts:AssumeRole" + Effect: Allow + Principal: + Service: + - s3.amazonaws.com + sampleBucketPolicy: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: + Ref: mybucketVulnerable + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + Fn::Join: + - '' + - - 'arn:aws:s3:::' + - Ref: DOC-EXAMPLE-BUCKET + - /* + Principal: + Service: 'cloudtrail.amazonaws.com' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="67" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "WorkItemBucketBackupRole": { + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "s3.amazonaws.com" + ] + } + } + ] + } + }, + "Type": "AWS::IAM::Role" + }, + "sampleBucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "mybucketVulnerable" + }, + "PolicyDocument": { + "Statement": [ + { + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "/*" + ] + ] + }, + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + }, + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow" + } + ] + } + } + }, + "mybucketVulnerable": { + "Properties": { + "ReplicationConfiguration": { + "Role": { + "Fn::GetAtt": [ + "WorkItemBucketBackupRole", + "Arn" + ] + }, + "Rules": [ + { + "Destination": { + "Bucket": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "AWS::Region" + }, + { + "Ref": "AWS::StackName" + }, + "replicationbucket" + ] + ] + } + ] + ] + }, + "StorageClass": "STANDARD" + }, + "Id": "Backup", + "Prefix": "", + "Status": "Enabled" + } + ] + }, + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + mybucket: + Type: "AWS::S3::Bucket" + DeletionPolicy: Retain + Properties: + ReplicationConfiguration: + Role: + Fn::GetAtt: + - WorkItemBucketBackupRole + - Arn + Rules: + - Destination: + Bucket: + Fn::Join: + - "" + - - "arn:aws:s3:::" + - "Fn::Join": + - "-" + - - Ref: "AWS::Region" + - Ref: "AWS::StackName" + - replicationbucket + StorageClass: STANDARD + Id: Backup + Prefix: "" + Status: Enabled + VersioningConfiguration: + Status: Enabled + LoggingConfiguration: + DestinationBucketName: LoggingBucket + LogFilePrefix: loga/ + WorkItemBucketBackupRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: + - "sts:AssumeRole" + Effect: Allow + Principal: + Service: + - s3.amazonaws.com + SampleBucketPolicy: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: + Ref: mybucket + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Allow + Resource: + 'Fn::Join': + - '' + - - 'arn:aws:s3:::' + - Ref: DOC-EXAMPLE-BUCKET + - /* + Principal: + Service: 'cloudtrail.amazonaws.com' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "mybucket": { + "Type": "AWS::S3::Bucket", + "DeletionPolicy": "Retain", + "Properties": { + "ReplicationConfiguration": { + "Role": { + "Fn::GetAtt": [ + "WorkItemBucketBackupRole", + "Arn" + ] + }, + "Rules": [ + { + "Destination": { + "Bucket": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Fn::Join": [ + "-", + [ + { + "Ref": "AWS::Region" + }, + { + "Ref": "AWS::StackName" + }, + "replicationbucket" + ] + ] + } + ] + ] + }, + "StorageClass": "STANDARD" + }, + "Id": "Backup", + "Prefix": "", + "Status": "Enabled" + } + ] + }, + "VersioningConfiguration": { + "Status": "Enabled" + }, + "LoggingConfiguration": { + "DestinationBucketName": "LoggingBucket", + "LogFilePrefix": "loga/" + } + } + }, + "WorkItemBucketBackupRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": [ + "sts:AssumeRole" + ], + "Effect": "Allow", + "Principal": { + "Service": [ + "s3.amazonaws.com" + ] + } + } + ] + } + } + }, + "SampleBucketPolicy": { + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject" + ], + "Effect": "Allow", + "Resource": { + "Fn::Join": [ + "", + [ + "arn:aws:s3:::", + { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "/*" + ] + ] + }, + "Principal": { + "Service": "cloudtrail.amazonaws.com" + }, + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + }, + "Bucket": { + "Ref": "mybucket" + } + }, + "Type": "AWS::S3::BucketPolicy" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md b/docs/queries/cloudformation-queries/aws/c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md new file mode 100644 index 00000000000..774299769ee --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/c44c95fc-ae92-4bb8-bdf8-bb9bc412004a.md 
@@ -0,0 +1,382 @@ +--- +title: EC2 Public Instance Exposed Through Subnet +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c44c95fc-ae92-4bb8-bdf8-bb9bc412004a +- **Query name:** EC2 Public Instance Exposed Through Subnet +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_public_instance_exposed_through_subnet) + +### Description +EC2 instances with public IP addresses shouldn't allow for unrestricted traffic to their subnets
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-route.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="28" +Resources: + myVPC_1: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsSupport: false + EnableDnsHostnames: false + InstanceTenancy: dedicated + InternetGateway: + Type: AWS::EC2::InternetGateway + VPCGatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref myVPC_1 + myRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref myVPC_1 + myRoute: + Type: AWS::EC2::Route + DependsOn: VPCGatewayAttachment + Properties: + RouteTableId: !Ref myRouteTable + DestinationCidrBlock: 0.0.0.0/0 + DestinationIpv6CidrBlock: ::/0 + GatewayId: !Ref InternetGateway + mySubnet: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref myVPC_1 + CidrBlock: 10.0.0.0/24 + AvailabilityZone: "us-east-1a" + mySubnetRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref mySubnet + RouteTableId: !Ref myRouteTable + Ec2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: ami-0ff8a91507f77f867 + KeyName: !Ref Keyname + NetworkInterfaces: + - AssociatePublicIpAddress: true + DeviceIndex: "0" + SubnetId: !Ref mySubnet + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="3" +{ + "Resources": { + "mySubnet": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": "us-east-1a", + "VpcId": "myVPC_1", + "CidrBlock": "10.0.0.0/24" + } + }, + "mySubnetRouteTableAssociation": { + "Properties": { + "SubnetId": "mySubnet", + "RouteTableId": "myRouteTable" + }, + "Type": "AWS::EC2::SubnetRouteTableAssociation" + }, + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-0ff8a91507f77f867", + "KeyName": "Keyname", + "NetworkInterfaces": [ + { + "SubnetId": "mySubnet", + "AssociatePublicIpAddress": true, + "DeviceIndex": "0" + } + ] + } + }, + "myVPC_1": { + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsSupport": false, + "EnableDnsHostnames": false, + "InstanceTenancy": "dedicated" + }, + "Type": "AWS::EC2::VPC" + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway" + }, + "VPCGatewayAttachment": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": "InternetGateway", + "VpcId": "myVPC_1" + } + }, + "myRouteTable": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": "myVPC_1" + } + }, + "myRoute": { + "Type": "AWS::EC2::Route", + "DependsOn": "VPCGatewayAttachment", + "Properties": { + "RouteTableId": "myRouteTable", + "DestinationCidrBlock": "0.0.0.0/0", + "DestinationIpv6CidrBlock": "::/0", + "GatewayId": "InternetGateway" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + myVPC_1: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsSupport: false + EnableDnsHostnames: false + InstanceTenancy: dedicated + InternetGateway: + Type: AWS::EC2::InternetGateway + VPCGatewayAttachment: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway + VpcId: !Ref myVPC_1 + myRouteTable: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref myVPC_1 + myRoute: + Type: AWS::EC2::Route + DependsOn: VPCGatewayAttachment + Properties: + RouteTableId: !Ref myRouteTable + DestinationCidrBlock: 0.0.0.0/0 + DestinationIpv6CidrBlock: ::/0 + GatewayId: !Ref InternetGateway + mySubnet: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref myVPC_1 + CidrBlock: 10.0.0.0/24 + AvailabilityZone: "us-east-1a" + mySubnetRouteTableAssociation: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref mySubnet + RouteTableId: !Ref myRouteTable + Ec2Instance: + Type: AWS::EC2::Instance + Properties: + ImageId: ami-0ff8a91507f77f867 + KeyName: !Ref Keyname + NetworkInterfaces: + - AssociatePublicIpAddress: false + DeviceIndex: "0" + SubnetId: !Ref mySubnet + +``` +```yaml title="Negative test num. 
2 - yaml file" + +Resources: + myVPC_3: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsSupport: false + EnableDnsHostnames: false + InstanceTenancy: dedicated + InternetGateway_2: + Type: AWS::EC2::InternetGateway + VPCGatewayAttachment_2: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: !Ref InternetGateway_2 + VpcId: !Ref myVPC_3 + myRouteTable_2: + Type: AWS::EC2::RouteTable + Properties: + VpcId: !Ref myVPC_3 + mySubnet_2: + Type: AWS::EC2::Subnet + Properties: + VpcId: !Ref myVPC_3 + CidrBlock: 10.0.0.0/24 + AvailabilityZone: "us-east-1a" + mySubnetRouteTableAssociation_2: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + SubnetId: !Ref mySubnet_2 + RouteTableId: !Ref myRouteTable_2 + Ec2Instance_2: + Type: AWS::EC2::Instance + Properties: + ImageId: ami-0ff8a91507f77f867 + KeyName: !Ref Keyname + NetworkInterfaces: + - AssociatePublicIpAddress: true + DeviceIndex: "0" + SubnetId: !Ref mySubnet_2 + +``` +```json title="Negative test num. 
3 - json file" +{ + "Resources": { + "mySubnet": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": "myVPC_1", + "CidrBlock": "10.0.0.0/24", + "AvailabilityZone": "us-east-1a" + } + }, + "mySubnetRouteTableAssociation": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": "myRouteTable", + "SubnetId": "mySubnet" + } + }, + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-0ff8a91507f77f867", + "KeyName": "Keyname", + "NetworkInterfaces": [ + { + "DeviceIndex": "0", + "SubnetId": "mySubnet", + "AssociatePublicIpAddress": false + } + ] + } + }, + "myVPC_1": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsSupport": false, + "EnableDnsHostnames": false, + "InstanceTenancy": "dedicated" + } + }, + "InternetGateway": { + "Type": "AWS::EC2::InternetGateway" + }, + "VPCGatewayAttachment": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": "InternetGateway", + "VpcId": "myVPC_1" + } + }, + "myRouteTable": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": "myVPC_1" + } + }, + "myRoute": { + "Type": "AWS::EC2::Route", + "DependsOn": "VPCGatewayAttachment", + "Properties": { + "GatewayId": "InternetGateway", + "RouteTableId": "myRouteTable", + "DestinationCidrBlock": "0.0.0.0/0", + "DestinationIpv6CidrBlock": "::/0" + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "myVPC_3": { + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsSupport": false, + "EnableDnsHostnames": false, + "InstanceTenancy": "dedicated" + }, + "Type": "AWS::EC2::VPC" + }, + "InternetGateway_2": { + "Type": "AWS::EC2::InternetGateway" + }, + "VPCGatewayAttachment_2": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "VpcId": "myVPC_3", + "InternetGatewayId": "InternetGateway_2" + } + }, + "myRouteTable_2": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "VpcId": "myVPC_3" + } + }, + "mySubnet_2": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "VpcId": "myVPC_3", + "CidrBlock": "10.0.0.0/24", + "AvailabilityZone": "us-east-1a" + } + }, + "mySubnetRouteTableAssociation_2": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "SubnetId": "mySubnet_2", + "RouteTableId": "myRouteTable_2" + } + }, + "Ec2Instance_2": { + "Type": "AWS::EC2::Instance", + "Properties": { + "NetworkInterfaces": [ + { + "AssociatePublicIpAddress": true, + "DeviceIndex": "0", + "SubnetId": "mySubnet_2" + } + ], + "ImageId": "ami-0ff8a91507f77f867", + "KeyName": "Keyname" + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md b/docs/queries/cloudformation-queries/aws/c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md new file mode 100644 index 00000000000..615069882a0 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621.md @@ -0,0 +1,279 @@ +--- +title: ELBv2 ALB Access Log Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c62e8b7d-1fdf-4050-ac4c-76ba9e1d9621 +- **Query name:** ELBv2 ALB Access Log Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elb_v2_alb_access_log_disabled) + +### Description +ELBv2 ALBs should have access log enabled to capture detailed information about requests sent to your load balancer.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-loadbalancer-loadbalancerattributes.html#cfn-elasticloadbalancingv2-loadbalancer-loadbalancerattributes-key) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22" +AWSTemplateFormatVersion: "2010-09-09" +Description: A simple EC2 instance +Parameters: + EnvironmentName: + Description: An environment name that will be prefixed to resource names + Type: String + + VPC: + Type: AWS::EC2::VPC::Id + Description: Choose which VPC the Application Load Balancer should be deployed to + + Subnets: + Description: Choose which subnets the Application Load Balancer should be deployed to + Type: List + + SecurityGroup: + Description: Select the Security Group to apply to the Application Load Balancer + Type: AWS::EC2::SecurityGroup::Id +Resources: + LoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: !Ref EnvironmentName + Subnets: !Ref Subnets + SecurityGroups: + - !Ref SecurityGroup + Tags: + - Key: Name + Value: !Ref EnvironmentName + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="30" +AWSTemplateFormatVersion: "2010-09-09" +Description: A simple EC2 instance +Parameters: + EnvironmentName: + Description: An environment name that will be prefixed to resource names + Type: String + + VPC: + Type: AWS::EC2::VPC::Id + Description: Choose which VPC the Application Load Balancer should be deployed to + + Subnets: + Description: Choose which subnets the Application Load Balancer should be deployed to + Type: List + + SecurityGroup: + Description: Select the Security Group to apply to the Application Load Balancer + Type: AWS::EC2::SecurityGroup::Id +Resources: + LoadBalancertest: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: !Ref EnvironmentName + Subnets: !Ref Subnets + SecurityGroups: + - !Ref SecurityGroup + Tags: + - Key: Name + Value: !Ref EnvironmentName + LoadBalancerAttributes: + - Key: access_logs.s3.enabled + Value: false + +``` +```json title="Postitive test num. 3 - json file" hl_lines="23" +{ + "Parameters": { + "SecurityGroup": { + "Description": "Select the Security Group to apply to the Application Load Balancer", + "Type": "AWS::EC2::SecurityGroup::Id" + }, + "EnvironmentName": { + "Description": "An environment name that will be prefixed to resource names", + "Type": "String" + }, + "VPC": { + "Type": "AWS::EC2::VPC::Id", + "Description": "Choose which VPC the Application Load Balancer should be deployed to" + }, + "Subnets": { + "Description": "Choose which subnets the Application Load Balancer should be deployed to", + "Type": "List\u003cAWS::EC2::Subnet::Id\u003e" + } + }, + "Resources": { + "LoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "Name": "EnvironmentName", + "Subnets": "Subnets", + "SecurityGroups": [ + "SecurityGroup" + ], + "Tags": [ + { + "Key": "Name", + "Value": "EnvironmentName" + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A simple EC2 instance" +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="36" +{ + "Description": "A simple EC2 instance", + "Parameters": { + "SecurityGroup": { + "Description": "Select the Security Group to apply to the Application Load Balancer", + "Type": "AWS::EC2::SecurityGroup::Id" + }, + "EnvironmentName": { + "Description": "An environment name that will be prefixed to resource names", + "Type": "String" + }, + "VPC": { + "Type": "AWS::EC2::VPC::Id", + "Description": "Choose which VPC the Application Load Balancer should be deployed to" + }, + "Subnets": { + "Description": "Choose which subnets the Application Load Balancer should be deployed to", + "Type": "List\u003cAWS::EC2::Subnet::Id\u003e" + } + }, + "Resources": { + "LoadBalancertest": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "Name": "EnvironmentName", + "Subnets": "Subnets", + "SecurityGroups": [ + "SecurityGroup" + ], + "Tags": [ + { + "Value": "EnvironmentName", + "Key": "Name" + } + ], + "LoadBalancerAttributes": [ + { + "Key": "access_logs.s3.enabled", + "Value": false + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A simple EC2 instance +Parameters: + EnvironmentName: + Description: An environment name that will be prefixed to resource names + Type: String + + VPC: + Type: AWS::EC2::VPC::Id + Description: Choose which VPC the Application Load Balancer should be deployed to + + Subnets: + Description: Choose which subnets the Application Load Balancer should be deployed to + Type: List + + SecurityGroup: + Description: Select the Security Group to apply to the Application Load Balancer + Type: AWS::EC2::SecurityGroup::Id +Resources: + LoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: !Ref EnvironmentName + Subnets: !Ref Subnets + SecurityGroups: + - !Ref SecurityGroup + Tags: + - Key: Name + Value: !Ref EnvironmentName + LoadBalancerAttributes: + - Key: access_logs.s3.enabled + Value: true + +``` +```json title="Negative test num. 
2 - json file" +{ + "Description": "A simple EC2 instance", + "Parameters": { + "EnvironmentName": { + "Description": "An environment name that will be prefixed to resource names", + "Type": "String" + }, + "VPC": { + "Type": "AWS::EC2::VPC::Id", + "Description": "Choose which VPC the Application Load Balancer should be deployed to" + }, + "Subnets": { + "Description": "Choose which subnets the Application Load Balancer should be deployed to", + "Type": "List\u003cAWS::EC2::Subnet::Id\u003e" + }, + "SecurityGroup": { + "Description": "Select the Security Group to apply to the Application Load Balancer", + "Type": "AWS::EC2::SecurityGroup::Id" + } + }, + "Resources": { + "LoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + "SecurityGroup" + ], + "Tags": [ + { + "Key": "Name", + "Value": "EnvironmentName" + } + ], + "LoadBalancerAttributes": [ + { + "Key": "access_logs.s3.enabled", + "Value": true + } + ], + "Name": "EnvironmentName", + "Subnets": "Subnets" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/c689f51b-9203-43b3-9d8b-caed123f706c.md b/docs/queries/cloudformation-queries/aws/c689f51b-9203-43b3-9d8b-caed123f706c.md new file mode 100644 index 00000000000..63868c7a1ad --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/c689f51b-9203-43b3-9d8b-caed123f706c.md 
@@ -0,0 +1,144 @@
+---
+title: BOM - AWS Elasticache
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c689f51b-9203-43b3-9d8b-caed123f706c
+- **Query name:** BOM - AWS Elasticache
+- **Platform:** CloudFormation
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/elasticache)
+
+### Description
+A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.
+[Documentation](https://kics.io)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="2"
+Resources:
+ ElasticacheCluster:
+ Type: 'AWS::ElastiCache::CacheCluster'
+ Properties:
+ Engine: memcached
+ CacheNodeType: cache.t2.micro
+ NumCacheNodes: '1'
+ CacheSubnetGroupName: default
+ CacheSecurityGroupNames:
+ - !Ref CacheSecurityGroup
+ CacheSecurityGroup:
+ Type: AWS::ElastiCache::SecurityGroup
+ Properties:
+ Description: My ElastiCache Security Group
+ SecurityGroupIngress:
+ Type: AWS::ElastiCache::SecurityGroupIngress
+ Properties:
+ CacheSecurityGroupName: !Ref CacheSecurityGroup
+ EC2SecurityGroupName: !Ref SecurityGroup
+ SecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId: !Ref myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 0.0.0.0/0
+ SecurityGroupEgress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 0.0.0.0/0
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="3"
+{
+ "Resources": {
+ "ElasticacheCluster": {
+ "Type": "AWS::ElastiCache::CacheCluster",
+ "Properties": {
+ "CacheNodeType": "cache.m3.medium",
+ "Engine": "memcached",
+ "NumCacheNodes": "1",
+ "CacheSubnetGroupName": "default"
+ }
+ }
+ }
+}
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="2"
+Resources:
+ ElasticacheCluster:
+ Type: 'AWS::ElastiCache::CacheCluster'
+ Properties:
+ Engine: memcached
+ CacheNodeType: cache.t2.micro
+ NumCacheNodes: '1'
+ CacheSubnetGroupName: default
+ CacheSecurityGroupNames:
+ - !Ref CacheSecurityGroup2
+ CacheSecurityGroup2:
+ Type: AWS::ElastiCache::SecurityGroup
+ Properties:
+ Description: My ElastiCache Security Group
+ SecurityGroupIngress2:
+ Type: AWS::ElastiCache::SecurityGroupIngress
+ Properties:
+ CacheSecurityGroupName: !Ref CacheSecurityGroup2
+ EC2SecurityGroupName: !Ref SecurityGroup2
+ SecurityGroup2:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId: !Ref myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 1.2.3.4/28
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ myDistribution:
+ Type: AWS::CloudFront::Distribution
+ Properties:
+ DistributionConfig:
+ Enabled: true
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "myDistribution": {
+ "Type": "AWS::CloudFront::Distribution",
+ "Properties": {
+ "DistributionConfig": {
+ "Enabled": "true"
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md b/docs/queries/cloudformation-queries/aws/c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md
new file mode 100644
index 00000000000..94377c033fe
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/c757c6a3-ac87-4b9d-b28d-e5a5add6a315.md
@@ -0,0 +1,68 @@ +--- +title: Serverless API X-Ray Tracing Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c757c6a3-ac87-4b9d-b28d-e5a5add6a315 +- **Query name:** Serverless API X-Ray Tracing Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_api_xray_tracing_disabled) + +### Description +AWS Serverless API should have X-Ray Tracing enabled
+[Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi: + Type: AWS::Serverless::Api + Properties: + StageName: prod + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi2: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Transform: AWS::Serverless-2016-10-31 +Description: AWS SAM template with a simple API definition +Resources: + ApiGatewayApi3: + Type: AWS::Serverless::Api + Properties: + StageName: prod + TracingEnabled: true + +``` diff --git a/docs/queries/cloudformation-queries/aws/c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md b/docs/queries/cloudformation-queries/aws/c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md new file mode 100644 index 00000000000..03044315620 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22.md 
@@ -0,0 +1,109 @@
+---
+title: Secrets Manager Should Specify KmsKeyId
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c8ae9ba9-c2f7-4e5c-b32e-a4b7712d4d22
+- **Query name:** Secrets Manager Should Specify KmsKeyId
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Secret Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/secrets_manager_should_specify_kms_key_id)
+
+### Description
+Secrets Manager Secret should explicitly specify KmsKeyId, this will allow the secret to be shared cross-account
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-secretsmanager-secret.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+ SecretsManagerSecret:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Description: String
+ GenerateSecretString:
+ GenerateSecretString
+ Name: String
+ SecretString:
+ String
+ Tags:
+ - Tag
+```
+```json title="Postitive test num. 2 - json file" hl_lines="7"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "A sample template",
+ "Resources": {
+ "SecretsManagerSecret": {
+ "Type": "AWS::SecretsManager::Secret",
+ "Properties": {
+ "Name": "String",
+ "SecretString": "String",
+ "Tags": [
+ "Tag"
+ ],
+ "Description": "String",
+ "GenerateSecretString": "GenerateSecretString"
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+ SecretsManagerSecret:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Description: String
+ GenerateSecretString:
+ GenerateSecretString
+ KmsKeyId: String
+ Name: String
+ SecretString:
+ String
+ Tags:
+ - Tag
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "A sample template",
+ "Resources": {
+ "SecretsManagerSecret": {
+ "Type": "AWS::SecretsManager::Secret",
+ "Properties": {
+ "Description": "String",
+ "GenerateSecretString": "GenerateSecretString",
+ "KmsKeyId": "String",
+ "Name": "String",
+ "SecretString": "String",
+ "Tags": [
+ "Tag"
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/c8dee387-a2e6-4a73-a942-183c975549ac.md b/docs/queries/cloudformation-queries/aws/c8dee387-a2e6-4a73-a942-183c975549ac.md
new file mode 100644
index 00000000000..91eca703a89
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/c8dee387-a2e6-4a73-a942-183c975549ac.md
@@ -0,0 +1,267 @@
+---
+title: DynamoDB With Aws Owned CMK
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c8dee387-a2e6-4a73-a942-183c975549ac
+- **Query name:** DynamoDB With Aws Owned CMK
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/dynamodb_with_aws_owned_cmk)
+
+### Description
+AWS DynamoDb should be encrypted using AWS Managed CMK, instead of AWS-owned CMK. To verify this, SSEEnabled must be verified if false for AWS-owned CMK or true for AWS-Managed CMK. Default value is false.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dynamodb-table-ssespecification.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Sample CloudFormation template for DynamoDB with AWS-Owned CMK
+Resources:
+ DynamoDBOnDemandTable2:
+ Type: "AWS::DynamoDB::Table"
+ Properties:
+ TableName: "dynamodb-kms-0"
+ AttributeDefinitions:
+ - AttributeName: pk
+ AttributeType: S
+ KeySchema:
+ - AttributeName: pk
+ KeyType: HASH
+ BillingMode: PAY_PER_REQUEST
+ SSESpecification:
+ SSEEnabled: false
+ SSEType: "KMS"
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="4"
+AWSTemplateFormatVersion: "2010-09-11"
+Description: Sample CloudFormation template for DynamoDB with AWS-Owned CMK
+Resources:
+ DynamoDBOnDemandTable4:
+ Type: "AWS::DynamoDB::Table"
+ Properties:
+ TableName: "dynamodb-kms-2"
+ AttributeDefinitions:
+ - AttributeName: pk
+ AttributeType: S
+ KeySchema:
+ - AttributeName: pk
+ KeyType: HASH
+ BillingMode: PAY_PER_REQUEST
+ SSESpecification:
+ SSEType: "KMS"
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="4"
+AWSTemplateFormatVersion: "2010-09-10"
+Description: Sample CloudFormation template for DynamoDB with AWS-Owned CMK
+Resources:
+ DynamoDBOnDemandTable5:
+ Type: "AWS::DynamoDB::Table"
+ Properties:
+ TableName: "dynamodb-kms-3"
+ AttributeDefinitions:
+ - AttributeName: pk
+ AttributeType: S
+ KeySchema:
+ - AttributeName: pk
+ KeyType: HASH
+ BillingMode: PAY_PER_REQUEST
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="5"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Sample CloudFormation template for DynamoDB with AWS-Owned CMK",
+ "Resources": {
+ "DynamoDBOnDemandTable2": {
+ "Type": "AWS::DynamoDB::Table",
+ "Properties": {
+ "TableName": "dynamodb-kms-0",
+ "AttributeDefinitions": [
+ {
+ "AttributeName": "pk",
+ "AttributeType": "S"
+ }
+ ],
+ "KeySchema": [
+ {
+ "AttributeName": "pk",
+ "KeyType": "HASH"
+ }
+ ],
+ "BillingMode": "PAY_PER_REQUEST",
+ "SSESpecification": {
+ "SSEEnabled": false,
+ "SSEType": "KMS"
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Sample CloudFormation template for DynamoDB with customer managed CMK
+Resources:
+ dynamodbKMSKey:
+ Type: AWS::KMS::Key
+ Properties:
+ Description: "An example CMK"
+ KeyPolicy:
+ Version: "2012-10-17"
+ Id: "key-default-1"
+ Statement:
+ - Sid: "Allow administration of the key"
+ Effect: "Allow"
+ Principal:
+ AWS: "arn:aws:iam::123456789012:user/ana"
+ Action:
+ - "kms:Create*"
+ - "kms:Describe*"
+ - "kms:Enable*"
+ - "kms:List*"
+ - "kms:Put*"
+ - "kms:Update*"
+ - "kms:Revoke*"
+ - "kms:Disable*"
+ - "kms:Get*"
+ - "kms:Delete*"
+ - "kms:ScheduleKeyDeletion"
+ - "kms:CancelKeyDeletion"
+ Resource: "*"
+ - Sid: "Allow use of the key"
+ Effect: "Allow"
+ Principal:
+ AWS: "arn:aws:iam::123456789012:user/ana"
+ Action:
+ - "kms:DescribeKey"
+ - "kms:Encrypt"
+ - "kms:Decrypt"
+ - "kms:ReEncrypt*"
+ - "kms:GenerateDataKey"
+ - "kms:GenerateDataKeyWithoutPlaintext"
+ Resource: "*"
+
+ DynamoDBOnDemandTable1:
+ Type: "AWS::DynamoDB::Table"
+ Properties:
+ TableName: "dynamodb-kms"
+ AttributeDefinitions:
+ - AttributeName: pk
+ AttributeType: S
+ KeySchema:
+ - AttributeName: pk
+ KeyType: HASH
+ BillingMode: PAY_PER_REQUEST
+ SSESpecification:
+ KMSMasterKeyId: !Ref dynamodbKMSKey
+ SSEEnabled: true
+ SSEType: "KMS"
+
+```
+```json title="Negative test num. 
2 - json file"
+{
+ "Resources": {
+ "dynamodbKMSKey": {
+ "Type": "AWS::KMS::Key",
+ "Properties": {
+ "Description": "An example CMK",
+ "KeyPolicy": {
+ "Version": "2012-10-17",
+ "Id": "key-default-1",
+ "Statement": [
+ {
+ "Sid": "Allow administration of the key",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/ana"
+ },
+ "Action": [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "Allow use of the key",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/ana"
+ },
+ "Action": [
+ "kms:DescribeKey",
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
+ }
+ },
+ "DynamoDBOnDemandTable1": {
+ "Type": "AWS::DynamoDB::Table",
+ "Properties": {
+ "BillingMode": "PAY_PER_REQUEST",
+ "SSESpecification": {
+ "KMSMasterKeyId": "dynamodbKMSKey",
+ "SSEEnabled": true,
+ "SSEType": "KMS"
+ },
+ "TableName": "dynamodb-kms",
+ "AttributeDefinitions": [
+ {
+ "AttributeName": "pk",
+ "AttributeType": "S"
+ }
+ ],
+ "KeySchema": [
+ {
+ "AttributeName": "pk",
+ "KeyType": "HASH"
+ }
+ ]
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Sample CloudFormation template for DynamoDB with customer managed CMK"
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md b/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md
new file mode 100644
index 00000000000..ce509441a68
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md
@@ -0,0 +1,111 @@
+---
+title: Remote Desktop Port Open To Internet
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c9846969-d066-431f-9b34-8c4abafe422a
+- **Query name:** Remote Desktop Port Open To Internet
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet)
+
+### Description
+The Remote Desktop port is open to the internet in a Security Group
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+Resources:
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow rdp to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 3389
+ ToPort: 3389
+ CidrIp: 0.0.0.0/0
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="10"
+{
+ "Resources": {
+ "InstanceSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "Allow rdp to client host",
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "IpProtocol": "tcp",
+ "FromPort": 3389,
+ "ToPort": 3389,
+ "CidrIp": "0.0.0.0/0"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+Resources:
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow rdp to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 3389
+ ToPort: 3389
+ CidrIp: 192.168.0.0/16
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "InstanceSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "Allow rdp to client host",
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "IpProtocol": "tcp",
+ "FromPort": 3389,
+ "ToPort": 3389,
+ "CidrIp": "192.168.0.0/16"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md b/docs/queries/cloudformation-queries/aws/cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md
new file mode 100644
index 00000000000..4e3c8d7a7ca
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/cb2f612b-ed42-4ff5-9fb9-255c73d39a18.md
@@ -0,0 +1,78 @@
+---
+title: Serverless Function Without Dead Letter Queue
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** cb2f612b-ed42-4ff5-9fb9-255c73d39a18
+- **Query name:** Serverless Function Without Dead Letter Queue
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_function_without_dead_letter_queue)
+
+### Description
+AWS Serverless Function should be configured for a Dead Letter Queue(DLQ)
+[Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-deadletterqueue)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: AWS SAM template with a simple API definition
+Resources:
+ Function:
+ Type: AWS::Serverless::Function
+ Properties:
+ PackageType: Image
+ ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
+ ImageConfig:
+ Command:
+ - "app.lambda_handler"
+ EntryPoint:
+ - "entrypoint1"
+ WorkingDirectory: "workDir"
+ Tags:
+ - Key: Type
+ Value: AWS Serverless Function
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: AWS SAM template with a simple API definition
+Resources:
+ Function1:
+ Type: AWS::Serverless::Function
+ Properties:
+ PackageType: Image
+ ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
+ ImageConfig:
+ Command:
+ - "app.lambda_handler"
+ EntryPoint:
+ - "entrypoint1"
+ WorkingDirectory: "workDir"
+ Tags:
+ - Key: Type
+ Value: AWS Serverless Function
+ DeadLetterConfig:
+ TargetArn: arn:aws:sqs:us-east-1:2324243535:aaa
+ Type: SQS
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/cc8b294f-006f-4f8f-b5bb-0a9140c33131.md b/docs/queries/cloudformation-queries/aws/cc8b294f-006f-4f8f-b5bb-0a9140c33131.md
new file mode 100644
index 00000000000..505c2c352f4
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/cc8b294f-006f-4f8f-b5bb-0a9140c33131.md
@@ -0,0 +1,143 @@
+---
+title: Wildcard In ACM Certificate Domain Name
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** cc8b294f-006f-4f8f-b5bb-0a9140c33131
+- **Query name:** Wildcard In ACM Certificate Domain Name
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/wildcard_in_acm_certificate_domain_name)
+
+### Description
+ACM Certificate should not use wildcards (*) in the domain name
+[Documentation](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="16"
+AWSTemplateFormatVersion: '2010-09-09'
+Parameters:
+ DomainName:
+ Description: "Domain for which you are requesting a cert"
+ Type: String
+ Default: example.com #Put your own domain name here
+ HostedZoneId:
+ Description: "hosted zone id in which CNAME record for the validation needs to be added"
+ Type: String
+ Default: XYZABCDERYH #Put the hosted zone id in which CNAME record for the validation needs to be added
+
+Resources:
+ Certificate:
+ Type: AWS::CertificateManager::Certificate
+ Properties:
+ DomainName: "*"
+ DomainValidationOptions:
+ - DomainName: !Ref DomainName
+ HostedZoneId: !Ref HostedZoneId
+ ValidationMethod: 'DNS'
+```
+```json title="Postitive test num. 2 - json file" hl_lines="19"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Parameters": {
+ "HostedZoneId": {
+ "Type": "String",
+ "Default": "XYZABCDERYH",
+ "Description": "hosted zone id in which CNAME record for the validation needs to be added"
+ },
+ "DomainName": {
+ "Description": "Domain for which you are requesting a cert",
+ "Type": "String",
+ "Default": "example.com"
+ }
+ },
+ "Resources": {
+ "Certificate": {
+ "Type": "AWS::CertificateManager::Certificate",
+ "Properties": {
+ "DomainName": "*",
+ "DomainValidationOptions": [
+ {
+ "DomainName": "DomainName",
+ "HostedZoneId": "HostedZoneId"
+ }
+ ],
+ "ValidationMethod": "DNS"
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Parameters:
+ DomainName:
+ Description: "Domain for which you are requesting a cert"
+ Type: String
+ Default: example.com #Put your own domain name here
+ HostedZoneId:
+ Description: "hosted zone id in which CNAME record for the validation needs to be added"
+ Type: String
+ Default: XYZABCDERYH #Put the hosted zone id in which CNAME record for the validation needs to be added
+
+Resources:
+ Certificate:
+ Type: AWS::CertificateManager::Certificate
+ Properties:
+ DomainName: CMDomain
+ DomainValidationOptions:
+ - DomainName: !Ref DomainName
+ HostedZoneId: !Ref HostedZoneId
+ ValidationMethod: 'DNS'
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Parameters": {
+ "DomainName": {
+ "Type": "String",
+ "Default": "example.com",
+ "Description": "Domain for which you are requesting a cert"
+ },
+ "HostedZoneId": {
+ "Description": "hosted zone id in which CNAME record for the validation needs to be added",
+ "Type": "String",
+ "Default": "XYZABCDERYH"
+ }
+ },
+ "Resources": {
+ "Certificate": {
+ "Type": "AWS::CertificateManager::Certificate",
+ "Properties": {
+ "DomainName": "CMDomain",
+ "DomainValidationOptions": [
+ {
+ "HostedZoneId": "HostedZoneId",
+ "DomainName": "DomainName"
+ }
+ ],
+ "ValidationMethod": "DNS"
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md b/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md
new file mode 100644
index 00000000000..c7ca4304428
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md
@@ -0,0 +1,169 @@
+---
+title: Security Groups With Exposed Admin Ports
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** cdbb0467-2957-4a77-9992-7b55b29df7b7
+- **Query name:** Security Groups With Exposed Admin Ports
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports)
+
+### Description
+Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="15"
+Resources:
+ Ec2Instance:
+ Type: 'AWS::EC2::Instance'
+ Properties:
+ SecurityGroups:
+ - !Ref InstanceSecurityGroup
+ KeyName: mykey
+ ImageId: ''
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 20
+ ToPort: 20
+ CidrIp: 0.0.0.0/0
+ SecurityGroupEgress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 0.0.0.0/0
+```
+```json title="Postitive test num. 2 - json file" hl_lines="19"
+{
+ "Resources": {
+ "Ec2Instance": {
+ "Type": "AWS::EC2::Instance",
+ "Properties": {
+ "ImageId": "",
+ "SecurityGroups": [
+ "InstanceSecurityGroup"
+ ],
+ "KeyName": "mykey"
+ }
+ },
+ "InstanceSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "CidrIp": "0.0.0.0/0",
+ "IpProtocol": "tcp",
+ "FromPort": 20,
+ "ToPort": 20
+ }
+ ],
+ "SecurityGroupEgress": [
+ {
+ "IpProtocol": "tcp",
+ "FromPort": 80,
+ "ToPort": 80,
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "GroupDescription": "Allow http to client host"
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file"
+Resources:
+ Ec2Instance:
+ Type: 'AWS::EC2::Instance'
+ Properties:
+ SecurityGroups:
+ - !Ref InstanceSecurityGroup
+ KeyName: mykey
+ ImageId: ''
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 127.0.0.1/32
+ SecurityGroupEgress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 127.0.0.1/33
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "Ec2Instance": {
+ "Type": "AWS::EC2::Instance",
+ "Properties": {
+ "SecurityGroups": [
+ "InstanceSecurityGroup"
+ ],
+ "KeyName": "mykey",
+ "ImageId": ""
+ }
+ },
+ "InstanceSecurityGroup": {
+ "Properties": {
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "IpProtocol": "tcp",
+ "FromPort": 80,
+ "ToPort": 80,
+ "CidrIp": "127.0.0.1/32"
+ }
+ ],
+ "SecurityGroupEgress": [
+ {
+ "CidrIp": "127.0.0.1/33",
+ "IpProtocol": "tcp",
+ "FromPort": 80,
+ "ToPort": 80
+ }
+ ],
+ "GroupDescription": "Allow http to client host"
+ },
+ "Type": "AWS::EC2::SecurityGroup"
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md b/docs/queries/cloudformation-queries/aws/cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md
new file mode 100644
index 00000000000..dac62e1036c
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/cfdef2e5-1fe4-4ef4-bea8-c56e08963150.md
@@ -0,0 +1,145 @@
+---
+title: ElastiCache Nodes Not Created Across Multi AZ
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** cfdef2e5-1fe4-4ef4-bea8-c56e08963150
+- **Query name:** ElastiCache Nodes Not Created Across Multi AZ
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elasticache_nodes_not_created_across_multi_az)
+
+### Description
+ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ myCacheCluster3:
+ Type: 'AWS::ElastiCache::CacheCluster'
+ Properties:
+ AZMode: single-az
+ CacheNodeType: cache.m3.medium
+ Engine: memcached
+ NumCacheNodes: '3'
+ PreferredAvailabilityZones:
+ - us-west-2a
+ - us-west-2a
+ - us-west-2b
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="5"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ myCacheCluster4:
+ Type: 'AWS::ElastiCache::CacheCluster'
+ Properties:
+ CacheNodeType: cache.m3.medium
+ Engine: memcached
+ NumCacheNodes: '3'
+ PreferredAvailabilityZones:
+ - us-west-2a
+ - us-west-2a
+ - us-west-2b
+
+```
+```json title="Postitive test num. 3 - json file" hl_lines="6"
+{
+ "Resources": {
+ "myCacheCluster5": {
+ "Type": "AWS::ElastiCache::CacheCluster",
+ "Properties": {
+ "AZMode": "single-az",
+ "CacheNodeType": "cache.m3.medium",
+ "Engine": "memcached",
+ "NumCacheNodes": "3",
+ "PreferredAvailabilityZones": [
+ "us-west-2a",
+ "us-west-2a",
+ "us-west-2b"
+ ]
+ }
+ }
+ }
+}
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="5"
+{
+ "Resources": {
+ "myCacheCluster6": {
+ "Type": "AWS::ElastiCache::CacheCluster",
+ "Properties": {
+ "CacheNodeType": "cache.m3.medium",
+ "Engine": "memcached",
+ "NumCacheNodes": "3",
+ "PreferredAvailabilityZones": [
+ "us-west-2a",
+ "us-west-2a",
+ "us-west-2b"
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ myCacheCluster:
+ Type: 'AWS::ElastiCache::CacheCluster'
+ Properties:
+ AZMode: cross-az
+ CacheNodeType: cache.m3.medium
+ Engine: memcached
+ NumCacheNodes: '3'
+ PreferredAvailabilityZones:
+ - us-west-2a
+ - us-west-2a
+ - us-west-2b
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "myCacheCluster2": {
+ "Type": "AWS::ElastiCache::CacheCluster",
+ "Properties": {
+ "AZMode": "cross-az",
+ "CacheNodeType": "cache.m3.medium",
+ "Engine": "memcached",
+ "NumCacheNodes": "3",
+ "PreferredAvailabilityZones": [
+ "us-west-2a",
+ "us-west-2a",
+ "us-west-2b"
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/d24389b4-b209-4ff0-8345-dc7a4569dcdd.md b/docs/queries/cloudformation-queries/aws/d24389b4-b209-4ff0-8345-dc7a4569dcdd.md
new file mode 100644
index 00000000000..c94cccbd6a9
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/d24389b4-b209-4ff0-8345-dc7a4569dcdd.md
@@ -0,0 +1,313 @@
+---
+title: ECS Task Definition HealthCheck Missing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d24389b4-b209-4ff0-8345-dc7a4569dcdd
+- **Query name:** ECS Task Definition HealthCheck Missing
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecs_task_definition_healthcheck_missing)
+
+### Description
+Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-healthcheck.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="47"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: A sample template
+Resources:
+ MyEC2Instance:
+ Type: "AWS::EC2::Instance"
+ Properties:
+ ImageId: "ami-0ff8a91507f77f867"
+ InstanceType: t2.micro
+ KeyName: testkey
+ BlockDeviceMappings:
+ - DeviceName: /dev/sdm
+ Ebs:
+ VolumeType: io1
+ Iops: 200
+ DeleteOnTermination: false
+ VolumeSize: 20
+ taskdefinition:
+ Type: AWS::ECS::TaskDefinition
+ Properties:
+ ContainerDefinitions:
+ - Name:
+ Ref: "AppName1"
+ MountPoints:
+ - SourceVolume: "my-vol"
+ ContainerPath: "/var/www/my-vol"
+ Image: "amazon/amazon-ecs-sample"
+ Cpu: 256
+ PortMappings:
+ - ContainerPort:
+ Ref: "AppContainerPort"
+ HostPort:
+ Ref: "AppHostPort"
+ EntryPoint:
+ - "/usr/sbin/apache2"
+ - "-D"
+ - "FOREGROUND"
+ HealthCheck:
+ Command:
+ - CMD-SHELL
+ - curl -f http://localhost:8080/ || exit 1
+ Interval: 30
+ Retries: 3
+ StartPeriod: 1
+ Timeout: 5
+ Memory: 512
+ Essential: true
+ - Name:
+ Ref: "AppName"
+ MountPoints:
+ - SourceVolume: "my-vol"
+ ContainerPath: "/var/www/my-vol"
+ Image: "amazon/amazon-ecs-sample"
+ Cpu: 256
+ PortMappings:
+ - ContainerPort:
+ Ref: "AppContainerPort"
+ HostPort:
+ Ref: "AppHostPort"
+ EntryPoint:
+ - "/usr/sbin/apache2"
+ - "-D"
+ - "FOREGROUND"
+ Memory: 512
+ Essential: true
+ Volumes:
+ - Host:
+ SourcePath: "/var/lib/docker/vfs/dir/"
+ Name: "my-vol"
+
+```
+```json title="Postitive test num. 
2 - json file" hl_lines="29"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "A sample template",
+ "Resources": {
+ "MyEC2Instance": {
+ "Type": "AWS::EC2::Instance",
+ "Properties": {
+ "BlockDeviceMappings": [
+ {
+ "DeviceName": "/dev/sdm",
+ "Ebs": {
+ "DeleteOnTermination": false,
+ "VolumeSize": 20,
+ "VolumeType": "io1",
+ "Iops": 200
+ }
+ }
+ ],
+ "ImageId": "ami-0ff8a91507f77f867",
+ "InstanceType": "t2.micro",
+ "KeyName": "testkey"
+ }
+ },
+ "taskdefinition": {
+ "Type": "AWS::ECS::TaskDefinition",
+ "Properties": {
+ "ContainerDefinitions": [
+ {
+ "MountPoints": [
+ {
+ "SourceVolume": "my-vol",
+ "ContainerPath": "/var/www/my-vol"
+ }
+ ],
+ "Image": "amazon/amazon-ecs-sample",
+ "Cpu": 256,
+ "PortMappings": [
+ {
+ "HostPort": {
+ "Ref": "AppHostPort"
+ },
+ "ContainerPort": {
+ "Ref": "AppContainerPort"
+ }
+ }
+ ],
+ "EntryPoint": [
+ "/usr/sbin/apache2",
+ "-D",
+ "FOREGROUND"
+ ],
+ "Memory": 512,
+ "Essential": true,
+ "Name": {
+ "Ref": "AppName"
+ }
+ }
+ ],
+ "Volumes": [
+ {
+ "Host": {
+ "SourcePath": "/var/lib/docker/vfs/dir/"
+ },
+ "Name": "my-vol"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 
1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: A sample template
+Resources:
+ MyEC2Instance:
+ Type: "AWS::EC2::Instance"
+ Properties:
+ ImageId: "ami-0ff8a91507f77f867"
+ InstanceType: t2.micro
+ KeyName: testkey
+ BlockDeviceMappings:
+ - DeviceName: /dev/sdm
+ Ebs:
+ VolumeType: io1
+ Iops: 200
+ DeleteOnTermination: false
+ VolumeSize: 20
+ taskdefinition:
+ Type: AWS::ECS::TaskDefinition
+ Properties:
+ ContainerDefinitions:
+ - Name:
+ Ref: "AppName"
+ MountPoints:
+ - SourceVolume: "my-vol"
+ ContainerPath: "/var/www/my-vol"
+ Image: "amazon/amazon-ecs-sample"
+ Cpu: 256
+ PortMappings:
+ - ContainerPort:
+ Ref: "AppContainerPort"
+ HostPort:
+ Ref: "AppHostPort"
+ EntryPoint:
+ - "/usr/sbin/apache2"
+ - "-D"
+ - "FOREGROUND"
+ HealthCheck:
+ Command:
+ - CMD-SHELL
+ - curl -f http://localhost:8080/ || exit 1
+ Interval: 30
+ Retries: 3
+ StartPeriod: 1
+ Timeout: 5
+ Memory: 512
+ Essential: true
+ Volumes:
+ - Host:
+ SourcePath: "/var/lib/docker/vfs/dir/"
+ Name: "my-vol"
+
+```
+```json title="Negative test num. 
2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "A sample template",
+ "Resources": {
+ "MyEC2Instance": {
+ "Type": "AWS::EC2::Instance",
+ "Properties": {
+ "ImageId": "ami-0ff8a91507f77f867",
+ "InstanceType": "t2.micro",
+ "KeyName": "testkey",
+ "BlockDeviceMappings": [
+ {
+ "Ebs": {
+ "VolumeType": "io1",
+ "Iops": 200,
+ "DeleteOnTermination": false,
+ "VolumeSize": 20
+ },
+ "DeviceName": "/dev/sdm"
+ }
+ ]
+ }
+ },
+ "taskdefinition": {
+ "Type": "AWS::ECS::TaskDefinition",
+ "Properties": {
+ "Volumes": [
+ {
+ "Host": {
+ "SourcePath": "/var/lib/docker/vfs/dir/"
+ },
+ "Name": "my-vol"
+ }
+ ],
+ "ContainerDefinitions": [
+ {
+ "EntryPoint": [
+ "/usr/sbin/apache2",
+ "-D",
+ "FOREGROUND"
+ ],
+ "Memory": 512,
+ "PortMappings": [
+ {
+ "ContainerPort": {
+ "Ref": "AppContainerPort"
+ },
+ "HostPort": {
+ "Ref": "AppHostPort"
+ }
+ }
+ ],
+ "MountPoints": [
+ {
+ "SourceVolume": "my-vol",
+ "ContainerPath": "/var/www/my-vol"
+ }
+ ],
+ "Image": "amazon/amazon-ecs-sample",
+ "Cpu": 256,
+ "HealthCheck": {
+ "Command": [
+ "CMD-SHELL",
+ "curl -f http://localhost:8080/ || exit 1"
+ ],
+ "Interval": 30,
+ "Retries": 3,
+ "StartPeriod": 1,
+ "Timeout": 5
+ },
+ "Essential": true,
+ "Name": {
+ "Ref": "AppName"
+ }
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/d53323be-dde6-4457-9a43-42df737e71d2.md b/docs/queries/cloudformation-queries/aws/d53323be-dde6-4457-9a43-42df737e71d2.md
new file mode 100644
index 00000000000..53c980b1870
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/d53323be-dde6-4457-9a43-42df737e71d2.md
@@ -0,0 +1,89 @@
+---
+title: BOM - AWS Kinesis
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d53323be-dde6-4457-9a43-42df737e71d2
+- **Query name:** BOM - AWS Kinesis
+- **Platform:** CloudFormation
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/kinesis)
+
+### Description
+A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time
+[Documentation](https://kics.io)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="3"
+Description: Kinesis
+Resources:
+ MyStream:
+ Type: AWS::Kinesis::Stream
+ Properties:
+ Name: MyKinesisStream1
+ RetentionPeriodHours: 168
+ ShardCount: 3
+ StreamEncryption:
+ EncryptionType: KMS
+ KeyId: !Ref myKey
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="4"
+{
+ "Description": "Kinesis",
+ "Resources": {
+ "MyStream2": {
+ "Type": "AWS::Kinesis::Stream",
+ "Properties": {
+ "Name": "MyKinesisStream2",
+ "RetentionPeriodHours": 168,
+ "ShardCount": 3
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Resources:
+ myDistribution:
+ Type: AWS::CloudFront::Distribution
+ Properties:
+ DistributionConfig:
+ Enabled: true
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Resources": {
+ "myDistribution": {
+ "Type": "AWS::CloudFront::Distribution",
+ "Properties": {
+ "DistributionConfig": {
+ "Enabled": "true"
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/d6653eee-2d4d-4e6a-976f-6794a497999a.md b/docs/queries/cloudformation-queries/aws/d6653eee-2d4d-4e6a-976f-6794a497999a.md
new file mode 100644
index 00000000000..d466b0f6288
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/d6653eee-2d4d-4e6a-976f-6794a497999a.md
@@ -0,0 +1,265 @@
+---
+title: API Gateway With Invalid Compression
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d6653eee-2d4d-4e6a-976f-6794a497999a
+- **Query name:** API Gateway With Invalid Compression
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_with_invalid_compression)
+
+### Description
+API Gateway should have valid compression, which means attribute 'MinimumCompressionSize' should be set and its value should be greater than -1 and smaller than 10485760.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="17"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ RestApi3:
+ Type: AWS::ApiGateway::RestApi
+ Properties:
+ Body:
+ swagger: 2.0
+ info:
+ version: 0.0.1
+ title: test
+ basePath: /pete
+ schemes:
+ - https
+ definitions:
+ Empty:
+ type: object
+ MinimumCompressionSize: -1
+ Name: myApi
+ Parameters:
+ endpointConfigurationTypes: REGIONAL
+
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="17"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ RestApi4:
+ Type: AWS::ApiGateway::RestApi
+ Properties:
+ Body:
+ swagger: 2.0
+ info:
+ version: 0.0.1
+ title: test
+ basePath: /pete
+ schemes:
+ - https
+ definitions:
+ Empty:
+ type: object
+ MinimumCompressionSize: 10485760
+ Name: myApi
+ Parameters:
+ endpointConfigurationTypes: REGIONAL
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="5"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ RestApi5:
+ Type: AWS::ApiGateway::RestApi
+ Properties:
+ Body:
+ swagger: 2.0
+ info:
+ version: 0.0.1
+ title: test
+ basePath: /pete
+ schemes:
+ - https
+ definitions:
+ Empty:
+ type: object
+ Name: myApi
+ Parameters:
+ endpointConfigurationTypes: REGIONAL
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="22"
+{
+ "Resources": {
+ "RestApi6": {
+ "Type": "AWS::ApiGateway::RestApi",
+ "Properties": {
+ "Body": {
+ "swagger": 2,
+ "info": {
+ "version": "0.0.1",
+ "title": "test"
+ },
+ "basePath": "/pete",
+ "schemes": [
+ "https"
+ ],
+ "definitions": {
+ "Empty": {
+ "type": "object"
+ }
+ }
+ },
+ "MinimumCompressionSize": -1,
+ "Name": "myApi",
+ "Parameters": {
+ "endpointConfigurationTypes": "REGIONAL"
+ }
+ }
+ }
+ }
+}
+
+```
+
+
Postitive test num. 5 - json file
+
+```json hl_lines="22"
+{
+ "Resources": {
+ "RestApi7": {
+ "Type": "AWS::ApiGateway::RestApi",
+ "Properties": {
+ "Body": {
+ "swagger": 2,
+ "info": {
+ "version": "0.0.1",
+ "title": "test"
+ },
+ "basePath": "/pete",
+ "schemes": [
+ "https"
+ ],
+ "definitions": {
+ "Empty": {
+ "type": "object"
+ }
+ }
+ },
+ "MinimumCompressionSize": 10485760,
+ "Name": "myApi",
+ "Parameters": {
+ "endpointConfigurationTypes": "REGIONAL"
+ }
+ }
+ }
+ }
+}
+
+```
+
+
Postitive test num. 6 - json file
+
+```json hl_lines="5"
+{
+ "Resources": {
+ "RestApi8": {
+ "Type": "AWS::ApiGateway::RestApi",
+ "Properties": {
+ "Body": {
+ "swagger": 2,
+ "info": {
+ "version": "0.0.1",
+ "title": "test"
+ },
+ "basePath": "/pete",
+ "schemes": [
+ "https"
+ ],
+ "definitions": {
+ "Empty": {
+ "type": "object"
+ }
+ }
+ },
+ "Name": "myApi",
+ "Parameters": {
+ "endpointConfigurationTypes": "REGIONAL"
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ RestApi:
+ Type: AWS::ApiGateway::RestApi
+ Properties:
+ Body:
+ swagger: 2.0
+ info:
+ version: 0.0.1
+ title: test
+ basePath: /pete
+ schemes:
+ - https
+ definitions:
+ Empty:
+ type: object
+ MinimumCompressionSize: 0
+ Name: myApi
+ Parameters:
+ endpointConfigurationTypes: REGIONAL
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "RestApi2": {
+ "Type": "AWS::ApiGateway::RestApi",
+ "Properties": {
+ "Body": {
+ "swagger": 2,
+ "info": {
+ "version": "0.0.1",
+ "title": "test"
+ },
+ "basePath": "/pete",
+ "schemes": [
+ "https"
+ ],
+ "definitions": {
+ "Empty": {
+ "type": "object"
+ }
+ }
+ },
+ "MinimumCompressionSize": 0,
+ "Name": "myApi",
+ "Parameters": {
+ "endpointConfigurationTypes": "REGIONAL"
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md b/docs/queries/cloudformation-queries/aws/d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md
new file mode 100644
index 00000000000..618ced36158
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/d71b5fd7-9020-4b2d-9ec8-b3839faa2744.md
@@ -0,0 +1,213 @@
+---
+title: Support Has No Role Associated
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d71b5fd7-9020-4b2d-9ec8-b3839faa2744
+- **Query name:** Support Has No Role Associated
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/support_has_no_role_associated)
+
+### Description
+Check if any AWS Support policy does not have any role and users and group associated, which means that is not being managed.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 4 28"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: A sample template
+Resources:
+ noRoles:
+ Type: AWS::IAM::Policy
+ Properties:
+ PolicyName: AWSSupportAccess
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action: ["*"]
+ Resource: "*"
+ Users: ["SomeUser"]
+ Groups: ["SomeGroup"]
+ noUsers:
+ Type: AWS::IAM::Policy
+ Properties:
+ PolicyName: AWSSupportAccess
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action: ["*"]
+ Resource: "*"
+ Roles: ["SomeRole"]
+ Groups: ["SomeGroup"]
+ noGroups:
+ Type: AWS::IAM::Policy
+ Properties:
+ PolicyName: AWSSupportAccess
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action: ["*"]
+ Resource: "*"
+ Roles: ["SomeRole"]
+ Users: ["SomeUser"]
+
+
+
+```
+```json title="Postitive test num.
2 - json file" hl_lines="29 53 5"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "A sample template",
+ "Resources": {
+ "noRoles": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyName": "AWSSupportAccess",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "*"
+ ],
+ "Resource": "*"
+ }
+ ]
+ },
+ "Users": [
+ "SomeUser"
+ ],
+ "Groups": [
+ "SomeGroup"
+ ]
+ }
+ },
+ "noUsers": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyName": "AWSSupportAccess",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "*"
+ ],
+ "Resource": "*"
+ }
+ ]
+ },
+ "Roles": [
+ "SomeRole"
+ ],
+ "Groups": [
+ "SomeGroup"
+ ]
+ }
+ },
+ "noGroups": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyName": "AWSSupportAccess",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "*"
+ ],
+ "Resource": "*"
+ }
+ ]
+ },
+ "Roles": [
+ "SomeRole"
+ ],
+ "Users": [
+ "SomeUser"
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: A sample template
+Resources:
+ MyPolicy:
+ Type: AWS::IAM::Policy
+ Properties:
+ PolicyName: mygrouppolicy
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:PutObject
+ - s3:PutObjectAcl
+ Resource: arn:aws:s3:::myAWSBucket/*
+ Groups:
+ - myexistinggroup1
+ - !Ref mygroup
+
+```
+```json title="Negative test num.
2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "A sample template",
+ "Resources": {
+ "MyPolicy": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "PolicyName": "mygrouppolicy",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:PutObjectAcl"
+ ],
+ "Resource": "arn:aws:s3:::myAWSBucket/*",
+ "Effect": "Allow"
+ }
+ ]
+ },
+ "Groups": [
+ "myexistinggroup1",
+ "mygroup"
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md b/docs/queries/cloudformation-queries/aws/d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md
new file mode 100644
index 00000000000..8010d0a260c
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/d72a7869-e8b9-4e12-bcd2-e8be10b39fa7.md
@@ -0,0 +1,258 @@
+---
+title: IAM Password Without Symbol
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d72a7869-e8b9-4e12-bcd2-e8be10b39fa7
+- **Query name:** IAM Password Without Symbol
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_password_without_symbol)
+
+### Description
+IAM password should have the required symbols
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: A sample template
+Resources:
+ myuser:
+ Type: AWS::IAM::User
+ Properties:
+ Path: "/"
+ LoginProfile:
+ Password: myPassWord23423re
+ Policies:
+ - PolicyName: giveaccesstoqueueonly
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - sqs:*
+ Resource:
+ - !GetAtt myqueue.Arn
+ - Effect: Deny
+ Action:
+ - sqs:*
+ NotResource:
+ - !GetAtt myqueue.Arn
+ - PolicyName: giveaccesstotopiconly
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - sns:*
+ Resource:
+ - !Ref mytopic
+ - Effect: Deny
+ Action:
+ - sns:*
+ NotResource:
+ - !Ref mytopic
+```
+```json title="Postitive test num. 2 - json file" hl_lines="10"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "A sample template",
+ "Resources": {
+ "myuser": {
+ "Type": "AWS::IAM::User",
+ "Properties": {
+ "Path": "/",
+ "LoginProfile": {
+ "Password": "myPassWord23423re"
+ },
+ "Policies": [
+ {
+ "PolicyName": "giveaccesstoqueueonly",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "sqs:*"
+ ],
+ "Resource": [
+ "myqueue.Arn"
+ ],
+ "Effect": "Allow"
+ },
+ {
+ "Effect": "Deny",
+ "Action": [
+ "sqs:*"
+ ],
+ "NotResource": [
+ "myqueue.Arn"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "PolicyName": "giveaccesstotopiconly",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "sns:*"
+ ],
+ "Resource": [
+ "mytopic"
+ ]
+ },
+ {
+ "Effect": "Deny",
+ "Action": [
+ "sns:*"
+ ],
+ "NotResource": [
+ "mytopic"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num.
1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: A sample template
+Resources:
+ myuser:
+ Type: AWS::IAM::User
+ Properties:
+ Path: "/"
+ LoginProfile:
+ Password: myP@ssW0rd
+ Policies:
+ - PolicyName: giveaccesstoqueueonly
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - sqs:*
+ Resource:
+ - !GetAtt myqueue.Arn
+ - Effect: Deny
+ Action:
+ - sqs:*
+ NotResource:
+ - !GetAtt myqueue.Arn
+ - PolicyName: giveaccesstotopiconly
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - sns:*
+ Resource:
+ - !Ref mytopic
+ - Effect: Deny
+ Action:
+ - sns:*
+ NotResource:
+ - !Ref mytopic
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "A sample template",
+ "Resources": {
+ "myuser": {
+ "Type": "AWS::IAM::User",
+ "Properties": {
+ "Path": "/",
+ "LoginProfile": {
+ "Password": "myP@ssW0rd"
+ },
+ "Policies": [
+ {
+ "PolicyName": "giveaccesstoqueueonly",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "sqs:*"
+ ],
+ "Resource": [
+ "myqueue.Arn"
+ ]
+ },
+ {
+ "Effect": "Deny",
+ "Action": [
+ "sqs:*"
+ ],
+ "NotResource": [
+ "myqueue.Arn"
+ ]
+ }
+ ]
+ }
+ },
+ {
+ "PolicyName": "giveaccesstotopiconly",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "sns:*"
+ ],
+ "Resource": [
+ "mytopic"
+ ]
+ },
+ {
+ "Effect": "Deny",
+ "Action": [
+ "sns:*"
+ ],
+ "NotResource": [
+ "mytopic"
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md b/docs/queries/cloudformation-queries/aws/d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md
new file mode 100644
index 00000000000..6922b9d79e4
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/d7467bb6-3ed1-4c82-8095-5e7a818d0aad.md
@@ -0,0 +1,195 @@
+---
+title: CodeBuild Not Encrypted
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d7467bb6-3ed1-4c82-8095-5e7a818d0aad
+- **Query name:** CodeBuild Not Encrypted
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/codebuild_not_encrypted)
+
+### Description
+CodeBuild Project should be encrypted, which means 'EncryptionKey' should be defined
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+ CodeBuildProject:
+ Project:
+ Type: AWS::CodeBuild::Project
+ Properties:
+ Name: myProjectName
+ Description: A description about my project
+ ServiceRole: !GetAtt ServiceRole.Arn
+ Artifacts:
+ Type: no_artifacts
+ Environment:
+ Type: LINUX_CONTAINER
+ ComputeType: BUILD_GENERAL1_SMALL
+ Image: aws/codebuild/java:openjdk-8
+ EnvironmentVariables:
+ - Name: varName
+ Type: varType
+ Value: varValue
+ Source:
+ Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
+ Type: S3
+ TimeoutInMinutes: 10
+ Tags:
+ - Key: Key1
+ Value: Value1
+ - Key: Key2
+ Value: Value2
+```
+```json title="Postitive test num. 2 - json file" hl_lines="8"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "A sample template",
+ "Resources": {
+ "CodeBuildProject": {
+ "Project": {
+ "Type": "AWS::CodeBuild::Project",
+ "Properties": {
+ "Description": "A description about my project",
+ "ServiceRole": "ServiceRole.Arn",
+ "Artifacts": {
+ "Type": "no_artifacts"
+ },
+ "Environment": {
+ "Image": "aws/codebuild/java:openjdk-8",
+ "EnvironmentVariables": [
+ {
+ "Name": "varName",
+ "Type": "varType",
+ "Value": "varValue"
+ }
+ ],
+ "Type": "LINUX_CONTAINER",
+ "ComputeType": "BUILD_GENERAL1_SMALL"
+ },
+ "Source": {
+ "Location": "codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c",
+ "Type": "S3"
+ },
+ "TimeoutInMinutes": 10,
+ "Tags": [
+ {
+ "Key": "Key1",
+ "Value": "Value1"
+ },
+ {
+ "Key": "Key2",
+ "Value": "Value2"
+ }
+ ],
+ "Name": "myProjectName"
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num.
1 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+ CodeBuildProject:
+ Project:
+ Type: AWS::CodeBuild::Project
+ Properties:
+ Name: myProjectName
+ Description: A description about my project
+ EncryptionKey: "alias/alias-name"
+ ServiceRole: !GetAtt ServiceRole.Arn
+ Artifacts:
+ Type: no_artifacts
+ Environment:
+ Type: LINUX_CONTAINER
+ ComputeType: BUILD_GENERAL1_SMALL
+ Image: aws/codebuild/java:openjdk-8
+ EnvironmentVariables:
+ - Name: varName
+ Type: varType
+ Value: varValue
+ Source:
+ Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
+ Type: S3
+ TimeoutInMinutes: 10
+ Tags:
+ - Key: Key1
+ Value: Value1
+ - Key: Key2
+ Value: Value2
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Description": "A sample template",
+ "Resources": {
+ "CodeBuildProject": {
+ "Project": {
+ "Type": "AWS::CodeBuild::Project",
+ "Properties": {
+ "Name": "myProjectName",
+ "Description": "A description about my project",
+ "TimeoutInMinutes": 10,
+ "EncryptionKey": "alias/alias-name",
+ "ServiceRole": "ServiceRole.Arn",
+ "Artifacts": {
+ "Type": "no_artifacts"
+ },
+ "Environment": {
+ "Type": "LINUX_CONTAINER",
+ "ComputeType": "BUILD_GENERAL1_SMALL",
+ "Image": "aws/codebuild/java:openjdk-8",
+ "EnvironmentVariables": [
+ {
+ "Name": "varName",
+ "Type": "varType",
+ "Value": "varValue"
+ }
+ ]
+ },
+ "Source": {
+ "Location": "codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c",
+ "Type": "S3"
+ },
+ "Tags": [
+ {
+ "Key": "Key1",
+ "Value": "Value1"
+ },
+ {
+ "Key": "Key2",
+ "Value": "Value2"
+ }
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/d926aa95-0a04-4abc-b20c-acf54afe38a1.md b/docs/queries/cloudformation-queries/aws/d926aa95-0a04-4abc-b20c-acf54afe38a1.md
new file mode 100644
index 00000000000..7ead2981bfe
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/d926aa95-0a04-4abc-b20c-acf54afe38a1.md
@@ -0,0 +1,299 @@
+---
+title: ElasticSearch Encryption With KMS Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d926aa95-0a04-4abc-b20c-acf54afe38a1
+- **Query name:** ElasticSearch Encryption With KMS Disabled
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elasticsearch_domain_encryption_with_kms_disabled)
+
+### Description
+Check if any ElasticSearch domain isn't encrypted with KMS.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticsearch-domain.html#cfn-elasticsearch-domain-encryptionatrestoptions)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="15"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Creates RDS Cluster
+Resources:
+ ElasticsearchDomain:
+ Type: AWS::Elasticsearch::Domain
+ Properties:
+ DomainName: "test"
+ ElasticsearchClusterConfig:
+ DedicatedMasterEnabled: "true"
+ InstanceCount: "2"
+ ZoneAwarenessEnabled: "true"
+ InstanceType: "m3.medium.elasticsearch"
+ DedicatedMasterType: "m3.medium.elasticsearch"
+ DedicatedMasterCount: "3"
+ EncryptionAtRestOptions:
+ Enabled: true
+ EBSOptions:
+ EBSEnabled: true
+ Iops: 0
+ VolumeSize: 20
+ VolumeType: "gp2"
+ SnapshotOptions:
+ AutomatedSnapshotStartHour: "0"
+ AccessPolicies:
+ Version: "2012-10-17"
+ Statement:
+ -
+ Effect: "Allow"
+ Principal:
+ AWS: "arn:aws:iam::123456789012:user/es-user"
+ Action: "es:*"
+ Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
+ AdvancedOptions:
+ rest.action.multi.allow_explicit_index: "true"
+
+
+```
+```json title="Postitive test num.
2 - json file" hl_lines="7"
+{
+ "Description": "Creates RDS Cluster",
+ "Resources": {
+ "ElasticsearchDomain": {
+ "Type": "AWS::Elasticsearch::Domain",
+ "Properties": {
+ "EncryptionAtRestOptions": {
+ "Enabled": true
+ },
+ "EBSOptions": {
+ "EBSEnabled": true,
+ "Iops": 0,
+ "VolumeSize": 20,
+ "VolumeType": "gp2"
+ },
+ "SnapshotOptions": {
+ "AutomatedSnapshotStartHour": "0"
+ },
+ "AccessPolicies": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/es-user"
+ },
+ "Action": "es:*",
+ "Resource": "arn:aws:es:us-east-1:846973539254:domain/test/*"
+ }
+ ]
+ },
+ "AdvancedOptions": {
+ "rest.action.multi.allow_explicit_index": "true"
+ },
+ "DomainName": "test",
+ "ElasticsearchClusterConfig": {
+ "DedicatedMasterType": "m3.medium.elasticsearch",
+ "DedicatedMasterCount": "3",
+ "DedicatedMasterEnabled": "true",
+ "InstanceCount": "2",
+ "ZoneAwarenessEnabled": "true",
+ "InstanceType": "m3.medium.elasticsearch"
+ }
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09"
+}
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="6"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Creates RDS Cluster2
+Resources:
+ ElasticsearchDomain:
+ Type: AWS::Elasticsearch::Domain
+ Properties:
+ DomainName: "test"
+ ElasticsearchClusterConfig:
+ DedicatedMasterEnabled: "true"
+ InstanceCount: "2"
+ ZoneAwarenessEnabled: "true"
+ InstanceType: "m3.medium.elasticsearch"
+ DedicatedMasterType: "m3.medium.elasticsearch"
+ DedicatedMasterCount: "3"
+ EBSOptions:
+ EBSEnabled: true
+ Iops: 0
+ VolumeSize: 20
+ VolumeType: "gp2"
+ SnapshotOptions:
+ AutomatedSnapshotStartHour: "0"
+ AccessPolicies:
+ Version: "2012-10-17"
+ Statement:
+ -
+ Effect: "Allow"
+ Principal:
+ AWS: "arn:aws:iam::123456789012:user/es-user"
+ Action: "es:*"
+ Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
+ AdvancedOptions:
+ rest.action.multi.allow_explicit_index: "true"
+
+
+```
+
Postitive test num. 4 - json file
+
+```json hl_lines="6"
+{
+ "Description": "Creates RDS Cluster2",
+ "Resources": {
+ "ElasticsearchDomain": {
+ "Type": "AWS::Elasticsearch::Domain",
+ "Properties": {
+ "EBSOptions": {
+ "EBSEnabled": true,
+ "Iops": 0,
+ "VolumeSize": 20,
+ "VolumeType": "gp2"
+ },
+ "SnapshotOptions": {
+ "AutomatedSnapshotStartHour": "0"
+ },
+ "AccessPolicies": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/es-user"
+ },
+ "Action": "es:*",
+ "Resource": "arn:aws:es:us-east-1:846973539254:domain/test/*"
+ }
+ ]
+ },
+ "AdvancedOptions": {
+ "rest.action.multi.allow_explicit_index": "true"
+ },
+ "DomainName": "test",
+ "ElasticsearchClusterConfig": {
+ "DedicatedMasterType": "m3.medium.elasticsearch",
+ "DedicatedMasterCount": "3",
+ "DedicatedMasterEnabled": "true",
+ "InstanceCount": "2",
+ "ZoneAwarenessEnabled": "true",
+ "InstanceType": "m3.medium.elasticsearch"
+ }
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09"
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Creates RDS Cluster
+Resources:
+ ElasticsearchDomain:
+ Type: AWS::Elasticsearch::Domain
+ Properties:
+ DomainName: "test"
+ ElasticsearchClusterConfig:
+ DedicatedMasterEnabled: "true"
+ InstanceCount: "2"
+ ZoneAwarenessEnabled: "true"
+ InstanceType: "m3.medium.elasticsearch"
+ DedicatedMasterType: "m3.medium.elasticsearch"
+ DedicatedMasterCount: "3"
+ EncryptionAtRestOptions:
+ Enabled: true
+ KmsKeyId: "some-kms-key-id"
+ EBSOptions:
+ EBSEnabled: true
+ Iops: 0
+ VolumeSize: 20
+ VolumeType: "gp2"
+ SnapshotOptions:
+ AutomatedSnapshotStartHour: "0"
+ AccessPolicies:
+ Version: "2012-10-17"
+ Statement:
+ -
+ Effect: "Allow"
+ Principal:
+ AWS: "arn:aws:iam::123456789012:user/es-user"
+ Action: "es:*"
+ Resource: "arn:aws:es:us-east-1:846973539254:domain/test/*"
+ AdvancedOptions:
+ rest.action.multi.allow_explicit_index: "true"
+
+```
+```json title="Negative test num.
2 - json file"
+{
+ "Resources": {
+ "ElasticsearchDomain": {
+ "Type": "AWS::Elasticsearch::Domain",
+ "Properties": {
+ "AccessPolicies": {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::123456789012:user/es-user"
+ },
+ "Action": "es:*",
+ "Resource": "arn:aws:es:us-east-1:846973539254:domain/test/*"
+ }
+ ]
+ },
+ "AdvancedOptions": {
+ "rest.action.multi.allow_explicit_index": "true"
+ },
+ "DomainName": "test",
+ "ElasticsearchClusterConfig": {
+ "DedicatedMasterCount": "3",
+ "DedicatedMasterEnabled": "true",
+ "InstanceCount": "2",
+ "ZoneAwarenessEnabled": "true",
+ "InstanceType": "m3.medium.elasticsearch",
+ "DedicatedMasterType": "m3.medium.elasticsearch"
+ },
+ "EncryptionAtRestOptions": {
+ "Enabled": true,
+ "KmsKeyId": "some-kms-key-id"
+ },
+ "EBSOptions": {
+ "EBSEnabled": true,
+ "Iops": 0,
+ "VolumeSize": 20,
+ "VolumeType": "gp2"
+ },
+ "SnapshotOptions": {
+ "AutomatedSnapshotStartHour": "0"
+ }
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "Creates RDS Cluster"
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/da905474-7454-43c0-b8d2-5756ab951aba.md b/docs/queries/cloudformation-queries/aws/da905474-7454-43c0-b8d2-5756ab951aba.md
new file mode 100644
index 00000000000..af8e75f79b1
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/da905474-7454-43c0-b8d2-5756ab951aba.md
@@ -0,0 +1,149 @@
+---
+title: KMS Key With Vulnerable Policy
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** da905474-7454-43c0-b8d2-5756ab951aba
+- **Query name:** KMS Key With Vulnerable Policy
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/kms_key_with_vulnerable_policy)
+
+### Description
+Checks if the policy is vulnerable and needs updating.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```json title="Postitive test num. 1 - json file" hl_lines="8 9 4 5"
+{
+ "Resources": {
+ "RSASigningKey": {
+ "Type": "AWS::KMS::Key",
+ "Properties": {
+ "Description": "RSA-3047 asymmetric CMK for signing and verification",
+ "KeySpec": "RSA_3072",
+ "KeyUsage": "SIGN_VERIFY",
+ "KeyPolicy": {
+ "Version": "2012-10-17",
+ "Id": "key-default-1",
+ "Statement": [
+ {
+ "Sid": "Enable IAM User Permissions",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "*"
+ },
+ "Action": "kms:*",
+ "Resource": "*"
+ }
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="8 9 4 5"
+Resources:
+ RSASigningKey:
+ Type: AWS::KMS::Key
+ Properties:
+ Description: RSA-3047 asymmetric CMK for signing and verification
+ KeySpec: RSA_3072
+ KeyUsage: SIGN_VERIFY
+ KeyPolicy:
+ Version: '2012-10-17'
+ Id: key-default-1
+ Statement:
+ - Sid: Enable IAM User Permissions
+ Effect: Allow
+ Principal:
+ AWS: '*'
+ Action: kms:*
+ Resource: '*'
+
+```
+
+
+#### Code samples without security vulnerabilities
+```json title="Negative test num.
1 - json file"
+{
+ "Resources": {
+ "RSASigningKey": {
+ "Type": "AWS::KMS::Key",
+ "Properties": {
+ "Description": "RSA-3047 asymmetric CMK for signing and verification",
+ "KeySpec": "RSA_3072",
+ "KeyUsage": "SIGN_VERIFY",
+ "KeyPolicy": {
+ "Version": "2012-10-17",
+ "Id": "key-default-1",
+ "Statement": [
+ {
+ "Sid": "Allow administration of the key",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam::111122223333:role/Admin"
+ },
+ "Action": [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+Resources:
+ RSASigningKey:
+ Type: AWS::KMS::Key
+ Properties:
+ Description: RSA-3047 asymmetric CMK for signing and verification
+ KeySpec: RSA_3072
+ KeyUsage: SIGN_VERIFY
+ KeyPolicy:
+ Version: '2012-10-17'
+ Id: key-default-1
+ Statement:
+ - Sid: Allow use of the key
+ Effect: Allow
+ Principal:
+ AWS: arn:aws:iam::111122223333:role/Developer
+ Action:
+ - kms:Sign
+ - kms:Verify
+ - kms:DescribeKey
+ Resource: '*'
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md b/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md
new file mode 100644
index 00000000000..869d4ddf2fa
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md
@@ -0,0 +1,287 @@
+---
+title: Security Group Egress With Port Range
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** dae9c373-8287-462f-8746-6f93dad93610
+- **Query name:** Security Group Egress With Port Range
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_group_egress_with_port_range)
+
+### Description
+AWS Security Group Egress should have a single port
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 22"
+Resources:
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ Description: TCP
+ FromPort: 80
+ ToPort: 87
+ CidrIp: 0.0.0.0/0
+ SecurityGroupEgress:
+ - IpProtocol: tcp
+ Description: TCP
+ FromPort: 80
+ ToPort: 87
+ CidrIp: 0.0.0.0/0
+ OutboundRule:
+ Type: AWS::EC2::SecurityGroupEgress
+ Properties:
+ Description: TCP
+ IpProtocol: tcp
+ FromPort: 0
+ ToPort: 65535
+ DestinationSecurityGroupId:
+ Fn::GetAtt:
+ - TargetSG
+ - GroupId
+ GroupId:
+ Fn::GetAtt:
+ - SourceSG
+ - GroupId
+ InboundRule:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ Description: TCP
+ IpProtocol: tcp
+ FromPort: 0
+ ToPort: 65535
+ SourceSecurityGroupId:
+ Fn::GetAtt:
+ - SourceSG
+ - GroupId
+ GroupId:
+ Fn::GetAtt:
+ - TargetSG
+ - GroupId
+```
+```json title="Postitive test num. 2 - json file" hl_lines="32 5"
+{
+ "Resources": {
+ "InstanceSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "Allow http to client host",
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "Description": "TCP",
+ "FromPort": 80,
+ "ToPort": 87,
+ "CidrIp": "0.0.0.0/0",
+ "IpProtocol": "tcp"
+ }
+ ],
+ "SecurityGroupEgress": [
+ {
+ "Description": "TCP",
+ "FromPort": 80,
+ "ToPort": 87,
+ "CidrIp": "0.0.0.0/0",
+ "IpProtocol": "tcp"
+ }
+ ]
+ }
+ },
+ "OutboundRule": {
+ "Type": "AWS::EC2::SecurityGroupEgress",
+ "Properties": {
+ "IpProtocol": "tcp",
+ "FromPort": 0,
+ "ToPort": 65535,
+ "DestinationSecurityGroupId": {
+ "Fn::GetAtt": [
+ "TargetSG",
+ "GroupId"
+ ]
+ },
+ "GroupId": {
+ "Fn::GetAtt": [
+ "SourceSG",
+ "GroupId"
+ ]
+ },
+ "Description": "TCP"
+ }
+ },
+ "InboundRule": {
+ "Type": "AWS::EC2::SecurityGroupIngress",
+ "Properties": {
+ "GroupId": {
+ "Fn::GetAtt": [
+ "TargetSG",
+ "GroupId"
+ ]
+ },
+ "Description": "TCP",
+ "IpProtocol": "tcp",
+ "FromPort": 0,
+ "ToPort": 65535,
+ "SourceSecurityGroupId": {
+ "Fn::GetAtt": [
+ "SourceSG",
+ "GroupId"
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+Resources:
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ Description: TCP
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 0.0.0.0/0
+ SecurityGroupEgress:
+ - IpProtocol: tcp
+ Description: TCP
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 0.0.0.0/0
+ OutboundRule:
+ Type: AWS::EC2::SecurityGroupEgress
+ Properties:
+ Description: TCP
+ IpProtocol: tcp
+ FromPort: 0
+ ToPort: 0
+ DestinationSecurityGroupId:
+ Fn::GetAtt:
+ - TargetSG
+ - GroupId
+ GroupId:
+ Fn::GetAtt:
+ - SourceSG
+ - GroupId
+ InboundRule:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ Description: TCP
+ IpProtocol: tcp
+ FromPort: 0
+ ToPort: 0
+ SourceSecurityGroupId:
+ Fn::GetAtt:
+ - SourceSG
+ - GroupId
+ GroupId:
+ Fn::GetAtt:
+ - TargetSG
+ - GroupId
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "InstanceSecurityGroup": {
+ "Properties": {
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "FromPort": 80,
+ "ToPort": 80,
+ "CidrIp": "0.0.0.0/0",
+ "IpProtocol": "tcp",
+ "Description": "TCP"
+ }
+ ],
+ "SecurityGroupEgress": [
+ {
+ "IpProtocol": "tcp",
+ "Description": "TCP",
+ "FromPort": 80,
+ "ToPort": 80,
+ "CidrIp": "0.0.0.0/0"
+ }
+ ],
+ "GroupDescription": "Allow http to client host"
+ },
+ "Type": "AWS::EC2::SecurityGroup"
+ },
+ "OutboundRule": {
+ "Properties": {
+ "IpProtocol": "tcp",
+ "FromPort": 0,
+ "ToPort": 0,
+ "DestinationSecurityGroupId": {
+ "Fn::GetAtt": [
+ "TargetSG",
+ "GroupId"
+ ]
+ },
+ "GroupId": {
+ "Fn::GetAtt": [
+ "SourceSG",
+ "GroupId"
+ ]
+ },
+ "Description": "TCP"
+ },
+ "Type": "AWS::EC2::SecurityGroupEgress"
+ },
+ "InboundRule": {
+ "Type": "AWS::EC2::SecurityGroupIngress",
+ "Properties": {
+ "Description": "TCP",
+ "IpProtocol": "tcp",
+ "FromPort": 0,
+ "ToPort": 0,
+ "SourceSecurityGroupId": {
+ "Fn::GetAtt": [
+ "SourceSG",
+ "GroupId"
+ ]
+ },
+ "GroupId": {
+ "Fn::GetAtt": [
+ "TargetSG",
+ "GroupId"
+ ]
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md b/docs/queries/cloudformation-queries/aws/dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md
new file mode 100644
index 00000000000..aa56888c2dd
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/dc17ee4b-ddf2-4e23-96e8-7a36abad1303.md
@@ -0,0 +1,269 @@
+---
+title: CloudFront Without Minimum Protocol TLS 1.2
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** dc17ee4b-ddf2-4e23-96e8-7a36abad1303
+- **Query name:** CloudFront Without Minimum Protocol TLS 1.2
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudfront_without_minimum_protocol_tls_1.2)
+
+### Description
+CloudFront Minimum Protocol version should be at least TLS 1.2
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-distribution.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+ cloudfrontdistribution:
+ Type: AWS::CloudFront::Distribution
+ Properties:
+ DistributionConfig:
+ Enabled: true
+ CacheBehaviors:
+ - LambdaFunctionAssociations:
+ - EventType: string-value
+ LambdaFunctionARN: string-value
+ DefaultCacheBehavior:
+ LambdaFunctionAssociations:
+ - EventType: string-value
+ LambdaFunctionARN: string-value
+ IPV6Enabled: boolean-value
+ Origins:
+ - CustomOriginConfig:
+ OriginKeepaliveTimeout: integer-value
+ OriginReadTimeout: integer-value
+ ViewerCertificate:
+ AcmCertificateArn: String
+ CloudFrontDefaultCertificate: true
+ IamCertificateId: String
+ MinimumProtocolVersion: "TLSv1.1_2016"
+ SslSupportMethod: String
+ Tags:
+ - Key: string-value
+ Value: string-value
+ cloudfrontdistribution2:
+ Type: AWS::CloudFront::Distribution
+ Properties:
+ DistributionConfig:
+ Enabled: true
+ CacheBehaviors:
+ - LambdaFunctionAssociations:
+ - EventType: string-value
+ LambdaFunctionARN: string-value
+ DefaultCacheBehavior:
+ LambdaFunctionAssociations:
+ - EventType: string-value
+ LambdaFunctionARN: string-value
+ IPV6Enabled: boolean-value
+ Origins:
+ - CustomOriginConfig:
+ OriginKeepaliveTimeout: integer-value
+ OriginReadTimeout: integer-value
+ Tags:
+ - Key: string-value
+ Value: string-value
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="11 55"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Resources": {
+ "cloudfrontdistribution": {
+ "Type": "AWS::CloudFront::Distribution",
+ "Properties": {
+ "DistributionConfig": {
+ "Enabled": true,
+ "ViewerCertificate": {
+ "IamCertificateId": "String",
+ "MinimumProtocolVersion": "TLSv1.1_2016",
+ "SslSupportMethod": "String",
+ "AcmCertificateArn": "String",
+ "CloudFrontDefaultCertificate": true
+ },
+ "CacheBehaviors": [
+ {
+ "LambdaFunctionAssociations": [
+ {
+ "EventType": "string-value",
+ "LambdaFunctionARN": "string-value"
+ }
+ ]
+ }
+ ],
+ "DefaultCacheBehavior": {
+ "LambdaFunctionAssociations": [
+ {
+ "EventType": "string-value",
+ "LambdaFunctionARN": "string-value"
+ }
+ ]
+ },
+ "IPV6Enabled": "boolean-value",
+ "Origins": [
+ {
+ "CustomOriginConfig": {
+ "OriginKeepaliveTimeout": "integer-value",
+ "OriginReadTimeout": "integer-value"
+ }
+ }
+ ]
+ },
+ "Tags": [
+ {
+ "Key": "string-value",
+ "Value": "string-value"
+ }
+ ]
+ }
+ },
+ "cloudfrontdistribution2": {
+ "Type": "AWS::CloudFront::Distribution",
+ "Properties": {
+ "DistributionConfig": {
+ "Enabled": true,
+ "Origins": [
+ {
+ "CustomOriginConfig": {
+ "OriginKeepaliveTimeout": "integer-value",
+ "OriginReadTimeout": "integer-value"
+ }
+ }
+ ],
+ "CacheBehaviors": [
+ {
+ "LambdaFunctionAssociations": [
+ {
+ "EventType": "string-value",
+ "LambdaFunctionARN": "string-value"
+ }
+ ]
+ }
+ ],
+ "DefaultCacheBehavior": {
+ "LambdaFunctionAssociations": [
+ {
+ "LambdaFunctionARN": "string-value",
+ "EventType": "string-value"
+ }
+ ]
+ },
+ "IPV6Enabled": "boolean-value"
+ },
+ "Tags": [
+ {
+ "Key": "string-value",
+ "Value": "string-value"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+ cloudfrontdistribution:
+ Type: AWS::CloudFront::Distribution
+ Properties:
+ DistributionConfig:
+ CacheBehaviors:
+ - LambdaFunctionAssociations:
+ - EventType: string-value
+ LambdaFunctionARN: string-value
+ DefaultCacheBehavior:
+ LambdaFunctionAssociations:
+ - EventType: string-value
+ LambdaFunctionARN: string-value
+ IPV6Enabled: boolean-value
+ Origins:
+ - CustomOriginConfig:
+ OriginKeepaliveTimeout: integer-value
+ OriginReadTimeout: integer-value
+ ViewerCertificate:
+ AcmCertificateArn: String
+ CloudFrontDefaultCertificate: true
+ IamCertificateId: String
+ MinimumProtocolVersion: "TLSv1.2_2018"
+ SslSupportMethod: String
+ Tags:
+ - Key: string-value
+ Value: string-value
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Resources": {
+ "cloudfrontdistribution": {
+ "Type": "AWS::CloudFront::Distribution",
+ "Properties": {
+ "DistributionConfig": {
+ "CacheBehaviors": [
+ {
+ "LambdaFunctionAssociations": [
+ {
+ "EventType": "string-value",
+ "LambdaFunctionARN": "string-value"
+ }
+ ]
+ }
+ ],
+ "DefaultCacheBehavior": {
+ "LambdaFunctionAssociations": [
+ {
+ "EventType": "string-value",
+ "LambdaFunctionARN": "string-value"
+ }
+ ]
+ },
+ "IPV6Enabled": "boolean-value",
+ "Origins": [
+ {
+ "CustomOriginConfig": {
+ "OriginKeepaliveTimeout": "integer-value",
+ "OriginReadTimeout": "integer-value"
+ }
+ }
+ ],
+ "ViewerCertificate": {
+ "IamCertificateId": "String",
+ "MinimumProtocolVersion": "TLSv1.2_2018",
+ "SslSupportMethod": "String",
+ "AcmCertificateArn": "String",
+ "CloudFrontDefaultCertificate": true
+ }
+ },
+ "Tags": [
+ {
+ "Key": "string-value",
+ "Value": "string-value"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/dc1ab429-1481-4540-9b1d-280e3f15f1f8.md b/docs/queries/cloudformation-queries/aws/dc1ab429-1481-4540-9b1d-280e3f15f1f8.md
new file mode 100644
index 00000000000..8c08237fd64
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/dc1ab429-1481-4540-9b1d-280e3f15f1f8.md
@@ -0,0 +1,98 @@
+---
+title: Serverless Function Without X-Ray Tracing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** dc1ab429-1481-4540-9b1d-280e3f15f1f8
+- **Query name:** Serverless Function Without X-Ray Tracing
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_sam/serverless_function_without_x-ray_tracing)
+
+### Description
+AWS Serverless Function should have Tracing enabled. For this, property 'Tracing' should have the value 'Active'
+[Documentation](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: AWS SAM template with a simple API definition
+Resources:
+ Function1:
+ Type: AWS::Serverless::Function
+ Properties:
+ PackageType: Image
+ ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
+ ImageConfig:
+ Command:
+ - "app.lambda_handler"
+ EntryPoint:
+ - "entrypoint1"
+ WorkingDirectory: "workDir"
+ Tags:
+ - Key: Type
+ Value: AWS Serverless Function
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="19"
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: AWS SAM template with a simple API definition
+Resources:
+ Function2:
+ Type: AWS::Serverless::Function
+ Properties:
+ PackageType: Image
+ ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
+ ImageConfig:
+ Command:
+ - "app.lambda_handler"
+ EntryPoint:
+ - "entrypoint1"
+ WorkingDirectory: "workDir"
+ Tags:
+ - Key: Type
+ Value: AWS Serverless Function
+ Tracing: PassThrough
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: AWS SAM template with a simple API definition
+Resources:
+ Function3:
+ Type: AWS::Serverless::Function
+ Properties:
+ PackageType: Image
+ ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
+ ImageConfig:
+ Command:
+ - "app.lambda_handler"
+ EntryPoint:
+ - "entrypoint1"
+ WorkingDirectory: "workDir"
+ Tags:
+ - Key: Type
+ Value: AWS Serverless Function
+ Tracing: Active
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md b/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md
new file mode 100644
index 00000000000..115211f81d3
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/dd0971a6-09c3-4168-8474-a7ef8fbfd99d.md
@@ -0,0 +1,115 @@
+---
+title: Memcached Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** dd0971a6-09c3-4168-8474-a7ef8fbfd99d
+- **Query name:** Memcached Disabled
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/memcached_disabled)
+
+### Description
+Check if the Memcached is disabled on the ElastiCache
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticache-cache-cluster.html#cfn-elasticache-cachecluster-engine)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+ ElasticacheCluster3:
+ Type: 'AWS::ElastiCache::CacheCluster'
+ Properties:
+ Engine: redis
+ CacheNodeType: cache.t2.micro
+ NumCacheNodes: '1'
+ VpcSecurityGroupIds:
+ - !GetAtt
+ - ElasticacheSecurityGroup
+ - GroupId
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="7"
+{
+ "Description": "A sample template",
+ "Resources": {
+ "ElasticacheCluster4": {
+ "Type": "AWS::ElastiCache::CacheCluster",
+ "Properties": {
+ "Engine": "redis",
+ "CacheNodeType": "cache.t2.micro",
+ "NumCacheNodes": "1",
+ "VpcSecurityGroupIds": [
+ {
+ "Fn::GetAtt": [
+ "ElasticacheSecurityGroup",
+ "GroupId"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: 2010-09-09
+Description: A sample template
+Resources:
+ ElasticacheCluster:
+ Type: 'AWS::ElastiCache::CacheCluster'
+ Properties:
+ Engine: memcached
+ CacheNodeType: cache.t2.micro
+ NumCacheNodes: '1'
+ VpcSecurityGroupIds:
+ - !GetAtt
+ - ElasticacheSecurityGroup
+ - GroupId
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Description": "A sample template",
+ "Resources": {
+ "ElasticacheCluster2": {
+ "Type": "AWS::ElastiCache::CacheCluster",
+ "Properties": {
+ "Engine": "memcached",
+ "CacheNodeType": "cache.t2.micro",
+ "NumCacheNodes": "1",
+ "VpcSecurityGroupIds": [
+ {
+ "Fn::GetAtt": [
+ "ElasticacheSecurityGroup",
+ "GroupId"
+ ]
+ }
+ ]
+ }
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md b/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md
new file mode 100644
index 00000000000..01ce69498d1
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md
@@ -0,0 +1,111 @@
+---
+title: HTTP Port Open To Internet
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ddfc4eaa-af23-409f-b96c-bf5c45dc4daa
+- **Query name:** HTTP Port Open To Internet
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/http_port_open)
+
+### Description
+The HTTP port is open to the internet in a Security Group
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+Resources:
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 0.0.0.0/0
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="10"
+{
+ "Resources": {
+ "InstanceSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "Allow http to client host",
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "IpProtocol": "tcp",
+ "FromPort": 80,
+ "ToPort": 80,
+ "CidrIp": "0.0.0.0/0"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+Resources:
+ InstanceSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: Allow http to client host
+ VpcId:
+ Ref: myVPC
+ SecurityGroupIngress:
+ - IpProtocol: tcp
+ FromPort: 80
+ ToPort: 80
+ CidrIp: 192.168.0.0/16
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "InstanceSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "Allow http to client host",
+ "VpcId": {
+ "Ref": "myVPC"
+ },
+ "SecurityGroupIngress": [
+ {
+ "IpProtocol": "tcp",
+ "FromPort": 80,
+ "ToPort": 80,
+ "CidrIp": "192.168.0.0/16"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/de38e1d5-54cb-4111-a868-6f7722695007.md b/docs/queries/cloudformation-queries/aws/de38e1d5-54cb-4111-a868-6f7722695007.md
new file mode 100644
index 00000000000..cbd680d92f7
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/de38e1d5-54cb-4111-a868-6f7722695007.md
@@ -0,0 +1,329 @@ +--- +title: DB Instance Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** de38e1d5-54cb-4111-a868-6f7722695007 +- **Query name:** DB Instance Publicly Accessible +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/db_instance_publicly_accessible) + +### Description +RDS must not be defined with public interface, which means the attribute 'PubliclyAccessible' must be set to false.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="69" +#this is a problematic code where the query should report a result(s) +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + Description": "AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: + Sample template showing how to create a DB instance with Enhanced Monitoring enabled. + **WARNING** This template creates an RDS DB instance. You will be billed for the AWS + resources used if you create a stack from this template. +Parameters: + DBInstanceID: + Default: mydbinstance + Description: My database instance + Type: String + MinLength: '1' + MaxLength: '63' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: >- + Must begin with a letter and must not end with a hyphen or contain two + consecutive hyphens. + DBName: + Default: mydb + Description: My database + Type: String + MinLength: '1' + MaxLength: '64' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: Must begin with a letter and contain only alphanumeric characters. + DBInstanceClass: + Default: db.m5.large + Description: DB instance class + Type: String + ConstraintDescription: Must select a valid DB instance type. + DBAllocatedStorage: + Default: '50' + Description: The size of the database (GiB) + Type: Number + MinValue: '5' + MaxValue: '1024' + ConstraintDescription: must be between 20 and 65536 GiB. + DBUsername: + NoEcho: 'true' + Description: Username for MySQL database access + Type: String + MinLength: '1' + MaxLength: '16' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. 
+ DBPassword: + NoEcho: 'true' + Description: Password MySQL database access + Type: String + MinLength: '8' + MaxLength: '41' + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: must contain only alphanumeric characters. +Resources: + MyDB: + Type: 'AWS::RDS::DBInstance' + Properties: + DBInstanceIdentifier: !Ref DBInstanceID + DBName: !Ref DBName + DBInstanceClass: !Ref DBInstanceClass + AllocatedStorage: !Ref DBAllocatedStorage + Engine: MySQL + EngineVersion: 8.0.16 + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + MonitoringInterval: '60' + MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' + PubliclyAccessible: true +``` +```json title="Postitive test num. 2 - json file" hl_lines="61" +{ + "Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. 
You will be billed for the AWS resources used if you create a stack from this template.", + "Parameters": { + "DBInstanceClass": { + "Description": "DB instance class", + "Type": "String", + "ConstraintDescription": "Must select a valid DB instance type.", + "Default": "db.m5.large" + }, + "DBAllocatedStorage": { + "ConstraintDescription": "must be between 20 and 65536 GiB.", + "Default": "50", + "Description": "The size of the database (GiB)", + "Type": "Number", + "MinValue": "5", + "MaxValue": "1024" + }, + "DBUsername": { + "MinLength": "1", + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String" + }, + "DBPassword": { + "Type": "String", + "MinLength": "8", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Password MySQL database access" + }, + "DBInstanceID": { + "Default": "mydbinstance", + "Description": "My database instance", + "Type": "String", + "MinLength": "1", + "MaxLength": "63", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens." 
+ }, + "DBName": { + "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters.", + "Default": "mydb", + "Description": "My database", + "Type": "String", + "MinLength": "1", + "MaxLength": "64", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*" + } + }, + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "MasterUsername": "DBUsername", + "MasterUserPassword": "DBPassword", + "PubliclyAccessible": true, + "DBInstanceIdentifier": "DBInstanceID", + "DBName": "DBName", + "AllocatedStorage": "DBAllocatedStorage", + "MonitoringInterval": "60", + "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role", + "DBInstanceClass": "DBInstanceClass", + "Engine": "MySQL", + "EngineVersion": "8.0.16" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + Description": "AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: + Sample template showing how to create a DB instance with Enhanced Monitoring enabled. + **WARNING** This template creates an RDS DB instance. You will be billed for the AWS + resources used if you create a stack from this template. +Parameters: + DBInstanceID: + Default: mydbinstance + Description: My database instance + Type: String + MinLength: '1' + MaxLength: '63' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: >- + Must begin with a letter and must not end with a hyphen or contain two + consecutive hyphens. + DBName: + Default: mydb + Description: My database + Type: String + MinLength: '1' + MaxLength: '64' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: Must begin with a letter and contain only alphanumeric characters. 
+ DBInstanceClass: + Default: db.m5.large + Description: DB instance class + Type: String + ConstraintDescription: Must select a valid DB instance type. + DBAllocatedStorage: + Default: '50' + Description: The size of the database (GiB) + Type: Number + MinValue: '5' + MaxValue: '1024' + ConstraintDescription: must be between 20 and 65536 GiB. + DBUsername: + NoEcho: 'true' + Description: Username for MySQL database access + Type: String + MinLength: '1' + MaxLength: '16' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: 'true' + Description: Password MySQL database access + Type: String + MinLength: '8' + MaxLength: '41' + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: must contain only alphanumeric characters. +Resources: + MyDB: + Type: 'AWS::RDS::DBInstance' + Properties: + DBInstanceIdentifier: !Ref DBInstanceID + DBName: !Ref DBName + DBInstanceClass: !Ref DBInstanceClass + AllocatedStorage: !Ref DBAllocatedStorage + Engine: MySQL + EngineVersion: 8.0.16 + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + MonitoringInterval: '60' + MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' + PubliclyAccessible: false + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "AllocatedStorage": "DBAllocatedStorage", + "EngineVersion": "8.0.16", + "MasterUserPassword": "DBPassword", + "MonitoringInterval": "60", + "DBInstanceIdentifier": "DBInstanceID", + "DBName": "DBName", + "DBInstanceClass": "DBInstanceClass", + "Engine": "MySQL", + "MasterUsername": "DBUsername", + "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role", + "PubliclyAccessible": false + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.", + "Parameters": { + "DBPassword": { + "NoEcho": "true", + "Description": "Password MySQL database access", + "Type": "String", + "MinLength": "8", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters." + }, + "DBInstanceID": { + "MinLength": "1", + "MaxLength": "63", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens.", + "Default": "mydbinstance", + "Description": "My database instance", + "Type": "String" + }, + "DBName": { + "Default": "mydb", + "Description": "My database", + "Type": "String", + "MinLength": "1", + "MaxLength": "64", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters." + }, + "DBInstanceClass": { + "Default": "db.m5.large", + "Description": "DB instance class", + "Type": "String", + "ConstraintDescription": "Must select a valid DB instance type." 
+ }, + "DBAllocatedStorage": { + "Description": "The size of the database (GiB)", + "Type": "Number", + "MinValue": "5", + "MaxValue": "1024", + "ConstraintDescription": "must be between 20 and 65536 GiB.", + "Default": "50" + }, + "DBUsername": { + "MinLength": "1", + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/de76a0d6-66d5-45c9-9022-f05545b85c78.md b/docs/queries/cloudformation-queries/aws/de76a0d6-66d5-45c9-9022-f05545b85c78.md new file mode 100644 index 00000000000..e4ec7f4e8cc --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/de76a0d6-66d5-45c9-9022-f05545b85c78.md @@ -0,0 +1,175 @@ +--- +title: Redshift Cluster Without KMS CMK +hide: + toc: true + navigation: true +--- + + + +- **Query id:** de76a0d6-66d5-45c9-9022-f05545b85c78 +- **Query name:** Redshift Cluster Without KMS CMK +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/redshift_cluster_without_kms_cmk) + +### Description +AWS Redshift Cluster should have KMS CMK defined
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-cluster.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: 2010-09-09 +Description: Redshift Stack +Resources: + RedshiftCluster: + Type: AWS::Redshift::Cluster + Properties: + ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup + ClusterType: !If [ SingleNode, single-node, multi-node ] + NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #' + DBName: !Sub ${DatabaseName} + IamRoles: + - !GetAtt RawDataBucketAccessRole.Arn + MasterUserPassword: !Ref MasterUserPassword + MasterUsername: !Ref MasterUsername + PubliclyAccessible: true + NodeType: dc1.large + Port: 5439 + VpcSecurityGroupIds: + - !Sub ${RedshiftSecurityGroup} + PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 + DataBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: !Sub ${DataBucketName} +``` +```json title="Postitive test num. 
2 - json file" hl_lines="12" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Redshift Stack", + "Resources": { + "DataBucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "${DataBucketName}" + } + }, + "RedshiftCluster": { + "Properties": { + "NodeType": "dc1.large", + "Port": 5439, + "VpcSecurityGroupIds": [ + "${RedshiftSecurityGroup}" + ], + "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup", + "ClusterType": [ + "SingleNode", + "single-node", + "multi-node" + ], + "MasterUserPassword": "MasterUserPassword", + "MasterUsername": "MasterUsername", + "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45", + "NumberOfNodes": [ + "SingleNode", + "AWS::NoValue", + "RedshiftNodeCount" + ], + "DBName": "${DatabaseName}", + "IamRoles": [ + "RawDataBucketAccessRole.Arn" + ], + "PubliclyAccessible": true + }, + "Type": "AWS::Redshift::Cluster" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: Redshift Stack +Resources: + RedshiftCluster: + Type: AWS::Redshift::Cluster + Properties: + ClusterSubnetGroupName: !Ref RedshiftClusterSubnetGroup + ClusterType: !If [ SingleNode, single-node, multi-node ] + NumberOfNodes: !If [ SingleNode, !Ref 'AWS::NoValue', !Ref RedshiftNodeCount ] #' + DBName: !Sub ${DatabaseName} + IamRoles: + - !GetAtt RawDataBucketAccessRole.Arn + MasterUserPassword: !Ref MasterUserPassword + MasterUsername: !Ref MasterUsername + PubliclyAccessible: true + NodeType: dc1.large + Port: 5439 + VpcSecurityGroupIds: + - !Sub ${RedshiftSecurityGroup} + PreferredMaintenanceWindow: Sun:09:15-Sun:09:45 + KmsKeyId: wewewewewefsa + DataBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: !Sub ${DataBucketName} +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Redshift Stack", + "Resources": { + "RedshiftCluster": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "IamRoles": [ + "RawDataBucketAccessRole.Arn" + ], + "PubliclyAccessible": true, + "NodeType": "dc1.large", + "Port": 5439, + "VpcSecurityGroupIds": [ + "${RedshiftSecurityGroup}" + ], + "PreferredMaintenanceWindow": "Sun:09:15-Sun:09:45", + "ClusterType": [ + "SingleNode", + "single-node", + "multi-node" + ], + "NumberOfNodes": [ + "SingleNode", + "AWS::NoValue", + "RedshiftNodeCount" + ], + "DBName": "${DatabaseName}", + "MasterUserPassword": "MasterUserPassword", + "MasterUsername": "MasterUsername", + "KmsKeyId": "wewewewewefsa", + "ClusterSubnetGroupName": "RedshiftClusterSubnetGroup" + } + }, + "DataBucket": { + "Properties": { + "BucketName": "${DataBucketName}" + }, + "Type": "AWS::S3::Bucket" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/de77cd9f-0e8b-46cc-b4a4-b6b436838642.md b/docs/queries/cloudformation-queries/aws/de77cd9f-0e8b-46cc-b4a4-b6b436838642.md new file mode 100644 index 00000000000..6be839294c0 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/de77cd9f-0e8b-46cc-b4a4-b6b436838642.md @@ -0,0 +1,279 @@ +--- +title: CloudFront Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** de77cd9f-0e8b-46cc-b4a4-b6b436838642 +- **Query name:** CloudFront Logging Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cloudfront_logging_disabled) + +### Description +AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined
+[Documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging-and-monitoring.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution1: + Type: AWS::CloudFront::Distribution + Properties: + DefaultCacheBehavior: + AllowedMethods: + - GET + - HEAD + - OPTIONS + TargetOriginId: myS3Origin + ForwardedValues: + QueryString: 'false' + Cookies: + Forward: none + TrustedSigners: + - 1234567890EX + ViewerProtocolPolicy: allow-all + DistributionConfig: + Origins: + - DomainName: mybucket.s3.amazonaws.com + Id: myS3Origin + S3OriginConfig: + OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z + Enabled: 'true' + Comment: Some comment + DefaultRootObject: index.html + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution2: + Type: AWS::CloudFront::Distribution + Properties: + DefaultCacheBehavior: + AllowedMethods: + - GET + - HEAD + - OPTIONS + TargetOriginId: myS3Origin + ForwardedValues: + QueryString: 'false' + Cookies: + Forward: none + TrustedSigners: + - 1234567890EX + ViewerProtocolPolicy: allow-all + DistributionConfig: + Origins: + - DomainName: mybucket.s3.amazonaws.com + Id: myS3Origin + S3OriginConfig: + OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z + Enabled: 'true' + Comment: Some comment + DefaultRootObject: index.html + Logging: + IncludeCookies: 'false' + Bucket: mylogs.amazonaws.com + Prefix: myprefix + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution1": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DefaultCacheBehavior": { + "AllowedMethods": [ + "GET", + "HEAD", + "OPTIONS" + ], + "TargetOriginId": "myS3Origin", + "ForwardedValues": { + "QueryString": "false", + "Cookies": { + "Forward": "none" + } + }, + "TrustedSigners": [ + "1234567890EX" + ], + "ViewerProtocolPolicy": "allow-all" + }, + "DistributionConfig": { + "Origins": [ + { + "DomainName": "mybucket.s3.amazonaws.com", + "Id": "myS3Origin", + "S3OriginConfig": { + "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z" + } + } + ], + "Enabled": "true", + "Comment": "Some comment", + "DefaultRootObject": "index.html" + } + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="40" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution2": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DefaultCacheBehavior": { + "AllowedMethods": [ + "GET", + "HEAD", + "OPTIONS" + ], + "TargetOriginId": "myS3Origin", + "ForwardedValues": { + "QueryString": "false", + "Cookies": { + "Forward": "none" + } + }, + "TrustedSigners": [ + "1234567890EX" + ], + "ViewerProtocolPolicy": "allow-all" + }, + "DistributionConfig": { + "Origins": [ + { + "S3OriginConfig": { + "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z" + }, + "DomainName": "mybucket.s3.amazonaws.com", + "Id": "myS3Origin" + } + ], + "Enabled": "true", + "Comment": "Some comment", + "DefaultRootObject": "index.html", + "Logging": { + "IncludeCookies": "false", + "Bucket": "mylogs.amazonaws.com", + "Prefix": "myprefix" + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution3: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Origins: + - DomainName: mybucket.s3.amazonaws.com + Id: myS3Origin + S3OriginConfig: + OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z + Enabled: 'true' + Comment: Some comment + DefaultRootObject: index.html + Logging: + IncludeCookies: 'false' + Bucket: mylogs.s3.amazonaws.com + Prefix: myprefix + DefaultCacheBehavior: + AllowedMethods: + - GET + - HEAD + - OPTIONS + TargetOriginId: myS3Origin + ForwardedValues: + QueryString: 'false' + Cookies: + Forward: none + TrustedSigners: + - 1234567890EX + ViewerProtocolPolicy: allow-all + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution3": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Logging": { + "IncludeCookies": "false", + "Bucket": "mylogs.s3.amazonaws.com", + "Prefix": "myprefix" + }, + "Origins": [ + { + "DomainName": "mybucket.s3.amazonaws.com", + "Id": "myS3Origin", + "S3OriginConfig": { + "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z" + } + } + ], + "Enabled": "true", + "Comment": "Some comment", + "DefaultRootObject": "index.html" + } + }, + "DefaultCacheBehavior": { + "ForwardedValues": { + "Cookies": { + "Forward": "none" + }, + "QueryString": "false" + }, + "TrustedSigners": [ + "1234567890EX" + ], + "ViewerProtocolPolicy": "allow-all", + "AllowedMethods": [ + "GET", + "HEAD", + "OPTIONS" + ], + "TargetOriginId": "myS3Origin" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/dfb56e5d-ee68-446e-b32a-657b62befe69.md b/docs/queries/cloudformation-queries/aws/dfb56e5d-ee68-446e-b32a-657b62befe69.md new file mode 100644 index 00000000000..20173d8d6ed 
--- /dev/null +++ b/docs/queries/cloudformation-queries/aws/dfb56e5d-ee68-446e-b32a-657b62befe69.md @@ -0,0 +1,378 @@ +--- +title: Amplify Branch Basic Auth Config Password Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dfb56e5d-ee68-446e-b32a-657b62befe69 +- **Query name:** Amplify Branch Basic Auth Config Password Exposed +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed) + +### Description +Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amplify-branch.html#cfn-amplify-branch-basicauthconfig) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18" +Resources: + NewAmpApp1: + Type: AWS::Amplify::Branch + Properties: + AppId: String + BranchName: String + BuildSpec: String + Description: String + EnableAutoBuild: false + EnablePerformanceMode: false + EnablePullRequestPreview: false + EnvironmentVariables: + - EnvironmentVariable + PullRequestEnvironmentName: String + Stage: String + BasicAuthConfig: + EnableBasicAuth: true + Password: "@skdsjdk0234!AB" + Username: admin + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +Parameters: + ParentPassword: + Description: 'Password' + Type: String + Default: "@skdsjdk0234!AB" + ParentUsername: + Description: 'Username' + Type: String + Default: "" +Resources: + NewAmpApp4: + Type: AWS::Amplify::Branch + Properties: + AppId: String + BranchName: String + BuildSpec: String + Description: String + EnableAutoBuild: false + EnablePerformanceMode: false + EnablePullRequestPreview: false + EnvironmentVariables: + - EnvironmentVariable + PullRequestEnvironmentName: String + Stage: String + BasicAuthConfig: + EnableBasicAuth: true + Password: !Ref ParentPassword + Username: !Ref ParentUsername + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="19" +{ + "Resources": { + "NewAmpApp1": { + "Type": "AWS::Amplify::Branch", + "Properties": { + "BranchName": "String", + "EnableAutoBuild": false, + "EnvironmentVariables": [ + "EnvironmentVariable" + ], + "PullRequestEnvironmentName": "String", + "AppId": "String", + "Description": "String", + "EnablePerformanceMode": false, + "EnablePullRequestPreview": false, + "Stage": "String", + "BasicAuthConfig": { + "EnableBasicAuth": true, + "Password": "@skdsjdk0234!AB", + "Username": "admin" + }, + "BuildSpec": "String" + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="35" +{ + "Resources": { + "NewAmpApp4": { + "Properties": { + "BasicAuthConfig": { + "EnableBasicAuth": true, + "Password": "ParentPassword", + "Username": "ParentUsername" + }, + "AppId": "String", + "Description": "String", + "EnableAutoBuild": false, + "EnablePerformanceMode": false, + "EnablePullRequestPreview": false, + "EnvironmentVariables": [ + "EnvironmentVariable" + ], + "Stage": "String", + "BranchName": "String", + "BuildSpec": "String", + "PullRequestEnvironmentName": "String" + }, + "Type": "AWS::Amplify::Branch" + } + }, + "Parameters": { + "ParentUsername": { + "Description": "Username", + "Type": "String", + "Default": "" + }, + "ParentPassword": { + "Description": "Password", + "Type": "String", + "Default": "@skdsjdk0234!AB" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + NewAmpApp: + Type: AWS::Amplify::App + Properties: + BuildSpec: String + CustomHeaders: String + Description: String + EnableBranchAutoDeletion: true + IAMServiceRole: String + Name: NewAmpApp + OauthToken: String + Repository: String + BasicAuthConfig : + EnableBasicAuth: true + Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + Username: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}' + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username": "admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +```yaml title="Negative test num. 2 - yaml file" + +Parameters: + ParentPassword: + Description: 'Password' + Type: String + ParentUsername: + Description: 'Username' + Type: String +Resources: + NewAmpApp1: + Type: AWS::Amplify::Branch + Properties: + AppId: String + BranchName: String + BuildSpec: String + Description: String + EnableAutoBuild: false + EnablePerformanceMode: false + EnablePullRequestPreview: false + EnvironmentVariables: + - EnvironmentVariable + PullRequestEnvironmentName: String + Stage: String + BasicAuthConfig: + EnableBasicAuth: true + Password: !Ref ParentPassword + Username: !Ref ParentUsername + + +``` +```yaml title="Negative test num. 
3 - yaml file" + +Parameters: + ParentPassword: + Description: 'Password' + Type: String + Default: "" + NoEcho: true + ParentUsername: + Description: 'Username' + Type: String + Default: "" +Resources: + NewAmpApp4: + Type: AWS::Amplify::Branch + Properties: + AppId: String + BranchName: String + BuildSpec: String + Description: String + EnableAutoBuild: false + EnablePerformanceMode: false + EnablePullRequestPreview: false + EnvironmentVariables: + - EnvironmentVariable + PullRequestEnvironmentName: String + Stage: String + BasicAuthConfig: + EnableBasicAuth: true + Password: !Ref ParentPassword + Username: !Ref ParentUsername + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "NewAmpApp": { + "Type": "AWS::Amplify::App", + "Properties": { + "EnableBranchAutoDeletion": true, + "IAMServiceRole": "String", + "Name": "NewAmpApp", + "OauthToken": "String", + "Repository": "String", + "BasicAuthConfig": { + "EnableBasicAuth": true, + "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}", + "Username": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::username}}" + }, + "BuildSpec": "String", + "CustomHeaders": "String", + "Description": "String" + } + }, + "MyAmpAppSecretManagerRotater": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "Description": "This is my amp app instance secret", + "GenerateSecretString": { + "SecretStringTemplate": "{\"username\": \"admin\"}", + "GenerateStringKey": "password", + "PasswordLength": 16, + "ExcludeCharacters": "\"@/\\" + } + } + } + } +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "Parameters": { + "ParentPassword": { + "Description": "Password", + "Type": "String" + }, + "ParentUsername": { + "Description": "Username", + "Type": "String" + } + }, + "Resources": { + "NewAmpApp1": { + "Type": "AWS::Amplify::Branch", + "Properties": { + "AppId": "String", + "BranchName": "String", + "EnableAutoBuild": false, + "EnablePerformanceMode": false, + "EnablePullRequestPreview": false, + "BasicAuthConfig": { + "EnableBasicAuth": true, + "Password": "ParentPassword", + "Username": "ParentUsername" + }, + "BuildSpec": "String", + "Description": "String", + "EnvironmentVariables": [ + "EnvironmentVariable" + ], + "PullRequestEnvironmentName": "String", + "Stage": "String" + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Resources": { + "NewAmpApp4": { + "Type": "AWS::Amplify::Branch", + "Properties": { + "EnableAutoBuild": false, + "EnablePullRequestPreview": false, + "EnvironmentVariables": [ + "EnvironmentVariable" + ], + "Stage": "String", + "AppId": "String", + "BranchName": "String", + "BuildSpec": "String", + "Description": "String", + "BasicAuthConfig": { + "EnableBasicAuth": true, + "Password": "ParentPassword", + "Username": "ParentUsername" + }, + "EnablePerformanceMode": false, + "PullRequestEnvironmentName": "String" + } + } + }, + "Parameters": { + "ParentPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + }, + "ParentUsername": { + "Description": "Username", + "Type": "String", + "Default": "" + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md b/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md new file mode 100644 index 00000000000..5f2dad4d1b3 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md @@ -0,0 +1,116 @@ +--- +title: ELB With Security Group Without Inbound Rules +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e200a6f3-c589-49ec-9143-7421d4a2c845 +- **Query name:** ELB With Security Group Without Inbound Rules +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules) + +### Description +An AWS Elastic Load Balancer (ELB) shouldn´t have security groups without outbound rules
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupingress) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + sgwithoutingress: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - sgwithoutingress +``` +```json title="Postitive test num. 2 - json file" hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "sgwithoutingress": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Limits security group egress traffic" + } + }, + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "SecurityGroups": [ + "sgwithoutingress" + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + sgwithingress: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - sgwithingress +``` +```json title="Negative test num. 
2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+ "Resources": {
+ "sgwithingress": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "Limits security group egress traffic",
+ "SecurityGroupIngress": [
+ {
+ "ToPort": 80,
+ "CidrIp": "0.0.0.0/0",
+ "IpProtocol": "tcp",
+ "FromPort": 80
+ }
+ ]
+ }
+ },
+ "MyLoadBalancer": {
+ "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
+ "Properties": {
+ "SecurityGroups": [
+ "sgwithingress"
+ ]
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md b/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md
new file mode 100644
index 00000000000..0ac18b3c6df
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md
@@ -0,0 +1,2284 @@
+---
+title: Fully Open Ingress
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5
+- **Query name:** Fully Open Ingress
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/fully_open_ingress)
+
+### Description
+ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses
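Review bot: The description of the e200a6f3 query reads "shouldn´t have security groups without outbound rules", but the title, the linked SecurityGroupIngress documentation and the negative sample (which differs from the positive one only by adding `SecurityGroupIngress`) all concern inbound rules, so "outbound" contradicts what the check actually flags and also carries a stray acute accent in place of an apostrophe. Suggested wording: `An AWS Elastic Load Balancer (ELB) shouldn't have security groups without inbound rules`. Since this catalog page looks generated, the fix presumably belongs in the query's metadata source rather than in the rendered file, or it will be overwritten on the next regeneration. The sample titles in the same hunk also misspell "Postitive".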
+[Documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 24" +AWSTemplateFormatVersion: '2010-09-09' +Parameters: + VpcId: + Type: AWS::EC2::VPC::Id + Description: Select a VPC that allows instances access to the Internet. + SubnetId: + Type: List + Description: Select at two subnets in your selected VPC. +Resources: + ECSCluster: + Type: AWS::ECS::Cluster + EcsSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: ECS Security Group + VpcId: !Ref 'VpcId' + EcsSecurityGroupHTTPinbound02: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref 'EcsSecurityGroup' + IpProtocol: tcp + FromPort: 80 + ToPort: 0 + CidrIp: 0.0.0.0/0 + EcsSecurityGroupSSHinbound: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref 'EcsSecurityGroup' + IpProtocol: tcp + FromPort: 22 + ToPort: 0 + CidrIp: 0.0.0.0/0 + EcsSecurityGroupALBports: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref 'EcsSecurityGroup' + IpProtocol: tcp + FromPort: 31000 + ToPort: 61000 + SourceSecurityGroupId: !Ref 'EcsSecurityGroup' + CloudwatchLogsGroup: + Type: AWS::Logs::LogGroup + Properties: + LogGroupName: !Join ['-', [ECSLogGroup, !Ref 'AWS::StackName']] + RetentionInDays: 14 + TaskDefinition: + Type: AWS::ECS::TaskDefinition + Properties: + Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]] + ContainerDefinitions: + - Name: simple-app + Cpu: 10 + Essential: true + Image: httpd:2.4 + Memory: 300 + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: !Ref 'CloudwatchLogsGroup' + awslogs-region: !Ref 'AWS::Region' + awslogs-stream-prefix: ecs-demo-app + MountPoints: + - ContainerPath: /usr/local/apache2/htdocs + SourceVolume: my-vol + PortMappings: + - ContainerPort: 80 + - Name: busybox + Cpu: 10 + 
Command: ['/bin/sh -c "while true; do echo '' Amazon ECS + Sample App'' > bottom; cat top date bottom > /usr/local/apache2/htdocs/index.html + ; sleep 1; done"'] + EntryPoint: [sh, -c] + Essential: false + Image: busybox + Memory: 200 + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: !Ref 'CloudwatchLogsGroup' + awslogs-region: !Ref 'AWS::Region' + awslogs-stream-prefix: ecs-demo-app + VolumesFrom: + - SourceContainer: simple-app + Volumes: + - Name: my-vol + ECSALB: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: ECSALB + Scheme: internet-facing + LoadBalancerAttributes: + - Key: idle_timeout.timeout_seconds + Value: '30' + Subnets: !Ref 'SubnetId' + SecurityGroups: [!Ref 'EcsSecurityGroup'] + ALBListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref 'ECSTG' + LoadBalancerArn: !Ref 'ECSALB' + Port: 80 + Protocol: HTTP + ECSALBListenerRule: + Type: AWS::ElasticLoadBalancingV2::ListenerRule + Properties: + Actions: + - Type: forward + TargetGroupArn: !Ref 'ECSTG' + Conditions: + - Field: path-pattern + Values: [/] + ListenerArn: !Ref 'ALBListener' + Priority: 1 + ECSTG: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + HealthCheckIntervalSeconds: 10 + HealthCheckPath: / + HealthCheckProtocol: HTTP + HealthCheckTimeoutSeconds: 5 + HealthyThresholdCount: 2 + Name: ECSTG + Port: 80 + Protocol: HTTP + UnhealthyThresholdCount: 2 + VpcId: !Ref 'VpcId' + ECSAutoScalingGroup: + Type: AWS::AutoScaling::AutoScalingGroup + Properties: + VPCZoneIdentifier: !Ref 'SubnetId' + LaunchConfigurationName: !Ref 'ContainerInstances' + MinSize: '1' + MaxSize: 4 + DesiredCapacity: 2 + CreationPolicy: + ResourceSignal: + Timeout: PT15M + UpdatePolicy: + AutoScalingReplacingUpdate: + WillReplace: true + ContainerInstances: + Type: AWS::AutoScaling::LaunchConfiguration + Properties: + ImageId: ami-128731982dhash + SecurityGroups: [!Ref 'EcsSecurityGroup'] + 
InstanceType: t2.small + IamInstanceProfile: !Ref 'EC2InstanceProfile' + KeyName: my-ssh-key + UserData: + Fn::Base64: !Sub | + #!/bin/bash -xe + echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config + yum install -y aws-cfn-bootstrap + /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region} + service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref 'ECSCluster' + DesiredCount: 1 + LoadBalancers: + - ContainerName: simple-app + ContainerPort: 80 + TargetGroupArn: !Ref 'ECSTG' + Role: !Ref 'ECSServiceRole' + TaskDefinition: !Ref 'TaskDefinition' + ECSServiceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [ecs.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: ecs-service + PolicyDocument: + Statement: + - Effect: Allow + Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer', 'elasticloadbalancing:DeregisterTargets', + 'elasticloadbalancing:Describe*', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer', + 'elasticloadbalancing:RegisterTargets', 'ec2:Describe*', 'ec2:AuthorizeSecurityGroupIngress'] + Resource: '*' + ServiceScalingTarget: + Type: AWS::ApplicationAutoScaling::ScalableTarget + Properties: + MaxCapacity: 2 + MinCapacity: 1 + ResourceId: !Join ['', [service/, !Ref 'ECSCluster', /, !GetAtt [service, Name]]] + RoleARN: !GetAtt [AutoscalingRole, Arn] + ScalableDimension: ecs:service:DesiredCount + ServiceNamespace: ecs + ServiceScalingPolicy: + Type: AWS::ApplicationAutoScaling::ScalingPolicy + Properties: + PolicyName: AStepPolicy + PolicyType: StepScaling + ScalingTargetId: !Ref 'ServiceScalingTarget' + StepScalingPolicyConfiguration: + AdjustmentType: PercentChangeInCapacity + Cooldown: 60 + MetricAggregationType: Average + StepAdjustments: + - MetricIntervalLowerBound: 0 + ScalingAdjustment: 200 + ALB500sAlarmScaleUp: + Type: AWS::CloudWatch::Alarm + Properties: + 
EvaluationPeriods: 1 + Statistic: Average + Threshold: 10 + AlarmDescription: Alarm if our ALB generates too many HTTP 500s. + Period: 60 + AlarmActions: [!Ref 'ServiceScalingPolicy'] + Namespace: AWS/ApplicationELB + Dimensions: + - Name: LoadBalancer + Value: !GetAtt + - ECSALB + - LoadBalancerFullName + ComparisonOperator: GreaterThanThreshold + MetricName: HTTPCode_ELB_5XX_Count + EC2Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: ecs-service + PolicyDocument: + Statement: + - Effect: Allow + Action: ['ecs:CreateCluster', 'ecs:DeregisterContainerInstance', 'ecs:DiscoverPollEndpoint', + 'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession', + 'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents'] + Resource: '*' + AutoscalingRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [application-autoscaling.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: service-autoscaling + PolicyDocument: + Statement: + - Effect: Allow + Action: ['application-autoscaling:*', 'cloudwatch:DescribeAlarms', 'cloudwatch:PutMetricAlarm', + 'ecs:DescribeServices', 'ecs:UpdateService'] + Resource: '*' + EC2InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!Ref 'EC2Role'] +Outputs: + ecsservice: + Value: !Ref 'service' + ecscluster: + Value: !Ref 'ECSCluster' + ECSALB: + Description: Your ALB DNS URL + Value: !Join ['', [!GetAtt [ECSALB, DNSName]]] + taskdef: + Value: !Ref 'TaskDefinition' + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="24" +AWSTemplateFormatVersion: '2010-09-09' +Parameters: + VpcId: + Type: AWS::EC2::VPC::Id + Description: Select a VPC that allows instances access to the Internet. 
+ SubnetId: + Type: List + Description: Select at two subnets in your selected VPC. +Resources: + ECSCluster: + Type: AWS::ECS::Cluster + EcsSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: ECS Security Group + VpcId: !Ref 'VpcId' + EcsSecurityGroupHTTPinbound: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref 'EcsSecurityGroup' + IpProtocol: tcp + FromPort: 80 + ToPort: 0 + CidrIp: 0.0.0.0/0 + EcsSecurityGroupSSHinbound: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref 'EcsSecurityGroup' + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + EcsSecurityGroupALBports: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref 'EcsSecurityGroup' + IpProtocol: tcp + FromPort: 31000 + ToPort: 61000 + SourceSecurityGroupId: !Ref 'EcsSecurityGroup' + CloudwatchLogsGroup: + Type: AWS::Logs::LogGroup + Properties: + LogGroupName: !Join ['-', [ECSLogGroup, !Ref 'AWS::StackName']] + RetentionInDays: 14 + TaskDefinition: + Type: AWS::ECS::TaskDefinition + Properties: + Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]] + ContainerDefinitions: + - Name: simple-app + Cpu: 10 + Essential: true + Image: httpd:2.4 + Memory: 300 + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: !Ref 'CloudwatchLogsGroup' + awslogs-region: !Ref 'AWS::Region' + awslogs-stream-prefix: ecs-demo-app + MountPoints: + - ContainerPath: /usr/local/apache2/htdocs + SourceVolume: my-vol + PortMappings: + - ContainerPort: 80 + - Name: busybox + Cpu: 10 + Command: ['/bin/sh -c "while true; do echo '' Amazon ECS + Sample App'' > bottom; cat top date bottom > /usr/local/apache2/htdocs/index.html + ; sleep 1; done"'] + EntryPoint: [sh, -c] + Essential: false + Image: busybox + Memory: 200 + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: !Ref 'CloudwatchLogsGroup' + awslogs-region: !Ref 'AWS::Region' + awslogs-stream-prefix: ecs-demo-app + VolumesFrom: + - SourceContainer: 
simple-app + Volumes: + - Name: my-vol + ECSALB: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Name: ECSALB + Scheme: internet-facing + LoadBalancerAttributes: + - Key: idle_timeout.timeout_seconds + Value: '30' + Subnets: !Ref 'SubnetId' + SecurityGroups: [!Ref 'EcsSecurityGroup'] + ALBListener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + DefaultActions: + - Type: forward + TargetGroupArn: !Ref 'ECSTG' + LoadBalancerArn: !Ref 'ECSALB' + Port: 80 + Protocol: HTTP + ECSALBListenerRule: + Type: AWS::ElasticLoadBalancingV2::ListenerRule + Properties: + Actions: + - Type: forward + TargetGroupArn: !Ref 'ECSTG' + Conditions: + - Field: path-pattern + Values: [/] + ListenerArn: !Ref 'ALBListener' + Priority: 1 + ECSTG: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + HealthCheckIntervalSeconds: 10 + HealthCheckPath: / + HealthCheckProtocol: HTTP + HealthCheckTimeoutSeconds: 5 + HealthyThresholdCount: 2 + Name: ECSTG + Port: 80 + Protocol: HTTP + UnhealthyThresholdCount: 2 + VpcId: !Ref 'VpcId' + ECSAutoScalingGroup: + Type: AWS::AutoScaling::AutoScalingGroup + Properties: + VPCZoneIdentifier: !Ref 'SubnetId' + LaunchConfigurationName: !Ref 'ContainerInstances' + MinSize: '1' + MaxSize: 4 + DesiredCapacity: 2 + CreationPolicy: + ResourceSignal: + Timeout: PT15M + UpdatePolicy: + AutoScalingReplacingUpdate: + WillReplace: true + ContainerInstances: + Type: AWS::AutoScaling::LaunchConfiguration + Properties: + ImageId: ami-09bee01cc997a78a6 + SecurityGroups: [!Ref 'EcsSecurityGroup'] + InstanceType: t2.small + IamInstanceProfile: !Ref 'EC2InstanceProfile' + KeyName: my-ssh-key + UserData: + Fn::Base64: !Sub | + #!/bin/bash -xe + echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config + yum install -y aws-cfn-bootstrap + /opt/aws/bin/cfn-signal -e $? 
--stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region} + service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref 'ECSCluster' + DesiredCount: 1 + LoadBalancers: + - ContainerName: simple-app + ContainerPort: 80 + TargetGroupArn: !Ref 'ECSTG' + Role: !Ref 'ECSServiceRole' + TaskDefinition: !Ref 'TaskDefinition' + ECSServiceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [ecs.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: ecs-service + PolicyDocument: + Statement: + - Effect: Allow + Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer', 'elasticloadbalancing:DeregisterTargets', + 'elasticloadbalancing:Describe*', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer', + 'elasticloadbalancing:RegisterTargets', 'ec2:Describe*', 'ec2:AuthorizeSecurityGroupIngress'] + Resource: '*' + ServiceScalingTarget: + Type: AWS::ApplicationAutoScaling::ScalableTarget + Properties: + MaxCapacity: 2 + MinCapacity: 1 + ResourceId: !Join ['', [service/, !Ref 'ECSCluster', /, !GetAtt [service, Name]]] + RoleARN: !GetAtt [AutoscalingRole, Arn] + ScalableDimension: ecs:service:DesiredCount + ServiceNamespace: ecs + ServiceScalingPolicy: + Type: AWS::ApplicationAutoScaling::ScalingPolicy + Properties: + PolicyName: AStepPolicy + PolicyType: StepScaling + ScalingTargetId: !Ref 'ServiceScalingTarget' + StepScalingPolicyConfiguration: + AdjustmentType: PercentChangeInCapacity + Cooldown: 60 + MetricAggregationType: Average + StepAdjustments: + - MetricIntervalLowerBound: 0 + ScalingAdjustment: 200 + ALB500sAlarmScaleUp: + Type: AWS::CloudWatch::Alarm + Properties: + EvaluationPeriods: 1 + Statistic: Average + Threshold: 10 + AlarmDescription: Alarm if our ALB generates too many HTTP 500s. 
+ Period: 60 + AlarmActions: [!Ref 'ServiceScalingPolicy'] + Namespace: AWS/ApplicationELB + Dimensions: + - Name: LoadBalancer + Value: !GetAtt + - ECSALB + - LoadBalancerFullName + ComparisonOperator: GreaterThanThreshold + MetricName: HTTPCode_ELB_5XX_Count + EC2Role: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [ec2.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: ecs-service + PolicyDocument: + Statement: + - Effect: Allow + Action: ['ecs:CreateCluster', 'ecs:DeregisterContainerInstance', 'ecs:DiscoverPollEndpoint', + 'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession', + 'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents'] + Resource: '*' + AutoscalingRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: [application-autoscaling.amazonaws.com] + Action: ['sts:AssumeRole'] + Path: / + Policies: + - PolicyName: service-autoscaling + PolicyDocument: + Statement: + - Effect: Allow + Action: ['application-autoscaling:*', 'cloudwatch:DescribeAlarms', 'cloudwatch:PutMetricAlarm', + 'ecs:DescribeServices', 'ecs:UpdateService'] + Resource: '*' + EC2InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: / + Roles: [!Ref 'EC2Role'] + + +``` +```json title="Postitive test num. 3 - json file" hl_lines="115 326" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "VpcId": { + "Type": "AWS::EC2::VPC::Id", + "Description": "Select a VPC that allows instances access to the Internet." + }, + "SubnetId": { + "Type": "List\u003cAWS::EC2::Subnet::Id\u003e", + "Description": "Select at two subnets in your selected VPC." 
+ } + }, + "Resources": { + "ECSCluster": { + "Type": "AWS::ECS::Cluster" + }, + "EcsSecurityGroupALBports": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "IpProtocol": "tcp", + "FromPort": 31000, + "ToPort": 61000, + "SourceSecurityGroupId": "EcsSecurityGroup", + "GroupId": "EcsSecurityGroup" + } + }, + "ECSServiceRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ecs.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "ecs-service", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:Describe*", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:RegisterTargets", + "ec2:Describe*", + "ec2:AuthorizeSecurityGroupIngress" + ], + "Resource": "*", + "Effect": "Allow" + } + ] + } + } + ] + } + }, + "AutoscalingRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "application-autoscaling.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "service-autoscaling", + "PolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "application-autoscaling:*", + "cloudwatch:DescribeAlarms", + "cloudwatch:PutMetricAlarm", + "ecs:DescribeServices", + "ecs:UpdateService" + ], + "Resource": "*" + } + ] + } + } + ] + } + }, + "EcsSecurityGroupSSHinbound": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "ToPort": 0, + "CidrIp": "0.0.0.0/0", + "GroupId": "EcsSecurityGroup", + "IpProtocol": "tcp", + "FromPort": 22 + } + }, + "ECSALB": { + "Properties": { + "Name": "ECSALB", + "Scheme": "internet-facing", + 
"LoadBalancerAttributes": [ + { + "Key": "idle_timeout.timeout_seconds", + "Value": "30" + } + ], + "Subnets": "SubnetId", + "SecurityGroups": [ + "EcsSecurityGroup" + ] + }, + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer" + }, + "ECSAutoScalingGroup": { + "Type": "AWS::AutoScaling::AutoScalingGroup", + "Properties": { + "VPCZoneIdentifier": "SubnetId", + "LaunchConfigurationName": "ContainerInstances", + "MinSize": "1", + "MaxSize": 4, + "DesiredCapacity": 2 + }, + "CreationPolicy": { + "ResourceSignal": { + "Timeout": "PT15M" + } + }, + "UpdatePolicy": { + "AutoScalingReplacingUpdate": { + "WillReplace": true + } + } + }, + "ServiceScalingTarget": { + "Type": "AWS::ApplicationAutoScaling::ScalableTarget", + "Properties": { + "MaxCapacity": 2, + "MinCapacity": 1, + "ResourceId": [ + "", + [ + "service/", + "ECSCluster", + "/", + [ + "service", + "Name" + ] + ] + ], + "RoleARN": [ + "AutoscalingRole", + "Arn" + ], + "ScalableDimension": "ecs:service:DesiredCount", + "ServiceNamespace": "ecs" + } + }, + "ServiceScalingPolicy": { + "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", + "Properties": { + "PolicyType": "StepScaling", + "ScalingTargetId": "ServiceScalingTarget", + "StepScalingPolicyConfiguration": { + "StepAdjustments": [ + { + "MetricIntervalLowerBound": 0, + "ScalingAdjustment": 200 + } + ], + "AdjustmentType": "PercentChangeInCapacity", + "Cooldown": 60, + "MetricAggregationType": "Average" + }, + "PolicyName": "AStepPolicy" + } + }, + "EC2Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ec2.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "ecs-service", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "ecs:CreateCluster", + "ecs:DeregisterContainerInstance", + "ecs:DiscoverPollEndpoint", + "ecs:Poll", + "ecs:RegisterContainerInstance", + 
"ecs:StartTelemetrySession", + "ecs:Submit*", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource": "*", + "Effect": "Allow" + } + ] + } + } + ] + } + }, + "ECSTG": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "HealthCheckIntervalSeconds": 10, + "HealthCheckProtocol": "HTTP", + "HealthCheckTimeoutSeconds": 5, + "Name": "ECSTG", + "Port": 80, + "Protocol": "HTTP", + "HealthCheckPath": "/", + "HealthyThresholdCount": 2, + "UnhealthyThresholdCount": 2, + "VpcId": "VpcId" + } + }, + "service": { + "Type": "AWS::ECS::Service", + "Properties": { + "Cluster": "ECSCluster", + "DesiredCount": 1, + "LoadBalancers": [ + { + "ContainerName": "simple-app", + "ContainerPort": 80, + "TargetGroupArn": "ECSTG" + } + ], + "Role": "ECSServiceRole", + "TaskDefinition": "TaskDefinition" + } + }, + "ALB500sAlarmScaleUp": { + "Properties": { + "Threshold": 10, + "Dimensions": [ + { + "Name": "LoadBalancer", + "Value": [ + "ECSALB", + "LoadBalancerFullName" + ] + } + ], + "ComparisonOperator": "GreaterThanThreshold", + "MetricName": "HTTPCode_ELB_5XX_Count", + "EvaluationPeriods": 1, + "AlarmDescription": "Alarm if our ALB generates too many HTTP 500s.", + "Period": 60, + "AlarmActions": [ + "ServiceScalingPolicy" + ], + "Namespace": "AWS/ApplicationELB", + "Statistic": "Average" + }, + "Type": "AWS::CloudWatch::Alarm" + }, + "EC2InstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/", + "Roles": [ + "EC2Role" + ] + } + }, + "EcsSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": "VpcId", + "GroupDescription": "ECS Security Group" + } + }, + "EcsSecurityGroupHTTPinbound02": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": "EcsSecurityGroup", + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 0, + "CidrIp": "0.0.0.0/0" + } + }, + "CloudwatchLogsGroup": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": [ + "-", + [ + "ECSLogGroup", 
+ "AWS::StackName" + ] + ], + "RetentionInDays": 14 + } + }, + "TaskDefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "Family": [ + "", + [ + "AWS::StackName", + "-ecs-demo-app" + ] + ], + "ContainerDefinitions": [ + { + "Name": "simple-app", + "Cpu": 10, + "Essential": true, + "Image": "httpd:2.4", + "Memory": 300, + "LogConfiguration": { + "LogDriver": "awslogs", + "Options": { + "awslogs-group": "CloudwatchLogsGroup", + "awslogs-region": "AWS::Region", + "awslogs-stream-prefix": "ecs-demo-app" + } + }, + "MountPoints": [ + { + "ContainerPath": "/usr/local/apache2/htdocs", + "SourceVolume": "my-vol" + } + ], + "PortMappings": [ + { + "ContainerPort": 80 + } + ] + }, + { + "VolumesFrom": [ + { + "SourceContainer": "simple-app" + } + ], + "Name": "busybox", + "Cpu": 10, + "Command": [ + "/bin/sh -c \"while true; do echo '\u003chtml\u003e \u003chead\u003e \u003ctitle\u003eAmazon ECS Sample App\u003c/title\u003e\u003c/head\u003e\u003c/html\u003e' \u003e bottom; cat top date bottom \u003e /usr/local/apache2/htdocs/index.html ; sleep 1; done\"" + ], + "Image": "busybox", + "Memory": 200, + "LogConfiguration": { + "LogDriver": "awslogs", + "Options": { + "awslogs-stream-prefix": "ecs-demo-app", + "awslogs-group": "CloudwatchLogsGroup", + "awslogs-region": "AWS::Region" + } + }, + "EntryPoint": [ + "sh", + "-c" + ], + "Essential": false + } + ], + "Volumes": [ + { + "Name": "my-vol" + } + ] + } + }, + "ALBListener": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "LoadBalancerArn": "ECSALB", + "Port": 80, + "Protocol": "HTTP", + "DefaultActions": [ + { + "Type": "forward", + "TargetGroupArn": "ECSTG" + } + ] + } + }, + "ECSALBListenerRule": { + "Type": "AWS::ElasticLoadBalancingV2::ListenerRule", + "Properties": { + "Actions": [ + { + "Type": "forward", + "TargetGroupArn": "ECSTG" + } + ], + "Conditions": [ + { + "Values": [ + "/" + ], + "Field": "path-pattern" + } + ], + "ListenerArn": "ALBListener", + "Priority": 1 + } + 
}, + "ContainerInstances": { + "Type": "AWS::AutoScaling::LaunchConfiguration", + "Properties": { + "ImageId": "ami-128731982dhash", + "SecurityGroups": [ + "EcsSecurityGroup" + ], + "InstanceType": "t2.small", + "IamInstanceProfile": "EC2InstanceProfile", + "KeyName": "my-ssh-key", + "UserData": { + "Fn::Base64": "#!/bin/bash -xe\necho ECS_CLUSTER=${ECSCluster} \u003e\u003e /etc/ecs/ecs.config\nyum install -y aws-cfn-bootstrap\n/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}\n" + } + } + } + }, + "Outputs": { + "ecscluster": { + "Value": "ECSCluster" + }, + "ECSALB": { + "Description": "Your ALB DNS URL", + "Value": [ + "", + [ + [ + "ECSALB", + "DNSName" + ] + ] + ] + }, + "taskdef": { + "Value": "TaskDefinition" + }, + "ecsservice": { + "Value": "service" + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="268" +{ + "Resources": { + "TaskDefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "Family": [ + "", + [ + "AWS::StackName", + "-ecs-demo-app" + ] + ], + "ContainerDefinitions": [ + { + "Essential": true, + "Image": "httpd:2.4", + "Memory": 300, + "LogConfiguration": { + "LogDriver": "awslogs", + "Options": { + "awslogs-group": "CloudwatchLogsGroup", + "awslogs-region": "AWS::Region", + "awslogs-stream-prefix": "ecs-demo-app" + } + }, + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/usr/local/apache2/htdocs" + } + ], + "PortMappings": [ + { + "ContainerPort": 80 + } + ], + "Name": "simple-app", + "Cpu": 10 + }, + { + "EntryPoint": [ + "sh", + "-c" + ], + "Essential": false, + "Memory": 200, + "Command": [ + "/bin/sh -c \"while true; do echo '\u003chtml\u003e \u003chead\u003e \u003ctitle\u003eAmazon ECS Sample App\u003c/title\u003e\u003c/head\u003e\u003cbody\u003e\u003c/body\u003e\u003c/html\u003e' \u003e bottom; cat top date bottom \u003e /usr/local/apache2/htdocs/index.html ; sleep 1; done\"" + ], + "Cpu": 10, + "Image": "busybox", + "LogConfiguration": { + "LogDriver": "awslogs", + "Options": { + "awslogs-stream-prefix": "ecs-demo-app", + "awslogs-group": "CloudwatchLogsGroup", + "awslogs-region": "AWS::Region" + } + }, + "VolumesFrom": [ + { + "SourceContainer": "simple-app" + } + ], + "Name": "busybox" + } + ], + "Volumes": [ + { + "Name": "my-vol" + } + ] + } + }, + "ALBListener": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "DefaultActions": [ + { + "Type": "forward", + "TargetGroupArn": "ECSTG" + } + ], + "LoadBalancerArn": "ECSALB", + "Port": 80, + "Protocol": "HTTP" + } + }, + "ECSServiceRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ecs.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + 
"Path": "/", + "Policies": [ + { + "PolicyName": "ecs-service", + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:Describe*", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:RegisterTargets", + "ec2:Describe*", + "ec2:AuthorizeSecurityGroupIngress" + ], + "Resource": "*", + "Effect": "Allow" + } + ] + } + } + ] + } + }, + "ALB500sAlarmScaleUp": { + "Type": "AWS::CloudWatch::Alarm", + "Properties": { + "Period": 60, + "Dimensions": [ + { + "Name": "LoadBalancer", + "Value": [ + "ECSALB", + "LoadBalancerFullName" + ] + } + ], + "ComparisonOperator": "GreaterThanThreshold", + "AlarmDescription": "Alarm if our ALB generates too many HTTP 500s.", + "Statistic": "Average", + "Threshold": 10, + "AlarmActions": [ + "ServiceScalingPolicy" + ], + "Namespace": "AWS/ApplicationELB", + "MetricName": "HTTPCode_ELB_5XX_Count", + "EvaluationPeriods": 1 + } + }, + "service": { + "Type": "AWS::ECS::Service", + "Properties": { + "TaskDefinition": "TaskDefinition", + "Cluster": "ECSCluster", + "DesiredCount": 1, + "LoadBalancers": [ + { + "ContainerName": "simple-app", + "ContainerPort": 80, + "TargetGroupArn": "ECSTG" + } + ], + "Role": "ECSServiceRole" + } + }, + "EcsSecurityGroupSSHinbound": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": "EcsSecurityGroup", + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } + }, + "EcsSecurityGroupALBports": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "FromPort": 31000, + "ToPort": 61000, + "SourceSecurityGroupId": "EcsSecurityGroup", + "GroupId": "EcsSecurityGroup", + "IpProtocol": "tcp" + } + }, + "CloudwatchLogsGroup": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 14, + "LogGroupName": [ + "-", + [ + "ECSLogGroup", + "AWS::StackName" + ] + ] + } + }, + "ECSALB": { 
+ "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "Scheme": "internet-facing", + "LoadBalancerAttributes": [ + { + "Key": "idle_timeout.timeout_seconds", + "Value": "30" + } + ], + "Subnets": "SubnetId", + "SecurityGroups": [ + "EcsSecurityGroup" + ], + "Name": "ECSALB" + } + }, + "ECSALBListenerRule": { + "Type": "AWS::ElasticLoadBalancingV2::ListenerRule", + "Properties": { + "Actions": [ + { + "Type": "forward", + "TargetGroupArn": "ECSTG" + } + ], + "Conditions": [ + { + "Field": "path-pattern", + "Values": [ + "/" + ] + } + ], + "ListenerArn": "ALBListener", + "Priority": 1 + } + }, + "ContainerInstances": { + "Type": "AWS::AutoScaling::LaunchConfiguration", + "Properties": { + "IamInstanceProfile": "EC2InstanceProfile", + "KeyName": "my-ssh-key", + "UserData": { + "Fn::Base64": "#!/bin/bash -xe\necho ECS_CLUSTER=${ECSCluster} \u003e\u003e /etc/ecs/ecs.config\nyum install -y aws-cfn-bootstrap\n/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}\n" + }, + "ImageId": "ami-09bee01cc997a78a6", + "SecurityGroups": [ + "EcsSecurityGroup" + ], + "InstanceType": "t2.small" + } + }, + "ECSCluster": { + "Type": "AWS::ECS::Cluster" + }, + "EcsSecurityGroupHTTPinbound": { + "Properties": { + "GroupId": "EcsSecurityGroup", + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 0, + "CidrIp": "0.0.0.0/0" + }, + "Type": "AWS::EC2::SecurityGroupIngress" + }, + "ECSTG": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "Name": "ECSTG", + "Port": 80, + "VpcId": "VpcId", + "HealthCheckPath": "/", + "HealthCheckProtocol": "HTTP", + "HealthyThresholdCount": 2, + "Protocol": "HTTP", + "UnhealthyThresholdCount": 2, + "HealthCheckIntervalSeconds": 10, + "HealthCheckTimeoutSeconds": 5 + } + }, + "ServiceScalingTarget": { + "Type": "AWS::ApplicationAutoScaling::ScalableTarget", + "Properties": { + "MaxCapacity": 2, + "MinCapacity": 1, + "ResourceId": [ + "", + [ + "service/", + 
"ECSCluster", + "/", + [ + "service", + "Name" + ] + ] + ], + "RoleARN": [ + "AutoscalingRole", + "Arn" + ], + "ScalableDimension": "ecs:service:DesiredCount", + "ServiceNamespace": "ecs" + } + }, + "AutoscalingRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "application-autoscaling.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "service-autoscaling", + "PolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "application-autoscaling:*", + "cloudwatch:DescribeAlarms", + "cloudwatch:PutMetricAlarm", + "ecs:DescribeServices", + "ecs:UpdateService" + ], + "Resource": "*" + } + ] + } + } + ] + } + }, + "EcsSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "ECS Security Group", + "VpcId": "VpcId" + } + }, + "ECSAutoScalingGroup": { + "CreationPolicy": { + "ResourceSignal": { + "Timeout": "PT15M" + } + }, + "UpdatePolicy": { + "AutoScalingReplacingUpdate": { + "WillReplace": true + } + }, + "Type": "AWS::AutoScaling::AutoScalingGroup", + "Properties": { + "VPCZoneIdentifier": "SubnetId", + "LaunchConfigurationName": "ContainerInstances", + "MinSize": "1", + "MaxSize": 4, + "DesiredCapacity": 2 + } + }, + "ServiceScalingPolicy": { + "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", + "Properties": { + "PolicyName": "AStepPolicy", + "PolicyType": "StepScaling", + "ScalingTargetId": "ServiceScalingTarget", + "StepScalingPolicyConfiguration": { + "AdjustmentType": "PercentChangeInCapacity", + "Cooldown": 60, + "MetricAggregationType": "Average", + "StepAdjustments": [ + { + "MetricIntervalLowerBound": 0, + "ScalingAdjustment": 200 + } + ] + } + } + }, + "EC2Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Principal": { + "Service": [ + "ec2.amazonaws.com" 
+ ]
+ },
+ "Action": [
+ "sts:AssumeRole"
+ ],
+ "Effect": "Allow"
+ }
+ ]
+ },
+ "Path": "/",
+ "Policies": [
+ {
+ "PolicyName": "ecs-service",
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecs:CreateCluster",
+ "ecs:DeregisterContainerInstance",
+ "ecs:DiscoverPollEndpoint",
+ "ecs:Poll",
+ "ecs:RegisterContainerInstance",
+ "ecs:StartTelemetrySession",
+ "ecs:Submit*",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Resource": "*"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "EC2InstanceProfile": {
+ "Properties": {
+ "Path": "/",
+ "Roles": [
+ "EC2Role"
+ ]
+ },
+ "Type": "AWS::IAM::InstanceProfile"
+ }
+ },
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Parameters": {
+ "VpcId": {
+ "Type": "AWS::EC2::VPC::Id",
+ "Description": "Select a VPC that allows instances access to the Internet."
+ },
+ "SubnetId": {
+ "Type": "List\u003cAWS::EC2::Subnet::Id\u003e",
+ "Description": "Select at two subnets in your selected VPC."
+ }
+ }
+}
+
+```
+
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Parameters: + VpcId: + Type: AWS::EC2::VPC::Id + Description: Select a VPC that allows instances access to the Internet. + SubnetId: + Type: List + Description: Select at two subnets in your selected VPC. +Resources: + ECSCluster: + Type: AWS::ECS::Cluster + EcsSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: ECS Security Group + VpcId: !Ref 'VpcId' + EcsSecurityGroupHTTPinbound: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref 'EcsSecurityGroup' + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + EcsSecurityGroupSSHinbound: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref 'EcsSecurityGroup' + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + EcsSecurityGroupALBports: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref 'EcsSecurityGroup' + IpProtocol: tcp + FromPort: 31000 + ToPort: 61000 + SourceSecurityGroupId: !Ref 'EcsSecurityGroup' + CloudwatchLogsGroup: + Type: AWS::Logs::LogGroup + Properties: + LogGroupName: !Join ['-', [ECSLogGroup, !Ref 'AWS::StackName']] + RetentionInDays: 14 + TaskDefinition: + Type: AWS::ECS::TaskDefinition + Properties: + Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]] + ContainerDefinitions: + - Name: simple-app + Cpu: 10 + Essential: true + Image: httpd:2.4 + Memory: 300 + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: !Ref 'CloudwatchLogsGroup' + awslogs-region: !Ref 'AWS::Region' + awslogs-stream-prefix: ecs-demo-app + MountPoints: + - ContainerPath: /usr/local/apache2/htdocs + SourceVolume: my-vol + PortMappings: + - ContainerPort: 80 + - Name: busybox + Cpu: 10 + Command: ['/bin/sh -c "while true; do echo '' Amazon ECS + Sample App'' > bottom; cat top date bottom > /usr/local/apache2/htdocs/index.html + ; sleep 1; done"'] + EntryPoint: 
[sh, -c]
+ Essential: false
+ Image: busybox
+ Memory: 200
+ LogConfiguration:
+ LogDriver: awslogs
+ Options:
+ awslogs-group: !Ref 'CloudwatchLogsGroup'
+ awslogs-region: !Ref 'AWS::Region'
+ awslogs-stream-prefix: ecs-demo-app
+ VolumesFrom:
+ - SourceContainer: simple-app
+ Volumes:
+ - Name: my-vol
+ ECSALB:
+ Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+ Properties:
+ Name: ECSALB
+ Scheme: internet-facing
+ LoadBalancerAttributes:
+ - Key: idle_timeout.timeout_seconds
+ Value: '30'
+ Subnets: !Ref 'SubnetId'
+ SecurityGroups: [!Ref 'EcsSecurityGroup']
+ ALBListener:
+ Type: AWS::ElasticLoadBalancingV2::Listener
+ Properties:
+ DefaultActions:
+ - Type: forward
+ TargetGroupArn: !Ref 'ECSTG'
+ LoadBalancerArn: !Ref 'ECSALB'
+ Port: 80
+ Protocol: HTTP
+ ECSALBListenerRule:
+ Type: AWS::ElasticLoadBalancingV2::ListenerRule
+ Properties:
+ Actions:
+ - Type: forward
+ TargetGroupArn: !Ref 'ECSTG'
+ Conditions:
+ - Field: path-pattern
+ Values: [/]
+ ListenerArn: !Ref 'ALBListener'
+ Priority: 1
+ ECSTG:
+ Type: AWS::ElasticLoadBalancingV2::TargetGroup
+ Properties:
+ HealthCheckIntervalSeconds: 10
+ HealthCheckPath: /
+ HealthCheckProtocol: HTTP
+ HealthCheckTimeoutSeconds: 5
+ HealthyThresholdCount: 2
+ Name: ECSTG
+ Port: 80
+ Protocol: HTTP
+ UnhealthyThresholdCount: 2
+ VpcId: !Ref 'VpcId'
+ ECSAutoScalingGroup:
+ Type: AWS::AutoScaling::AutoScalingGroup
+ Properties:
+ VPCZoneIdentifier: !Ref 'SubnetId'
+ LaunchConfigurationName: !Ref 'ContainerInstances'
+ MinSize: '1'
+ MaxSize: 4
+ DesiredCapacity: 2
+ CreationPolicy:
+ ResourceSignal:
+ Timeout: PT15M
+ UpdatePolicy:
+ AutoScalingReplacingUpdate:
+ WillReplace: true
+ ContainerInstances:
+ Type: AWS::AutoScaling::LaunchConfiguration
+ Properties:
+ ImageId: ami-09bee01cc997a78a6
+ SecurityGroups: [!Ref 'EcsSecurityGroup']
+ InstanceType: t2.small
+ IamInstanceProfile: !Ref 'EC2InstanceProfile'
+ KeyName: my-ssh-key
+ UserData:
+ Fn::Base64: !Sub |
+ #!/bin/bash -xe
+ echo ECS_CLUSTER=${ECSCluster}
>> /etc/ecs/ecs.config
+ yum install -y aws-cfn-bootstrap
+ /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}
+ service:
+ Type: AWS::ECS::Service
+ Properties:
+ Cluster: !Ref 'ECSCluster'
+ DesiredCount: 1
+ LoadBalancers:
+ - ContainerName: simple-app
+ ContainerPort: 80
+ TargetGroupArn: !Ref 'ECSTG'
+ Role: !Ref 'ECSServiceRole'
+ TaskDefinition: !Ref 'taskdefinition'
+ ECSServiceRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: [ecs.amazonaws.com]
+ Action: ['sts:AssumeRole']
+ Path: /
+ Policies:
+ - PolicyName: ecs-service
+ PolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer', 'elasticloadbalancing:DeregisterTargets',
+ 'elasticloadbalancing:Describe*', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer',
+ 'elasticloadbalancing:RegisterTargets', 'ec2:Describe*', 'ec2:AuthorizeSecurityGroupIngress']
+ Resource: '*'
+ ServiceScalingTarget:
+ Type: AWS::ApplicationAutoScaling::ScalableTarget
+ Properties:
+ MaxCapacity: 2
+ MinCapacity: 1
+ ResourceId: !Join ['', [service/, !Ref 'ECSCluster', /, !GetAtt [service, Name]]]
+ RoleARN: !GetAtt [AutoscalingRole, Arn]
+ ScalableDimension: ecs:service:DesiredCount
+ ServiceNamespace: ecs
+ ServiceScalingPolicy:
+ Type: AWS::ApplicationAutoScaling::ScalingPolicy
+ Properties:
+ PolicyName: AStepPolicy
+ PolicyType: StepScaling
+ ScalingTargetId: !Ref 'ServiceScalingTarget'
+ StepScalingPolicyConfiguration:
+ AdjustmentType: PercentChangeInCapacity
+ Cooldown: 60
+ MetricAggregationType: Average
+ StepAdjustments:
+ - MetricIntervalLowerBound: 0
+ ScalingAdjustment: 200
+ ALB500sAlarmScaleUp:
+ Type: AWS::CloudWatch::Alarm
+ Properties:
+ EvaluationPeriods: 1
+ Statistic: Average
+ Threshold: 10
+ AlarmDescription: Alarm if our ALB generates too many HTTP 500s.
+ Period: 60
+ AlarmActions: [!Ref 'ServiceScalingPolicy']
+ Namespace: AWS/ApplicationELB
+ Dimensions:
+ - Name: LoadBalancer
+ Value: !GetAtt
+ - ECSALB
+ - LoadBalancerFullName
+ ComparisonOperator: GreaterThanThreshold
+ MetricName: HTTPCode_ELB_5XX_Count
+ EC2Role:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: [ec2.amazonaws.com]
+ Action: ['sts:AssumeRole']
+ Path: /
+ Policies:
+ - PolicyName: ecs-service
+ PolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action: ['ecs:CreateCluster', 'ecs:DeregisterContainerInstance', 'ecs:DiscoverPollEndpoint',
+ 'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession',
+ 'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents']
+ Resource: '*'
+ AutoscalingRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: [application-autoscaling.amazonaws.com]
+ Action: ['sts:AssumeRole']
+ Path: /
+ Policies:
+ - PolicyName: service-autoscaling
+ PolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action: ['application-autoscaling:*', 'cloudwatch:DescribeAlarms', 'cloudwatch:PutMetricAlarm',
+ 'ecs:DescribeServices', 'ecs:UpdateService']
+ Resource: '*'
+ EC2InstanceProfile:
+ Type: AWS::IAM::InstanceProfile
+ Properties:
+ Path: /
+ Roles: [!Ref 'EC2Role']
+
+```
+```json title="Negative test num. 2 - json file"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Parameters": {
+ "VpcId": {
+ "Type": "AWS::EC2::VPC::Id",
+ "Description": "Select a VPC that allows instances access to the Internet."
+ }, + "SubnetId": { + "Description": "Select at two subnets in your selected VPC.", + "Type": "List\u003cAWS::EC2::Subnet::Id\u003e" + } + }, + "Resources": { + "EcsSecurityGroupHTTPinbound": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "CidrIp": "0.0.0.0/0", + "GroupId": "EcsSecurityGroup", + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80 + } + }, + "EcsSecurityGroupALBports": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": "EcsSecurityGroup", + "IpProtocol": "tcp", + "FromPort": 31000, + "ToPort": 61000, + "SourceSecurityGroupId": "EcsSecurityGroup" + } + }, + "CloudwatchLogsGroup": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "LogGroupName": [ + "-", + [ + "ECSLogGroup", + "AWS::StackName" + ] + ], + "RetentionInDays": 14 + } + }, + "ALBListener": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "DefaultActions": [ + { + "Type": "forward", + "TargetGroupArn": "ECSTG" + } + ], + "LoadBalancerArn": "ECSALB", + "Port": 80, + "Protocol": "HTTP" + } + }, + "ECSALBListenerRule": { + "Type": "AWS::ElasticLoadBalancingV2::ListenerRule", + "Properties": { + "Actions": [ + { + "TargetGroupArn": "ECSTG", + "Type": "forward" + } + ], + "Conditions": [ + { + "Field": "path-pattern", + "Values": [ + "/" + ] + } + ], + "ListenerArn": "ALBListener", + "Priority": 1 + } + }, + "ALB500sAlarmScaleUp": { + "Properties": { + "Dimensions": [ + { + "Name": "LoadBalancer", + "Value": [ + "ECSALB", + "LoadBalancerFullName" + ] + } + ], + "ComparisonOperator": "GreaterThanThreshold", + "MetricName": "HTTPCode_ELB_5XX_Count", + "Statistic": "Average", + "Threshold": 10, + "AlarmDescription": "Alarm if our ALB generates too many HTTP 500s.", + "Period": 60, + "EvaluationPeriods": 1, + "AlarmActions": [ + "ServiceScalingPolicy" + ], + "Namespace": "AWS/ApplicationELB" + }, + "Type": "AWS::CloudWatch::Alarm" + }, + "AutoscalingRole": { + "Type": "AWS::IAM::Role", + "Properties": { + 
"AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "application-autoscaling.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "service-autoscaling", + "PolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "application-autoscaling:*", + "cloudwatch:DescribeAlarms", + "cloudwatch:PutMetricAlarm", + "ecs:DescribeServices", + "ecs:UpdateService" + ], + "Resource": "*" + } + ] + } + } + ] + } + }, + "ECSCluster": { + "Type": "AWS::ECS::Cluster" + }, + "ECSServiceRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ecs.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "ecs-service", + "PolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:Describe*", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "elasticloadbalancing:RegisterTargets", + "ec2:Describe*", + "ec2:AuthorizeSecurityGroupIngress" + ], + "Resource": "*" + } + ] + } + } + ] + } + }, + "ServiceScalingPolicy": { + "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", + "Properties": { + "PolicyName": "AStepPolicy", + "PolicyType": "StepScaling", + "ScalingTargetId": "ServiceScalingTarget", + "StepScalingPolicyConfiguration": { + "Cooldown": 60, + "MetricAggregationType": "Average", + "StepAdjustments": [ + { + "MetricIntervalLowerBound": 0, + "ScalingAdjustment": 200 + } + ], + "AdjustmentType": "PercentChangeInCapacity" + } + } + }, + "EC2InstanceProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/", + "Roles": [ + "EC2Role" + ] + } + }, + "ECSAutoScalingGroup": { + "Type": 
"AWS::AutoScaling::AutoScalingGroup", + "Properties": { + "VPCZoneIdentifier": "SubnetId", + "LaunchConfigurationName": "ContainerInstances", + "MinSize": "1", + "MaxSize": 4, + "DesiredCapacity": 2 + }, + "CreationPolicy": { + "ResourceSignal": { + "Timeout": "PT15M" + } + }, + "UpdatePolicy": { + "AutoScalingReplacingUpdate": { + "WillReplace": true + } + } + }, + "ECSALB": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "Scheme": "internet-facing", + "LoadBalancerAttributes": [ + { + "Key": "idle_timeout.timeout_seconds", + "Value": "30" + } + ], + "Subnets": "SubnetId", + "SecurityGroups": [ + "EcsSecurityGroup" + ], + "Name": "ECSALB" + } + }, + "ECSTG": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "Name": "ECSTG", + "Protocol": "HTTP", + "HealthCheckPath": "/", + "HealthCheckTimeoutSeconds": 5, + "HealthyThresholdCount": 2, + "UnhealthyThresholdCount": 2, + "VpcId": "VpcId", + "HealthCheckIntervalSeconds": 10, + "HealthCheckProtocol": "HTTP", + "Port": 80 + } + }, + "EC2Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ec2.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/", + "Policies": [ + { + "PolicyName": "ecs-service", + "PolicyDocument": { + "Statement": [ + { + "Resource": "*", + "Effect": "Allow", + "Action": [ + "ecs:CreateCluster", + "ecs:DeregisterContainerInstance", + "ecs:DiscoverPollEndpoint", + "ecs:Poll", + "ecs:RegisterContainerInstance", + "ecs:StartTelemetrySession", + "ecs:Submit*", + "logs:CreateLogStream", + "logs:PutLogEvents" + ] + } + ] + } + } + ] + } + }, + "TaskDefinition": { + "Properties": { + "Volumes": [ + { + "Name": "my-vol" + } + ], + "Family": [ + "", + [ + "AWS::StackName", + "-ecs-demo-app" + ] + ], + "ContainerDefinitions": [ + { + "Image": "httpd:2.4", + "Memory": 300, + "LogConfiguration": { + "LogDriver": 
"awslogs", + "Options": { + "awslogs-group": "CloudwatchLogsGroup", + "awslogs-region": "AWS::Region", + "awslogs-stream-prefix": "ecs-demo-app" + } + }, + "MountPoints": [ + { + "ContainerPath": "/usr/local/apache2/htdocs", + "SourceVolume": "my-vol" + } + ], + "PortMappings": [ + { + "ContainerPort": 80 + } + ], + "Name": "simple-app", + "Cpu": 10, + "Essential": true + }, + { + "VolumesFrom": [ + { + "SourceContainer": "simple-app" + } + ], + "Cpu": 10, + "EntryPoint": [ + "sh", + "-c" + ], + "Essential": false, + "Image": "busybox", + "Memory": 200, + "LogConfiguration": { + "LogDriver": "awslogs", + "Options": { + "awslogs-stream-prefix": "ecs-demo-app", + "awslogs-group": "CloudwatchLogsGroup", + "awslogs-region": "AWS::Region" + } + }, + "Name": "busybox", + "Command": [ + "/bin/sh -c \"while true; do echo '\u003chtml\u003e \u003chead\u003e \u003ctitle\u003eAmazon ECS Sample App\u003c/title\u003e\u003c/head\u003e\u003cbody\u003e\u003c/body\u003e\u003c/html\u003e' \u003e bottom; cat top date bottom \u003e /usr/local/apache2/htdocs/index.html ; sleep 1; done\"" + ] + } + ] + }, + "Type": "AWS::ECS::TaskDefinition" + }, + "EcsSecurityGroupSSHinbound": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "ToPort": 22, + "CidrIp": "0.0.0.0/0", + "GroupId": "EcsSecurityGroup", + "IpProtocol": "tcp", + "FromPort": 22 + } + }, + "ContainerInstances": { + "Type": "AWS::AutoScaling::LaunchConfiguration", + "Properties": { + "ImageId": "ami-09bee01cc997a78a6", + "SecurityGroups": [ + "EcsSecurityGroup" + ], + "InstanceType": "t2.small", + "IamInstanceProfile": "EC2InstanceProfile", + "KeyName": "my-ssh-key", + "UserData": { + "Fn::Base64": "#!/bin/bash -xe\necho ECS_CLUSTER=${ECSCluster} \u003e\u003e /etc/ecs/ecs.config\nyum install -y aws-cfn-bootstrap\n/opt/aws/bin/cfn-signal -e $? 
--stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}\n"
+ }
+ }
+ },
+ "service": {
+ "Type": "AWS::ECS::Service",
+ "Properties": {
+ "Cluster": "ECSCluster",
+ "DesiredCount": 1,
+ "LoadBalancers": [
+ {
+ "ContainerPort": 80,
+ "TargetGroupArn": "ECSTG",
+ "ContainerName": "simple-app"
+ }
+ ],
+ "Role": "ECSServiceRole",
+ "TaskDefinition": "taskdefinition"
+ }
+ },
+ "ServiceScalingTarget": {
+ "Properties": {
+ "MinCapacity": 1,
+ "ResourceId": [
+ "",
+ [
+ "service/",
+ "ECSCluster",
+ "/",
+ [
+ "service",
+ "Name"
+ ]
+ ]
+ ],
+ "RoleARN": [
+ "AutoscalingRole",
+ "Arn"
+ ],
+ "ScalableDimension": "ecs:service:DesiredCount",
+ "ServiceNamespace": "ecs",
+ "MaxCapacity": 2
+ },
+ "Type": "AWS::ApplicationAutoScaling::ScalableTarget"
+ },
+ "EcsSecurityGroup": {
+ "Type": "AWS::EC2::SecurityGroup",
+ "Properties": {
+ "GroupDescription": "ECS Security Group",
+ "VpcId": "VpcId"
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/e4239438-e639-44aa-adb8-866e400e3ade.md b/docs/queries/cloudformation-queries/aws/e4239438-e639-44aa-adb8-866e400e3ade.md
new file mode 100644
index 00000000000..4b9f1b0fba7
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/e4239438-e639-44aa-adb8-866e400e3ade.md
@@ -0,0 +1,105 @@
+---
+title: IAM Policy On User
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e4239438-e639-44aa-adb8-866e400e3ade
+- **Query name:** IAM Policy On User
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_policy_on_user)
+
+### Description
+IAM policies should be applied to groups and not to users
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+#this is a problematic code where the query should report a result(s)
+Resources:
+ BadPolicy:
+ Type: AWS::IAM::Policy
+ Properties:
+ Description: Policy for something.
+ Path: "/"
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement: []
+ Users:
+ - Ref: TestUser
+```
+```json title="Postitive test num. 2 - json file" hl_lines="12"
+{
+ "Resources": {
+ "BadPolicy": {
+ "Type": "AWS::IAM::Policy",
+ "Properties": {
+ "Description": "Policy for something.",
+ "Path": "/",
+ "PolicyDocument": {
+ "Statement": [],
+ "Version": "2012-10-17"
+ },
+ "Users": [
+ {
+ "Ref": "TestUser"
+ }
+ ]
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+#this code is a correct code for which the query should not find any result
+Resources:
+ GoodPolicy:
+ Type: AWS::IAM::Policy
+ Properties:
+ Description: Policy for something.
+ Path: "/"
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement: []
+ Groups:
+ - user_group
+```
+```json title="Negative test num. 2 - json file"
+{
+ "Resources": {
+ "GoodPolicy": {
+ "Properties": {
+ "Description": "Policy for something.",
+ "Path": "/",
+ "PolicyDocument": {
+ "Version": "2012-10-17",
+ "Statement": []
+ },
+ "Groups": [
+ "user_group"
+ ]
+ },
+ "Type": "AWS::IAM::Policy"
+ }
+ }
+}
+
+```
diff --git a/docs/queries/cloudformation-queries/aws/e42a3ef0-5325-4667-84bf-075ba1c9d58e.md b/docs/queries/cloudformation-queries/aws/e42a3ef0-5325-4667-84bf-075ba1c9d58e.md
new file mode 100644
index 00000000000..0f65013e8aa
--- /dev/null
+++ b/docs/queries/cloudformation-queries/aws/e42a3ef0-5325-4667-84bf-075ba1c9d58e.md
@@ -0,0 +1,135 @@
+---
+title: EC2 Instance Using Default VPC
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e42a3ef0-5325-4667-84bf-075ba1c9d58e
+- **Query name:** EC2 Instance Using Default VPC
+- **Platform:** CloudFormation
+- **Severity:** Low
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_instance_using_default_vpc)
+
+### Description
+EC2 Instances should not be configured under a default VPC network
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-subnetid)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="7"
+Resources:
+ DefaultVPC:
+ Type: AWS::EC2::Instance
+ Properties:
+ ImageId: "ami-79fd7eee"
+ KeyName: "testkey"
+ SubnetId: !Ref PublicSubnetA2
+ PublicSubnetA2:
+ Type: AWS::EC2::Subnet
+ Properties:
+ VpcId: !Ref DefaultVPC
+ CidrBlock: 10.1.10.0/24
+ AvailabilityZone: !Select [ 0, !GetAZs ] # Obtenha o primeiro AZ na lista
+ Tags:
+ - Key: Name
+ Value: !Sub ${AWS::StackName}-Public-A
+
+```
+```json title="Postitive test num. 2 - json file" hl_lines="7"
+{
+ "Resources": {
+ "DefaultVPC": {
+ "Properties": {
+ "ImageId": "ami-79fd7eee",
+ "KeyName": "testkey",
+ "SubnetId": "PublicSubnetA2"
+ },
+ "Type": "AWS::EC2::Instance"
+ },
+ "PublicSubnetA2": {
+ "Properties": {
+ "AvailabilityZone": [
+ 0,
+ ""
+ ],
+ "CidrBlock": "10.1.10.0/24",
+ "Tags": [
+ {
+ "Key": "Name",
+ "Value": "${AWS::StackName}-Public-A"
+ }
+ ],
+ "VpcId": "DefaultVPC"
+ },
+ "Type": "AWS::EC2::Subnet"
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+Resources:
+ DefaultVPC:
+ Type: AWS::EC2::Instance
+ Properties:
+ ImageId: "ami-79fd7eee"
+ KeyName: "testkey"
+ SubnetId: !Ref PublicSubnetA22
+ PublicSubnetA22:
+ Type: AWS::EC2::Subnet
+ Properties:
+ VpcId: !Ref VPC
+ CidrBlock: 10.1.10.0/24
+ AvailabilityZone: !Select [ 0, !GetAZs ] # Obtenha o primeiro AZ na lista
+ Tags:
+ - Key: Name
+ Value: !Sub ${AWS::StackName}-Public-A
+
+```
+```json title="Negative test num.
2 - json file" +{ + "Resources": { + "DefaultVPC": { + "Properties": { + "ImageId": "ami-79fd7eee", + "KeyName": "testkey", + "SubnetId": "PublicSubnetA22" + }, + "Type": "AWS::EC2::Instance" + }, + "PublicSubnetA22": { + "Properties": { + "AvailabilityZone": [ + 0, + "" + ], + "CidrBlock": "10.1.10.0/24", + "Tags": [ + { + "Key": "Name", + "Value": "${AWS::StackName}-Public-A" + } + ], + "VpcId": "VPC" + }, + "Type": "AWS::EC2::Subnet" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/e4ee3903-9225-4b6a-bdfb-e62dbadef821.md b/docs/queries/cloudformation-queries/aws/e4ee3903-9225-4b6a-bdfb-e62dbadef821.md new file mode 100644 index 00000000000..b2aa2c09ca3 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/e4ee3903-9225-4b6a-bdfb-e62dbadef821.md @@ -0,0 +1,320 @@ +--- +title: ElastiCache With Disabled at Rest Encryption +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e4ee3903-9225-4b6a-bdfb-e62dbadef821 +- **Query name:** ElastiCache With Disabled at Rest Encryption +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elasticache_with_disabled_at_rest_encryption) + +### Description +Ensure AWS ElastiCache Redis clusters have encryption for data at rest enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticache-replicationgroup.html#cfn-elasticache-replicationgroup-atrestencryptionenabled)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="10"
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'State: ElastiCache redis, a cloudonaut.io template'
+Resources:
+ ReplicationGroup:
+ DeletionPolicy: Snapshot
+ UpdateReplacePolicy: Snapshot
+ Type: AWS::ElastiCache::ReplicationGroup
+ Properties:
+ ReplicationGroupDescription: !Ref 'AWS::StackName'
+ AtRestEncryptionEnabled: false
+ AuthToken: !If [HasAuthToken, !Ref AuthToken, !Ref 'AWS::NoValue']
+ AutomaticFailoverEnabled: !If [HasAutomaticFailoverEnabled, true, false]
+ CacheNodeType: !Ref CacheNodeType
+ CacheParameterGroupName: !Ref CacheParameterGroup
+ CacheSubnetGroupName: !Ref CacheSubnetGroupName
+ Engine: redis
+ EngineVersion: !Ref EngineVersion
+ KmsKeyId: !If [HasKmsKey, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue']
+ NotificationTopicArn: !If [HasAlertTopic, {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}, !Ref 'AWS::NoValue']
+ NumNodeGroups: !Ref NumShards
+ ReplicasPerNodeGroup: !Ref NumReplicas
+ PreferredMaintenanceWindow: 'sat:07:00-sat:08:00'
+ SecurityGroupIds:
+ - !Ref SecurityGroup
+ SnapshotName: !If [HasSnapshotName, !Ref SnapshotName, !Ref 'AWS::NoValue']
+ SnapshotRetentionLimit: !Ref SnapshotRetentionLimit
+ SnapshotWindow: '00:00-03:00'
+ TransitEncryptionEnabled: !Ref TransitEncryption
+
+```
+```yaml title="Postitive test num.
2 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: '2010-09-09' +Description: 'State: ElastiCache redis, a cloudonaut.io template' +Resources: + MyReplicationGroup: + DeletionPolicy: Snapshot + UpdateReplacePolicy: Snapshot + Type: AWS::ElastiCache::ReplicationGroup + Properties: + ReplicationGroupDescription: !Ref 'AWS::StackName' + AuthToken: !If [HasAuthToken, !Ref AuthToken, !Ref 'AWS::NoValue'] + AutomaticFailoverEnabled: !If [HasAutomaticFailoverEnabled, true, false] + CacheNodeType: !Ref CacheNodeType + CacheParameterGroupName: !Ref CacheParameterGroup + CacheSubnetGroupName: !Ref CacheSubnetGroupName + Engine: redis + EngineVersion: !Ref EngineVersion + KmsKeyId: !If [HasKmsKey, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue'] + NotificationTopicArn: !If [HasAlertTopic, {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}, !Ref 'AWS::NoValue'] + NumNodeGroups: !Ref NumShards + ReplicasPerNodeGroup: !Ref NumReplicas + PreferredMaintenanceWindow: 'sat:07:00-sat:08:00' + SecurityGroupIds: + - !Ref SecurityGroup + SnapshotName: !If [HasSnapshotName, !Ref SnapshotName, !Ref 'AWS::NoValue'] + SnapshotRetentionLimit: !Ref SnapshotRetentionLimit + SnapshotWindow: '00:00-03:00' + TransitEncryptionEnabled: !Ref TransitEncryption + UpdatePolicy: + UseOnlineResharding: true + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="19" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "State: ElastiCache redis, a cloudonaut.io template", + "Resources": { + "ReplicationGroup": { + "DeletionPolicy": "Snapshot", + "UpdateReplacePolicy": "Snapshot", + "Type": "AWS::ElastiCache::ReplicationGroup", + "Properties": { + "AutomaticFailoverEnabled": [ + "HasAutomaticFailoverEnabled", + true, + false + ], + "CacheNodeType": "CacheNodeType", + "CacheParameterGroupName": "CacheParameterGroup", + "CacheSubnetGroupName": "CacheSubnetGroupName", + "EngineVersion": "EngineVersion", + "AtRestEncryptionEnabled": false, + "KmsKeyId": [ + "HasKmsKey", + { + "Fn::ImportValue": "${ParentKmsKeyStack}-KeyId" + }, + "AWS::NoValue" + ], + "NotificationTopicArn": [ + "HasAlertTopic", + { + "Fn::ImportValue": "${ParentAlertStack}-TopicARN" + }, + "AWS::NoValue" + ], + "SnapshotRetentionLimit": "SnapshotRetentionLimit", + "TransitEncryptionEnabled": "TransitEncryption", + "ReplicationGroupDescription": "AWS::StackName", + "Engine": "redis", + "ReplicasPerNodeGroup": "NumReplicas", + "PreferredMaintenanceWindow": "sat:07:00-sat:08:00", + "SecurityGroupIds": [ + "SecurityGroup" + ], + "SnapshotName": [ + "HasSnapshotName", + "SnapshotName", + "AWS::NoValue" + ], + "AuthToken": [ + "HasAuthToken", + "AuthToken", + "AWS::NoValue" + ], + "NumNodeGroups": "NumShards", + "SnapshotWindow": "00:00-03:00" + } + } + } +} + +``` +
Postitive test num. 4 - json file
+
+```json hl_lines="7"
+{
+ "AWSTemplateFormatVersion": "2010-09-09",
+ "Description": "State: ElastiCache redis, a cloudonaut.io template",
+ "Resources": {
+ "MyReplicationGroup": {
+ "Type": "AWS::ElastiCache::ReplicationGroup",
+ "Properties": {
+ "ReplicationGroupDescription": "AWS::StackName",
+ "AutomaticFailoverEnabled": [
+ "HasAutomaticFailoverEnabled",
+ true,
+ false
+ ],
+ "EngineVersion": "EngineVersion",
+ "SecurityGroupIds": [
+ "SecurityGroup"
+ ],
+ "SnapshotName": [
+ "HasSnapshotName",
+ "SnapshotName",
+ "AWS::NoValue"
+ ],
+ "AuthToken": [
+ "HasAuthToken",
+ "AuthToken",
+ "AWS::NoValue"
+ ],
+ "CacheParameterGroupName": "CacheParameterGroup",
+ "CacheSubnetGroupName": "CacheSubnetGroupName",
+ "NumNodeGroups": "NumShards",
+ "PreferredMaintenanceWindow": "sat:07:00-sat:08:00",
+ "SnapshotRetentionLimit": "SnapshotRetentionLimit",
+ "CacheNodeType": "CacheNodeType",
+ "KmsKeyId": [
+ "HasKmsKey",
+ {
+ "Fn::ImportValue": "${ParentKmsKeyStack}-KeyId"
+ },
+ "AWS::NoValue"
+ ],
+ "NotificationTopicArn": [
+ "HasAlertTopic",
+ {
+ "Fn::ImportValue": "${ParentAlertStack}-TopicARN"
+ },
+ "AWS::NoValue"
+ ],
+ "ReplicasPerNodeGroup": "NumReplicas",
+ "Engine": "redis",
+ "SnapshotWindow": "00:00-03:00",
+ "TransitEncryptionEnabled": "TransitEncryption"
+ },
+ "UpdatePolicy": {
+ "UseOnlineResharding": true
+ },
+ "DeletionPolicy": "Snapshot",
+ "UpdateReplacePolicy": "Snapshot"
+ }
+ }
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'State: ElastiCache redis, a cloudonaut.io template'
+Resources:
+ ReplicationGroup:
+ DeletionPolicy: Snapshot
+ UpdateReplacePolicy: Snapshot
+ Type: AWS::ElastiCache::ReplicationGroup
+ Properties:
+ ReplicationGroupDescription: !Ref 'AWS::StackName'
+ AtRestEncryptionEnabled: true
+ AuthToken: !If [HasAuthToken, !Ref AuthToken, !Ref 'AWS::NoValue']
+ AutomaticFailoverEnabled: !If [HasAutomaticFailoverEnabled, true, false]
+ CacheNodeType: !Ref CacheNodeType
+ CacheParameterGroupName: !Ref CacheParameterGroup
+ CacheSubnetGroupName: !Ref CacheSubnetGroupName
+ Engine: redis
+ EngineVersion: !Ref EngineVersion
+ KmsKeyId: !If [HasKmsKey, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue']
+ NotificationTopicArn: !If [HasAlertTopic, {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}, !Ref 'AWS::NoValue']
+ NumNodeGroups: !Ref NumShards
+ ReplicasPerNodeGroup: !Ref NumReplicas
+ PreferredMaintenanceWindow: 'sat:07:00-sat:08:00'
+ SecurityGroupIds:
+ - !Ref SecurityGroup
+ SnapshotName: !If [HasSnapshotName, !Ref SnapshotName, !Ref 'AWS::NoValue']
+ SnapshotRetentionLimit: !Ref SnapshotRetentionLimit
+ SnapshotWindow: '00:00-03:00'
+ TransitEncryptionEnabled: !Ref TransitEncryption
+ UpdatePolicy:
+ UseOnlineResharding: true
+
+```
+```json title="Negative test num.
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "State: ElastiCache redis, a cloudonaut.io template", + "Resources": { + "ReplicationGroup": { + "Properties": { + "CacheParameterGroupName": "CacheParameterGroup", + "EngineVersion": "EngineVersion", + "KmsKeyId": [ + "HasKmsKey", + { + "Fn::ImportValue": "${ParentKmsKeyStack}-KeyId" + }, + "AWS::NoValue" + ], + "ReplicasPerNodeGroup": "NumReplicas", + "AuthToken": [ + "HasAuthToken", + "AuthToken", + "AWS::NoValue" + ], + "CacheNodeType": "CacheNodeType", + "CacheSubnetGroupName": "CacheSubnetGroupName", + "NotificationTopicArn": [ + "HasAlertTopic", + { + "Fn::ImportValue": "${ParentAlertStack}-TopicARN" + }, + "AWS::NoValue" + ], + "SnapshotWindow": "00:00-03:00", + "AutomaticFailoverEnabled": [ + "HasAutomaticFailoverEnabled", + true, + false + ], + "Engine": "redis", + "NumNodeGroups": "NumShards", + "SnapshotRetentionLimit": "SnapshotRetentionLimit", + "ReplicationGroupDescription": "AWS::StackName", + "PreferredMaintenanceWindow": "sat:07:00-sat:08:00", + "SecurityGroupIds": [ + "SecurityGroup" + ], + "SnapshotName": [ + "HasSnapshotName", + "SnapshotName", + "AWS::NoValue" + ], + "TransitEncryptionEnabled": "TransitEncryption", + "AtRestEncryptionEnabled": true + }, + "UpdatePolicy": { + "UseOnlineResharding": true + }, + "DeletionPolicy": "Snapshot", + "UpdateReplacePolicy": "Snapshot", + "Type": "AWS::ElastiCache::ReplicationGroup" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/e4f54ff4-d352-40e8-a096-5141073c37a2.md b/docs/queries/cloudformation-queries/aws/e4f54ff4-d352-40e8-a096-5141073c37a2.md new file mode 100644 index 00000000000..6fa2ec42019 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/e4f54ff4-d352-40e8-a096-5141073c37a2.md 
@@ -0,0 +1,128 @@ +--- +title: CDN Configuration Is Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e4f54ff4-d352-40e8-a096-5141073c37a2 +- **Query name:** CDN Configuration Is Missing +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cdn_configuration_is_missing) + +### Description +Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6 7" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: 'AWS::CloudFront::Distribution' + Properties: + DistributionConfig: + Enabled: 'false' + Comment: Somecomment + DefaultRootObject: index.html + Logging: + IncludeCookies: 'true' + Bucket: mylogs.s3.amazonaws.com + Prefix: myprefix + +``` +```json title="Postitive test num. 2 - json file" hl_lines="15 7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Comment": "Somecomment", + "DefaultRootObject": "index.html", + "Logging": { + "IncludeCookies": "true", + "Bucket": "mylogs.s3.amazonaws.com", + "Prefix": "myprefix" + }, + "Enabled": "false" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: 'AWS::CloudFront::Distribution' + Properties: + DistributionConfig: + Origins: + - DomainName: www.example.com + Id: myCustomOrigin + CustomOriginConfig: + HTTPPort: '80' + HTTPSPort: '443' + OriginProtocolPolicy: http-only + Enabled: 'true' + Comment: Somecomment + DefaultRootObject: index.html + Logging: + IncludeCookies: 'true' + Bucket: mylogs.s3.amazonaws.com + Prefix: myprefix +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Enabled": "true", + "Comment": "Somecomment", + "DefaultRootObject": "index.html", + "Logging": { + "IncludeCookies": "true", + "Bucket": "mylogs.s3.amazonaws.com", + "Prefix": "myprefix" + }, + "Origins": [ + { + "DomainName": "www.example.com", + "Id": "myCustomOrigin", + "CustomOriginConfig": { + "OriginProtocolPolicy": "http-only", + "HTTPPort": "80", + "HTTPSPort": "443" + } + } + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/e519ed6a-8328-4b69-8eb7-8fa549ac3050.md b/docs/queries/cloudformation-queries/aws/e519ed6a-8328-4b69-8eb7-8fa549ac3050.md new file mode 100644 index 00000000000..507ce7290bf --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/e519ed6a-8328-4b69-8eb7-8fa549ac3050.md @@ -0,0 +1,358 @@ +--- +title: MQ Broker Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e519ed6a-8328-4b69-8eb7-8fa549ac3050 +- **Query name:** MQ Broker Logging Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/mq_broker_logging_disabled) + +### Description +Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-amazonmq-broker.html#cfn-amazonmq-broker-logs) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="42 84 22 88 63" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create a basic ActiveMQ broker" +Resources: + BasicBroker3: + Type: "AWS::AmazonMQ::Broker" + Properties: + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: false + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + Logs: + General: true + BasicBroker4: + Type: "AWS::AmazonMQ::Broker" + Properties: + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: false + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + Logs: + Audit: true + BasicBroker5: + Type: "AWS::AmazonMQ::Broker" + Properties: + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: false + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + Logs: + General: false + Audit: true + BasicBroker6: + Type: "AWS::AmazonMQ::Broker" + Properties: + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: false + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + Logs: + Audit: false + General: true + BasicBroker7: + Type: 
"AWS::AmazonMQ::Broker" + Properties: + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: false + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + +``` +```json title="Postitive test num. 2 - json file" hl_lines="115 85 56 121 28" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create a basic ActiveMQ broker", + "Resources": { + "BasicBroker8": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "PubliclyAccessible": false, + "Logs": { + "General": true + } + } + }, + "BasicBroker9": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "PubliclyAccessible": false, + "Logs": { + "Audit": true + } + } + }, + "BasicBroker10": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "PubliclyAccessible": false, + "Logs": { + "General": false, 
+ "Audit": true + } + } + }, + "BasicBroker11": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "PubliclyAccessible": false, + "Logs": { + "General": true, + "Audit": false + } + } + }, + "BasicBroker12": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "PubliclyAccessible": false + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create a basic ActiveMQ broker" +Resources: + BasicBroker: + Type: "AWS::AmazonMQ::Broker" + Properties: + AutoMinorVersionUpgrade: "false" + BrokerName: MyBasicBroker + DeploymentMode: SINGLE_INSTANCE + EncryptionOptions: + UseAwsOwnedKey: true + EngineType: ActiveMQ + EngineVersion: "5.15.0" + HostInstanceType: mq.t2.micro + PubliclyAccessible: false + Users: + - + ConsoleAccess: "true" + Groups: + - MyGroup + Password: + Ref: "BrokerPassword" + Username: + Ref: "BrokerUsername" + Logs: + General: true + Audit: true + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Create a basic ActiveMQ broker", + "Resources": { + "BasicBroker2": { + "Type": "AWS::AmazonMQ::Broker", + "Properties": { + "BrokerName": "MyBasicBroker", + "DeploymentMode": "SINGLE_INSTANCE", + "EncryptionOptions": { + "UseAwsOwnedKey": true + }, + "EngineType": "ActiveMQ", + "EngineVersion": "5.15.0", + "HostInstanceType": "mq.t2.micro", + "Users": [ + { + "ConsoleAccess": "true", + "Groups": [ + "MyGroup" + ], + "Password": { + "Ref": "BrokerPassword" + }, + "Username": { + "Ref": "BrokerUsername" + } + } + ], + "AutoMinorVersionUpgrade": "false", + "Logs": { + "General": true, + "Audit": true + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/e52395b4-250b-4c60-81d5-2e58c1d37abc.md b/docs/queries/cloudformation-queries/aws/e52395b4-250b-4c60-81d5-2e58c1d37abc.md new file mode 100644 index 00000000000..b7cd52dde2f --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/e52395b4-250b-4c60-81d5-2e58c1d37abc.md @@ -0,0 +1,350 @@ +--- +title: Default KMS Key Usage +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e52395b4-250b-4c60-81d5-2e58c1d37abc +- **Query name:** Default KMS Key Usage +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/default_kms_key_usage) + +### Description +When `StorageEncrypted` is set to true, `KmsKeyId` should be defined, to avoid the use of the default KMS Key
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24" +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + AWS CloudFormation Sample Template +Parameters: + DBUsername: + NoEcho: 'true' + Description: Username for MySQL database access + Type: String + MinLength: '1' + MaxLength: '16' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: 'true' + Description: Password MySQL database access + Type: String + MinLength: '8' + MaxLength: '41' + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: must contain only alphanumeric characters. +Resources: + RDSCluster1: + Type: 'AWS::RDS::DBCluster' + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + StorageEncrypted: true + +``` +```json title="Postitive test num. 2 - json file" hl_lines="25" +{ + "Parameters": { + "DBUsername": { + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String", + "MinLength": "1", + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters." 
+ }, + "DBPassword": { + "Type": "String", + "MinLength": "8", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Password MySQL database access" + } + }, + "Resources": { + "RDSCluster1": { + "Type": "AWS::RDS::DBCluster", + "Properties": { + "DBClusterIdentifier": "my-serverless-cluster", + "Engine": "aurora", + "EngineVersion": "5.6.10a", + "EngineMode": "serverless", + "ScalingConfiguration": { + "AutoPause": true, + "MinCapacity": 4, + "MaxCapacity": 32, + "SecondsUntilAutoPause": 1000 + }, + "StorageEncrypted": true, + "MasterUsername": "DBUsername", + "MasterUserPassword": "DBPassword" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "AWS CloudFormation Sample Template" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + KmsKeyId: !Ref MyKey + StorageEncrypted: true + + +``` +```yaml title="Negative test num. 
2 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + AWS CloudFormation Sample Template +Parameters: + DBUsername: + NoEcho: 'true' + Description: Username for MySQL database access + Type: String + MinLength: '1' + MaxLength: '16' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: 'true' + Description: Password MySQL database access + Type: String + MinLength: '8' + MaxLength: '41' + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: must contain only alphanumeric characters. +Resources: + MyKey-0: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + RDSCluster: + Type: 'AWS::RDS::DBCluster' + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + KmsKeyId: !Ref MyKey-0 + StorageEncrypted: true + +``` +```json title="Negative test num. 
3 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow" + } + ] + } + } + }, + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceRegion": "SourceRegion", + "KmsKeyId": "MyKey", + "StorageEncrypted": true, + "DBInstanceClass": "DBInstanceType", + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier" + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "AWS CloudFormation Sample Template", + "Parameters": { + "DBUsername": { + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String", + "MinLength": "1" + }, + "DBPassword": { + "Type": "String", + "MinLength": "8", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Password MySQL database access" + } + }, + "Resources": { + "MyKey-0": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*" + } + ] + } + } + }, + "RDSCluster": { + "Type": "AWS::RDS::DBCluster", + "Properties": { + "StorageEncrypted": true, + "MasterUsername": "DBUsername", + "DBClusterIdentifier": "my-serverless-cluster", + "ScalingConfiguration": { + "MinCapacity": 4, + "MaxCapacity": 32, + "SecondsUntilAutoPause": 1000, + "AutoPause": true + }, + "EngineMode": "serverless", + "KmsKeyId": "MyKey-0", + "MasterUserPassword": "DBPassword", + "Engine": "aurora", + "EngineVersion": "5.6.10a" + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/e649a218-d099-4550-86a4-1231e1fcb60d.md b/docs/queries/cloudformation-queries/aws/e649a218-d099-4550-86a4-1231e1fcb60d.md new file mode 100644 index 00000000000..c5858505fa0 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/e649a218-d099-4550-86a4-1231e1fcb60d.md @@ -0,0 +1,1215 @@ +--- +title: Low RDS Backup Retention Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e649a218-d099-4550-86a4-1231e1fcb60d +- **Query name:** Low RDS Backup Retention Period +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/low_rds_backup_retention_period) + +### Description +AWS RDS backup retention policy should be at least 7 days
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbcluster.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="52" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Parameters: + PMDatabaseEngine: + Type: String + Default: "MySQL" + Description: "Database engine, Aurora, MySQL or PostgreSQL" + PMRDSSG: + Description: "Select the Security Group to use for the ELB" + Type: "AWS::EC2::SecurityGroup::Id" + PMDatabaseEngineVer: + Type: String + Description: "Database engine ver" + PMDatabaseUsername: + NoEcho: 'true' + Type: String + Description: "Database admin account name" + PMDatabasePassword: + NoEcho: 'true' + Type: String + Description: "Database admin account password" + PMDBClusterParameterGroupName: + Description: "Db Parameter Groupname" + Type: String + PMDatabaseInstanceClass: + Type: String + Default: "db.t2.micro" + Description: "Database instance class" + PMPrivateSubnets: + Description: "Subnets to launch instances into" + Type: "List" + PMServerEnv: + Description: "Server Environment name." + ConstraintDescription: "Choose an Environment from the drop down" + Type: String + PMDBClusterIdentifier: + Description: "Db Cluster Name." 
+ Type: String + +Resources: + DatabaseCluster: + Type: "AWS::RDS::DBCluster" + Properties: + VpcSecurityGroupIds: + - Ref: "PMRDSSG" + Engine: !Ref "PMDatabaseEngine" + EngineVersion: !Ref "PMDatabaseEngineVer" + MasterUsername: !Ref "PMDatabaseUsername" + MasterUserPassword: !Ref "PMDatabasePassword" + DBClusterParameterGroupName: !Ref "RDSDBClusterParameterGroup" + StorageEncrypted: true + BackupRetentionPeriod: 3 + PreferredBackupWindow: '12:00-13:00' + PreferredMaintenanceWindow: 'mon:13:00-mon:14:00' + + Database1: + Type: "AWS::RDS::DBInstance" + Properties: + Engine: !Ref "PMDatabaseEngine" + DBClusterIdentifier: !Ref "DatabaseCluster" + DBInstanceClass: !Ref "PMDatabaseInstanceClass" + DBSubnetGroupName: !Ref "DbSubnetGroup" + DBInstanceIdentifier: !Sub "${PMDBClusterIdentifier}-db1" + + Database2: + Type: "AWS::RDS::DBInstance" + Properties: + Engine: !Ref "PMDatabaseEngine" + DBClusterIdentifier: !Ref "DatabaseCluster" + DBInstanceClass: !Ref "PMDatabaseInstanceClass" + DBSubnetGroupName: !Ref "DbSubnetGroup" + DBInstanceIdentifier: !Sub "${PMDBClusterIdentifier}-db2" + + DbSubnetGroup: + Type: "AWS::RDS::DBSubnetGroup" + Properties: + DBSubnetGroupDescription: !Sub "${PMServerEnv} RDS DB subnet group" + SubnetIds: + Ref: "PMPrivateSubnets" + + RDSDBClusterParameterGroup: + Type: "AWS::RDS::DBClusterParameterGroup" + Properties: + Description: "CloudFormation Sample Aurora Cluster Parameter Group" + Family: !Ref "PMDBClusterParameterGroupName" + Parameters: + time_zone: "UTC" + collation_connection: "utf8_general_ci" + character_set_database: "utf8" + +Outputs: + RdsDbId: + Description: "RDS Database Cluster ID" + Value: !Ref "DatabaseCluster" + RdsEndpointAdd: + Description: "RDS Database Endpoint" + Value: !GetAtt "DatabaseCluster.Endpoint.Address" + RdsReadEndpointAdd: + Description: "RDS Read Database Endpoint" + Value: !GetAtt "DatabaseCluster.ReadEndpoint.Address" + RdsEndpointPort: + Description: "RDS Database Port" + Value: !GetAtt 
"DatabaseCluster.Endpoint.Port" + DbUser: + Description: "RDS Database admin account user" + Value: !Ref "PMDatabaseUsername" + DbPassword: + Description: "RDS Database admin account password" + Value: !Ref "PMDatabasePassword" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="35" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + KmsKeyId: !Ref MyKey + BackupRetentionPeriod: 6 +Outputs: + InstanceId: + Description: InstanceId of the newly created RDS Instance + Value: !Ref MyDBSmall + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="22" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + DBUser: + NoEcho: true + Description: The database admin account username + Type: String + MinLength: 1 + MaxLength: 16 + AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: true + Description: The database admin account password + Type: String + MinLength: 1 + MaxLength: 41 + AllowedPattern: "[a-zA-Z0-9]*" + ConstraintDescription: must contain only alphanumeric characters. 
+Resources: + MyDB: + Type: "AWS::RDS::DBInstance" + Properties: + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: MySQL + EngineVersion: '5.5' + MasterUsername: !Ref DBUser + MasterUserPassword: !Ref DBPassword + DBParameterGroupName: !Ref MyRDSParamGroup + MyRDSParamGroup: + Type: "AWS::RDS::DBParameterGroup" + Properties: + Family: MySQL5.5 + Description: CloudFormation Sample Database Parameter Group + Parameters: + autocommit: '1' + general_log: '1' + old_passwords: '0' + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="43" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Parameters: + PMDatabaseEngine: + Type: String + Default: "MySQL" + Description: "Database engine, Aurora, MySQL or PostgreSQL" + PMRDSSG: + Description: "Select the Security Group to use for the ELB" + Type: "AWS::EC2::SecurityGroup::Id" + PMDatabaseEngineVer: + Type: String + Description: "Database engine ver" + PMDatabaseUsername: + NoEcho: 'true' + Type: String + Description: "Database admin account name" + PMDatabasePassword: + NoEcho: 'true' + Type: String + Description: "Database admin account password" + PMDBClusterParameterGroupName: + Description: "Db Parameter Groupname" + Type: String + PMDatabaseInstanceClass: + Type: String + Default: "db.t2.micro" + Description: "Database instance class" + PMPrivateSubnets: + Description: "Subnets to launch instances into" + Type: "List" + PMServerEnv: + Description: "Server Environment name." + ConstraintDescription: "Choose an Environment from the drop down" + Type: String + PMDBClusterIdentifier: + Description: "Db Cluster Name." 
+ Type: String + +Resources: + BadDatabaseCluster: + Type: "AWS::RDS::DBCluster" + Properties: + VpcSecurityGroupIds: + - Ref: "PMRDSSG" + Engine: !Ref "PMDatabaseEngine" + EngineVersion: !Ref "PMDatabaseEngineVer" + MasterUsername: !Ref "PMDatabaseUsername" + MasterUserPassword: !Ref "PMDatabasePassword" + DBClusterParameterGroupName: !Ref "RDSDBClusterParameterGroup" + StorageEncrypted: true + PreferredBackupWindow: '12:00-13:00' + PreferredMaintenanceWindow: 'mon:13:00-mon:14:00' + + Database1: + Type: "AWS::RDS::DBInstance" + Properties: + Engine: !Ref "PMDatabaseEngine" + DBClusterIdentifier: !Ref "DatabaseCluster" + DBInstanceClass: !Ref "PMDatabaseInstanceClass" + DBSubnetGroupName: !Ref "DbSubnetGroup" + DBInstanceIdentifier: !Sub "${PMDBClusterIdentifier}-db1" + + Database2: + Type: "AWS::RDS::DBInstance" + Properties: + Engine: !Ref "PMDatabaseEngine" + DBClusterIdentifier: !Ref "DatabaseCluster" + DBInstanceClass: !Ref "PMDatabaseInstanceClass" + DBSubnetGroupName: !Ref "DbSubnetGroup" + DBInstanceIdentifier: !Sub "${PMDBClusterIdentifier}-db2" + + DbSubnetGroup: + Type: "AWS::RDS::DBSubnetGroup" + Properties: + DBSubnetGroupDescription: !Sub "${PMServerEnv} RDS DB subnet group" + SubnetIds: + Ref: "PMPrivateSubnets" + + RDSDBClusterParameterGroup: + Type: "AWS::RDS::DBClusterParameterGroup" + Properties: + Description: "CloudFormation Sample Aurora Cluster Parameter Group" + Family: !Ref "PMDBClusterParameterGroupName" + Parameters: + time_zone: "UTC" + collation_connection: "utf8_general_ci" + character_set_database: "utf8" + +Outputs: + RdsDbId: + Description: "RDS Database Cluster ID" + Value: !Ref "DatabaseCluster" + RdsEndpointAdd: + Description: "RDS Database Endpoint" + Value: !GetAtt "DatabaseCluster.Endpoint.Address" + RdsReadEndpointAdd: + Description: "RDS Read Database Endpoint" + Value: !GetAtt "DatabaseCluster.ReadEndpoint.Address" + RdsEndpointPort: + Description: "RDS Database Port" + Value: !GetAtt "DatabaseCluster.Endpoint.Port" + 
DbUser: + Description: "RDS Database admin account user" + Value: !Ref "PMDatabaseUsername" + DbPassword: + Description: "RDS Database admin account password" + Value: !Ref "PMDatabasePassword" + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="113" +{ + "Outputs": { + "RdsDbId": { + "Description": "RDS Database Cluster ID", + "Value": "DatabaseCluster" + }, + "RdsEndpointAdd": { + "Description": "RDS Database Endpoint", + "Value": "DatabaseCluster.Endpoint.Address" + }, + "RdsReadEndpointAdd": { + "Description": "RDS Read Database Endpoint", + "Value": "DatabaseCluster.ReadEndpoint.Address" + }, + "RdsEndpointPort": { + "Description": "RDS Database Port", + "Value": "DatabaseCluster.Endpoint.Port" + }, + "DbUser": { + "Description": "RDS Database admin account user", + "Value": "PMDatabaseUsername" + }, + "DbPassword": { + "Description": "RDS Database admin account password", + "Value": "PMDatabasePassword" + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster", + "Parameters": { + "PMRDSSG": { + "Description": "Select the Security Group to use for the ELB", + "Type": "AWS::EC2::SecurityGroup::Id" + }, + "PMPrivateSubnets": { + "Description": "Subnets to launch instances into", + "Type": "List\u003cAWS::EC2::Subnet::Id\u003e" + }, + "PMServerEnv": { + "Description": "Server Environment name.", + "ConstraintDescription": "Choose an Environment from the drop down", + "Type": "String" + }, + "PMDBClusterIdentifier": { + "Type": "String", + "Description": "Db Cluster Name." 
+ }, + "PMDBClusterParameterGroupName": { + "Description": "Db Parameter Groupname", + "Type": "String" + }, + "PMDatabaseInstanceClass": { + "Type": "String", + "Default": "db.t2.micro", + "Description": "Database instance class" + }, + "PMDatabaseEngine": { + "Type": "String", + "Default": "MySQL", + "Description": "Database engine, Aurora, MySQL or PostgreSQL" + }, + "PMDatabaseEngineVer": { + "Type": "String", + "Description": "Database engine ver" + }, + "PMDatabaseUsername": { + "NoEcho": "true", + "Type": "String", + "Description": "Database admin account name" + }, + "PMDatabasePassword": { + "Description": "Database admin account password", + "NoEcho": "true", + "Type": "String" + } + }, + "Resources": { + "Database2": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "Engine": "PMDatabaseEngine", + "DBClusterIdentifier": "DatabaseCluster", + "DBInstanceClass": "PMDatabaseInstanceClass", + "DBSubnetGroupName": "DbSubnetGroup", + "DBInstanceIdentifier": "${PMDBClusterIdentifier}-db2" + } + }, + "DbSubnetGroup": { + "Type": "AWS::RDS::DBSubnetGroup", + "Properties": { + "DBSubnetGroupDescription": "${PMServerEnv} RDS DB subnet group", + "SubnetIds": { + "Ref": "PMPrivateSubnets" + } + } + }, + "RDSDBClusterParameterGroup": { + "Properties": { + "Description": "CloudFormation Sample Aurora Cluster Parameter Group", + "Family": "PMDBClusterParameterGroupName", + "Parameters": { + "time_zone": "UTC", + "collation_connection": "utf8_general_ci", + "character_set_database": "utf8" + } + }, + "Type": "AWS::RDS::DBClusterParameterGroup" + }, + "DatabaseCluster": { + "Type": "AWS::RDS::DBCluster", + "Properties": { + "StorageEncrypted": true, + "BackupRetentionPeriod": 3, + "MasterUsername": "PMDatabaseUsername", + "MasterUserPassword": "PMDatabasePassword", + "DBClusterParameterGroupName": "RDSDBClusterParameterGroup", + "PreferredBackupWindow": "12:00-13:00", + "PreferredMaintenanceWindow": "mon:13:00-mon:14:00", + "VpcSecurityGroupIds": [ + { + "Ref": 
"PMRDSSG" + } + ], + "Engine": "PMDatabaseEngine", + "EngineVersion": "PMDatabaseEngineVer" + } + }, + "Database1": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBInstanceIdentifier": "${PMDBClusterIdentifier}-db1", + "Engine": "PMDatabaseEngine", + "DBClusterIdentifier": "DatabaseCluster", + "DBInstanceClass": "PMDatabaseInstanceClass", + "DBSubnetGroupName": "DbSubnetGroup" + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="55" +{ + "Outputs": { + "InstanceId": { + "Description": "InstanceId of the newly created RDS Instance", + "Value": "MyDBSmall" + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + } + } + ] + } + } + }, + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier", + "SourceRegion": "SourceRegion", + "KmsKeyId": "MyKey", + "BackupRetentionPeriod": 6, + "DBInstanceClass": "DBInstanceType" + } + } + } +} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="26" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "DBUser": { + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.", + "NoEcho": true, + "Description": "The database admin account username", + "Type": "String", + "MinLength": 1, + "MaxLength": 16 + }, + "DBPassword": { + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters.", + "NoEcho": true, + "Description": "The database admin account password", + "Type": "String", + "MinLength": 1, + "MaxLength": 41 + } + }, + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "AllocatedStorage": "5", + "DBInstanceClass": "db.t2.small", + "Engine": "MySQL", + "EngineVersion": "5.5", + "MasterUsername": "DBUser", + "MasterUserPassword": "DBPassword", + "DBParameterGroupName": "MyRDSParamGroup" + } + }, + "MyRDSParamGroup": { + "Type": "AWS::RDS::DBParameterGroup", + "Properties": { + "Family": "MySQL5.5", + "Description": "CloudFormation Sample Database Parameter Group", + "Parameters": { + "general_log": "1", + "old_passwords": "0", + "autocommit": "1" + } + } + } + } +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="54" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster", + "Parameters": { + "PMDatabaseEngineVer": { + "Type": "String", + "Description": "Database engine ver" + }, + "PMDatabaseUsername": { + "NoEcho": "true", + "Type": "String", + "Description": "Database admin account name" + }, + "PMDatabasePassword": { + "Type": "String", + "Description": "Database admin account password", + "NoEcho": "true" + }, + "PMDBClusterParameterGroupName": { + "Description": "Db Parameter Groupname", + "Type": "String" + }, + "PMDBClusterIdentifier": { + "Description": "Db Cluster Name.", + "Type": "String" + }, + "PMDatabaseEngine": { + "Type": "String", + "Default": "MySQL", + "Description": "Database engine, Aurora, MySQL or PostgreSQL" + }, + "PMRDSSG": { + "Description": "Select the Security Group to use for the ELB", + "Type": "AWS::EC2::SecurityGroup::Id" + }, + "PMDatabaseInstanceClass": { + "Type": "String", + "Default": "db.t2.micro", + "Description": "Database instance class" + }, + "PMPrivateSubnets": { + "Description": "Subnets to launch instances into", + "Type": "List\u003cAWS::EC2::Subnet::Id\u003e" + }, + "PMServerEnv": { + "ConstraintDescription": "Choose an Environment from the drop down", + "Type": "String", + "Description": "Server Environment name." 
+ } + }, + "Resources": { + "BadDatabaseCluster": { + "Type": "AWS::RDS::DBCluster", + "Properties": { + "PreferredMaintenanceWindow": "mon:13:00-mon:14:00", + "VpcSecurityGroupIds": [ + { + "Ref": "PMRDSSG" + } + ], + "EngineVersion": "PMDatabaseEngineVer", + "MasterUsername": "PMDatabaseUsername", + "StorageEncrypted": true, + "Engine": "PMDatabaseEngine", + "MasterUserPassword": "PMDatabasePassword", + "DBClusterParameterGroupName": "RDSDBClusterParameterGroup", + "PreferredBackupWindow": "12:00-13:00" + } + }, + "Database1": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "Engine": "PMDatabaseEngine", + "DBClusterIdentifier": "DatabaseCluster", + "DBInstanceClass": "PMDatabaseInstanceClass", + "DBSubnetGroupName": "DbSubnetGroup", + "DBInstanceIdentifier": "${PMDBClusterIdentifier}-db1" + } + }, + "Database2": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "Engine": "PMDatabaseEngine", + "DBClusterIdentifier": "DatabaseCluster", + "DBInstanceClass": "PMDatabaseInstanceClass", + "DBSubnetGroupName": "DbSubnetGroup", + "DBInstanceIdentifier": "${PMDBClusterIdentifier}-db2" + } + }, + "DbSubnetGroup": { + "Type": "AWS::RDS::DBSubnetGroup", + "Properties": { + "DBSubnetGroupDescription": "${PMServerEnv} RDS DB subnet group", + "SubnetIds": { + "Ref": "PMPrivateSubnets" + } + } + }, + "RDSDBClusterParameterGroup": { + "Type": "AWS::RDS::DBClusterParameterGroup", + "Properties": { + "Description": "CloudFormation Sample Aurora Cluster Parameter Group", + "Family": "PMDBClusterParameterGroupName", + "Parameters": { + "collation_connection": "utf8_general_ci", + "character_set_database": "utf8", + "time_zone": "UTC" + } + } + } + }, + "Outputs": { + "RdsReadEndpointAdd": { + "Value": "DatabaseCluster.ReadEndpoint.Address", + "Description": "RDS Read Database Endpoint" + }, + "RdsEndpointPort": { + "Description": "RDS Database Port", + "Value": "DatabaseCluster.Endpoint.Port" + }, + "DbUser": { + "Value": "PMDatabaseUsername", + "Description": "RDS 
Database admin account user" + }, + "DbPassword": { + "Description": "RDS Database admin account password", + "Value": "PMDatabasePassword" + }, + "RdsDbId": { + "Description": "RDS Database Cluster ID", + "Value": "DatabaseCluster" + }, + "RdsEndpointAdd": { + "Description": "RDS Database Endpoint", + "Value": "DatabaseCluster.Endpoint.Address" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: Creates RDS Cluster +Parameters: + PMDatabaseEngine: + Type: String + Default: "MySQL" + Description: "Database engine, Aurora, MySQL or PostgreSQL" + PMRDSSG: + Description: "Select the Security Group to use for the ELB" + Type: "AWS::EC2::SecurityGroup::Id" + PMDatabaseEngineVer: + Type: String + Description: "Database engine ver" + PMDatabaseUsername: + NoEcho: 'true' + Type: String + Description: "Database admin account name" + PMDatabasePassword: + NoEcho: 'true' + Type: String + Description: "Database admin account password" + PMDBClusterParameterGroupName: + Description: "Db Parameter Groupname" + Type: String + PMDatabaseInstanceClass: + Type: String + Default: "db.t2.micro" + Description: "Database instance class" + PMPrivateSubnets: + Description: "Subnets to launch instances into" + Type: "List" + PMServerEnv: + Description: "Server Environment name." + ConstraintDescription: "Choose an Environment from the drop down" + Type: String + PMDBClusterIdentifier: + Description: "Db Cluster Name." 
+ Type: String + +Resources: + DatabaseCluster: + Type: "AWS::RDS::DBCluster" + Properties: + VpcSecurityGroupIds: + - Ref: "PMRDSSG" + Engine: !Ref "PMDatabaseEngine" + EngineVersion: !Ref "PMDatabaseEngineVer" + MasterUsername: !Ref "PMDatabaseUsername" + MasterUserPassword: !Ref "PMDatabasePassword" + DBClusterParameterGroupName: !Ref "RDSDBClusterParameterGroup" + StorageEncrypted: true + BackupRetentionPeriod: 16 + PreferredBackupWindow: '12:00-13:00' + PreferredMaintenanceWindow: 'mon:13:00-mon:14:00' + + Database1: + Type: "AWS::RDS::DBInstance" + Properties: + Engine: !Ref "PMDatabaseEngine" + DBClusterIdentifier: !Ref "DatabaseCluster" + DBInstanceClass: !Ref "PMDatabaseInstanceClass" + DBSubnetGroupName: !Ref "DbSubnetGroup" + DBInstanceIdentifier: !Sub "${PMDBClusterIdentifier}-db1" + + Database2: + Type: "AWS::RDS::DBInstance" + Properties: + Engine: !Ref "PMDatabaseEngine" + DBClusterIdentifier: !Ref "DatabaseCluster" + DBInstanceClass: !Ref "PMDatabaseInstanceClass" + DBSubnetGroupName: !Ref "DbSubnetGroup" + DBInstanceIdentifier: !Sub "${PMDBClusterIdentifier}-db2" + + DbSubnetGroup: + Type: "AWS::RDS::DBSubnetGroup" + Properties: + DBSubnetGroupDescription: !Sub "${PMServerEnv} RDS DB subnet group" + SubnetIds: + Ref: "PMPrivateSubnets" + + RDSDBClusterParameterGroup: + Type: "AWS::RDS::DBClusterParameterGroup" + Properties: + Description: "CloudFormation Sample Aurora Cluster Parameter Group" + Family: !Ref "PMDBClusterParameterGroupName" + Parameters: + time_zone: "UTC" + collation_connection: "utf8_general_ci" + character_set_database: "utf8" + +Outputs: + RdsDbId: + Description: "RDS Database Cluster ID" + Value: !Ref "DatabaseCluster" + RdsEndpointAdd: + Description: "RDS Database Endpoint" + Value: !GetAtt "DatabaseCluster.Endpoint.Address" + RdsReadEndpointAdd: + Description: "RDS Read Database Endpoint" + Value: !GetAtt "DatabaseCluster.ReadEndpoint.Address" + RdsEndpointPort: + Description: "RDS Database Port" + Value: !GetAtt 
"DatabaseCluster.Endpoint.Port" + DbUser: + Description: "RDS Database admin account user" + Value: !Ref "PMDatabaseUsername" + DbPassword: + Description: "RDS Database admin account password" + Value: !Ref "PMDatabasePassword" + +``` +```yaml title="Negative test num. 2 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + KmsKeyId: !Ref MyKey + BackupRetentionPeriod: 7 +Outputs: + InstanceId: + Description: InstanceId of the newly created RDS Instance + Value: !Ref MyDBSmall + +``` +```yaml title="Negative test num. 3 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Parameters: + DBUser: + NoEcho: true + Description: The database admin account username + Type: String + MinLength: 1 + MaxLength: 16 + AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: true + Description: The database admin account password + Type: String + MinLength: 1 + MaxLength: 41 + AllowedPattern: "[a-zA-Z0-9]*" + ConstraintDescription: must contain only alphanumeric characters. 
+Resources: + MyDB: + Type: "AWS::RDS::DBInstance" + Properties: + AllocatedStorage: '5' + DBInstanceClass: db.t2.small + Engine: MySQL + EngineVersion: '5.5' + MasterUsername: !Ref DBUser + MasterUserPassword: !Ref DBPassword + DBParameterGroupName: !Ref MyRDSParamGroup + BackupRetentionPeriod: 10 + MyRDSParamGroup: + Type: "AWS::RDS::DBParameterGroup" + Properties: + Family: MySQL5.5 + Description: CloudFormation Sample Database Parameter Group + Parameters: + autocommit: '1' + general_log: '1' + old_passwords: '0' + +``` +
Negative test num. 4 - json file + +```json +{ + "Parameters": { + "PMDatabaseEngineVer": { + "Description": "Database engine ver", + "Type": "String" + }, + "PMDatabaseUsername": { + "NoEcho": "true", + "Type": "String", + "Description": "Database admin account name" + }, + "PMDatabaseInstanceClass": { + "Type": "String", + "Default": "db.t2.micro", + "Description": "Database instance class" + }, + "PMRDSSG": { + "Description": "Select the Security Group to use for the ELB", + "Type": "AWS::EC2::SecurityGroup::Id" + }, + "PMDatabasePassword": { + "Description": "Database admin account password", + "NoEcho": "true", + "Type": "String" + }, + "PMDBClusterParameterGroupName": { + "Type": "String", + "Description": "Db Parameter Groupname" + }, + "PMPrivateSubnets": { + "Description": "Subnets to launch instances into", + "Type": "List\u003cAWS::EC2::Subnet::Id\u003e" + }, + "PMServerEnv": { + "ConstraintDescription": "Choose an Environment from the drop down", + "Type": "String", + "Description": "Server Environment name." + }, + "PMDBClusterIdentifier": { + "Type": "String", + "Description": "Db Cluster Name." 
+ }, + "PMDatabaseEngine": { + "Type": "String", + "Default": "MySQL", + "Description": "Database engine, Aurora, MySQL or PostgreSQL" + } + }, + "Resources": { + "DatabaseCluster": { + "Properties": { + "PreferredMaintenanceWindow": "mon:13:00-mon:14:00", + "Engine": "PMDatabaseEngine", + "StorageEncrypted": true, + "MasterUsername": "PMDatabaseUsername", + "MasterUserPassword": "PMDatabasePassword", + "DBClusterParameterGroupName": "RDSDBClusterParameterGroup", + "BackupRetentionPeriod": 16, + "PreferredBackupWindow": "12:00-13:00", + "VpcSecurityGroupIds": [ + { + "Ref": "PMRDSSG" + } + ], + "EngineVersion": "PMDatabaseEngineVer" + }, + "Type": "AWS::RDS::DBCluster" + }, + "Database1": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "Engine": "PMDatabaseEngine", + "DBClusterIdentifier": "DatabaseCluster", + "DBInstanceClass": "PMDatabaseInstanceClass", + "DBSubnetGroupName": "DbSubnetGroup", + "DBInstanceIdentifier": "${PMDBClusterIdentifier}-db1" + } + }, + "Database2": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBInstanceIdentifier": "${PMDBClusterIdentifier}-db2", + "Engine": "PMDatabaseEngine", + "DBClusterIdentifier": "DatabaseCluster", + "DBInstanceClass": "PMDatabaseInstanceClass", + "DBSubnetGroupName": "DbSubnetGroup" + } + }, + "DbSubnetGroup": { + "Type": "AWS::RDS::DBSubnetGroup", + "Properties": { + "DBSubnetGroupDescription": "${PMServerEnv} RDS DB subnet group", + "SubnetIds": { + "Ref": "PMPrivateSubnets" + } + } + }, + "RDSDBClusterParameterGroup": { + "Type": "AWS::RDS::DBClusterParameterGroup", + "Properties": { + "Description": "CloudFormation Sample Aurora Cluster Parameter Group", + "Family": "PMDBClusterParameterGroupName", + "Parameters": { + "time_zone": "UTC", + "collation_connection": "utf8_general_ci", + "character_set_database": "utf8" + } + } + } + }, + "Outputs": { + "RdsEndpointAdd": { + "Value": "DatabaseCluster.Endpoint.Address", + "Description": "RDS Database Endpoint" + }, + "RdsReadEndpointAdd": { + 
"Description": "RDS Read Database Endpoint", + "Value": "DatabaseCluster.ReadEndpoint.Address" + }, + "RdsEndpointPort": { + "Description": "RDS Database Port", + "Value": "DatabaseCluster.Endpoint.Port" + }, + "DbUser": { + "Description": "RDS Database admin account user", + "Value": "PMDatabaseUsername" + }, + "DbPassword": { + "Value": "PMDatabasePassword", + "Description": "RDS Database admin account password" + }, + "RdsDbId": { + "Description": "RDS Database Cluster ID", + "Value": "DatabaseCluster" + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Creates RDS Cluster" +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow" + } + ] + } + } + }, + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier", + "SourceRegion": "SourceRegion", + "KmsKeyId": "MyKey", + "BackupRetentionPeriod": 7, + "DBInstanceClass": "DBInstanceType" + } + } + }, + "Outputs": { + "InstanceId": { + "Description": "InstanceId of the newly created RDS Instance", + "Value": "MyDBSmall" + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "RDS Storage Encrypted" +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Parameters": { + "DBUser": { + "MinLength": 1, + "MaxLength": 16, + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.", + "NoEcho": true, + "Description": "The database admin account username", + "Type": "String" + }, + "DBPassword": { + "MinLength": 1, + "MaxLength": 41, + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters.", + "NoEcho": true, + "Description": "The database admin account password", + "Type": "String" + } + }, + "Resources": { + "MyDB": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "EngineVersion": "5.5", + "MasterUsername": "DBUser", + "MasterUserPassword": "DBPassword", + "DBParameterGroupName": "MyRDSParamGroup", + "BackupRetentionPeriod": 10, + "AllocatedStorage": "5", + "DBInstanceClass": "db.t2.small", + "Engine": "MySQL" + } + }, + "MyRDSParamGroup": { + "Type": "AWS::RDS::DBParameterGroup", + "Properties": { + "Family": "MySQL5.5", + "Description": "CloudFormation Sample Database Parameter Group", + "Parameters": { + "autocommit": "1", + "general_log": "1", + "old_passwords": "0" + } + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/e835bd0d-65da-49f7-b6d1-b646da8727e6.md b/docs/queries/cloudformation-queries/aws/e835bd0d-65da-49f7-b6d1-b646da8727e6.md new file mode 100644 index 00000000000..9e419e81fa6 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/e835bd0d-65da-49f7-b6d1-b646da8727e6.md @@ -0,0 +1,135 @@ +--- +title: IAM Policy Grants 'AssumeRole' Permission Across All Services +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e835bd0d-65da-49f7-b6d1-b646da8727e6 +- **Query name:** IAM Policy Grants 'AssumeRole' Permission Across All Services +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services) + +### Description +IAM Policy should not grant 'AssumeRole' permission across all services.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + mypolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: mygrouppolicy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: ["sts:AssumeRole"] + Resource: "*" + Users: ["SomeUser"] + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "Description": "A sample template", + "Resources": { + "mypolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "mygrouppolicy", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sts:AssumeRole" + ], + "Resource": "*" + } + ] + }, + "Users": [ + "SomeUser" + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + MyPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: mygrouppolicy + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:GetObject + - s3:PutObject + - s3:PutObjectAcl + Resource: arn:aws:s3:::myAWSBucket/* + Groups: + - myexistinggroup1 + - !Ref mygroup + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "MyPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "mygrouppolicy", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:PutObject", + "s3:PutObjectAcl" + ], + "Resource": "arn:aws:s3:::myAWSBucket/*" + } + ] + }, + "Groups": [ + "myexistinggroup1", + "mygroup" + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md b/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md new file mode 100644 index 00000000000..a01edb45b98 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md @@ -0,0 +1,161 @@ +--- +title: Default Security Groups With Unrestricted Traffic +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ea33fcf7-394b-4d11-a228-985c5d08f205 +- **Query name:** Default Security Groups With Unrestricted Traffic +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic) + +### Description +Check if default security group does not restrict all inbound and outbound traffic.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +Parameters: + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance + Type: 'AWS::EC2::KeyPair::KeyName' +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + - MyExistingSecurityGroup + KeyName: !Ref KeyName + ImageId: ami-7a11e213 + InstanceSecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupName: default + GroupDescription: Enable SSH access via port 22 + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 +``` +```json title="Postitive test num. 2 - json file" hl_lines="21" +{ + "Parameters": { + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName" + } + }, + "Resources": { + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "SecurityGroups": [ + "InstanceSecurityGroup", + "MyExistingSecurityGroup" + ], + "KeyName": "KeyName", + "ImageId": "ami-7a11e213" + } + }, + "InstanceSecurityGroup": { + "Properties": { + "GroupName": "default", + "GroupDescription": "Enable SSH access via port 22", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": "22", + "ToPort": "22", + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "FromPort": "22", + "ToPort": "22", + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp" + } + ] + }, + "Type": "AWS::EC2::SecurityGroup" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Parameters: + KeyName: + Description: The EC2 Key Pair to allow SSH access to the instance + Type: 'AWS::EC2::KeyPair::KeyName' +Resources: + Ec2Instance: + Type: 'AWS::EC2::Instance' + Properties: + SecurityGroups: + - !Ref InstanceSecurityGroup + - MyExistingSecurityGroup + KeyName: !Ref KeyName + ImageId: ami-7a11e213 + InstanceSecurityGroup: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupName: default + GroupDescription: Enable SSH access via port 22 +``` +```json title="Negative test num. 2 - json file" +{ + "Parameters": { + "KeyName": { + "Description": "The EC2 Key Pair to allow SSH access to the instance", + "Type": "AWS::EC2::KeyPair::KeyName" + } + }, + "Resources": { + "Ec2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "SecurityGroups": [ + "InstanceSecurityGroup", + "MyExistingSecurityGroup" + ], + "KeyName": "KeyName", + "ImageId": "ami-7a11e213" + } + }, + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupName": "default", + "GroupDescription": "Enable SSH access via port 22" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ed4c48b8-eccc-4881-95c1-09fdae23db25.md b/docs/queries/cloudformation-queries/aws/ed4c48b8-eccc-4881-95c1-09fdae23db25.md new file mode 100644 index 00000000000..6328ca7d960 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ed4c48b8-eccc-4881-95c1-09fdae23db25.md @@ -0,0 +1,189 @@ +--- +title: API Gateway Without SSL Certificate +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ed4c48b8-eccc-4881-95c1-09fdae23db25 +- **Query name:** API Gateway Without SSL Certificate +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_without_ssl_certificate) + +### Description +SSL Client Certificate should be enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + ProdApiGatewayStagePos: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + + +``` +```json title="Postitive test num. 2 - json file" hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "ProdApiGatewayStagePos2": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "MethodSettings": [ + { + "DataTraceEnabled": "false", + "ResourcePath": "/", + "HttpMethod": "GET", + "MetricsEnabled": "true" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999" + }, + { + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555", + "ResourcePath": "/stack", + "HttpMethod": "GET" + } + ], + "StageName": "Prod", + "RestApiId": "MyRestApi", + "DeploymentId": "TestDeployment", + "DocumentationVersion": "MyDocumentationVersion", + "Variables": { + "Stack": "Prod" + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + ProdApiGatewayStageNeg: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "ProdApiGatewayStageNeg2": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "RestApiId": { + "Ref": "MyRestApi" + }, + "DeploymentId": { + "Ref": "TestDeployment" + }, + "DocumentationVersion": { + "Ref": "MyDocumentationVersion" + }, + "ClientCertificateId": { + "Ref": "ClientCertificate" + }, + "Variables": { + "Stack": "Prod" + }, + "MethodSettings": [ + { + "ResourcePath": "/", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "999" + }, + { + "ResourcePath": "/stack", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "DataTraceEnabled": "false", + "ThrottlingBurstLimit": "555" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/edc95c10-7366-4f30-9b4b-f995c84eceb5.md b/docs/queries/cloudformation-queries/aws/edc95c10-7366-4f30-9b4b-f995c84eceb5.md new file mode 100644 index 00000000000..84adf51d236 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/edc95c10-7366-4f30-9b4b-f995c84eceb5.md @@ -0,0 +1,142 @@ +--- +title: IAM Policies Attached To User +hide: + toc: true + navigation: true +--- + + + +- **Query id:** edc95c10-7366-4f30-9b4b-f995c84eceb5 +- **Query name:** IAM Policies Attached To User +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_policies_attached_to_user) + +### Description +IAM policies should be attached only to groups or roles
+[Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 14" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd + ManagedPoliciesArns: [ + "arn:aws:iam::123456789012:policy/UsersManageOwnCredentials", + "arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials" + ] + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn +``` +```json title="Postitive test num. 2 - json file" hl_lines="10 14" +{ + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + }, + "ManagedPoliciesArns": [ + "arn:aws:iam::123456789012:policy/UsersManageOwnCredentials", + "arn:aws:iam::123456789012:policy/division_abc/subdivision_xyz/UsersManageOwnCredentials" + ], + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "NotResource": [ + "myqueue.Arn" + ], + "Effect": "Deny", + "Action": [ + "sqs:*" + ] + } + ] + } + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rd +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rd" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ee12ad32-2863-4c0f-b13f-28272d115028.md b/docs/queries/cloudformation-queries/aws/ee12ad32-2863-4c0f-b13f-28272d115028.md new file mode 100644 index 00000000000..b768386892c --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ee12ad32-2863-4c0f-b13f-28272d115028.md @@ -0,0 +1,295 @@ +--- +title: ELB Access Log Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ee12ad32-2863-4c0f-b13f-28272d115028 +- **Query name:** ELB Access Log Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elb_access_log_disabled) + +### Description +ELB should have access log enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-accessloggingpolicy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: A simple EC2 instance +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: "80" + InstanceProtocol: HTTP + LoadBalancerPort: "443" + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: "2" + UnhealthyThreshold: "3" + Interval: "10" + Timeout: "5" + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="31" +AWSTemplateFormatVersion: "2010-09-09" +Description: A simple EC2 instance +Resources: + MyLoadBalancer2: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: "80" + InstanceProtocol: HTTP + LoadBalancerPort: "443" + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: "2" + UnhealthyThreshold: "3" + Interval: "10" + Timeout: "5" + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + AccessLoggingPolicy: + Enabled: false + S3BucketName: teste + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A simple EC2 instance", + "Resources": { + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true, + "Listeners": [ + { + "InstancePort": "80", + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate" + } + ], + "HealthCheck": { + "Target": "HTTP:80/", + "HealthyThreshold": "2", + "UnhealthyThreshold": "3", + "Interval": "10", + "Timeout": "5" + }, + "Policies": [ + { + "PolicyName": "My-SSLNegotiation-Policy", + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ] + } + ] + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="18" +{ + "Resources": { + "MyLoadBalancer2": { + "Properties": { + "Policies": [ + { + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ], + "PolicyName": "My-SSLNegotiation-Policy" + } + ], + "AccessLoggingPolicy": { + "Enabled": false, + "S3BucketName": "teste" + }, + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true, + "Listeners": [ + { + "InstancePort": "80", + "InstanceProtocol": "HTTP", + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate" + } + ], + "HealthCheck": { + "Interval": "10", + "Timeout": "5", + "Target": "HTTP:80/", + "HealthyThreshold": "2", + "UnhealthyThreshold": "3" + } + }, + "Type": "AWS::ElasticLoadBalancing::LoadBalancer" + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A simple EC2 instance" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A simple EC2 instance +Resources: + MyLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + AvailabilityZones: + - "us-east-2a" + CrossZone: true + Listeners: + - InstancePort: "80" + InstanceProtocol: HTTP + LoadBalancerPort: "443" + Protocol: HTTPS + PolicyNames: + - My-SSLNegotiation-Policy + SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate + HealthCheck: + Target: HTTP:80/ + HealthyThreshold: "2" + UnhealthyThreshold: "3" + Interval: "10" + Timeout: "5" + Policies: + - PolicyName: My-SSLNegotiation-Policy + PolicyType: SSLNegotiationPolicyType + Attributes: + - Name: Reference-Security-Policy + Value: ELBSecurityPolicy-TLS-1-2-2017-01 + AccessLoggingPolicy: + - Enabled: true + S3BucketName: teste + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A simple EC2 instance", + "Resources": { + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "Policies": [ + { + "PolicyName": "My-SSLNegotiation-Policy", + "PolicyType": "SSLNegotiationPolicyType", + "Attributes": [ + { + "Name": "Reference-Security-Policy", + "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" + } + ] + } + ], + "AccessLoggingPolicy": [ + { + "Enabled": true, + "S3BucketName": "teste" + } + ], + "AvailabilityZones": [ + "us-east-2a" + ], + "CrossZone": true, + "Listeners": [ + { + "LoadBalancerPort": "443", + "Protocol": "HTTPS", + "PolicyNames": [ + "My-SSLNegotiation-Policy" + ], + "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", + "InstancePort": "80", + "InstanceProtocol": "HTTP" + } + ], + "HealthCheck": { + "Timeout": "5", + "Target": "HTTP:80/", + "HealthyThreshold": "2", + "UnhealthyThreshold": "3", + "Interval": "10" + } + } + } + 
} +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md b/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md new file mode 100644 index 00000000000..ee3c805f062 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md @@ -0,0 +1,271 @@ +--- +title: Security Group Egress With All Protocols +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ee464fc2-54a6-4e22-b10a-c6dcd2474d0c +- **Query name:** Security Group Egress With All Protocols +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_group_egress_with_all_protocols) + +### Description +AWS Security Group Egress should not specify all protocols to prevent allow traffic on all ports
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-security-group-egress.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21 14" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: -1 + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: -1 + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + IpProtocol: -1 + FromPort: 0 + ToPort: 65535 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + IpProtocol: -1 + FromPort: 0 + ToPort: 65535 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Postitive test num. 
2 - json file" hl_lines="43 21" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": -1, + "FromPort": 80, + "ToPort": 80 + } + ], + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "IpProtocol": -1, + "FromPort": 80, + "ToPort": 80 + } + ] + } + }, + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "IpProtocol": -1, + "FromPort": 0, + "ToPort": 65535 + } + }, + "InboundRule": { + "Properties": { + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "IpProtocol": -1, + "FromPort": 0, + "ToPort": 65535, + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + } + }, + "Type": "AWS::EC2::SecurityGroupIngress" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +Resources: + InstanceSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + OutboundRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + DestinationSecurityGroupId: + Fn::GetAtt: + - TargetSG + - GroupId + GroupId: + Fn::GetAtt: + - SourceSG + - GroupId + InboundRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + IpProtocol: tcp + FromPort: 0 + ToPort: 65535 + SourceSecurityGroupId: + Fn::GetAtt: + - SourceSG + - GroupId + GroupId: + Fn::GetAtt: + - TargetSG + - GroupId +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "OutboundRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "DestinationSecurityGroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + } + } + }, + "InboundRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "SourceSecurityGroupId": { + "Fn::GetAtt": [ + "SourceSG", + "GroupId" + ] + }, + "GroupId": { + "Fn::GetAtt": [ + "TargetSG", + "GroupId" + ] + }, + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535 + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/ef05a925-8568-4054-8ff1-f5ba82631c16.md b/docs/queries/cloudformation-queries/aws/ef05a925-8568-4054-8ff1-f5ba82631c16.md new file mode 100644 index 00000000000..f887fdf22c7 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ef05a925-8568-4054-8ff1-f5ba82631c16.md @@ -0,0 +1,189 @@ +--- +title: BOM - AWS EFS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ef05a925-8568-4054-8ff1-f5ba82631c16 +- **Query name:** BOM - AWS EFS +- **Platform:** CloudFormation +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws_bom/efs) + +### Description +A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create EFS system and Mount Targets for test VPC" +Resources: + FileSystemResource: + Type: 'AWS::EFS::FileSystem' + Properties: + AvailabilityZoneName: us-east-1a + BackupPolicy: + Status: ENABLED + Encrypted: true + LifecyclePolicies: + - TransitionToIA: AFTER_30_DAYS + FileSystemTags: + - Key: Name + Value: TestFileSystem + FileSystemPolicy: + Version: "2012-10-17" + Statement: + - Effect: "Allow" + Action: + - "elasticfilesystem:ClientMount" + Principal: + AWS: 'arn:aws:iam::111122223333:role/EfsReadOnly' + KmsKeyId: !GetAtt + - key + - Arn + +``` +```json title="Postitive test num. 2 - json file" hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "FileSystemResource": { + "Properties": { + "AvailabilityZoneName": "us-east-1a", + "BackupPolicy": { + "Status": "ENABLED" + }, + "Encrypted": true, + "FileSystemPolicy": { + "Statement": [ + { + "Action": [ + "elasticfilesystem:ClientMount" + ], + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/EfsReadOnly" + } + } + ], + "Version": "2012-10-17" + }, + "FileSystemTags": [ + { + "Key": "Name", + "Value": "TestFileSystem" + } + ], + "KmsKeyId": [ + "key", + "Arn" + ], + "LifecyclePolicies": [ + { + "TransitionToIA": "AFTER_30_DAYS" + } + ] + }, + "Type": "AWS::EFS::FileSystem" + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +AWSTemplateFormatVersion: "2010-09-09" +Description: "Create EFS system and Mount Targets for test VPC" +Resources: + FileSystemResource: + Type: 'AWS::EFS::FileSystem' + Properties: + AvailabilityZoneName: us-east-1a + BackupPolicy: + Status: ENABLED + Encrypted: false + LifecyclePolicies: + - TransitionToIA: AFTER_30_DAYS + FileSystemTags: + - Key: Name + Value: TestFileSystem + +``` +
Postitive test num. 4 - json file + +```json hl_lines="4" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "FileSystemResource": { + "Properties": { + "AvailabilityZoneName": "us-east-1a", + "BackupPolicy": { + "Status": "ENABLED" + }, + "Encrypted": false, + "FileSystemTags": [ + { + "Key": "Name", + "Value": "TestFileSystem" + } + ], + "KmsKeyId": [ + "key", + "Arn" + ], + "LifecyclePolicies": [ + { + "TransitionToIA": "AFTER_30_DAYS" + } + ] + }, + "Type": "AWS::EFS::FileSystem" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + myDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + Enabled: true + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "Enabled": "true" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f0104061-8bfc-4b45-8a7d-630eb502f281.md b/docs/queries/cloudformation-queries/aws/f0104061-8bfc-4b45-8a7d-630eb502f281.md new file mode 100644 index 00000000000..935caeeef78 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f0104061-8bfc-4b45-8a7d-630eb502f281.md @@ -0,0 +1,357 @@ +--- +title: Automatic Minor Upgrades Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f0104061-8bfc-4b45-8a7d-630eb502f281 +- **Query name:** Automatic Minor Upgrades Disabled +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/automatic_minor_upgrades_disabled) + +### Description +RDS instance should have automatic minor upgrades enabled, which means the attribute 'AutoMinorVersionUpgrade' must be set to true.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="58 82" +#this is a problematic code where the query should report a result(s) +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + Description": "AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: + Sample template showing how to create a DB instance with Enhanced Monitoring enabled. + **WARNING** This template creates an RDS DB instance. You will be billed for the AWS + resources used if you create a stack from this template. +Parameters: + DBInstanceID: + Default: mydbinstance + Description: My database instance + Type: String + MinLength: '1' + MaxLength: '63' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: >- + Must begin with a letter and must not end with a hyphen or contain two + consecutive hyphens. + DBName: + Default: mydb + Description: My database + Type: String + MinLength: '1' + MaxLength: '64' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: Must begin with a letter and contain only alphanumeric characters. + DBInstanceClass: + Default: db.m5.large + Description: DB instance class + Type: String + ConstraintDescription: Must select a valid DB instance type. + DBAllocatedStorage: + Default: '50' + Description: The size of the database (GiB) + Type: Number + MinValue: '5' + MaxValue: '1024' + ConstraintDescription: must be between 20 and 65536 GiB. + DBUsername: + NoEcho: 'true' + Description: Username for MySQL database access + Type: String + MinLength: '1' + MaxLength: '16' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. 
+ DBPassword: + NoEcho: 'true' + Description: Password MySQL database access + Type: String + MinLength: '8' + MaxLength: '41' + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: must contain only alphanumeric characters. +Resources: + MyDB: + Type: 'AWS::RDS::DBInstance' + Properties: + DBInstanceIdentifier: !Ref DBInstanceID + DBName: !Ref DBName + DBInstanceClass: !Ref DBInstanceClass + AllocatedStorage: !Ref DBAllocatedStorage + Engine: MySQL + EngineVersion: 8.0.16 + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + MonitoringInterval: '60' + MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' + MyDB2: + Type: 'AWS::RDS::DBInstance' + Properties: + DBInstanceIdentifier: !Ref DBInstanceID + DBName: !Ref DBName + DBInstanceClass: !Ref DBInstanceClass + AllocatedStorage: !Ref DBAllocatedStorage + Engine: MySQL + EngineVersion: 8.0.16 + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + MonitoringInterval: '60' + MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' + AutoMinorVersionUpgrade: false +``` +```json title="Postitive test num. 2 - json file" hl_lines="58 85" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. You will be billed for the AWS resources used if you create a stack from this template.", + "Parameters": { + "DBInstanceID": { + "Default": "mydbinstance", + "Description": "My database instance", + "Type": "String", + "MinLength": "1", + "MaxLength": "63", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens." 
+ }, + "DBName": { + "Default": "mydb", + "Description": "My database", + "Type": "String", + "MinLength": "1", + "MaxLength": "64", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters." + }, + "DBInstanceClass": { + "Default": "db.m5.large", + "Description": "DB instance class", + "Type": "String", + "ConstraintDescription": "Must select a valid DB instance type." + }, + "DBAllocatedStorage": { + "Description": "The size of the database (GiB)", + "Type": "Number", + "MinValue": "5", + "MaxValue": "1024", + "ConstraintDescription": "must be between 20 and 65536 GiB.", + "Default": "50" + }, + "DBUsername": { + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String", + "MinLength": "1", + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters." + }, + "DBPassword": { + "NoEcho": "true", + "Description": "Password MySQL database access", + "Type": "String", + "MinLength": "8", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters." 
+ } + }, + "Resources": { + "MyDB": { + "Properties": { + "DBInstanceIdentifier": "DBInstanceID", + "DBInstanceClass": "DBInstanceClass", + "Engine": "MySQL", + "MasterUserPassword": "DBPassword", + "MonitoringInterval": "60", + "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role", + "DBName": "DBName", + "AllocatedStorage": "DBAllocatedStorage", + "EngineVersion": "8.0.16", + "MasterUsername": "DBUsername" + }, + "Type": "AWS::RDS::DBInstance" + }, + "MyDB2": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBInstanceIdentifier": "DBInstanceID", + "DBInstanceClass": "DBInstanceClass", + "EngineVersion": "8.0.16", + "MasterUserPassword": "DBPassword", + "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role", + "DBName": "DBName", + "AllocatedStorage": "DBAllocatedStorage", + "Engine": "MySQL", + "MasterUsername": "DBUsername", + "MonitoringInterval": "60", + "AutoMinorVersionUpgrade": false + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + Description": "AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: + Sample template showing how to create a DB instance with Enhanced Monitoring enabled. + **WARNING** This template creates an RDS DB instance. You will be billed for the AWS + resources used if you create a stack from this template. +Parameters: + DBInstanceID: + Default: mydbinstance + Description: My database instance + Type: String + MinLength: '1' + MaxLength: '63' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: >- + Must begin with a letter and must not end with a hyphen or contain two + consecutive hyphens. 
+ DBName: + Default: mydb + Description: My database + Type: String + MinLength: '1' + MaxLength: '64' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: Must begin with a letter and contain only alphanumeric characters. + DBInstanceClass: + Default: db.m5.large + Description: DB instance class + Type: String + ConstraintDescription: Must select a valid DB instance type. + DBAllocatedStorage: + Default: '50' + Description: The size of the database (GiB) + Type: Number + MinValue: '5' + MaxValue: '1024' + ConstraintDescription: must be between 20 and 65536 GiB. + DBUsername: + NoEcho: 'true' + Description: Username for MySQL database access + Type: String + MinLength: '1' + MaxLength: '16' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: 'true' + Description: Password MySQL database access + Type: String + MinLength: '8' + MaxLength: '41' + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: must contain only alphanumeric characters. +Resources: + MyDB: + Type: 'AWS::RDS::DBInstance' + Properties: + DBInstanceIdentifier: !Ref DBInstanceID + DBName: !Ref DBName + DBInstanceClass: !Ref DBInstanceClass + AllocatedStorage: !Ref DBAllocatedStorage + Engine: MySQL + EngineVersion: 8.0.16 + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + MonitoringInterval: '60' + MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' + AutoMinorVersionUpgrade: true +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "Description\": \"AWS CloudFormation Sample Template for creating an Amazon RDS DB instance: Sample template showing how to create a DB instance with Enhanced Monitoring enabled. **WARNING** This template creates an RDS DB instance. 
You will be billed for the AWS resources used if you create a stack from this template.", + "Parameters": { + "DBInstanceClass": { + "Type": "String", + "ConstraintDescription": "Must select a valid DB instance type.", + "Default": "db.m5.large", + "Description": "DB instance class" + }, + "DBAllocatedStorage": { + "Default": "50", + "Description": "The size of the database (GiB)", + "Type": "Number", + "MinValue": "5", + "MaxValue": "1024", + "ConstraintDescription": "must be between 20 and 65536 GiB." + }, + "DBUsername": { + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String", + "MinLength": "1", + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters." + }, + "DBPassword": { + "ConstraintDescription": "must contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Password MySQL database access", + "Type": "String", + "MinLength": "8", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]*" + }, + "DBInstanceID": { + "Default": "mydbinstance", + "Description": "My database instance", + "Type": "String", + "MinLength": "1", + "MaxLength": "63", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens." 
+ }, + "DBName": { + "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters.", + "Default": "mydb", + "Description": "My database", + "Type": "String", + "MinLength": "1", + "MaxLength": "64", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*" + } + }, + "Resources": { + "MyDB": { + "Properties": { + "EngineVersion": "8.0.16", + "MasterUsername": "DBUsername", + "MonitoringInterval": "60", + "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role", + "AutoMinorVersionUpgrade": true, + "DBInstanceIdentifier": "DBInstanceID", + "DBInstanceClass": "DBInstanceClass", + "Engine": "MySQL", + "MasterUserPassword": "DBPassword", + "DBName": "DBName", + "AllocatedStorage": "DBAllocatedStorage" + }, + "Type": "AWS::RDS::DBInstance" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md b/docs/queries/cloudformation-queries/aws/f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md new file mode 100644 index 00000000000..adc4437c021 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f4c9b5f5-68b8-491f-9e48-4f96644a1d51.md @@ -0,0 +1,368 @@ +--- +title: ECS Task Definition Invalid CPU or Memory +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f4c9b5f5-68b8-491f-9e48-4f96644a1d51 +- **Query name:** ECS Task Definition Invalid CPU or Memory +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecs_task_definition_invalid_cpu_or_memory) + +### Description +In ECS Task Definition of FARGATE launch type if you specify an invalid CPU or Memory value, you will receive an error
+[Documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="27 53" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + ECSService: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: ECSServiceRole + TaskDefinition: + Ref: ECSTaskDefinition + DesiredCount: 1 + LoadBalancers: + - TargetGroupArn: + Ref: TargetGroup + ContainerPort: 80 + ContainerName: sample-app + Cluster: + Ref: ECSCluster + LaunchType: FARGATE + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: + Ref: "AppName" + MountPoints: + - SourceVolume: "my-vol" + ContainerPath: "/var/www/my-vol" + Image: "amazon/amazon-ecs-sample" + Cpu: 256 + PortMappings: + - ContainerPort: + Ref: "AppContainerPort" + HostPort: + Ref: "AppHostPort" + EntryPoint: + - "/usr/sbin/apache2" + - "-D" + - "FOREGROUND" + Memory: 4096 + Essential: true + Volumes: + - Host: + SourcePath: "/var/lib/docker/vfs/dir/" + Name: "my-vol" + taskdefinition2: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: + Ref: "AppName2" + MountPoints: + - SourceVolume: "my-vol" + ContainerPath: "/var/www/my-vol" + Image: "amazon/amazon-ecs-sample" + Cpu: 100 + PortMappings: + - ContainerPort: + Ref: "AppContainerPort" + HostPort: + Ref: "AppHostPort" + EntryPoint: + - "/usr/sbin/apache2" + - "-D" + - "FOREGROUND" + Memory: 4096 + Essential: true + Volumes: + - Host: + SourcePath: "/var/lib/docker/vfs/dir/" + Name: "my-vol" + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="84 38" +{ + "Resources": { + "ECSService": { + "DependsOn": [ + "Listener" + ], + "Properties": { + "Role": { + "Ref": "ECSServiceRole" + }, + "TaskDefinition": { + "Ref": "ECSTaskDefinition" + }, + "DesiredCount": 1, + "LoadBalancers": [ + { + "TargetGroupArn": { + "Ref": "TargetGroup" + }, + "ContainerPort": 80, + "ContainerName": "sample-app" + } + ], + "Cluster": { + "Ref": "ECSCluster" + }, + "LaunchType": "FARGATE" + }, + "Type": "AWS::ECS::Service" + }, + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Essential": true, + "Name": { + "Ref": "AppName" + }, + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": 256, + "PortMappings": [ + { + "ContainerPort": { + "Ref": "AppContainerPort" + }, + "HostPort": { + "Ref": "AppHostPort" + } + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": 4096 + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + }, + "taskdefinition2": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "Memory": 4096, + "Essential": true, + "Name": { + "Ref": "AppName2" + }, + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": 100, + "PortMappings": [ + { + "ContainerPort": { + "Ref": "AppContainerPort" + }, + "HostPort": { + "Ref": "AppHostPort" + } + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ] + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + ECSService: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: ECSServiceRole + TaskDefinition: + Ref: ECSTaskDefinition + DesiredCount: 1 + LoadBalancers: + - TargetGroupArn: + Ref: TargetGroup + ContainerPort: 80 + ContainerName: sample-app + Cluster: + Ref: ECSCluster + LaunchType: FARGATE + taskdefinition: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: + Ref: "AppName" + MountPoints: + - SourceVolume: "my-vol" + ContainerPath: "/var/www/my-vol" + Image: "amazon/amazon-ecs-sample" + Cpu: 256 + PortMappings: + - ContainerPort: + Ref: "AppContainerPort" + HostPort: + Ref: "AppHostPort" + EntryPoint: + - "/usr/sbin/apache2" + - "-D" + - "FOREGROUND" + Memory: 512 + Essential: true + Volumes: + - Host: + SourcePath: "/var/lib/docker/vfs/dir/" + Name: "my-vol" + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "ECSService": { + "Properties": { + "LoadBalancers": [ + { + "TargetGroupArn": { + "Ref": "TargetGroup" + }, + "ContainerPort": 80, + "ContainerName": "sample-app" + } + ], + "Cluster": { + "Ref": "ECSCluster" + }, + "LaunchType": "FARGATE", + "Role": { + "Ref": "ECSServiceRole" + }, + "TaskDefinition": { + "Ref": "ECSTaskDefinition" + }, + "DesiredCount": 1 + }, + "Type": "AWS::ECS::Service", + "DependsOn": [ + "Listener" + ] + }, + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "PortMappings": [ + { + "ContainerPort": { + "Ref": "AppContainerPort" + }, + "HostPort": { + "Ref": "AppHostPort" + } + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": 512, + "Essential": true, + "Name": { + "Ref": "AppName" + }, + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": 
"/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": 256 + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f4cf35d6-da92-48de-ab70-57be2b2e6497.md b/docs/queries/cloudformation-queries/aws/f4cf35d6-da92-48de-ab70-57be2b2e6497.md new file mode 100644 index 00000000000..6b99f1732ce --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f4cf35d6-da92-48de-ab70-57be2b2e6497.md @@ -0,0 +1,257 @@ +--- +title: IAM Password Without Lowercase Letter +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f4cf35d6-da92-48de-ab70-57be2b2e6497 +- **Query name:** IAM Password Without Lowercase Letter +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter) + +### Description +IAM Password should have at least one lowercase letter
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: MY@SSW0RD12EDE + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + - PolicyName: giveaccesstotopiconly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sns:* + Resource: + - !Ref mytopic + - Effect: Deny + Action: + - sns:* + NotResource: + - !Ref mytopic +``` +```json title="Postitive test num. 2 - json file" hl_lines="8" +{ + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "MY@SSW0RD12EDE" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "NotResource": [ + "myqueue.Arn" + ], + "Effect": "Deny", + "Action": [ + "sqs:*" + ] + } + ] + } + }, + { + "PolicyName": "giveaccesstotopiconly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sns:*" + ], + "Resource": [ + "mytopic" + ] + }, + { + "Action": [ + "sns:*" + ], + "NotResource": [ + "mytopic" + ], + "Effect": "Deny" + } + ] + } + } + ] + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + myuser: + Type: AWS::IAM::User + Properties: + Path: "/" + LoginProfile: + Password: myP@ssW0rdrwawdasd + Policies: + - PolicyName: giveaccesstoqueueonly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sqs:* + Resource: + - !GetAtt myqueue.Arn + - Effect: Deny + Action: + - sqs:* + NotResource: + - !GetAtt myqueue.Arn + - PolicyName: giveaccesstotopiconly + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - sns:* + Resource: + - !Ref mytopic + - Effect: Deny + Action: + - sns:* + NotResource: + - !Ref mytopic +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "myuser": { + "Type": "AWS::IAM::User", + "Properties": { + "Path": "/", + "LoginProfile": { + "Password": "myP@ssW0rdrwawdasd" + }, + "Policies": [ + { + "PolicyName": "giveaccesstoqueueonly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sqs:*" + ], + "Resource": [ + "myqueue.Arn" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sqs:*" + ], + "NotResource": [ + "myqueue.Arn" + ] + } + ] + } + }, + { + "PolicyName": "giveaccesstotopiconly", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "sns:*" + ], + "Resource": [ + "mytopic" + ] + }, + { + "Effect": "Deny", + "Action": [ + "sns:*" + ], + "NotResource": [ + "mytopic" + ] + } + ] + } + } + ] + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f57f849c-883b-4cb7-85e7-f7b199dff163.md b/docs/queries/cloudformation-queries/aws/f57f849c-883b-4cb7-85e7-f7b199dff163.md new file mode 100644 index 00000000000..8a0eb703351 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f57f849c-883b-4cb7-85e7-f7b199dff163.md 
@@ -0,0 +1,220 @@
+---
+title: TCP/UDP Protocol Network ACL Entry Allows All Ports
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f57f849c-883b-4cb7-85e7-f7b199dff163
+- **Query name:** TCP/UDP Protocol Network ACL Entry Allows All Ports
+- **Platform:** CloudFormation
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/tcp_or_udp_protocol_network_acl_entry_allows_all_ports)
+
+### Description
+TCP/UDP protocol AWS Network ACL Entry should not allow all ports
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-network-acl-entry.html#cfn-ec2-networkaclentry-portrange) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 18 29 49" +Resources: + MyNACL: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: vpc-1122334455aabbccd + Tags: + - Key: Name + Value: NACLforSSHTraffic + InboundRule2: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: 6 + RuleAction: allow + CidrBlock: 172.16.0.0/24 + PortRange: + From: 22 + InboundRule3: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: 6 + RuleAction: allow + CidrBlock: 172.16.0.0/24 + PortRange: + To: 22 + InboundRule4: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: 6 + RuleAction: allow + CidrBlock: 172.16.0.0/24 + InboundRule5: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: 6 + RuleAction: allow + CidrBlock: 172.16.0.0/24 + PortRange: + 
From: 0 + To: 65535 +``` +```json title="Postitive test num. 2 - json file" hl_lines="40 61 21 47" +{ + "Resources": { + "MyNACL": { + "Type": "AWS::EC2::NetworkAcl", + "Properties": { + "VpcId": "vpc-1122334455aabbccd", + "Tags": [ + { + "Key": "Name", + "Value": "NACLforSSHTraffic" + } + ] + } + }, + "InboundRule2": { + "Properties": { + "RuleNumber": 100, + "Protocol": 6, + "RuleAction": "allow", + "CidrBlock": "172.16.0.0/24", + "PortRange": { + "From": 22 + }, + "NetworkAclId": { + "Ref": "MyNACL" + } + }, + "Type": "AWS::EC2::NetworkAclEntry" + }, + "InboundRule3": { + "Type": "AWS::EC2::NetworkAclEntry", + "Properties": { + "NetworkAclId": { + "Ref": "MyNACL" + }, + "RuleNumber": 100, + "Protocol": 6, + "RuleAction": "allow", + "CidrBlock": "172.16.0.0/24", + "PortRange": { + "To": 22 + } + } + }, + "InboundRule4": { + "Type": "AWS::EC2::NetworkAclEntry", + "Properties": { + "RuleNumber": 100, + "Protocol": 6, + "RuleAction": "allow", + "CidrBlock": "172.16.0.0/24", + "NetworkAclId": { + "Ref": "MyNACL" + } + } + }, + "InboundRule5": { + "Type": "AWS::EC2::NetworkAclEntry", + "Properties": { + "CidrBlock": "172.16.0.0/24", + "PortRange": { + "To": 65535, + "From": 0 + }, + "NetworkAclId": { + "Ref": "MyNACL" + }, + "RuleNumber": 100, + "Protocol": 6, + "RuleAction": "allow" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Resources: + MyNACL9: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: vpc-1122334455aabbccd + Tags: + - Key: Name + Value: NACLforSSHTraffic + InboundRule9: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: MyNACL + RuleNumber: 100 + Protocol: 6 + RuleAction: allow + CidrBlock: 172.16.0.0/24 + PortRange: + 
From: 22 + To: 22 +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "MyNACL9": { + "Type": "AWS::EC2::NetworkAcl", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "NACLforSSHTraffic" + } + ], + "VpcId": "vpc-1122334455aabbccd" + } + }, + "InboundRule9": { + "Type": "AWS::EC2::NetworkAclEntry", + "Properties": { + "Protocol": 6, + "RuleAction": "allow", + "CidrBlock": "172.16.0.0/24", + "PortRange": { + "From": 22, + "To": 22 + }, + "NetworkAclId": { + "Ref": "MyNACL" + }, + "RuleNumber": 100 + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f6049677-ec4a-43af-8779-5190b6d03cba.md b/docs/queries/cloudformation-queries/aws/f6049677-ec4a-43af-8779-5190b6d03cba.md new file mode 100644 index 00000000000..2b4e2a9ce43 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f6049677-ec4a-43af-8779-5190b6d03cba.md @@ -0,0 +1,266 @@ +--- +title: KMS Allows Wildcard Principal +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f6049677-ec4a-43af-8779-5190b6d03cba +- **Query name:** KMS Allows Wildcard Principal +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/kms_allows_wildcard_principal) + +### Description +KMS Should not allow Principal parameter to be set as *
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + myKey: + Type: AWS::KMS::Key + Properties: + Description: An example symmetric CMK + KeyPolicy: + Version: '2012-10-17' + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: "*" + Action: kms:* + Resource: '*' + - Sid: Allow administration of the key + Effect: Allow + Principal: + AWS: arn:aws:iam::123456789012:user/Alice + Action: + - kms:Create* + - kms:Describe* + - kms:Enable* + - kms:List* + - kms:Put* + - kms:Update* + - kms:Revoke* + - kms:Disable* + - kms:Get* + - kms:Delete* + - kms:ScheduleKeyDeletion + - kms:CancelKeyDeletion + Resource: '*' + - Sid: Allow use of the key + Effect: Allow + Principal: + AWS: arn:aws:iam::123456789012:user/Bob + Action: + - kms:DescribeKey + - kms:Encrypt + - kms:Decrypt + - kms:ReEncrypt* + - kms:GenerateDataKey + - kms:GenerateDataKeyWithoutPlaintext + Resource: '*' + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="8" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "myKey": { + "Properties": { + "Description": "An example symmetric CMK", + "KeyPolicy": { + "Version": "2012-10-17", + "Id": "key-default-1", + "Statement": [ + { + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": "*", + "Action": "kms:*" + }, + { + "Sid": "Allow administration of the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/Alice" + }, + "Action": [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" + ], + "Resource": "*" + }, + { + "Sid": "Allow use of the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/Bob" + }, + "Action": [ + "kms:DescribeKey", + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "Resource": "*" + } + ] + } + }, + "Type": "AWS::KMS::Key" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: A sample template +Resources: + myKey: + Type: AWS::KMS::Key + Properties: + Description: An example symmetric CMK + KeyPolicy: + Version: '2012-10-17' + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: arn:aws:iam::111122223333:root + Action: kms:* + Resource: '*' + - Sid: Allow administration of the key + Effect: Allow + Principal: + AWS: arn:aws:iam::123456789012:user/Alice + Action: + - kms:Create* + - kms:Describe* + - kms:Enable* + - kms:List* + - kms:Put* + - kms:Update* + - kms:Revoke* + - kms:Disable* + - kms:Get* + - kms:Delete* + - kms:ScheduleKeyDeletion + - kms:CancelKeyDeletion + Resource: '*' + - Sid: Allow use of the key + Effect: Allow + Principal: + AWS: arn:aws:iam::123456789012:user/Bob + Action: + - kms:DescribeKey + - kms:Encrypt + - kms:Decrypt + - kms:ReEncrypt* + - kms:GenerateDataKey + - kms:GenerateDataKeyWithoutPlaintext + Resource: '*' + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "A sample template", + "Resources": { + "myKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "Description": "An example symmetric CMK", + "KeyPolicy": { + "Version": "2012-10-17", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:root" + }, + "Action": "kms:*", + "Resource": "*" + }, + { + "Sid": "Allow administration of the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/Alice" + }, + "Action": [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:user/Bob" + }, + "Action": [ + "kms:DescribeKey", + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "Resource": "*", + "Sid": "Allow use of the key" + } + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f62aa827-4ade-4dc4-89e4-1433d384a368.md b/docs/queries/cloudformation-queries/aws/f62aa827-4ade-4dc4-89e4-1433d384a368.md new file mode 100644 index 00000000000..13e17e92c11 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f62aa827-4ade-4dc4-89e4-1433d384a368.md 
@@ -0,0 +1,188 @@
+---
+title: IAM Policy Grants Full Permissions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f62aa827-4ade-4dc4-89e4-1433d384a368
+- **Query name:** IAM Policy Grants Full Permissions
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_policy_grants_full_permissions)
+
+### Description
+IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 21" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + mypolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: mygrouppolicy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: ["*"] + Resource: "*" + Groups: + - myexistinggroup1 + - !Ref mygroup + mypolicy2: + Type: AWS::IAM::Policy + Properties: + PolicyName: mygrouppolicy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: "*" + Resource: "*" + Groups: + - myexistinggroup1 + - !Ref mygroup + + + + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9 29" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "mypolicy2": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "mygrouppolicy", + "PolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": "*", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "Groups": [ + "myexistinggroup1", + "mygroup" + ] + } + }, + "mypolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "mygrouppolicy", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "*" + ], + "Resource": "*" + } + ] + }, + "Groups": [ + "myexistinggroup1", + "mygroup" + ] + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + adminPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: mygrouppolicy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: ["*"] + Resource: arn:aws:iam::aws:policy/AdministratorAccess + Groups: + - myexistinggroup1 + - !Ref mygroup + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "adminPolicy": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyName": "mygrouppolicy", + "PolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Resource": "arn:aws:iam::aws:policy/AdministratorAccess", + "Effect": "Allow", + "Action": [ + "*" + ] + } + ] + }, + "Groups": [ + "myexistinggroup1", + "mygroup" + ] + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + adminPolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: mygrouppolicy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: 'ec2messages:GetEndpoint' + Resource: ['*'] + Groups: + - myexistinggroup1 + - !Ref mygroup + +``` diff --git a/docs/queries/cloudformation-queries/aws/f6397a20-4cf1-4540-a997-1d363c25ef58.md b/docs/queries/cloudformation-queries/aws/f6397a20-4cf1-4540-a997-1d363c25ef58.md new file mode 100644 index 00000000000..4b611fbc23e --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f6397a20-4cf1-4540-a997-1d363c25ef58.md 
@@ -0,0 +1,188 @@
+---
+title: S3 Bucket Allows Put Action From All Principals
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f6397a20-4cf1-4540-a997-1d363c25ef58
+- **Query name:** S3 Bucket Allows Put Action From All Principals
+- **Platform:** CloudFormation
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_allows_put_actions_from_all_principals)
+
+### Description
+S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7" +#this is a problematic code where the query should report a result(s) +Resources: + SampleBucketPolicy3: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: "PutObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + SampleBucketPolicy4: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - "PutObject" + - "GetObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9 35" +{ + "Resources": { + "SampleBucketPolicy5": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "PutObject", + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + }, + "SampleBucketPolicy6": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "PutObject", + "GetObject" + ], + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + SampleBucketPolicy1: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - 's3:PutObject' + Effect: Deny + Resource: '*' + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "SampleBucketPolicy2": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:PutObject" + ], + "Effect": "Deny", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b.md b/docs/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b.md new file mode 100644 index 00000000000..a52931b510b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b.md @@ -0,0 +1,321 @@ +--- +title: VPC FlowLogs Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f6d299d2-21eb-41cc-b1e1-fe12d857500b +- **Query name:** VPC FlowLogs Disabled +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/vpc_flowlogs_disabled) + +### Description +Every VPC resource should have an associated Flow Log
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-flowlog.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="34" +AWSTemplateFormatVersion: '2010-09-09' +Description: 'VPC: public and private subnets in two availability zones, a cloudonaut.io template' +Parameters: + ClassB: + Description: 'Class B of VPC (10.XXX.0.0/16)' + Type: Number + Default: 0 + ConstraintDescription: 'Must be in the range [0-255]' + MinValue: 0 + MaxValue: 255 +Resources: + Role: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: 'vpc-flow-logs.amazonaws.com' + Action: 'sts:AssumeRole' + Policies: + - PolicyName: 'flowlogs-policy' + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - 'logs:CreateLogStream' + - 'logs:PutLogEvents' + - 'logs:DescribeLogGroups' + - 'logs:DescribeLogStreams' + Resource: !GetAtt 'LogGroup.Arn' + MyVPC: + Type: 'AWS::EC2::VPC' + Properties: + CidrBlock: !Sub '10.${ClassB}.0.0/16' + EnableDnsSupport: true + EnableDnsHostnames: true + InstanceTenancy: default + Tags: + - Key: Name + Value: !Sub '10.${ClassB}.0.0/16' + LogGroup: + Type: 'AWS::Logs::LogGroup' + Properties: + RetentionInDays: 14 + FlowLog: + Type: 'AWS::EC2::FlowLog' + Properties: + DeliverLogsPermissionArn: !GetAtt 'Role.Arn' + LogGroupName: !Ref LogGroup + ResourceId: !Ref MyVPC1 + ResourceType: 'VPC' + TrafficType: ACCEPT +``` +```json title="Postitive test num. 
2 - json file" hl_lines="52" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "VPC: public and private subnets in two availability zones, a cloudonaut.io template", + "Parameters": { + "ClassB": { + "MaxValue": 255, + "Description": "Class B of VPC (10.XXX.0.0/16)", + "Type": "Number", + "Default": 0, + "ConstraintDescription": "Must be in the range [0-255]", + "MinValue": 0 + } + }, + "Resources": { + "Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "vpc-flow-logs.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] + }, + "Policies": [ + { + "PolicyName": "flowlogs-policy", + "PolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams" + ], + "Resource": "LogGroup.Arn" + } + ], + "Version": "2012-10-17" + } + } + ] + } + }, + "MyVPC": { + "Type": "AWS::EC2::VPC", + "Properties": { + "EnableDnsSupport": true, + "EnableDnsHostnames": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "10.${ClassB}.0.0/16" + } + ], + "CidrBlock": "10.${ClassB}.0.0/16" + } + }, + "LogGroup": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 14 + } + }, + "FlowLog": { + "Type": "AWS::EC2::FlowLog", + "Properties": { + "DeliverLogsPermissionArn": "Role.Arn", + "LogGroupName": "LogGroup", + "ResourceId": "MyVPC1", + "ResourceType": "VPC", + "TrafficType": "ACCEPT" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Description: 'VPC: public and private subnets in two availability zones, a cloudonaut.io template' +Parameters: + ClassB: + Description: 'Class B of VPC (10.XXX.0.0/16)' + Type: Number + Default: 0 + ConstraintDescription: 'Must be in the range [0-255]' + MinValue: 0 + MaxValue: 255 +Resources: + Role: + Type: 'AWS::IAM::Role' + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: 'vpc-flow-logs.amazonaws.com' + Action: 'sts:AssumeRole' + Policies: + - PolicyName: 'flowlogs-policy' + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - 'logs:CreateLogStream' + - 'logs:PutLogEvents' + - 'logs:DescribeLogGroups' + - 'logs:DescribeLogStreams' + Resource: !GetAtt 'LogGroup.Arn' + MyVPC: + Type: 'AWS::EC2::VPC' + Properties: + CidrBlock: !Sub '10.${ClassB}.0.0/16' + EnableDnsSupport: true + EnableDnsHostnames: true + InstanceTenancy: default + Tags: + - Key: Name + Value: !Sub '10.${ClassB}.0.0/16' + LogGroup: + Type: 'AWS::Logs::LogGroup' + Properties: + RetentionInDays: 14 + FlowLog: + Type: 'AWS::EC2::FlowLog' + Properties: + DeliverLogsPermissionArn: !GetAtt 'Role.Arn' + LogGroupName: !Ref LogGroup + ResourceId: !Ref MyVPC + ResourceType: 'VPC' + TrafficType: ACCEPT +``` +```json title="Negative test num. 
2 - json file" +{ + "Description": "VPC: public and private subnets in two availability zones, a cloudonaut.io template", + "Parameters": { + "ClassB": { + "Description": "Class B of VPC (10.XXX.0.0/16)", + "Type": "Number", + "Default": 0, + "ConstraintDescription": "Must be in the range [0-255]", + "MinValue": 0, + "MaxValue": 255 + } + }, + "Resources": { + "Role": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "vpc-flow-logs.amazonaws.com" + } + } + ] + }, + "Policies": [ + { + "PolicyDocument": { + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams" + ], + "Resource": "LogGroup.Arn" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "flowlogs-policy" + } + ] + } + }, + "MyVPC": { + "Properties": { + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "10.${ClassB}.0.0/16" + } + ], + "CidrBlock": "10.${ClassB}.0.0/16", + "EnableDnsSupport": true, + "EnableDnsHostnames": true + }, + "Type": "AWS::EC2::VPC" + }, + "LogGroup": { + "Type": "AWS::Logs::LogGroup", + "Properties": { + "RetentionInDays": 14 + } + }, + "FlowLog": { + "Type": "AWS::EC2::FlowLog", + "Properties": { + "DeliverLogsPermissionArn": "Role.Arn", + "LogGroupName": "LogGroup", + "ResourceId": "MyVPC", + "ResourceType": "VPC", + "TrafficType": "ACCEPT" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09" +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f80e3aa7-7b34-4185-954e-440a6894dde6.md b/docs/queries/cloudformation-queries/aws/f80e3aa7-7b34-4185-954e-440a6894dde6.md new file mode 100644 index 00000000000..e1bc88d7cce --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f80e3aa7-7b34-4185-954e-440a6894dde6.md 
@@ -0,0 +1,137 @@ +--- +title: IAM Role Allows All Principals To Assume +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f80e3aa7-7b34-4185-954e-440a6894dde6 +- **Query name:** IAM Role Allows All Principals To Assume +- **Platform:** CloudFormation +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/iam_role_allows_all_principals_to_assume) + +### Description +IAM role allows all services or principals to assume it
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#cfn-iam-role-assumerolepolicydocument) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + RootRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: > + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::root" + }, + "Effect": "Allow", + "Sid": "" + } + ] + } + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "RootRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": [ + "arn:aws:iam::root" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Resources: + RootRole: + Type: "AWS::IAM::Role" + Properties: + AssumeRolePolicyDocument: > + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "AWS": "arn:aws:iam::root" + }, + "Effect": "Deny", + "Sid": "" + } + ] + } + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "RootRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Deny", + "Principal": { + "AWS": [ + "arn:aws:iam::root" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/" + } + } + } +} + +``` 
diff --git a/docs/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6.md b/docs/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6.md new file mode 100644 index 00000000000..eb094c69591 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6.md @@ -0,0 +1,367 @@ +--- +title: EC2 Instance Has No IAM Role +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f914357d-8386-4d56-9ba6-456e5723f9a6 +- **Query name:** EC2 Instance Has No IAM Role +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ec2_instance_has_no_iam_role) + +### Description +Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 29 55" +Resources: + NoIAM: + Type: AWS::EC2::Instance + Properties: + InstanceType: + Ref: InstanceType + ImageId: + Fn::FindInMap: + - AMIs + - Ref: AWS::Region + - Name + KeyName: + Ref: KeyName + Tags: + - Key: Name + Value: Test + IAM_Missing: + Type: AWS::EC2::Instance + Properties: + InstanceType: + Ref: InstanceType + ImageId: + Fn::FindInMap: + - AMIs + - Ref: AWS::Region + - Name + KeyName: + Ref: KeyName + IamInstanceProfile: + Ref: NonExistantProfile + SecurityGroupIds: + - Ref: SSHAccessSG + Tags: + - Key: Name + Value: Test + IAMNoRoles: + Type: AWS::EC2::Instance + Properties: + InstanceType: + Ref: InstanceType + ImageId: + Fn::FindInMap: + - AMIs + - Ref: AWS::Region + - Name + KeyName: + Ref: KeyName + IamInstanceProfile: + Ref: NoRolesProfile + Tags: + - Key: Name + Value: Test + NoRolesProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: "/" + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="5 94 47" +{ + "Resources": { + "NoIAM": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": { + "Ref": "InstanceType" + }, + "ImageId": { + "Fn::FindInMap": [ + "AMIs", + { + "Ref": "AWS::Region" + }, + "Name" + ] + }, + "KeyName": { + "Ref": "KeyName" + }, + "Tags": [ + { + "Key": "Name", + "Value": "Test" + } + ] + } + }, + "IAM_Missing": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": { + "Ref": "InstanceType" + }, + "ImageId": { + "Fn::FindInMap": [ + "AMIs", + { + "Ref": "AWS::Region" + }, + "Name" + ] + }, + "KeyName": { + "Ref": "KeyName" + }, + "IamInstanceProfile": { + "Ref": "NoProfile" + }, + "SecurityGroupIds": [ + { + "Ref": "SSHAccessSG" + } + ], + "Tags": [ + { + "Key": "Name", + "Value": "Test" + } + ] + } + }, + "IAMNoRoles": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": { + "Ref": "InstanceType" + }, + "ImageId": { + "Fn::FindInMap": [ + "AMIs", + { + "Ref": "AWS::Region" + }, + "Name" + ] + }, + "KeyName": { + "Ref": "KeyName" + }, + "IamInstanceProfile": { + "Ref": "NoRolesProfile" + }, + "Tags": [ + { + "Key": "Name", + "Value": "Test" + } + ] + } + }, + "NoRolesProfile": { + "Type": "AWS::IAM::InstanceProfile", + "Properties": { + "Path": "/" + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="29 4 53" +Resources: + NoIAM: + Type: AWS::EC2::Instance + Properties: + InstanceType: + Ref: InstanceType + ImageId: + Fn::FindInMap: + - AMIs + - Ref: AWS::Region + - Name + KeyName: + Ref: KeyName + Tags: + - Key: Name + Value: Test + IAM_Missing: + Type: AWS::EC2::Instance + Properties: + InstanceType: + Ref: InstanceType + ImageId: + Fn::FindInMap: + - AMIs + - Ref: AWS::Region + - Name + KeyName: + Ref: KeyName + IamInstanceProfile: NonExistantProfile + SecurityGroupIds: + - Ref: SSHAccessSG + Tags: + - Key: Name + Value: Test + IAMNoRoles: + Type: AWS::EC2::Instance + Properties: + InstanceType: + Ref: InstanceType + ImageId: + Fn::FindInMap: + - AMIs + - Ref: AWS::Region + - Name + KeyName: + Ref: KeyName + IamInstanceProfile: NoRolesProfile + Tags: + - Key: Name + Value: Test + NoRolesProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: "/" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" + +Resources: + Test: + Type: AWS::EC2::Instance + Properties: + InstanceType: + Ref: InstanceType + ImageId: + Fn::FindInMap: + - AMIs + - Ref: AWS::Region + - Name + KeyName: + Ref: KeyName + IamInstanceProfile: + Ref: ListS3BucketsInstanceProfile + SecurityGroupIds: + - Ref: SSHAccessSG + Tags: + - Key: Name + Value: Test + ListS3BucketsInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: "/" + Roles: + - Ref: ListS3BucketsRole + ListS3BucketsRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: + - ec2.amazonaws.com + Action: + - sts:AssumeRole + Path: "/" +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "Test": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": { + "Ref": "InstanceType" + }, + "ImageId": { + "Fn::FindInMap": [ + "AMIs", + { + "Ref": "AWS::Region" + }, + "Name" + ] + }, + "KeyName": { + "Ref": "KeyName" + }, + "IamInstanceProfile": { + "Ref": "ListS3BucketsInstanceProfile" + }, + "SecurityGroupIds": [ + { + "Ref": "SSHAccessSG" + } + ], + "Tags": [ + { + "Key": "Name", + "Value": "Test" + } + ] + } + }, + "ListS3BucketsInstanceProfile": { + "Properties": { + "Path": "/", + "Roles": [ + { + "Ref": "ListS3BucketsRole" + } + ] + }, + "Type": "AWS::IAM::InstanceProfile" + }, + "ListS3BucketsRole": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": [ + "ec2.amazonaws.com" + ] + }, + "Action": [ + "sts:AssumeRole" + ] + } + ] + }, + "Path": "/" + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md b/docs/queries/cloudformation-queries/aws/f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md new file mode 100644 index 00000000000..53bef7c82aa --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f97b7d23-568f-4bcc-9ac9-02df0d57fbba.md 
@@ -0,0 +1,185 @@ +--- +title: S3 Bucket Allows Get Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f97b7d23-568f-4bcc-9ac9-02df0d57fbba +- **Query name:** S3 Bucket Allows Get Action From All Principals +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_allows_get_actions_from_all_principals) + +### Description +S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7" +#this is a problematic code where the query should report a result(s) +Resources: + SampleBucketPolicy3: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: "GetObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + SampleBucketPolicy4: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - "DeleteObject" + - "GetObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9 35" +{ + "Resources": { + "SampleBucketPolicy5": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "GetObject", + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + }, + "SampleBucketPolicy6": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": ["DeleteObject", "GetObject"], + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + SampleBucketPolicy1: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - 's3:GetObject' + Effect: Deny + Resource: '*' + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "SampleBucketPolicy2": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetObject" + ], + "Effect": "Deny", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/f988a17f-1139-46a3-8928-f27eafd8b024.md b/docs/queries/cloudformation-queries/aws/f988a17f-1139-46a3-8928-f27eafd8b024.md new file mode 100644 index 00000000000..41dc8430379 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f988a17f-1139-46a3-8928-f27eafd8b024.md @@ -0,0 +1,715 @@ +--- +title: DMS Endpoint MongoDB Settings Password Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f988a17f-1139-46a3-8928-f27eafd8b024 +- **Query name:** DMS Endpoint MongoDB Settings Password Exposed +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/dms_endpoint_mongo_db_settings_password_exposed) + +### Description +DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-dms-endpoint-mongodbsettings.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: '' + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' + MasterMongoDBPassword: + Description: 'Password' + Type: String + Default: 'as@3djdkDjskjs73!!' +Resources: + NewAmpApp4: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + AuthMechanism: String + AuthSource: String + AuthType: String + DatabaseName: String + DocsToInvestigate: String + ExtractDocId: String + NestingLevel: String + Password: !Ref MasterMongoDBPassword + Port: 80 + ServerName: String + Username: String + NeptuneSettings: + NeptuneSettings + Password: !Ref ParentMasterPassword + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="24" +Resources: + NewAmpApp5: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + AuthMechanism: String + AuthSource: String + AuthType: String + DatabaseName: String + DocsToInvestigate: String + ExtractDocId: String + NestingLevel: String + Password: 'as@3djdkDjskjs73!!' 
+ Port: 80 + ServerName: String + Username: String + NeptuneSettings: + NeptuneSettings + Password: 'asDjskjs73!!' + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="35" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + MasterMongoDBPassword: + Description: 'Password' + Type: String + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username' +Resources: + NewAmpApp6: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + AuthMechanism: String + AuthSource: String + AuthType: String + DatabaseName: String + DocsToInvestigate: String + ExtractDocId: String + NestingLevel: String + Password: 'asDjskjs73!!' + Port: 80 + ServerName: String + Username: String + NeptuneSettings: + NeptuneSettings + Password: !Ref ParentMasterPassword + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +
Postitive test num. 4 - json file + +```json hl_lines="16" +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + }, + "MasterMongoDBPassword": { + "Description": "Password", + "Type": "String", + "Default": "as@3djdkDjskjs73!!" + } + }, + "Resources": { + "NewAmpApp4": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "CertificateArn": "String", + "DatabaseName": "String", + "EndpointType": "String", + "ExtraConnectionAttributes": "String", + "SslMode": "String", + "EndpointIdentifier": "String", + "MongoDbSettings": { + "ServerName": "String", + "Username": "String", + "AuthMechanism": "String", + "AuthType": "String", + "DatabaseName": "String", + "DocsToInvestigate": "String", + "NestingLevel": "String", + "Password": "MasterMongoDBPassword", + "AuthSource": "String", + "ExtractDocId": "String", + "Port": 80 + }, + "NeptuneSettings": "NeptuneSettings", + "Password": "ParentMasterPassword", + "Tags": [ + "Tag" + ], + "KafkaSettings": "KafkaSettings", + "KinesisSettings": "KinesisSettings", + "KmsKeyId": "String", + "Port": 80, + "ServerName": "String", + "Username": "String", + "EngineName": "String", + "S3Settings": "S3Settings" + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="26" +{ + "Resources": { + "NewAmpApp5": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "EndpointIdentifier": "String", + "EngineName": "String", + "SslMode": "String", + "Username": "String", + "ExtraConnectionAttributes": "String", + "KafkaSettings": "KafkaSettings", + "KinesisSettings": "KinesisSettings", + "NeptuneSettings": "NeptuneSettings", + "S3Settings": "S3Settings", + "DatabaseName": "String", + "MongoDbSettings": { + "AuthMechanism": "String", + "AuthSource": "String", + "AuthType": "String", + "DatabaseName": "String", + "Port": 80, + "Username": "String", + "DocsToInvestigate": "String", + "ExtractDocId": "String", + "NestingLevel": "String", + "Password": "as@3djdkDjskjs73!!", + "ServerName": "String" + }, + "Password": "asDjskjs73!!", + "ServerName": "String", + "CertificateArn": "String", + "EndpointType": "String", + "KmsKeyId": "String", + "Port": 80, + "Tags": [ + "Tag" + ] + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="38" +{ + "Parameters": { + "ParentMasterPassword": { + "Type": "String", + "Description": "Password" + }, + "MasterMongoDBPassword": { + "Description": "Password", + "Type": "String" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username" + } + }, + "Resources": { + "NewAmpApp6": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "ExtraConnectionAttributes": "String", + "KafkaSettings": "KafkaSettings", + "NeptuneSettings": "NeptuneSettings", + "Password": "ParentMasterPassword", + "EndpointIdentifier": "String", + "EndpointType": "String", + "KinesisSettings": "KinesisSettings", + "S3Settings": "S3Settings", + "ServerName": "String", + "DatabaseName": "String", + "KmsKeyId": "String", + "MongoDbSettings": { + "DatabaseName": "String", + "NestingLevel": "String", + "AuthSource": "String", + "AuthType": "String", + "ExtractDocId": "String", + "Password": "asDjskjs73!!", + "Port": 80, + "ServerName": "String", + "Username": "String", + "AuthMechanism": "String", + "DocsToInvestigate": "String" + }, + "Port": 80, + "Username": "String", + "CertificateArn": "String", + "SslMode": "String", + "Tags": [ + "Tag" + ], + "EngineName": "String" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + Default: '' + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username!' + MasterMongoDBPassword: + Description: 'Password' + Type: String + Default: '' +Resources: + NewAmpApp1: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + AuthMechanism: String + AuthSource: String + AuthType: String + DatabaseName: String + DocsToInvestigate: String + ExtractDocId: String + NestingLevel: String + Password: !Ref MasterMongoDBPassword + Port: 80 + ServerName: String + Username: String + NeptuneSettings: + NeptuneSettings + Password: !Ref ParentMasterPassword + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +```yaml title="Negative test num. 
2 - yaml file" +Parameters: + ParentMasterPassword: + Description: 'Password' + Type: String + MasterMongoDBPassword: + Description: 'Password' + Type: String + ParentMasterUsername: + Description: 'username' + Type: String + Default: 'username' +Resources: + NewAmpApp2: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + AuthMechanism: String + AuthSource: String + AuthType: String + DatabaseName: String + DocsToInvestigate: String + ExtractDocId: String + NestingLevel: String + Password: !Ref MasterMongoDBPassword + Port: 80 + ServerName: String + Username: String + NeptuneSettings: + NeptuneSettings + Password: !Ref ParentMasterPassword + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + +``` +```yaml title="Negative test num. 
3 - yaml file" +Resources: + NewAmpApp3: + Type: AWS::DMS::Endpoint + Properties: + CertificateArn: String + DatabaseName: String + EndpointIdentifier: String + EndpointType: String + EngineName: String + ExtraConnectionAttributes: String + KafkaSettings: + KafkaSettings + KinesisSettings: + KinesisSettings + KmsKeyId: String + MongoDbSettings: + AuthMechanism: String + AuthSource: String + AuthType: String + DatabaseName: String + DocsToInvestigate: String + ExtractDocId: String + NestingLevel: String + Password: !Sub '{{resolve:secretsmanager:${MongoDBSecretManagerRotater}::password}}' + Port: 80 + ServerName: String + Username: String + NeptuneSettings: + NeptuneSettings + Password: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + Port: 80 + S3Settings: + S3Settings + ServerName: String + SslMode: String + Tags: + - Tag + Username: String + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username": "admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + MongoDBSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my MongoDBSecretManagerRotater instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username": "admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +
Negative test num. 4 - json file + +```json +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username!" + }, + "MasterMongoDBPassword": { + "Description": "Password", + "Type": "String", + "Default": "" + } + }, + "Resources": { + "NewAmpApp1": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "Username": "String", + "EndpointIdentifier": "String", + "EngineName": "String", + "Tags": [ + "Tag" + ], + "Password": "ParentMasterPassword", + "Port": 80, + "CertificateArn": "String", + "DatabaseName": "String", + "EndpointType": "String", + "KinesisSettings": "KinesisSettings", + "KmsKeyId": "String", + "NeptuneSettings": "NeptuneSettings", + "S3Settings": "S3Settings", + "ServerName": "String", + "SslMode": "String", + "ExtraConnectionAttributes": "String", + "KafkaSettings": "KafkaSettings", + "MongoDbSettings": { + "AuthMechanism": "String", + "NestingLevel": "String", + "Password": "MasterMongoDBPassword", + "Port": 80, + "AuthSource": "String", + "AuthType": "String", + "DatabaseName": "String", + "DocsToInvestigate": "String", + "ExtractDocId": "String", + "ServerName": "String", + "Username": "String" + } + } + } + } +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "Parameters": { + "ParentMasterPassword": { + "Description": "Password", + "Type": "String" + }, + "MasterMongoDBPassword": { + "Description": "Password", + "Type": "String" + }, + "ParentMasterUsername": { + "Description": "username", + "Type": "String", + "Default": "username" + } + }, + "Resources": { + "NewAmpApp2": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "EngineName": "String", + "KinesisSettings": "KinesisSettings", + "Password": "ParentMasterPassword", + "EndpointIdentifier": "String", + "KafkaSettings": "KafkaSettings", + "MongoDbSettings": { + "AuthMechanism": "String", + "AuthType": "String", + "DatabaseName": "String", + "ExtractDocId": "String", + "Port": 80, + "ServerName": "String", + "AuthSource": "String", + "DocsToInvestigate": "String", + "NestingLevel": "String", + "Password": "MasterMongoDBPassword", + "Username": "String" + }, + "Port": 80, + "CertificateArn": "String", + "Tags": [ + "Tag" + ], + "Username": "String", + "NeptuneSettings": "NeptuneSettings", + "S3Settings": "S3Settings", + "ServerName": "String", + "SslMode": "String", + "DatabaseName": "String", + "EndpointType": "String", + "ExtraConnectionAttributes": "String", + "KmsKeyId": "String" + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Resources": { + "MyAmpAppSecretManagerRotater": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "Description": "This is my amp app instance secret", + "GenerateSecretString": { + "ExcludeCharacters": "\"@/\\", + "SecretStringTemplate": "{\"username\": \"admin\"}", + "GenerateStringKey": "password", + "PasswordLength": 16 + } + } + }, + "MongoDBSecretManagerRotater": { + "Type": "AWS::SecretsManager::Secret", + "Properties": { + "Description": "This is my MongoDBSecretManagerRotater instance secret", + "GenerateSecretString": { + "GenerateStringKey": "password", + "PasswordLength": 16, + "ExcludeCharacters": "\"@/\\", + "SecretStringTemplate": "{\"username\": \"admin\"}" + } + } + }, + "NewAmpApp3": { + "Type": "AWS::DMS::Endpoint", + "Properties": { + "EndpointType": "String", + "ExtraConnectionAttributes": "String", + "KmsKeyId": "String", + "NeptuneSettings": "NeptuneSettings", + "CertificateArn": "String", + "S3Settings": "S3Settings", + "Username": "String", + "MongoDbSettings": { + "Username": "String", + "AuthMechanism": "String", + "AuthType": "String", + "DocsToInvestigate": "String", + "ExtractDocId": "String", + "NestingLevel": "String", + "Password": "{{resolve:secretsmanager:${MongoDBSecretManagerRotater}::password}}", + "Port": 80, + "ServerName": "String", + "AuthSource": "String", + "DatabaseName": "String" + }, + "EndpointIdentifier": "String", + "EngineName": "String", + "Password": "{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}", + "Tags": [ + "Tag" + ], + "DatabaseName": "String", + "KinesisSettings": "KinesisSettings", + "Port": 80, + "ServerName": "String", + "SslMode": "String", + "KafkaSettings": "KafkaSettings" + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/f9b10cdb-eaab-4e39-9793-e12b94a582ad.md b/docs/queries/cloudformation-queries/aws/f9b10cdb-eaab-4e39-9793-e12b94a582ad.md new file mode 100644 index 00000000000..494ee54e42b --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/f9b10cdb-eaab-4e39-9793-e12b94a582ad.md @@ -0,0 +1,232 @@ +--- +title: ECS Task Definition Container With Plaintext Password +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f9b10cdb-eaab-4e39-9793-e12b94a582ad +- **Query name:** ECS Task Definition Container With Plaintext Password +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecs_task_definition_with_plaintext_password) + +### Description +It's not recommended to use plaintext environment variables for sensitive information, such as credential data.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-containerdefinitions.html#cfn-ecs-taskdefinition-containerdefinition-environment) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="40 27" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "taskdefinition3": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "ContainerDefinitions": [ + { + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": 256, + "PortMappings": [ + { + "HostPort": { + "Ref": "AppHostPort" + }, + "ContainerPort": { + "Ref": "AppContainerPort" + } + } + ], + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": 512, + "Essential": true, + "Name": { + "Ref": "AppName" + }, + "Environment": [ + { + "Name": "password", + "Value": "123123" + } + ] + } + ], + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="40 27" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + taskdefinition4: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: + Ref: "AppName" + MountPoints: + - SourceVolume: "my-vol" + ContainerPath: "/var/www/my-vol" + Image: "amazon/amazon-ecs-sample" + Cpu: 256 + PortMappings: + - ContainerPort: + Ref: "AppContainerPort" + HostPort: + Ref: "AppHostPort" + EntryPoint: + - "/usr/sbin/apache2" + - "-D" + - "FOREGROUND" + Memory: 512 + Essential: true + Environment: + - Name: "password" + Value: 123123123 + Volumes: + - Host: + SourcePath: "/var/lib/docker/vfs/dir/" + Name: "my-vol" + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "A sample template", + "Resources": { + "taskdefinition": { + "Type": "AWS::ECS::TaskDefinition", + "Properties": { + "Volumes": [ + { + "Host": { + "SourcePath": "/var/lib/docker/vfs/dir/" + }, + "Name": "my-vol" + } + ], + "ContainerDefinitions": [ + { + "EntryPoint": [ + "/usr/sbin/apache2", + "-D", + "FOREGROUND" + ], + "Memory": 512, + "PortMappings": [ + { + "ContainerPort": { + "Ref": "AppContainerPort" + }, + "HostPort": { + "Ref": "AppHostPort" + } + } + ], + "MountPoints": [ + { + "SourceVolume": "my-vol", + "ContainerPath": "/var/www/my-vol" + } + ], + "Image": "amazon/amazon-ecs-sample", + "Cpu": 256, + "HealthCheck": { + "Command": [ + "CMD-SHELL", + "curl -f http://localhost:8080/ || exit 1" + ], + "Interval": 30, + "Retries": 3, + "StartPeriod": 1, + "Timeout": 5 + }, + "Essential": true, + "Name": { + "Ref": "AppName" + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: A sample template +Resources: + taskdefinition2: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Name: + Ref: "AppName" + MountPoints: + - SourceVolume: "my-vol" + ContainerPath: "/var/www/my-vol" + Image: "amazon/amazon-ecs-sample" + Cpu: 256 + PortMappings: + - ContainerPort: + Ref: "AppContainerPort" + HostPort: + Ref: "AppHostPort" + EntryPoint: + - "/usr/sbin/apache2" + - "-D" + - "FOREGROUND" + HealthCheck: + Command: + - CMD-SHELL + - curl -f http://localhost:8080/ || exit 1 + Interval: 30 + Retries: 3 + StartPeriod: 1 + Timeout: 5 + Memory: 512 + Essential: true + Volumes: + - Host: + SourcePath: "/var/lib/docker/vfs/dir/" + Name: "my-vol" + +``` diff --git a/docs/queries/cloudformation-queries/aws/faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md b/docs/queries/cloudformation-queries/aws/faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md new file mode 100644 index 00000000000..8e62b046149 --- /dev/null 
+++ b/docs/queries/cloudformation-queries/aws/faa8fddf-c0aa-4b2d-84ff-e993e233ebe9.md @@ -0,0 +1,188 @@ +--- +title: S3 Bucket Allows List Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** faa8fddf-c0aa-4b2d-84ff-e993e233ebe9 +- **Query name:** S3 Bucket Allows List Action From All Principals +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/s3_bucket_allows_list_actions_from_all_principals) + +### Description +S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22 7" +#this is a problematic code where the query should report a result(s) +Resources: + SampleBucketPolicy3: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: "ListObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + SampleBucketPolicy4: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - "ListObject" + - "GetObject" + Effect: Allow + Resource: "*" + Principal: "*" + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Postitive test num. 2 - json file" hl_lines="9 35" +{ + "Resources": { + "SampleBucketPolicy5": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "ListObject", + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + }, + "SampleBucketPolicy6": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "ListObject", + "GetObject" + ], + "Effect": "Allow", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + SampleBucketPolicy1: + Type: 'AWS::S3::BucketPolicy' + Properties: + Bucket: !Ref DOC-EXAMPLE-BUCKET + PolicyDocument: + Statement: + - Action: + - 's3:ListObject' + Effect: Deny + Resource: '*' + Principal: '*' + Condition: + StringLike: + 'aws:Referer': + - 'http://www.example.com/*' + - 'http://example.net/*' + +``` +```json title="Negative test num. 2 - json file" +{ + "Resources": { + "SampleBucketPolicy2": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "DOC-EXAMPLE-BUCKET" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:ListObject" + ], + "Effect": "Deny", + "Resource": "*", + "Principal": "*", + "Condition": { + "StringLike": { + "aws:Referer": [ + "http://www.example.com/*", + "http://example.net/*" + ] + } + } + } + ] + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/fb2b0ecf-1492-491a-a70d-ba1df579175d.md b/docs/queries/cloudformation-queries/aws/fb2b0ecf-1492-491a-a70d-ba1df579175d.md new file mode 100644 index 00000000000..68a0b4339e5 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/fb2b0ecf-1492-491a-a70d-ba1df579175d.md @@ -0,0 +1,163 @@ +--- +title: ECS No Load Balancer Attached +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fb2b0ecf-1492-491a-a70d-ba1df579175d +- **Query name:** ECS No Load Balancer Attached +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/ecs_no_load_balancer_attached) + +### Description +Amazon ECS service should be configured to use Load Balancing to distribute traffic evenly across the tasks, which means there must exist at least one LoadBalancer.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="25 7" +#this is a problematic code where the query should report a result(s) +Resources: + ECSService: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: ECSServiceRole + TaskDefinition: + Ref: ECSTaskDefinition + DesiredCount: 1 + Cluster: + Ref: ECSCluster + ECSService2: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: ECSServiceRole + TaskDefinition: + Ref: ECSTaskDefinition + DesiredCount: 1 + LoadBalancers: [] + Cluster: + Ref: ECSCluster + +``` +```json title="Postitive test num. 2 - json file" hl_lines="27 7" +{ + "Resources": { + "ECSService": { + "DependsOn": [ + "Listener" + ], + "Properties": { + "Role": { + "Ref": "ECSServiceRole" + }, + "TaskDefinition": { + "Ref": "ECSTaskDefinition" + }, + "DesiredCount": 1, + "Cluster": { + "Ref": "ECSCluster" + } + }, + "Type": "AWS::ECS::Service" + }, + "ECSService2": { + "Properties": { + "TaskDefinition": { + "Ref": "ECSTaskDefinition" + }, + "DesiredCount": 1, + "LoadBalancers": [], + "Cluster": { + "Ref": "ECSCluster" + }, + "Role": { + "Ref": "ECSServiceRole" + } + }, + "Type": "AWS::ECS::Service", + "DependsOn": [ + "Listener" + ] + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +Resources: + ECSService: + Type: AWS::ECS::Service + DependsOn: + - Listener + Properties: + Role: + Ref: ECSServiceRole + TaskDefinition: + Ref: ECSTaskDefinition + DesiredCount: 1 + LoadBalancers: + - TargetGroupArn: + Ref: TargetGroup + ContainerPort: 80 + ContainerName: sample-app + Cluster: + Ref: ECSCluster + +``` +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "ECSService": { + "Type": "AWS::ECS::Service", + "DependsOn": [ + "Listener" + ], + "Properties": { + "DesiredCount": 1, + "LoadBalancers": [ + { + "TargetGroupArn": { + "Ref": "TargetGroup" + }, + "ContainerPort": 80, + "ContainerName": "sample-app" + } + ], + "Cluster": { + "Ref": "ECSCluster" + }, + "Role": { + "Ref": "ECSServiceRole" + }, + "TaskDefinition": { + "Ref": "ECSTaskDefinition" + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md b/docs/queries/cloudformation-queries/aws/fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md new file mode 100644 index 00000000000..a3e9967605d --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/fc7c2c15-f5d0-4b80-adb2-c89019f8f62b.md @@ -0,0 +1,333 @@ +--- +title: MSK Cluster Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fc7c2c15-f5d0-4b80-adb2-c89019f8f62b +- **Query name:** MSK Cluster Logging Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/msk_cluster_logging_disabled) + +### Description +Ensure MSK Cluster Logging is enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-msk-cluster.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +AWSTemplateFormatVersion: "2010-09-09" +Description: MSK Cluster with required properties. +Resources: + TestCluster5: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithRequiredProperties + KafkaVersion: 2.2.1 + NumberOfBrokerNodes: 3 + BrokerNodeGroupInfo: + InstanceType: kafka.m5.large + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18 12 15" +AWSTemplateFormatVersion: "2010-09-09" +Description: MSK Cluster with required properties. +Resources: + TestCluster6: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithRequiredProperties + KafkaVersion: 2.2.1 + LoggingInfo: + BrokerLogs: + CloudWatchLogs: + Enabled: false + LogGroup: aws_cloudwatch_log_group.test.name + Firehose: + Enabled: false + LogGroup: firehose.test.name + S3: + Enabled: false + LogGroup: s3.test.name + NumberOfBrokerNodes: 3 + BrokerNodeGroupInfo: + InstanceType: kafka.m5.large + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +AWSTemplateFormatVersion: "2010-09-09" +Description: MSK Cluster with required properties. +Resources: + TestCluster7: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithRequiredProperties + KafkaVersion: 2.2.1 + LoggingInfo: + BrokerLogs: + CloudWatchLogs: + Enabled: false + LogGroup: aws_cloudwatch_log_group.test.name + NumberOfBrokerNodes: 3 + BrokerNodeGroupInfo: + InstanceType: kafka.m5.large + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +
Postitive test num. 4 - json file + +```json hl_lines="7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "MSK Cluster with required properties.", + "Resources": { + "TestCluster8": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithRequiredProperties", + "KafkaVersion": "2.2.1", + "NumberOfBrokerNodes": 3, + "BrokerNodeGroupInfo": { + "InstanceType": "kafka.m5.large", + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="17 21 13" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "MSK Cluster with required properties.", + "Resources": { + "TestCluster9": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithRequiredProperties", + "KafkaVersion": "2.2.1", + "LoggingInfo": { + "BrokerLogs": { + "CloudWatchLogs": { + "Enabled": false, + "LogGroup": "aws_cloudwatch_log_group.test.name" + }, + "Firehose": { + "Enabled": false, + "LogGroup": "firehose.test.name" + }, + "S3": { + "Enabled": false, + "LogGroup": "s3.test.name" + } + } + }, + "NumberOfBrokerNodes": 3, + "BrokerNodeGroupInfo": { + "InstanceType": "kafka.m5.large", + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="13" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "MSK Cluster with required properties.", + "Resources": { + "TestCluster10": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithRequiredProperties", + "KafkaVersion": "2.2.1", + "LoggingInfo": { + "BrokerLogs": { + "CloudWatchLogs": { + "Enabled": false, + "LogGroup": "aws_cloudwatch_log_group.test.name" + } + } + }, + "NumberOfBrokerNodes": 3, + "BrokerNodeGroupInfo": { + "InstanceType": "kafka.m5.large", + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: MSK Cluster with required properties. +Resources: + TestCluster: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithRequiredProperties + KafkaVersion: 2.2.1 + LoggingInfo: + BrokerLogs: + CloudWatchLogs: + Enabled: true + LogGroup: aws_cloudwatch_log_group.test.name + NumberOfBrokerNodes: 3 + BrokerNodeGroupInfo: + InstanceType: kafka.m5.large + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +```yaml title="Negative test num. 2 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: MSK Cluster with required properties. +Resources: + TestCluster2: + Type: 'AWS::MSK::Cluster' + Properties: + ClusterName: ClusterWithRequiredProperties + KafkaVersion: 2.2.1 + LoggingInfo: + BrokerLogs: + CloudWatchLogs: + Enabled: false + LogGroup: aws_cloudwatch_log_group.test.name + S3: + Enabled: true + LogGroup: s3.test.name + NumberOfBrokerNodes: 3 + BrokerNodeGroupInfo: + InstanceType: kafka.m5.large + ClientSubnets: + - ReplaceWithSubnetId1 + - ReplaceWithSubnetId2 + - ReplaceWithSubnetId3 + +``` +```json title="Negative test num. 3 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "MSK Cluster with required properties.", + "Resources": { + "TestCluster3": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithRequiredProperties", + "KafkaVersion": "2.2.1", + "LoggingInfo": { + "BrokerLogs": { + "CloudWatchLogs": { + "Enabled": true, + "LogGroup": "aws_cloudwatch_log_group.test.name" + } + } + }, + "NumberOfBrokerNodes": 3, + "BrokerNodeGroupInfo": { + "InstanceType": "kafka.m5.large", + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "MSK Cluster with required properties.", + "Resources": { + "TestCluster4": { + "Type": "AWS::MSK::Cluster", + "Properties": { + "ClusterName": "ClusterWithRequiredProperties", + "KafkaVersion": "2.2.1", + "LoggingInfo": { + "BrokerLogs": { + "CloudWatchLogs": { + "Enabled": false, + "LogGroup": "aws_cloudwatch_log_group.test.name" + }, + "S3": { + "Enabled": true, + "LogGroup": "s3.test.name" + } + } + }, + "NumberOfBrokerNodes": 3, + "BrokerNodeGroupInfo": { + "InstanceType": "kafka.m5.large", + "ClientSubnets": [ + "ReplaceWithSubnetId1", + "ReplaceWithSubnetId2", + "ReplaceWithSubnetId3" + ] + } + } + } + } +} + +``` +
diff --git a/docs/queries/cloudformation-queries/aws/fcbf9019-566c-4832-a65c-af00d8137d2b.md b/docs/queries/cloudformation-queries/aws/fcbf9019-566c-4832-a65c-af00d8137d2b.md new file mode 100644 index 00000000000..0ae79ba1381 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/fcbf9019-566c-4832-a65c-af00d8137d2b.md @@ -0,0 +1,209 @@ +--- +title: API Gateway without WAF +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fcbf9019-566c-4832-a65c-af00d8137d2b +- **Query name:** API Gateway without WAF +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/api_gateway_without_waf) + +### Description +API Gateway should have WAF (Web Application Firewall) enabled
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webaclassociation.html#cfn-wafv2-webaclassociation-resourcearn) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +AWSTemplateFormatVersion: "2010-09-09" +Description: "BatchJobDefinition" +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Prod + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + SampleWebACLAssociation: + Type: 'AWS::WAFv2::WebACLAssociation' + Properties: + WebACLArn: ExampleARNForWebACL + ResourceArn: arn:aws:apigateway:region::/restapis/api-id/stages/stage + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="33" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "Prod": { + "Properties": { + "ClientCertificateId": "ClientCertificate", + "DeploymentId": "TestDeployment", + "Description": "Prod Stage", + "DocumentationVersion": "MyDocumentationVersion", + "MethodSettings": [ + { + "DataTraceEnabled": "false", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "ResourcePath": "/" + }, + { + "DataTraceEnabled": "false", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "ResourcePath": "/stack", + "ThrottlingBurstLimit": "999" + }, + { + "DataTraceEnabled": "false", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "ResourcePath": "/stack", + "ThrottlingBurstLimit": "555" + } + ], + "RestApiId": "MyRestApi", + "StageName": "Prod", + "Variables": { + "Stack": "Prod" + } + }, + "Type": "AWS::ApiGateway::Stage" + }, + "SampleWebACLAssociation": { + "Properties": { + "ResourceArn": "arn:aws:apigateway:region::/restapis/api-id/stages/stage", + "WebACLArn": "ExampleARNForWebACL" + }, + "Type": "AWS::WAFv2::WebACLAssociation" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +AWSTemplateFormatVersion: "2010-09-09" +Description: "BatchJobDefinition" +Resources: + Production: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Production + Description: Prod Stage + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: !Ref MyDocumentationVersion + ClientCertificateId: !Ref ClientCertificate + Variables: + Stack: Production + MethodSettings: + - ResourcePath: / + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + - ResourcePath: /stack + HttpMethod: POST + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '999' + - ResourcePath: /stack + HttpMethod: GET + MetricsEnabled: 'true' + DataTraceEnabled: 'false' + ThrottlingBurstLimit: '555' + SampleWebACLAssociation: + Type: 'AWS::WAFv2::WebACLAssociation' + Properties: + WebACLArn: ExampleARNForWebACL + ResourceArn: arn:aws:apigateway:region::/restapis/api-id/stages/Production + +``` +```json title="Negative test num. 2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "Production": { + "Properties": { + "ClientCertificateId": "ClientCertificate", + "DeploymentId": "TestDeployment", + "Description": "Prod Stage", + "DocumentationVersion": "MyDocumentationVersion", + "MethodSettings": [ + { + "DataTraceEnabled": "false", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "ResourcePath": "/" + }, + { + "DataTraceEnabled": "false", + "HttpMethod": "POST", + "MetricsEnabled": "true", + "ResourcePath": "/stack", + "ThrottlingBurstLimit": "999" + }, + { + "DataTraceEnabled": "false", + "HttpMethod": "GET", + "MetricsEnabled": "true", + "ResourcePath": "/stack", + "ThrottlingBurstLimit": "555" + } + ], + "RestApiId": "MyRestApi", + "StageName": "Production", + "Variables": { + "Stack": "Production" + } + }, + "Type": "AWS::ApiGateway::Stage" + }, + "SampleWebACLAssociation": { + "Properties": { + "ResourceArn": 
"arn:aws:apigateway:region::/restapis/api-id/stages/Production", + "WebACLArn": "ExampleARNForWebACL" + }, + "Type": "AWS::WAFv2::WebACLAssociation" + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/fe974ae9-858e-4991-bbd5-e040a834679f.md b/docs/queries/cloudformation-queries/aws/fe974ae9-858e-4991-bbd5-e040a834679f.md new file mode 100644 index 00000000000..57a9c0150e9 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/fe974ae9-858e-4991-bbd5-e040a834679f.md @@ -0,0 +1,174 @@ +--- +title: Stack Retention Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fe974ae9-858e-4991-bbd5-e040a834679f +- **Query name:** Stack Retention Disabled +- **Platform:** CloudFormation +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/stack_retention_disabled) + +### Description +Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudformation-stackset-autodeployment.html#cfn-cloudformation-stackset-autodeployment-retainstacksonaccountremoval) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="35 39 11 18 27" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + stackset3: + Type: AWS::CloudFormation::StackSet + Properties: + PermissionModel: SERVICE_MANAGED + StackSetName: some_stack_name + TemplateURL: some_stack_link + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: false + stackset4: + Type: AWS::CloudFormation::StackSet + Properties: + PermissionModel: SERVICE_MANAGED + StackSetName: some_stack_name + TemplateURL: some_stack_link + AutoDeployment: + Enabled: true + stackset5: + Type: AWS::CloudFormation::StackSet + Properties: + PermissionModel: SERVICE_MANAGED + StackSetName: some_stack_name + TemplateURL: some_stack_link + AutoDeployment: + Enabled: false + RetainStacksOnAccountRemoval: true + stackset6: + Type: AWS::CloudFormation::StackSet + Properties: + PermissionModel: SERVICE_MANAGED + StackSetName: some_stack_name + TemplateURL: some_stack_link + AutoDeployment: + RetainStacksOnAccountRemoval: false + stackset7: + Type: AWS::CloudFormation::StackSet + Properties: + PermissionModel: SERVICE_MANAGED + StackSetName: some_stack_name + TemplateURL: some_stack_link + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="34 12 45 52 22" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "stackset8": { + "Type": "AWS::CloudFormation::StackSet", + "Properties": { + "PermissionModel": "SERVICE_MANAGED", + "StackSetName": "some_stack_name", + "TemplateURL": "some_stack_link", + "AutoDeployment": { + "Enabled": true, + "RetainStacksOnAccountRemoval": false + } + } + }, + "stackset9": { + "Type": "AWS::CloudFormation::StackSet", + "Properties": { + "PermissionModel": "SERVICE_MANAGED", + "StackSetName": "some_stack_name", + "TemplateURL": "some_stack_link", + "AutoDeployment": { + "Enabled": true + } + } + }, + "stackset10": { + "Type": "AWS::CloudFormation::StackSet", + "Properties": { + "PermissionModel": "SERVICE_MANAGED", + "StackSetName": "some_stack_name", + "TemplateURL": "some_stack_link", + "AutoDeployment": { + "Enabled": false, + "RetainStacksOnAccountRemoval": false + } + } + }, + "stackset11": { + "Type": "AWS::CloudFormation::StackSet", + "Properties": { + "PermissionModel": "SERVICE_MANAGED", + "StackSetName": "some_stack_name", + "TemplateURL": "some_stack_link", + "AutoDeployment": { + "RetainStacksOnAccountRemoval": false + } + } + }, + "stackset12": { + "Type": "AWS::CloudFormation::StackSet", + "Properties": { + "PermissionModel": "SERVICE_MANAGED", + "StackSetName": "some_stack_name", + "TemplateURL": "some_stack_link" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: '2010-09-09' +Resources: + stackset: + Type: AWS::CloudFormation::StackSet + Properties: + PermissionModel: SERVICE_MANAGED + StackSetName: some_stack_name + TemplateURL: some_stack_link + AutoDeployment: + Enabled: true + RetainStacksOnAccountRemoval: true + +``` +```json title="Negative test num. 
2 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "stackset2": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "PermissionModel": "SERVICE_MANAGED", + "StackSetName": "some_stack_name", + "TemplateURL": "some_stack_link", + "AutoDeployment": { + "Enabled": true, + "RetainStacksOnAccountRemoval": true + } + } + } + } +} + +``` diff --git a/docs/queries/cloudformation-queries/aws/ffee2785-c347-451e-89f3-11aeb08e5c84.md b/docs/queries/cloudformation-queries/aws/ffee2785-c347-451e-89f3-11aeb08e5c84.md new file mode 100644 index 00000000000..a98a6a62685 --- /dev/null +++ b/docs/queries/cloudformation-queries/aws/ffee2785-c347-451e-89f3-11aeb08e5c84.md @@ -0,0 +1,626 @@ +--- +title: CMK Unencrypted Storage +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ffee2785-c347-451e-89f3-11aeb08e5c84 +- **Query name:** CMK Unencrypted Storage +- **Platform:** CloudFormation +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/cmk_unencrypted_storage) + +### Description +Ensure that storage is encrypted.
+[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="54" +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + AWS CloudFormation Sample +Parameters: + DBInstanceID: + Default: mydbinstance + Description: My database instance + Type: String + MinLength: '1' + MaxLength: '63' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: >- + Must begin with a letter and must not end with a hyphen or contain two + consecutive hyphens. + DBName: + Default: mydb + Description: My database + Type: String + MinLength: '1' + MaxLength: '64' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: Must begin with a letter and contain only alphanumeric characters. + DBInstanceClass: + Default: db.m5.large + Description: DB instance class + Type: String + ConstraintDescription: Must select a valid DB instance type. + DBAllocatedStorage: + Default: '50' + Description: The size of the database (GiB) + Type: Number + MinValue: '5' + MaxValue: '1024' + ConstraintDescription: must be between 20 and 65536 GiB. + DBUsername: + NoEcho: 'true' + Description: Username for MySQL database access + Type: String + MinLength: '1' + MaxLength: '16' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: 'true' + Description: Password MySQL database access + Type: String + MinLength: '8' + MaxLength: '41' + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: must contain only alphanumeric characters. 
+Resources: + MyDB: + Type: 'AWS::RDS::DBInstance' + Properties: + DBInstanceIdentifier: !Ref DBInstanceID + DBName: !Ref DBName + DBInstanceClass: !Ref DBInstanceClass + AllocatedStorage: !Ref DBAllocatedStorage + Engine: MySQL + EngineVersion: 8.0.16 + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + MonitoringInterval: '60' + MonitoringRoleArn: 'arn:aws:iam::123456789012:role/rds-monitoring-role' + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="24" +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + AWS CloudFormation Sample Template +Parameters: + DBUsername: + NoEcho: "true" + Description: Username for MySQL database access + Type: String + MinLength: "1" + MaxLength: "16" + AllowedPattern: "[a-zA-Z][a-zA-Z0-9]*" + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: "true" + Description: Password MySQL database access + Type: String + MinLength: "8" + MaxLength: "41" + AllowedPattern: "[a-zA-Z0-9]*" + ConstraintDescription: must contain only alphanumeric characters. +Resources: + RDSCluster1: + Type: "AWS::RDS::DBCluster" + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="36" +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + AWS CloudFormation Sample Template AuroraServerlessDBCluster +Parameters: + DBUsername: + NoEcho: 'true' + Description: Username for MySQL database access + Type: String + MinLength: '1' + MaxLength: '16' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. 
+ DBPassword: + NoEcho: 'true' + Description: Password MySQL database access + Type: String + MinLength: '8' + MaxLength: '41' + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: must contain only alphanumeric characters. +Resources: + RDSCluster-2: + Type: 'AWS::RDS::DBCluster' + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + StorageEncrypted: false + +``` +
Postitive test num. 4 - json file + +```json hl_lines="58" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "AWS CloudFormation Sample", + "Parameters": { + "DBAllocatedStorage": { + "Description": "The size of the database (GiB)", + "Type": "Number", + "MinValue": "5", + "MaxValue": "1024", + "ConstraintDescription": "must be between 20 and 65536 GiB.", + "Default": "50" + }, + "DBUsername": { + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String", + "MinLength": "1", + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters." + }, + "DBPassword": { + "NoEcho": "true", + "Description": "Password MySQL database access", + "Type": "String", + "MinLength": "8", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters." + }, + "DBInstanceID": { + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "Must begin with a letter and must not end with a hyphen or contain two consecutive hyphens.", + "Default": "mydbinstance", + "Description": "My database instance", + "Type": "String", + "MinLength": "1", + "MaxLength": "63" + }, + "DBName": { + "Description": "My database", + "Type": "String", + "MinLength": "1", + "MaxLength": "64", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "Must begin with a letter and contain only alphanumeric characters.", + "Default": "mydb" + }, + "DBInstanceClass": { + "Default": "db.m5.large", + "Description": "DB instance class", + "Type": "String", + "ConstraintDescription": "Must select a valid DB instance type." 
+ } + }, + "Resources": { + "MyDB": { + "Properties": { + "AllocatedStorage": "DBAllocatedStorage", + "MasterUserPassword": "DBPassword", + "MonitoringInterval": "60", + "DBInstanceIdentifier": "DBInstanceID", + "DBName": "DBName", + "DBInstanceClass": "DBInstanceClass", + "Engine": "MySQL", + "EngineVersion": "8.0.16", + "MasterUsername": "DBUsername", + "MonitoringRoleArn": "arn:aws:iam::123456789012:role/rds-monitoring-role" + }, + "Type": "AWS::RDS::DBInstance" + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="25" +{ + "Parameters": { + "DBUsername": { + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String", + "MinLength": "1", + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters." + }, + "DBPassword": { + "Type": "String", + "MinLength": "8", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Password MySQL database access" + } + }, + "Resources": { + "RDSCluster1": { + "Type": "AWS::RDS::DBCluster", + "Properties": { + "DBClusterIdentifier": "my-serverless-cluster", + "Engine": "aurora", + "EngineVersion": "5.6.10a", + "EngineMode": "serverless", + "ScalingConfiguration": { + "AutoPause": true, + "MinCapacity": 4, + "MaxCapacity": 32, + "SecondsUntilAutoPause": 1000 + }, + "MasterUsername": "DBUsername", + "MasterUserPassword": "DBPassword" + } + } + }, + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "AWS CloudFormation Sample Template" +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="37" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "AWS CloudFormation Sample Template AuroraServerlessDBCluster", + "Parameters": { + "DBUsername": { + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String", + "MinLength": "1" + }, + "DBPassword": { + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Password MySQL database access", + "Type": "String", + "MinLength": "8", + "MaxLength": "41" + } + }, + "Resources": { + "RDSCluster-2": { + "Type": "AWS::RDS::DBCluster", + "Properties": { + "Engine": "aurora", + "EngineVersion": "5.6.10a", + "EngineMode": "serverless", + "ScalingConfiguration": { + "AutoPause": true, + "MinCapacity": 4, + "MaxCapacity": 32, + "SecondsUntilAutoPause": 1000 + }, + "StorageEncrypted": false, + "MasterUsername": "DBUsername", + "MasterUserPassword": "DBPassword", + "DBClusterIdentifier": "my-serverless-cluster" + } + } + } +} + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="4" +Resources: + myCluster: + Type: "AWS::Redshift::Cluster" + Properties: + DBName: "mydb" + MasterUsername: "master" + MasterUserPassword: + Ref: "MasterUserPassword" + NodeType: "ds2.xlarge" + ClusterType: "single-node" + Tags: + - Key: foo + Value: bar + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="5" +{ + "Resources": { + "myCluster": { + "Type": "AWS::Redshift::Cluster", + "Properties": { + "DBName": "mydb", + "MasterUsername": "master", + "MasterUserPassword": { + "Ref": "MasterUserPassword" + }, + "NodeType": "ds2.xlarge", + "ClusterType": "single-node", + "Tags": [ + { + "Key": "foo", + "Value": "bar" + } + ] + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: RDS Storage Encrypted +Parameters: + SourceDBInstanceIdentifier: + Type: String + DBInstanceType: + Type: String + SourceRegion: + Type: String +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + MyDBSmall: + Type: "AWS::RDS::DBInstance" + Properties: + DBInstanceClass: !Ref DBInstanceType + SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier + SourceRegion: !Ref SourceRegion + KmsKeyId: !Ref MyKey + StorageEncrypted: true + + +``` +```yaml title="Negative test num. 2 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Description: >- + AWS CloudFormation Sample Template +Parameters: + DBUsername: + NoEcho: 'true' + Description: Username for MySQL database access + Type: String + MinLength: '1' + MaxLength: '16' + AllowedPattern: '[a-zA-Z][a-zA-Z0-9]*' + ConstraintDescription: must begin with a letter and contain only alphanumeric characters. + DBPassword: + NoEcho: 'true' + Description: Password MySQL database access + Type: String + MinLength: '8' + MaxLength: '41' + AllowedPattern: '[a-zA-Z0-9]*' + ConstraintDescription: must contain only alphanumeric characters. 
+Resources: + MyKey-0: + Type: "AWS::KMS::Key" + Properties: + KeyPolicy: + Version: 2012-10-17 + Id: key-default-1 + Statement: + - Sid: Enable IAM User Permissions + Effect: Allow + Principal: + AWS: !Join + - "" + - - "arn:aws:iam::" + - !Ref "AWS::AccountId" + - ":root" + Action: "kms:*" + Resource: "*" + RDSCluster: + Type: 'AWS::RDS::DBCluster' + Properties: + MasterUsername: !Ref DBUsername + MasterUserPassword: !Ref DBPassword + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + KmsKeyId: !Ref MyKey-0 + StorageEncrypted: true + +``` +```json title="Negative test num. 3 - json file" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "RDS Storage Encrypted", + "Parameters": { + "SourceDBInstanceIdentifier": { + "Type": "String" + }, + "DBInstanceType": { + "Type": "String" + }, + "SourceRegion": { + "Type": "String" + } + }, + "Resources": { + "MyKey": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Principal": { + "AWS": [ + "", + [ + "arn:aws:iam::", + "AWS::AccountId", + ":root" + ] + ] + }, + "Action": "kms:*", + "Resource": "*", + "Sid": "Enable IAM User Permissions", + "Effect": "Allow" + } + ] + } + } + }, + "MyDBSmall": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "SourceRegion": "SourceRegion", + "KmsKeyId": "MyKey", + "StorageEncrypted": true, + "DBInstanceClass": "DBInstanceType", + "SourceDBInstanceIdentifier": "SourceDBInstanceIdentifier" + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Description": "AWS CloudFormation Sample Template", + "Parameters": { + "DBUsername": { + "MaxLength": "16", + "AllowedPattern": "[a-zA-Z][a-zA-Z0-9]*", + "ConstraintDescription": "must begin with a letter and contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Username for MySQL database access", + "Type": "String", + "MinLength": "1" + }, + "DBPassword": { + "Type": "String", + "MinLength": "8", + "MaxLength": "41", + "AllowedPattern": "[a-zA-Z0-9]*", + "ConstraintDescription": "must contain only alphanumeric characters.", + "NoEcho": "true", + "Description": "Password MySQL database access" + } + }, + "Resources": { + "MyKey-0": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Version": "2012-10-17T00:00:00Z", + "Id": "key-default-1", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": ["", ["arn:aws:iam::", "AWS::AccountId", ":root"]] + }, + "Action": "kms:*", + "Resource": "*" + } + ] + } + } + }, + "RDSCluster": { + "Type": "AWS::RDS::DBCluster", + "Properties": { + "StorageEncrypted": true, + "MasterUsername": "DBUsername", + "DBClusterIdentifier": "my-serverless-cluster", + "ScalingConfiguration": { + "MinCapacity": 4, + "MaxCapacity": 32, + "SecondsUntilAutoPause": 1000, + "AutoPause": true + }, + "EngineMode": "serverless", + "KmsKeyId": "MyKey-0", + "MasterUserPassword": "DBPassword", + "Engine": "aurora", + "EngineVersion": "5.6.10a" + } + } + } +} + +``` +
diff --git a/docs/queries/common-queries.md b/docs/queries/common-queries.md
index c267601990c..e4337e1d977 100644
--- a/docs/queries/common-queries.md
+++ b/docs/queries/common-queries.md
@@ -3,4 +3,4 @@ This page contains all queries from Common. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|High|Secret Management|Query to find passwords and secrets in infrastructure code.|Documentation
| +|Passwords And Secrets
a88baa34-e2ad-44ea-ad6f-8cac87bc7c71|High|Secret Management|Query to find passwords and secrets in infrastructure code. (read more)|Documentation
|
diff --git a/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md b/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md
new file mode 100644
index 00000000000..e314b4d92b8
--- /dev/null
+++ b/docs/queries/common-queries/common/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md
@@ -0,0 +1,2272 @@
+---
+title: Passwords And Secrets
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a88baa34-e2ad-44ea-ad6f-8cac87bc7c71
+- **Query name:** Passwords And Secrets
+- **Platform:** Common
+- **Severity:** High
+- **Category:** Secret Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/common/passwords_and_secrets)
+
+### Description
+Query to find passwords and secrets in infrastructure code.
+[Documentation](https://docs.kics.io/latest/secrets/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +#k8s test +apiVersion: v1 +kind: Secret +metadata: + name: secret-basic-auth +type: kubernetes.io/basic-auth +stringData: + password: "root" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +#cloud formation test +Resources: + RDSCluster1: + Type: "AWS::RDS::DBCluster" + Properties: + MasterUserPassword: root + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="7" +#ansible test +- name: create a cluster1 + google.cloud.gcp_container_cluster: + name: my-cluster1 + initial_node_count: 2 + master_auth: + password: root + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="9" +#this is a problematic code where the query should report a result(s) +resource "google_container_cluster" "primary1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "" + password = "root" + + client_certificate_config { + issue_client_certificate = true + } + } + + timeouts { + create = "30m" + update = "40m" + } +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="2" +resource "google_secret_manager_secret_version" "secret-version-basic2" { + secret = "3gzcGokilvtw2HmCLuPx" + + secret_data = "secret-data" +} + +``` +
+
Postitive test num. 6 - dockerfile file + +```dockerfile hl_lines="3 7" +FROM baseImage + +ARG password=pass!1213Fs + + +FROM test2 +ARG password=pass!1213Fs + +``` +
+
Postitive test num. 7 - tf file + +```tf hl_lines="8" +resource "google_container_cluster" "primary2" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "" + password = "pwd_jsuwauJk212" + + client_certificate_config { + issue_client_certificate = true + } + } + + timeouts { + create = "30m" + update = "40m" + } +} + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="3 6" +{ + "service-1": { + "password": "abcdefg" + }, + "service-2": { + "password": "abcdefg" + } +} + +``` +
+
Postitive test num. 9 - tf file + +```tf hl_lines="8" +resource "google_container_cluster" "primary4" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "" + password = "abcd s" + + client_certificate_config { + issue_client_certificate = true + } + } + + timeouts { + create = "30m" + update = "40m" + } +} + +``` +
+
Postitive test num. 10 - json file + +```json hl_lines="17 27 7" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "myStackWithParams": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "http://bob:sekret@example.invalid/some/path", + "Parameters": { + "InstanceType": "t1.micro", + "KeyName": "mykey" + } + } + }, + "myStackWithParams_1": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX", + "Parameters": { + "InstanceType": "t1.micro", + "KeyName": "mykey" + } + } + }, + "myStackWithParams_2": { + "Type": "AWS::CloudFormation::Stack", + "Properties": { + "TemplateURL": "https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18", + "Parameters": { + "InstanceType": "t1.micro", + "KeyName": "mykey" + } + } + } + } +} + +``` +
+
Postitive test num. 11 - yaml file + +```yaml hl_lines="9 11 7" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: {} +servers: + - url: http://bob:sekret@example.invalid/some/path + description: My API Server 1 + - url: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX + description: My API Server 2 + - url: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18 + description: My API Server 3 + +``` +
+
Postitive test num. 12 - json file + +```json hl_lines="8 19 11 15" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": {}, + "password": "Masu121m2d12d1", + "servers": [ + { + "url": "http://bob:sekret@example.invalid/some/path", + "description": "My API Server 1" + }, + { + "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX", + "description": "My API Server 2" + }, + { + "url": "https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18", + "description": "My API Server 3" + } + ] +} + +``` +
+
Postitive test num. 13 - tf file + +```tf hl_lines="6" +resource "aws_transfer_ssh_key" "example" { + server_id = aws_transfer_server.example.id + user_name = aws_transfer_user.example.user_name + body = < +
Postitive test num. 14 - tf file + +```tf hl_lines="17 18" + +provider "aws" { + region = "us-east-1" +} + +resource "aws_instance" "positive1" { + ami = "ami-005e54dee72cc1d00" # us-west-2 + instance_type = "t2.micro" + + tags = { + Name = "test" + } + + user_data = < +
Postitive test num. 15 - tf file + +```tf hl_lines="14 15" +resource "aws_instance" "web_host" { + # ec2 have plain text secrets in user data + ami = var.ami + instance_type = "t2.nano" + + vpc_security_group_ids = ["aws_security_group.web-node.id"] + subnet_id = aws_subnet.web_subnet.id + user_data = <Deployed via Terraform" | sudo tee /var/www/html/index.html +EOF + tags = merge({ + Name = "${local.resource_prefix.value}-ec2" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +resource "aws_ebs_volume" "web_host_storage" { + # unencrypted volume + availability_zone = "${var.region}a" + #encrypted = false # Setting this causes the volume to be recreated on apply + size = 1 + tags = merge({ + Name = "${local.resource_prefix.value}-ebs" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +resource "aws_ebs_snapshot" "example_snapshot" { + # ebs snapshot without encryption + volume_id = aws_ebs_volume.web_host_storage.id + description = "${local.resource_prefix.value}-ebs-snapshot" + tags = merge({ + Name = "${local.resource_prefix.value}-ebs-snapshot" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +resource "aws_volume_attachment" "ebs_att" { + device_name = "/dev/sdh" + volume_id = aws_ebs_volume.web_host_storage.id + instance_id = aws_instance.web_host.id +} + +resource "aws_security_group" "web-node" { + # security group is open to the world in SSH port + name = "${local.resource_prefix.value}-sg" + description = "${local.resource_prefix.value} Security Group" + vpc_id = aws_vpc.web_vpc.id + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [ + "0.0.0.0/0"] + } + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [ 
+ "0.0.0.0/0"] + } + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [ + "0.0.0.0/0"] + } + depends_on = [aws_vpc.web_vpc] + tags = { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + } +} + +resource "aws_vpc" "web_vpc" { + cidr_block = "172.16.0.0/16" + enable_dns_hostnames = true + enable_dns_support = true + tags = merge({ + Name = "${local.resource_prefix.value}-vpc" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +resource "aws_subnet" "web_subnet" { + vpc_id = aws_vpc.web_vpc.id + cidr_block = "172.16.10.0/24" + availability_zone = "${var.region}a" + map_public_ip_on_launch = true + + tags = merge({ + Name = "${local.resource_prefix.value}-subnet" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +resource "aws_subnet" "web_subnet2" { + vpc_id = aws_vpc.web_vpc.id + cidr_block = "172.16.11.0/24" + availability_zone = "${var.region}b" + map_public_ip_on_launch = true + + tags = merge({ + Name = "${local.resource_prefix.value}-subnet2" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + + +resource "aws_internet_gateway" "web_igw" { + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-igw" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +resource "aws_route_table" "web_rtb" { + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-rtb" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + 
+resource "aws_route_table_association" "rtbassoc" { + subnet_id = aws_subnet.web_subnet.id + route_table_id = aws_route_table.web_rtb.id +} + +resource "aws_route_table_association" "rtbassoc2" { + subnet_id = aws_subnet.web_subnet2.id + route_table_id = aws_route_table.web_rtb.id +} + +resource "aws_route" "public_internet_gateway" { + route_table_id = aws_route_table.web_rtb.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.web_igw.id + + timeouts { + create = "5m" + } +} + + +resource "aws_network_interface" "web-eni" { + subnet_id = aws_subnet.web_subnet.id + private_ips = ["172.16.10.100"] + + tags = merge({ + Name = "${local.resource_prefix.value}-primary_network_interface" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +# VPC Flow Logs to S3 +resource "aws_flow_log" "vpcflowlogs" { + log_destination = aws_s3_bucket.flowbucket.arn + log_destination_type = "s3" + traffic_type = "ALL" + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-flowlogs" + Environment = local.resource_prefix.value + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +resource "aws_s3_bucket" "flowbucket" { + bucket = "${local.resource_prefix.value}-flowlogs" + force_destroy = true + + tags = merge({ + Name = "${local.resource_prefix.value}-flowlogs" + Environment = local.resource_prefix.value + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +output "ec2_public_dns" { + description = "Web Host Public DNS name" + value = aws_instance.web_host.public_dns +} + +output "vpc_id" { + description = "The ID of the VPC" + value = aws_vpc.web_vpc.id +} + +output "public_subnet" { + description = "The ID of the Public subnet" + value = 
aws_subnet.web_subnet.id +} + +output "public_subnet2" { + description = "The ID of the Public subnet" + value = aws_subnet.web_subnet2.id +} + +``` +
+
Postitive test num. 16 - yaml file + +```yaml hl_lines="34 36" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: x +spec: + replicas: 5 + selector: + matchLabels: + app: x + template: + metadata: + labels: + app: x + spec: + containers: + - name: x + image: x + ports: + - containerPort: 5432 + env: + - name: PORT + value: "1234" + - name: DB_HOST + value: "127.0.0.1" + - name: DB_PORT + value: "23" + - name: DB_PORT_BD + value: "5432" + - name: DB_HOST_BD + value: "127.0.0.1" + - name: DB_NAME_BD + value: "dbx" + - name: DB_PASS_BD + value: "passx" + - name: DB_PASS_BD_2 + value: "passx" + - name: DB_USER_BD + value: "userx" + +``` +
+
Postitive test num. 17 - tf file + +```tf hl_lines="7" +resource "azurerm_sql_server" "example" { + name = "kics-test" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "ariel" + administrator_login_password = "Aa12345678" + + tags = { + environment = var.environment + terragoat = "true" + } +} + +``` +
+
Postitive test num. 18 - tf file + +```tf hl_lines="5" +resource "auth0_connection" "google_oauth2" { + name = "Google-OAuth2-Connection" + strategy = "google-oauth2" + options { + client_id = "53221331-2323wasdfa343rwhthfaf33feaf2fa7f.apps.googleusercontent.com" + client_secret = "j2323232324" + allowed_audiences = [ "example.com", "api.example.com" ] + scopes = [ "email", "profile", "gmail", "youtube" ] + set_user_root_attributes = "on_each_login" + } +} + +``` +
+
Postitive test num. 19 - tf file + +```tf hl_lines="2" +provider "slack" { + token = "xoxp-121314151623-121314151623-121314151623-12131423121314151623121314151623" +} + +``` +
+
Postitive test num. 20 - tf file + +```tf hl_lines="2" +provider "stripe" { + api_key = "sk_live_aSaDsEaSaDsEaSaDs29SaDsE" +} + +``` +
+
Postitive test num. 21 - tf file + +```tf hl_lines="50" +resource "aws_ecs_task_definition" "webapp" { + family = "tomato-webapp" + task_role_arn = data.aws_iam_role.ecs_task_role.arn + + container_definitions = < +
Postitive test num. 22 - tf file + +```tf hl_lines="3" +provider "heroku" { + email = "ops@company.com" + api_key = "C71AAAAE-1D1D-1D1D-1D1D-1D1D1D1D1D1D" +} + +``` +
+
Postitive test num. 23 - tf file + +```tf hl_lines="3" + +provider "github" { + token = "we2323232g3hg2h3g2h3g2h3g2h3uh2h3ghg32h3" +} + +``` +
+
Postitive test num. 24 - tf file + +```tf hl_lines="4" +provider "cloudflare" { + version = "~> 2.0" + email = "var.cloudflare_email" + api_key = "1d2d2dewerdcxeee34c323c3223c223232c32" +} + +``` +
+
Postitive test num. 25 - dockerfile file + +```dockerfile hl_lines="3 5 7 9 11" +FROM baseImage + +ARG token=sq0atp-812erere3wewew45678901 + +ARG picaticKey=sk_live_123as6789o1234567890123a123a5678 + +ARG amazonToken=amzn.mws.643a5678-8f9f-1a2b-5c3b-e3ea43f3f4b4 + +ARG mailChimp=f4f56af5a54a3eaeb3c3beb3cc2ccccc-us36 + +ARG sgApiK=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 + +``` +
+
Postitive test num. 26 - yaml file + +```yaml hl_lines="9" +Resources: + PinpointApp: + Type: AWS::Pinpoint::App + Properties: + Name: foobar + PinpointAPNSChannel: + Type: AWS::Pinpoint::APNSChannel + Properties: + PrivateKey: b@d0@u7H70K3n + +``` +
+
Postitive test num. 27 - yaml file + +```yaml hl_lines="5 22" +Resources: + ElastiCacheReplicationGroup: + Type: AWS::ElastiCache::ReplicationGroup + Properties: + AuthToken: b@d0@u7H70K3n + CacheNodeType: cache.m5.large + CacheSubnetGroupName: subnet-foobar + Engine: redis + EngineVersion: '5.0.0' + NumCacheClusters: 2 + ReplicationGroupDescription: foobar + SecurityGroupIds: + - sg-foobar + TransitEncryptionEnabled: True + PinpointApp: + Type: AWS::Pinpoint::App + Properties: + Name: foobar + PinpointAPNSChannel: + Type: AWS::Pinpoint::APNSChannel + Properties: + TokenKey: b@d0@u7H70K3n + ApplicationId: !Ref PinpointApp + +``` +
+
Postitive test num. 28 - yaml file + +```yaml hl_lines="5" +- name: Start a workflow in the Itential Automation Platform + community.network.iap_start_workflow: + iap_port: 3000 + iap_fqdn: localhost + token_key: "DFSFSFHFGFGF[DSFSFAADAFASD%3D" + workflow_name: "RouterUpgradeWorkflow" + description: "OS-Router-Upgrade" + variables: {"deviceName":"ASR9K"} + register: result + +``` +
+
Postitive test num. 29 - tf file + +```tf hl_lines="2" +provider "mailgun" { + api_key = "key-987ad62adwf1w2w2563adf2ef5323123" +} + +``` +
+
Postitive test num. 30 - tf file + +```tf hl_lines="2" +provider "stripe" { + api_key = "rk_live_aSaDsEaSaDsEaSaDs29SaDsE" +} + +``` +
+
Postitive test num. 31 - yaml file + +```yaml hl_lines="4" +- hosts: all + remote_user: root + vars: + twilio_api_key: SKa7CF7acdcaf92Be4CCC52F4a2923BBB3 + + +``` +
+
Postitive test num. 32 - yaml file + +```yaml hl_lines="4" +- hosts: all + remote_user: root + vars: + paypal_access_token: access_token$production$1s2d3f4g5h6j7k8k$1b2b3c4a3a1b2b3c4a3a1b2b3c4a3a1b + + +``` +
+
Postitive test num. 33 - yaml file + +```yaml hl_lines="13" +apiVersion: v1 +kind: Pod +metadata: + name: envar-demo + labels: + purpose: demonstrate-envars +spec: + containers: + - name: envar-demo-container + image: gcr.io/google-samples/node-hello:1.0 + env: + - name: FACEBOOK_TOKEN + value: "EAACEdEose0cBA1bad3afsf2aew" + + +``` +
+
Postitive test num. 34 - yaml file + +```yaml hl_lines="13" +apiVersion: v1 +kind: Pod +metadata: + name: envar-demo + labels: + purpose: demonstrate-envars +spec: + containers: + - name: envar-demo-container + image: gcr.io/google-samples/node-hello:1.0 + env: + - name: Square_OAuth_Secret + value: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY" + + +``` +
+
Postitive test num. 35 - yaml file + +```yaml hl_lines="13" +apiVersion: v1 +kind: Config +users: +- name: cluster-admin + user: + auth-provider: + config: {} + name: gcp +- name: google-oauth-access-token + user: + auth-provider: + config: + access-token: ya29.Radftwefewuifdebkw2_23232427t42wdbjsvdjavdajvdadkd + cmd-args: config config-helper --format=json + cmd-path: /Users/dave/google-cloud-sdk/bin/gcloud + expiry: 2021-10-28T15:12:03.000Z + expiry-key: '{.credential.token_expiry}' + token-key: '{.credential.access_token}' + name: gcp + +``` +
+
Postitive test num. 36 - tf file + +```tf hl_lines="5" +resource "aws_transfer_ssh_key" "example2" { + server_id = aws_transfer_server.example.id + user_name = aws_transfer_user.example.user_name + body = < +
Postitive test num. 37 - tf file + +```tf hl_lines="14" +resource "aws_lambda_function" "analysis_lambda2" { + # lambda have plain text secrets in environment variables + filename = "resources/lambda_function_payload.zip" + function_name = "${local.resource_prefix.value}-analysis" + role = "aws_iam_role.iam_for_lambda.arn" + handler = "exports.test" + + source_code_hash = "${filebase64sha256("resources/lambda_function_payload.zip")}" + + runtime = "nodejs12.x" + + environment { + variables = { + secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + } + } +} + +``` +
+
Postitive test num. 38 - yaml file + +```yaml hl_lines="16" +Resources: + NewAmpApp2: + Type: AWS::DocDB::DBCluster + Properties: + MasterUserPassword: !Sub '{{resolve:secretsmanager:${MyAmpAppSecretManagerRotater}::password}}' + Port: 27017 + PreferredBackupWindow: "07:34-08:04" + PreferredMaintenanceWindow: "sat:04:51-sat:05:21" + SnapshotIdentifier: "sample-cluster-snapshot-id" + StorageEncrypted: true + MyAmpAppSecretManagerRotater: + Type: AWS::SecretsManager::Secret + Properties: + Description: 'This is my amp app instance secret' + GenerateSecretString: + SecretStringTemplate: '{"username":"admin"}' + GenerateStringKey: 'password' + PasswordLength: 16 + ExcludeCharacters: '"@/\' + +``` +
+
Postitive test num. 39 - tf file + +```tf hl_lines="3" +locals { + secrets = { + clientSecret = "C98D9F6O-1273-4E8A-B8D9-551F7F3OC41" + } +} + +``` +
+
Postitive test num. 40 - tf file + +```tf hl_lines="14 15" +resource "aws_instance" "web_host" { + # ec2 have plain text secrets in user data + ami = var.ami + instance_type = "t2.nano" + + vpc_security_group_ids = ["aws_security_group.web-node.id"] + subnet_id = aws_subnet.web_subnet.id + user_data = <Deployed via Terraform" | sudo tee /var/www/html/index.html +EOF + tags = merge({ + Name = "${local.resource_prefix.value}-ec2" + }, { + git_last_modified_by = "felipe.avelar@checkmarx.com" + git_modifiers = "felipe.avelar" + git_org = "checkmarx" + git_repo = "kics" + }) +} + +``` +
+
Postitive test num. 41 - tf file + +```tf hl_lines="7" +resource "aws_transfer_ssh_key" "positive44" { + server_id = aws_transfer_server.example.id + user_name = aws_transfer_user.example.user_name + body = < +
Postitive test num. 42 - tf file + +```tf hl_lines="7" +data "terraform_remote_state" "intnet" { + backend = "azurerm" + config = { + storage_account_name = "asdsadas" + container_name = "dp-prasdasdase-001" + key = "infrastructure.tfstate" + access_key = "sdsaljasbdasddsadsa" + } + workspace = terraform.workspace +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#k8s test +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + env: test +spec: + containers: + - name: nginx + image: nginx + # trigger validation + +``` +```yaml title="Negative test num. 2 - yaml file" +#cloud formation test +Resources: + RDSCluster: + Type: "AWS::RDS::DBCluster" + Properties: + MasterUserPassword: !Ref PasswordMaster + DBClusterIdentifier: my-serverless-cluster + Engine: aurora + EngineVersion: 5.6.10a + EngineMode: serverless + ScalingConfiguration: + AutoPause: true + MinCapacity: 4 + MaxCapacity: 32 + SecondsUntilAutoPause: 1000 + +``` +```yaml title="Negative test num. 3 - yaml file" +#ansible test +- name: create a cluster + google.cloud.gcp_container_cluster: + name: my-cluster + initial_node_count: 2 + node_config: + machine_type: n1-standard-4 + disk_size_gb: 500 + location: us-central1-a + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present + +``` +
Negative test num. 4 - tf file + +```tf +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "primary" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + client_certificate_config { + issue_client_certificate = true + } + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_secret_manager_secret_version" "secret-version-basic" { + secret = var.my_google_secret + + secret_data = "secret-data" +} + +``` +
+
Negative test num. 5 - dockerfile file + +```dockerfile +FROM baseImage + +RUN command + +``` +
+
Negative test num. 6 - json file + +```json +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": {}, + "servers": [ + { + "url": "https://my.api.server.com/", + "description": "My API Server 1" + } + ] +} + +``` +
+
Negative test num. 7 - tf file + +```tf +resource "google_container_cluster" "primary3" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "1234567890qwertyuiopasdfghjklçzxcvbnm" + password = "" + + client_certificate_config { + issue_client_certificate = true + } + } + + timeouts { + create = "30m" + update = "40m" + } +} + +``` +
+
Negative test num. 8 - tf file + +```tf +resource "google_container_cluster" "primary5" { + name = "marcellus-wallace-credential" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "PRIVATE KEY_key" + password = "" + + client_certificate_config { + issue_client_certificate = true + } + } + + timeouts { + create = "30m" + update = "40m" + } +} + +``` +
+
Negative test num. 9 - tf file + +```tf +resource "google_secret_manager_secret" "secret-basic" { + secret_id = "secret-version" + + labels = { + label = "my-label" + } + + replication { + automatic = true + } +} + +``` +
+
Negative test num. 10 - tf file
+
+```tf
+resource "aws_db_instance" "default" {
+ name = var.dbname
+ engine = "mysql"
+ option_group_name = aws_db_option_group.default.name
+ parameter_group_name = aws_db_parameter_group.default.name
+ db_subnet_group_name = aws_db_subnet_group.default.name
+ vpc_security_group_ids = ["aws_security_group.default.id"]
+ identifier = "rds-${local.resource_prefix.value}"
+ engine_version = "8.0" # Latest major version
+ instance_class = "db.t3.micro"
+ allocated_storage = "20"
+ username = "admin"
+ password = var.password
+ apply_immediately = true
+ multi_az = false
+ backup_retention_period = 0
+ storage_encrypted = false
+ skip_final_snapshot = true
+ monitoring_interval = 0
+ publicly_accessible = true
+ tags = {
+ Name = "${local.resource_prefix.value}-rds"
+ Environment = local.resource_prefix.value
+ }
+
+ # Ignore password changes from tf plan diff
+ lifecycle {
+ ignore_changes = ["password"]
+ }
+}
+
+```
+
+
Negative test num. 11 - tf file
+
+```tf
+resource "auth0_connection" "google_oauth2" {
+ name = "Google-OAuth2-Connection"
+ strategy = "google-oauth2"
+ options {
+ client_id = var.google_client_id
+ client_secret = var.google_client_secret
+ allowed_audiences = [ "example.com", "api.example.com" ]
+ scopes = [ "email", "profile", "gmail", "youtube" ]
+ set_user_root_attributes = "on_each_login"
+ }
+}
+
+```
+
+
Negative test num. 12 - tf file
+
+```tf
+provider "slack" {
+ token = var.slack_token
+}
+
+```
+
+
Negative test num. 13 - tf file
+
+```tf
+provider "stripe" {
+ api_key = var.strip_api_key
+}
+
+```
+
+
Negative test num. 14 - tf file + +```tf +resource "aws_ecs_task_definition" "webapp" { + family = "tomato-webapp" + task_role_arn = data.aws_iam_role.ecs_task_role.arn + + container_definitions = < +
Negative test num. 15 - tf file
+
+```tf
+provider "heroku" {
+ email = "ops@company.com"
+ api_key = var.heroku_api_key
+}
+
+```
+
+
Negative test num. 16 - tf file
+
+```tf
+provider "github" {
+ token = var.github_key
+}
+
+```
+
+
Negative test num. 17 - tf file
+
+```tf
+provider "cloudflare" {
+ version = "~> 2.0"
+ email = "var.cloudflare_email"
+ api_key = "var.api_key"
+}
+
+```
+
+
Negative test num. 18 - yaml file
+
+```yaml
+Parameters:
+ PrivateKey1:
+ Type: String
+Resources:
+ PinpointApp:
+ Type: AWS::Pinpoint::App
+ Properties:
+ Name: foobar
+ PinpointAPNSChannel:
+ Type: AWS::Pinpoint::APNSChannel
+ Properties:
+ PrivateKey: !GetAtt PrivateKey1
+
+```
+
+
Negative test num. 19 - yaml file
+
+```yaml
+Parameters:
+ PinpointAPNSVoipChannelTokenKey:
+ Type: String
+Resources:
+ ElastiCacheReplicationGroup:
+ Type: AWS::ElastiCache::ReplicationGroup
+ Properties:
+ AuthToken: !Ref PinpointAPNSVoipChannelTokenKey
+ CacheNodeType: cache.m5.large
+ CacheSubnetGroupName: subnet-foobar
+ Engine: redis
+ EngineVersion: '5.0.0'
+ NumCacheClusters: 2
+ ReplicationGroupDescription: foobar
+ SecurityGroupIds:
+ - sg-foobar
+ TransitEncryptionEnabled: True
+ PinpointApp:
+ Type: AWS::Pinpoint::App
+ Properties:
+ Name: foobar
+ PinpointAPNSChannel:
+ Type: AWS::Pinpoint::APNSChannel
+ Properties:
+ TokenKey: !Ref PinpointAPNSVoipChannelTokenKey
+ ApplicationId: !Ref PinpointApp
+
+```
+
+
Negative test num. 20 - yaml file
+
+```yaml
+- name: Start a workflow in the Itential Automation Platform
+ community.network.iap_start_workflow:
+ iap_port: 3000
+ iap_fqdn: localhost
+ workflow_name: "RouterUpgradeWorkflow"
+ description: "OS-Router-Upgrade"
+ variables: {"deviceName":"ASR9K"}
+ register: result
+
+```
+
+
Negative test num. 21 - tf file
+
+```tf
+provider "mailgun" {
+ api_key = "var.mailgun_api_key"
+}
+
+```
+
+
Negative test num. 22 - tf file
+
+```tf
+provider "stripe" {
+ api_key = var.strip_restricted_api_key
+}
+
+```
+
+
Negative test num. 23 - yaml file
+
+```yaml
+- hosts: all
+ remote_user: root
+ vars:
+ twilio_api_key: '{{ TWILIO_API_KEY }}'
+
+```
+
+
Negative test num. 24 - yaml file
+
+```yaml
+- hosts: all
+ remote_user: root
+ vars:
+ paypal_access_token: '{{ PAYPAL_ACCESS_TOKEN }}'
+
+
+```
+
+
Negative test num. 25 - yaml file
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: envar-demo
+ labels:
+ purpose: demonstrate-envars
+spec:
+ containers:
+ - name: envar-demo-container
+ image: gcr.io/google-samples/node-hello:1.0
+
+```
+
+
Negative test num. 26 - yaml file
+
+```yaml
+apiVersion: v1
+kind: Config
+users:
+- name: cluster-admin
+ user:
+ auth-provider:
+ config: {}
+ name: gcp
+- name: google-oauth-access-token
+ user:
+ auth-provider:
+ config:
+ access-token: '{.credential.oauth_access_token_}'
+ cmd-args: config config-helper --format=json
+ cmd-path: /Users/dave/google-cloud-sdk/bin/gcloud
+ expiry: 2021-10-28T15:12:03.000Z
+ expiry-key: '{.credential.token_expiry}'
+ token-key: '{.credential.access_token}'
+ name: gcp
+
+```
+
+
Negative test num. 27 - tf file
+
+```tf
+resource "aws_lambda_function" "analysis_lambda4" {
+ # lambda have plain text secrets in environment variables
+ filename = "resources/lambda_function_payload.zip"
+ function_name = "${local.resource_prefix.value}-analysis"
+ role = "aws_iam_role.iam_for_lambda.arn"
+ handler = "exports.test"
+
+ source_code_hash = "${filebase64sha256("resources/lambda_function_payload.zip")}"
+
+ runtime = "nodejs12.x"
+}
+
+```
+
+
Negative test num. 28 - tf file
+
+```tf
+provider rancher2 {
+ api_url = data.terraform_remote_state.rancher.outputs.api_url
+ token_key = data.terraform_remote_state.rancher.outputs.token_key
+}
+
+```
+
+
Negative test num. 29 - yaml file
+
+```yaml
+Resources:
+ ElastiCacheReplicationGroup:
+ Type: AWS::ElastiCache::ReplicationGroup
+ Properties:
+ AuthToken: '{{resolve:secretsmanager:/elasticache/replicationgroup/authtoken:SecretString:password}}'
+ CacheNodeType: cache.m5.large
+ CacheSubnetGroupName: subnet-foobar
+ Engine: redis
+ EngineVersion: '5.0.0'
+ NumCacheClusters: 2
+ ReplicationGroupDescription: foobar
+ SecurityGroupIds:
+ - sg-foobar
+ TransitEncryptionEnabled: True
+
+```
+
+
Negative test num. 30 - yaml file
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: security-context-demo
+spec:
+ automountServiceAccountToken: false
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ volumes:
+ - name: sec-ctx-vol
+ emptyDir: { }
+ containers:
+ - name: sec-ctx-demo
+ image: busybox
+ command: [ "sh", "-c", "sleep 1h" ]
+ volumeMounts:
+ - name: sec-ctx-vol
+ mountPath: /data/demo
+ securityContext:
+ allowPrivilegeEscalation: false
+```
+
+
Negative test num. 31 - yaml file + +```yaml +- name: 'aws_codebuild integration tests' + collections: + - amazon.aws + module_defaults: + group/aws: + aws_access_key: '{{ aws_access_key }}' + aws_secret_key: '{{ aws_secret_key }}' + security_token: '{{ security_token | default(omit) }}' + region: '{{ aws_region }}' + block: + - name: idempotence check rerunning same Codebuild task + aws_codebuild: + name: "{{ resource_prefix }}-test-ansible-codebuild" + description: Build project for testing the Ansible aws_codebuild module + service_role: "{{ codebuild_iam_role.iam_role.arn }}" + timeout_in_minutes: 30 + source: + type: CODEPIPELINE + buildspec: '' + artifacts: + namespace_type: NONE + packaging: NONE + type: CODEPIPELINE + name: test + encryption_key: 'arn:aws:kms:{{ aws_region }}:{{ aws_account_id }}:alias/aws/s3' + environment: + compute_type: BUILD_GENERAL1_SMALL + privileged_mode: true + image: 'aws/codebuild/docker:17.09.0' + type: LINUX_CONTAINER + environment_variables: + - { name: 'FOO_ENV', value: 'other' } + tags: + - { key: 'purpose', value: 'ansible-test' } + state: present + register: rerun_test_output + +``` +
+
Negative test num. 32 - yaml file
+
+```yaml
+Conditions:
+ HasKmsKey: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
+ HasSecretName: !Not [!Equals [!Ref ParentKmsKeyStack, '']]
+ HasPassword: !Not [!Equals [!Ref DBPassword, '']]
+
+```
+
+
Negative test num. 33 - yaml file + +```yaml +Resources: + LambdaFunctionV2: + Type: 'AWS::Lambda::Function' + Properties: + Code: + ZipFile: | + 'use strict'; + const AWS = require('aws-sdk'); + const response = require('cfn-response'); + const iam = new AWS.IAM({apiVersion: '2010-05-08'}); + exports.handler = (event, context, cb) => { + console.log(`Invoke: ${JSON.stringify(event)}`); + function done(err) { + if (err) { + console.log(`Error: ${JSON.stringify(err)}`); + response.send(event, context, response.FAILED, {}); + } else { + response.send(event, context, response.SUCCESS, {}); + } + } + if (event.RequestType === 'Delete') { + iam.deleteAccountPasswordPolicy({}, done); + } else if (event.RequestType === 'Create' || event.RequestType === 'Update') { + const params = { + MinimumPasswordLength: parseInt(event.ResourceProperties.MinimumPasswordLength, 10), + RequireSymbols: event.ResourceProperties.RequireSymbols === 'true', + RequireNumbers: event.ResourceProperties.RequireNumbers === 'true', + RequireUppercaseCharacters: event.ResourceProperties.RequireUppercaseCharacters === 'true', + RequireLowercaseCharacters: event.ResourceProperties.RequireLowercaseCharacters === 'true', + AllowUsersToChangePassword: event.ResourceProperties.AllowUsersToChangePassword === 'true', + HardExpiry: event.ResourceProperties.HardExpiry === 'true' + }; + if (parseInt(event.ResourceProperties.MaxPasswordAge, 10) > 0) { + params.MaxPasswordAge = parseInt(event.ResourceProperties.MaxPasswordAge, 10); + } + if (parseInt(event.ResourceProperties.PasswordReusePrevention, 10) > 0) { + params.PasswordReusePrevention = parseInt(event.ResourceProperties.PasswordReusePrevention, 10); + } + iam.updateAccountPasswordPolicy(params, done); + } else { + cb(new Error(`unsupported RequestType: ${event.RequestType}`)); + } + }; + Handler: 'index.handler' + MemorySize: 128 + Role: !GetAtt 'LambdaRole.Arn' + Runtime: 'nodejs12.x' + Timeout: 60 + +``` +
+
Negative test num. 34 - tf file
+
+```tf
+locals {
+ secrets = {
+ my_secret = random_password.my_password.result
+ }
+}
+
+```
+
+
Negative test num. 35 - dockerfile file
+
+```dockerfile
+FROM baseImage
+
+RUN apk add --no-cache git \
+ && git config \
+ --global \
+ url."https://${GIT_USER}:${GIT_TOKEN}@github.com".insteadOf \
+ "https://github.com"
+
+
+```
+
+
Negative test num. 36 - tf file
+
+```tf
+resource "aws_instance" "instance" {
+ ami = data.aws_ami.ubuntu.id
+ instance_type = "t3.micro"
+
+ connection {
+ user = "ubuntu"
+ private_key = file(var.private_key_path)
+ }
+}
+
+```
+
+
Negative test num. 37 - yaml file
+
+```yaml
+Resources:
+ MytFunction:
+ Type: AWS::Lambda::Function
+ Properties:
+ FunctionName: !Sub '${AWS::StackName}-CdnViewerRequest'
+ Code:
+ ZipFile: !Sub |
+ function msg(userPass) {
+ return {"username": userPass[1], "password": userPass[2]}
+ }
+
+```
+
+
Negative test num. 38 - yaml file
+
+```yaml
+Type: AWS::Glue::Connection
+Properties:
+ CatalogId: "1111111111111"
+ ConnectionInput:
+ ConnectionProperties:
+ CONNECTION_URL:
+ Fn::Join:
+ - ""
+ - - "mongodb://{{resolve:secretsmanager:arn:"
+ - Ref: AWS::Partition
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test
+ USERNAME:
+ Fn::Join:
+ - ""
+ - - "{{resolve:secretsmanager:arn:"
+ - Ref: AWS::Partition
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:username::}}
+ PASSWORD:
+ Fn::Join:
+ - ""
+ - - "{{resolve:secretsmanager:arn:"
+ - Ref: AWS::Partition
+ - :secretsmanager:eu-west-1:1111111111111:secret:/test/resources/docdb-test:SecretString:password::}}
+ JDBC_ENFORCE_SSL: true
+ ConnectionType: MONGODB
+
+```
+
+
Negative test num. 39 - yaml file
+
+```yaml
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+ somecode:
+ Type: AWS::CodeBuild::Project
+ Properties:
+ Name: somecodename
+ Description: somecodedesc
+ TimeoutInMinutes: 10
+ QueuedTimeoutInMinutes: 10
+ ServiceRole: someservicerole
+ EncryptionKey: somekey
+ Artifacts:
+ Type: someartifact
+ Cache:
+ Type: somecache
+ Modes:
+ - mode1
+ - mode2
+ Environment:
+ ComputeType: somecomputetype
+ Image: someimage
+ Type: someenv
+ ImagePullCredentialsType: somepulltype
+ Source:
+ Type: somesource
+ Location: somelocation
+ GitCloneDepth: 1
+
+```
+
+
Negative test num. 40 - yaml file + +```yaml +Transform: 'AWS::Serverless-2016-10-31' +Metadata: + 'AWS::ServerlessRepo::Application': + Name: AthenaJdbcConnector + Description: 'This connector enables Amazon Athena to communicate with your Database instance(s) using JDBC driver.' + Author: 'default author' + SpdxLicenseId: Apache-2.0 + LicenseUrl: LICENSE.txt + ReadmeUrl: README.md + Labels: + - athena-federation + HomePageUrl: 'https://github.com/awslabs/aws-athena-query-federation' + SemanticVersion: 2021.41.1 + SourceCodeUrl: 'https://github.com/awslabs/aws-athena-query-federation' +Parameters: + SecretNamePrefix: + Description: 'Used to create resource-based authorization policy for "secretsmanager:GetSecretValue" action. E.g. All Athena JDBC Federation secret names can be prefixed with "AthenaJdbcFederation" and authorization policy will allow "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:AthenaJdbcFederation*". Parameter value in this case should be "AthenaJdbcFederation". If you do not have a prefix, you can manually update the IAM policy to add allow any secret names.' + Type: String + +``` +
+
Negative test num. 41 - yaml file + +```yaml +--- +AWSTemplateFormatVersion: "2010-09-09" +Description: > + Test values for GetAtt and Ref and conditions +Parameters: + pSubnets: + Type: List + Default: '' + pSubnet: + Type: String + Default: '' + pSsmSubnets: + Type: AWS::SSM::Parameter::Value> + Default: '' +Conditions: + cCreateSubnets: !Not [!Equals [!Ref pSubnets, '']] + cNotCreateSubnets: !Not [!Condition cCreateSubnets] + cUseSsmSubnets: !And [!Condition cNotCreateSubnets, !Not [!Equals [pSsmSubnets, '']]] +Resources: + Subnet1: + Type: AWS::EC2::Subnet + Properties: + VpcId: 'vpc-1234567' + CidrBlock: 10.0.0.0/24 + Subnet2: + Type: AWS::EC2::Subnet + Properties: + VpcId: 'vpc-1234567' + CidrBlock: 10.0.0.2/24 + LoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + Listeners: + - + InstancePort: '80' + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: + Fn::If: + - cCreateSubnets + - - !Ref Subnet1 + - !Ref Subnet2 + - !Ref pSubnet # extra check to validate singular parameter works + - Fn::If: + - cUseSsmSubnets + - !Ref pSsmSubnets + - !Ref pSubnets + LoadBalancer2: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + Fn::If: + - cCreateSubnets + - Listeners: + - + InstancePort: '80' + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: + - !Ref Subnet1 + - !Ref Subnet2 + - Fn::If: + - cUseSsmSubnets + - Listeners: + - + InstancePort: '80' + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: !Ref pSsmSubnets + - Listeners: + - + InstancePort: '80' + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: !Ref pSubnets + ### Test Custom Resources Don't fail + GetSubnets: + Type: AWS::CloudFormation::CustomResource + Properties: + ServiceToken: anArn + LoadBalancer3: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + Listeners: + - + InstancePort: '80' + LoadBalancerPort: '80' + Protocol: HTTP + Subnets: !GetAtt GetSubnets.Subnets + ### Test getatt to another resource and a list getatt + SecurityGroup1: + Type: 
AWS::EC2::SecurityGroup + Properties: + GroupDescription: LoadBalancer Security Group + alb1: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Scheme: internal + Subnets: !Ref pSubnets + LoadBalancerAttributes: + - Key: idle_timeout.timeout_seconds + Value: '50' + SecurityGroups: + - Ref: SecurityGroup1 + alb2: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Scheme: internal + Subnets: !Ref pSubnets + LoadBalancerAttributes: + - Key: idle_timeout.timeout_seconds + Value: '50' + SecurityGroups: !GetAtt alb1.SecurityGroups + ### Test CloudFormation resource for Get Atts + SubStack: + Type: AWS::CloudFormation::Stack + Properties: + TemplateURL: https://example.com + albCfn2: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + Scheme: internal + Subnets: !Ref pSubnets + LoadBalancerAttributes: + - Key: idle_timeout.timeout_seconds + Value: '50' + SecurityGroups: + - !GetAtt SubStack.Outputs.SecurityGroups + Listener: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + Protocol: + Fn::GetAtt: + - SubStack + - Outputs.Protocol + LoadBalancerArn: !GetAtt SubStack.Outputs.LoadBalancerArn + KinesisStream: + Type: AWS::Kinesis::Stream + Properties: + ShardCount: 1 + StreamConsumer: + Type: AWS::Kinesis::StreamConsumer + Properties: + ConsumerName: MyConsumer + StreamARN: !GetAtt KinesisStream.Arn + 03EventSourceMapping: + Type: AWS::Lambda::EventSourceMapping + Properties: + BatchSize: 500 + Enabled: true + EventSourceArn: !GetAtt StreamConsumer.ConsumerARN + FunctionName: !Ref LambdaFunctionArn + StartingPosition: LATEST + 04EventSourceMapping: + Type: AWS::Lambda::EventSourceMapping + Properties: + BatchSize: 500 + Enabled: true + EventSourceArn: !GetAtt StreamConsumer.StreamARN + FunctionName: !Ref LambdaFunctionArn + StartingPosition: LATEST + +``` +
+
Negative test num. 42 - yaml file
+
+```yaml
+name: Example Workflow
+
+on: workflow_call
+
+jobs:
+ build-deploy:
+ permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+ runs-on: ubuntu
+
+ steps:
+ - uses: actions/checkout@v3
+
+---
+
+name: Example Workflow
+
+on: workflow_call
+
+jobs:
+ build-deploy:
+ permissions:
+ contents: read
+ pages: write
+ id-token: read
+
+ runs-on: ubuntu
+
+ steps:
+ - uses: actions/checkout@v3
+
+---
+
+name: Example Workflow
+
+on: workflow_call
+
+jobs:
+ build-deploy:
+ permissions:
+ contents: read
+ pages: write
+ id-token: none
+
+ runs-on: ubuntu
+
+ steps:
+ - uses: actions/checkout@v3
+```
+
+
Negative test num. 43 - yaml file
+
+```yaml
+Type: AWS::Glue::Connection
+Properties:
+ CatalogId: "1111111111111"
+ ConnectionInput:
+ ConnectionProperties:
+ CONNECTION_URL:
+ Fn::Join:
+ - ""
+ - - "mongodb://{{resolve:secretsmanager:arn:"
+ - Ref: AWS::Partition
+ - :secretsmanager:*:1111111111111:secret:/test/resources/docdb-test:SecretString:endpoint::}}/test
+ USERNAME:
+ Fn::Join:
+ - ""
+ - - "{{resolve:secretsmanager:arn:"
+ - Ref: AWS::Partition
+ - :secretsmanager:eu-west-1:*:secret:/test/resources/docdb-test:SecretString:username::}}
+ PASSWORD:
+ Fn::Join:
+ - ""
+ - - "{{resolve:secretsmanager:arn:"
+ - Ref: AWS::Partition
+ - :secretsmanager:us-east-?:*:secret:tiny::}}
+ JDBC_ENFORCE_SSL: true
+ ConnectionType: MONGODB
+
+```
+
+
Negative test num. 44 - tf file
+
+```tf
+data "terraform_remote_state" "intnet" {
+ backend = "azurerm"
+ config = {
+ storage_account_name = "asdsadas"
+ container_name = "dp-prasdasdase-001"
+ key = "infrastructure.tfstate"
+ access_key = file(var.access_key_path)
+ }
+ workspace = terraform.workspace
+}
+
+```
+
diff --git a/docs/queries/crossplane-queries.md b/docs/queries/crossplane-queries.md index 0469f0607d6..9fc636be1a7 100644 --- a/docs/queries/crossplane-queries.md +++ b/docs/queries/crossplane-queries.md @@ -8,8 +8,8 @@ Bellow are listed queries related with Crossplane AZURE: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|AKS RBAC Disabled
b2418936-cd47-4ea2-8346-623c0bdb87bd|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
6c7cfec3-c686-4ed2-bf58-a1ec054b63fc|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| ### AWS Bellow are listed queries related with Crossplane AWS: @@ -18,17 +18,17 @@ Bellow are listed queries related with Crossplane AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
| -|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
| -|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.|Documentation
| -|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.|Documentation
| -|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
| -|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
| -|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true|Documentation
| -|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events|Documentation
| -|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| +|EFS Not Encrypted
72840c35-3876-48be-900d-f21b2f0c2ea1|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|EFS Without KMS
bdecd6db-2600-47dd-a10c-72c97cf17ae9|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|ELB Using Weak Ciphers
a507daa5-0795-4380-960b-dd7bb7c56661|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|DB Instance Storage Not Encrypted
e50eb68a-a4af-4048-8bbe-8ec324421469|High|Encryption|RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'. (read more)|Documentation
| +|DB Security Group Has Public Interface
dd667399-8d9d-4a8d-bbb4-e49ab53b2f52|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
255b0fcc-9f82-41fe-9229-01b163e3376b|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|SQS With SSE Disabled
9296f1cc-7a40-45de-bd41-f31745488a0e|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
83bf5aca-138a-498e-b9cd-ad5bc5e117b4|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|CloudFront Logging Disabled
7b590235-1ff4-421b-b9ff-5227134be9bb|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
934613fe-b12c-4e5a-95f5-c1dcdffac1ff|Medium|Observability|AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events (read more)|Documentation
| +|CloudFront Without WAF
6d19ce0f-b3d8-4128-ac3d-1064e0f00494|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| ### GCP Bellow are listed queries related with Crossplane GCP: @@ -37,5 +37,5 @@ Bellow are listed queries related with Crossplane GCP: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
6c2d627c-de0f-45fb-b33d-dad9bffbb421|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
b4f65d13-a609-4dc1-af7c-63d2e08bffe9|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| diff --git a/docs/queries/crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b.md b/docs/queries/crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b.md new file mode 100644 index 00000000000..188616678b1 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/255b0fcc-9f82-41fe-9229-01b163e3376b.md @@ -0,0 +1,159 @@ +--- +title: CloudFront Without Minimum Protocol TLS 1.2 +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 255b0fcc-9f82-41fe-9229-01b163e3376b +- **Query name:** CloudFront Without Minimum Protocol TLS 1.2 +- **Platform:** Crossplane +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/cloudfront_without_minimum_protocol_tls_1.2) + +### Description +CloudFront Minimum Protocol version should be at least TLS 1.2
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-viewerCertificate-minimumProtocolVersion) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 11 44 14 50 54" +apiVersion: cloudfront.aws.crossplane.io/v1alpha1 +kind: Distribution +metadata: + name: sample-distribution +spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + viewerCertificate: + sslSupportMethod: sni-only + cloudFrontDefaultCertificate: false + minimumProtocolVersion: TLSv1.1_2016 + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-cloudfront + base: + apiVersion: cloudfront.aws.crossplane.io/v1alpha1 + kind: Distribution + metadata: + name: sample-distribution + spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + viewerCertificate: + sslSupportMethod: sni-only + cloudFrontDefaultCertificate: false + minimumProtocolVersion: TLSv1.1_2016 + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: cloudfront.aws.crossplane.io/v1alpha1 +kind: Distribution +metadata: + name: sample-distribution +spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + viewerCertificate: + sslSupportMethod: sni-only + cloudFrontDefaultCertificate: false + minimumProtocolVersion: TLSv1.2_2018 + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-cloudfront + base: + apiVersion: cloudfront.aws.crossplane.io/v1alpha1 + kind: Distribution + metadata: + name: sample-distribution + spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + viewerCertificate: + sslSupportMethod: sni-only + cloudFrontDefaultCertificate: false + minimumProtocolVersion: TLSv1.2_2018 + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" + +``` diff --git a/docs/queries/crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md b/docs/queries/crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md new file mode 100644 index 00000000000..a0e2f9355e2 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/6d19ce0f-b3d8-4128-ac3d-1064e0f00494.md 
@@ -0,0 +1,161 @@ +--- +title: CloudFront Without WAF +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6d19ce0f-b3d8-4128-ac3d-1064e0f00494 +- **Query name:** CloudFront Without WAF +- **Platform:** Crossplane +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/cloudfront_without_waf) + +### Description +All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-webACLID) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 48" +apiVersion: cloudfront.aws.crossplane.io/v1alpha1 +kind: Distribution +metadata: + name: sample-distribution +spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + viewerCertificate: + sslSupportMethod: sni-only + cloudFrontDefaultCertificate: false + minimumProtocolVersion: TLSv1.2_2018 + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-cloudfront + base: + apiVersion: cloudfront.aws.crossplane.io/v1alpha1 + kind: Distribution + metadata: + name: sample-distribution + spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + viewerCertificate: + sslSupportMethod: sni-only + cloudFrontDefaultCertificate: false + minimumProtocolVersion: TLSv1.2_2018 + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: cloudfront.aws.crossplane.io/v1alpha1 +kind: Distribution +metadata: + name: sample-distribution +spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + viewerCertificate: + sslSupportMethod: sni-only + cloudFrontDefaultCertificate: false + minimumProtocolVersion: TLSv1.2_2018 + webACLID: 473e64fd-f30b-4765-81a0-62ad96dd167a + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-cloudfront + base: + apiVersion: cloudfront.aws.crossplane.io/v1alpha1 + kind: Distribution + metadata: + name: sample-distribution + spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + viewerCertificate: + sslSupportMethod: sni-only + cloudFrontDefaultCertificate: false + minimumProtocolVersion: TLSv1.2_2018 + webACLID: 473e64fd-f30b-4765-81a0-62ad96dd167a + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" + +``` diff --git a/docs/queries/crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1.md b/docs/queries/crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1.md new file mode 100644 index 00000000000..30f3f9b7597 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/72840c35-3876-48be-900d-f21b2f0c2ea1.md 
@@ -0,0 +1,119 @@ +--- +title: EFS Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 72840c35-3876-48be-900d-f21b2f0c2ea1 +- **Query name:** EFS Not Encrypted +- **Platform:** Crossplane +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/efs_not_encrypted) + +### Description +Elastic File System (EFS) must be encrypted
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 35 38 6" +apiVersion: efs.aws.crossplane.io/v1alpha1 +kind: FileSystem +metadata: + name: example3 +spec: + forProvider: + region: us-east-1 + encrypted: false + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: efs.aws.crossplane.io/v1alpha1 + kind: FileSystem + metadata: + name: example4 + spec: + forProvider: + region: us-east-1 + encrypted: false + providerConfigRef: + name: example + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: efs.aws.crossplane.io/v1alpha1 +kind: FileSystem +metadata: + name: example +spec: + forProvider: + region: us-east-1 + encrypted: true + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: efs.aws.crossplane.io/v1alpha1 + kind: FileSystem + metadata: + name: example2 + spec: + forProvider: + region: us-east-1 + encrypted: true + providerConfigRef: + name: example + +``` 
diff --git a/docs/queries/crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb.md b/docs/queries/crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb.md new file mode 100644 index 00000000000..98eea6c448f --- /dev/null +++ b/docs/queries/crossplane-queries/aws/7b590235-1ff4-421b-b9ff-5227134be9bb.md @@ -0,0 +1,159 @@ +--- +title: CloudFront Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7b590235-1ff4-421b-b9ff-5227134be9bb +- **Query name:** CloudFront Logging Disabled +- **Platform:** Crossplane +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/cloudfront_logging_disabled) + +### Description +AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/cloudfront.aws.crossplane.io/Distribution/v1alpha1@v0.29.0#spec-forProvider-distributionConfig-logging) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 41 11 12 47 50" +apiVersion: cloudfront.aws.crossplane.io/v1alpha1 +kind: Distribution +metadata: + name: sample-distribution +spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + logging: + enabled: false + include_cookies: false + bucket: sample.s3.amazonaws.com + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + labels: + cluster: eks + provider: aws + name: cluster-aws +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - base: + apiVersion: cloudfront.aws.crossplane.io/v1alpha1 + kind: Distribution + metadata: + name: sample-distribution + spec: + forProvider: + distributionConfig: + comment: "Crossplane - auto provisioning" + enabled: true + logging: + bucket: sample.s3.amazonaws.com + enabled: false + include_cookies: false + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" + region: us-east-1 + name: sample-cloudfront + writeConnectionSecretsToNamespace: crossplane-system + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: cloudfront.aws.crossplane.io/v1alpha1 +kind: Distribution +metadata: + name: sample-distribution +spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + logging: + enabled: true + include_cookies: false + bucket: sample.s3.amazonaws.com + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-cloudfront + base: + apiVersion: cloudfront.aws.crossplane.io/v1alpha1 + kind: Distribution + metadata: + name: sample-distribution + spec: + forProvider: + region: us-east-1 + distributionConfig: + enabled: true + comment: Crossplane - auto provisioning + logging: + enabled: true + include_cookies: false + bucket: sample.s3.amazonaws.com + origins: + items: + - domainName: sample.s3.amazonaws.com + id: s3Origin + s3OriginConfig: + originAccessIDentity: "" + +``` diff --git a/docs/queries/crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md b/docs/queries/crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md new file mode 100644 index 00000000000..c2c16d03e45 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/83bf5aca-138a-498e-b9cd-ad5bc5e117b4.md 
@@ -0,0 +1,137 @@ +--- +title: Neptune Database Cluster Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 83bf5aca-138a-498e-b9cd-ad5bc5e117b4 +- **Query name:** Neptune Database Cluster Encryption Disabled +- **Platform:** Crossplane +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/neptune_database_cluster_encryption_disabled) + +### Description +Neptune database cluster storage should have encryption enabled
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/neptune.aws.crossplane.io/DBCluster/v1alpha1@v0.29.0#spec-forProvider-storageEncrypted) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 50 6 15" +apiVersion: neptune.aws.crossplane.io/v1alpha1 +kind: DBCluster +metadata: + name: sample-cluster3 +spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: neptune.aws.crossplane.io/v1alpha1 + kind: DBCluster + metadata: + name: sample-cluster4 + spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: neptune.aws.crossplane.io/v1alpha1 +kind: DBCluster +metadata: + name: sample-cluster +spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true + storageEncrypted: true +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: neptune.aws.crossplane.io/v1alpha1 + kind: DBCluster + metadata: + name: sample-cluster2 + spec: + forProvider: + region: eu-central-1 + applyImmediately: true + backupRetentionPeriod: 5 + engine: neptune + enableIAMDatabaseAuthentication: true + deletionProtection: false + preferredBackupWindow: 07:00-09:00 + skipFinalSnapshot: true + storageEncrypted: true + +``` diff --git a/docs/queries/crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e.md b/docs/queries/crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e.md new file mode 100644 index 00000000000..37c08feb153 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/9296f1cc-7a40-45de-bd41-f31745488a0e.md 
@@ -0,0 +1,137 @@ +--- +title: SQS With SSE Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9296f1cc-7a40-45de-bd41-f31745488a0e +- **Query name:** SQS With SSE Disabled +- **Platform:** Crossplane +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/sqs_with_sse_disabled) + +### Description +Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/sqs.aws.crossplane.io/Queue/v1beta1@v0.29.0#spec-forProvider-kmsMasterKeyId) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 6" +apiVersion: sqs.aws.crossplane.io/v1beta1 +kind: Queue +metadata: + name: test-queue3 +spec: + forProvider: + region: us-east-1 + delaySeconds: 4 + redrivePolicy: + deadLetterTargetArnRef: + name: test-queue2 + maxReceiveCount: 1 + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: sqs.aws.crossplane.io/v1beta1 + kind: Queue + metadata: + name: test-queue4 + spec: + forProvider: + region: us-east-1 + delaySeconds: 4 + redrivePolicy: + deadLetterTargetArnRef: + name: test-queue2 + maxReceiveCount: 1 + providerConfigRef: + name: example + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: sqs.aws.crossplane.io/v1beta1 +kind: Queue +metadata: + name: test-queue +spec: + forProvider: + region: us-east-1 + kmsMasterKeyId: KMS-KEY-ARN + delaySeconds: 4 + redrivePolicy: + deadLetterTargetArnRef: + name: test-queue2 + maxReceiveCount: 1 + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: sqs.aws.crossplane.io/v1beta1 + kind: Queue + metadata: + name: test-queue2 + spec: + forProvider: + region: us-east-1 + kmsMasterKeyId: KMS-KEY-ARN + delaySeconds: 4 + redrivePolicy: + deadLetterTargetArnRef: + name: test-queue2 + maxReceiveCount: 1 + providerConfigRef: + name: example + +``` diff --git a/docs/queries/crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md b/docs/queries/crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md new file mode 100644 index 00000000000..c6fbf70e215 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/934613fe-b12c-4e5a-95f5-c1dcdffac1ff.md @@ -0,0 +1,115 @@ +--- +title: CloudWatch Without Retention Period Specified +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 934613fe-b12c-4e5a-95f5-c1dcdffac1ff +- **Query name:** CloudWatch Without Retention Period Specified +- **Platform:** Crossplane +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/cloudwatch_without_retention_period_specified) + +### Description +AWS CloudWatch should have CloudWatch Logs enabled in order to monitor, store, and access log events
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/cloudwatchlogs.aws.crossplane.io/LogGroup/v1alpha1@v0.29.0#spec-forProvider-retentionInDays) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 34 38 6" +apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1 +kind: LogGroup +metadata: + name: lg-3 +spec: + forProvider: + logGroupName: /aws/eks/sample-cluster/cluster + region: us-east-1 + retentionInDays: 0 +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1 + kind: LogGroup + metadata: + name: lg-4 + spec: + forProvider: + logGroupName: /aws/eks/sample-cluster/cluster + region: us-east-1 + retentionInDays: 0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1 +kind: LogGroup +metadata: + name: lg-1 +spec: + forProvider: + logGroupName: /aws/eks/sample-cluster/cluster + region: us-east-1 + retentionInDays: 1 +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: cloudwatchlogs.aws.crossplane.io/v1alpha1 + kind: LogGroup + metadata: + name: lg-2 + spec: + forProvider: + logGroupName: /aws/eks/sample-cluster/cluster + region: us-east-1 + retentionInDays: 1 + +``` diff --git a/docs/queries/crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661.md b/docs/queries/crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661.md new file mode 100644 index 00000000000..dc0b4f7cc26 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/a507daa5-0795-4380-960b-dd7bb7c56661.md @@ -0,0 +1,159 @@ +--- +title: ELB Using Weak Ciphers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a507daa5-0795-4380-960b-dd7bb7c56661 +- **Query name:** ELB Using Weak Ciphers +- **Platform:** Crossplane +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/elb_using_weak_ciphers) + +### Description +ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/elbv2.aws.crossplane.io/Listener/v1alpha1@v0.29.0#spec-forProvider-sslPolicy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="18 58" +apiVersion: elbv2.aws.crossplane.io/v1alpha1 +kind: Listener +metadata: + name: test-listener +spec: + forProvider: + region: us-east-1 + defaultActions: + - actionType: forward + forwardConfig: + targetGroups: + - targetGroupArnRef: + name: test-targetgroup + loadBalancerArnRef: + name: test-loadbalancer + port: 80 + protocol: HTTP + sslPolicy: TLS_NULL_WITH_NULL_NULL + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: elbv2.aws.crossplane.io/v1alpha1 + kind: Listener + metadata: + name: test-listener2 + spec: + forProvider: + region: us-east-1 + defaultActions: + - actionType: forward + forwardConfig: + targetGroups: + - targetGroupArnRef: + name: test-targetgroup + loadBalancerArnRef: + name: test-loadbalancer + port: 80 + protocol: HTTP + sslPolicy: TLS_NULL_WITH_NULL_NULL + providerConfigRef: + name: example + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: elbv2.aws.crossplane.io/v1alpha1 +kind: Listener +metadata: + name: test-listener +spec: + forProvider: + region: us-east-1 + defaultActions: + - actionType: forward + forwardConfig: + targetGroups: + - targetGroupArnRef: + name: test-targetgroup + loadBalancerArnRef: + name: test-loadbalancer + port: 80 + protocol: HTTP + sslPolicy: ELBSecurityPolicy-2015-05 + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: elbv2.aws.crossplane.io/v1alpha1 + kind: Listener + metadata: + name: test-listener2 + spec: + forProvider: + region: us-east-1 + defaultActions: + - actionType: forward + forwardConfig: + targetGroups: + - targetGroupArnRef: + name: test-targetgroup + loadBalancerArnRef: + name: test-loadbalancer + port: 80 + protocol: HTTP + sslPolicy: ELBSecurityPolicy-2015-05 + providerConfigRef: + name: example + +``` diff --git a/docs/queries/crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9.md b/docs/queries/crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9.md new file mode 100644 index 00000000000..5ec5d141145 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/bdecd6db-2600-47dd-a10c-72c97cf17ae9.md 
@@ -0,0 +1,121 @@ +--- +title: EFS Without KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bdecd6db-2600-47dd-a10c-72c97cf17ae9 +- **Query name:** EFS Without KMS +- **Platform:** Crossplane +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/efs_without_kms) + +### Description +Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/efs.aws.crossplane.io/FileSystem/v1alpha1@v0.29.0#spec-forProvider-kmsKeyID) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="36 6" +apiVersion: efs.aws.crossplane.io/v1alpha1 +kind: FileSystem +metadata: + name: example3 +spec: + forProvider: + region: us-east-1 + encrypted: false + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: efs.aws.crossplane.io/v1alpha1 + kind: FileSystem + metadata: + name: example4 + spec: + forProvider: + region: us-east-1 + encrypted: false + providerConfigRef: + name: example + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: efs.aws.crossplane.io/v1alpha1 +kind: FileSystem +metadata: + name: example +spec: + forProvider: + region: us-east-1 + kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab + encrypted: true + providerConfigRef: + name: example +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: efs.aws.crossplane.io/v1alpha1 + kind: FileSystem + metadata: + name: example2 + spec: + forProvider: + region: us-east-1 + kmsKeyID: 1234abcd-12ab-34cd-56ef-1234567890ab + encrypted: true + providerConfigRef: + name: example + +``` diff --git a/docs/queries/crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md b/docs/queries/crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md new file mode 100644 index 00000000000..a12e1987b21 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/dd667399-8d9d-4a8d-bbb4-e49ab53b2f52.md @@ -0,0 +1,151 @@ +--- +title: DB Security Group Has Public Interface +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dd667399-8d9d-4a8d-bbb4-e49ab53b2f52 +- **Query name:** DB Security Group Has Public Interface +- **Platform:** Crossplane +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/db_security_group_has_public_interface) + +### Description +The CIDR IP should not be a public interface
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/ec2.aws.crossplane.io/SecurityGroup/v1beta1@v0.29.0#spec-forProvider-ingress-ipRanges-cidrIp) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 55" +apiVersion: ec2.aws.crossplane.io/v1beta1 +kind: SecurityGroup +metadata: + name: ec2-rule2 +spec: + forProvider: + region: us-east-1 + vpcIdSelector: + matchControllerRef: true + groupName: crossplane-getting-started + description: Allow access to PostgreSQL + ingress: + - fromPort: 5432 + toPort: 5432 + ipProtocol: tcp + ipRanges: + - cidrIp: 0.0.0.0/0 + description: Everywhere +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: ec2.aws.crossplane.io/v1beta1 + kind: SecurityGroup + metadata: + name: ec2-rule5 + spec: + forProvider: + region: us-east-1 + vpcIdSelector: + matchControllerRef: true + groupName: crossplane-getting-started + description: Allow access to PostgreSQL + ingress: + - fromPort: 5432 + toPort: 5432 + ipProtocol: tcp + ipRanges: + - cidrIp: 0.0.0.0/0 + description: Everywhere + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: ec2.aws.crossplane.io/v1beta1 +kind: SecurityGroup +metadata: + name: ec2-rule1 +spec: + forProvider: + region: us-east-1 + vpcIdSelector: + matchControllerRef: true + groupName: crossplane-getting-started + description: Allow access to PostgreSQL + ingress: + - fromPort: 5432 + toPort: 5432 + ipProtocol: tcp + ipRanges: + - cidrIp: 10.0.0.0/8 + description: sample +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: ec2.aws.crossplane.io/v1beta1 + kind: SecurityGroup + metadata: + name: ec2-rule + spec: + forProvider: + region: us-east-1 + vpcIdSelector: + matchControllerRef: true + groupName: crossplane-getting-started + description: Allow access to PostgreSQL + ingress: + - fromPort: 5432 + toPort: 5432 + ipProtocol: tcp + ipRanges: + - cidrIp: 10.0.0.0/8 + description: sample + +``` diff --git a/docs/queries/crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469.md b/docs/queries/crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469.md new file mode 100644 index 00000000000..ebafa66c0d9 --- /dev/null +++ b/docs/queries/crossplane-queries/aws/e50eb68a-a4af-4048-8bbe-8ec324421469.md 
@@ -0,0 +1,167 @@ +--- +title: DB Instance Storage Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e50eb68a-a4af-4048-8bbe-8ec324421469 +- **Query name:** DB Instance Storage Not Encrypted +- **Platform:** Crossplane +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/aws/db_instance_storage_not_encrypted) + +### Description +RDS Instance should have its storage encrypted by setting the parameter to 'true'. The storageEncrypted default value is 'false'.
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-aws/database.aws.crossplane.io/RDSInstance/v1beta1@v0.29.0#spec-forProvider-storageEncrypted) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="47 21 6 63" +apiVersion: database.aws.crossplane.io/v1beta1 +kind: RDSInstance +metadata: + name: rds3 +spec: + forProvider: + allocatedStorage: 50 + applyModificationsImmediately: false + backupRetentionPeriod: 0 + caCertificateIdentifier: rds-ca-2019 + copyTagsToSnapshot: false + dbInstanceClass: db.t3.medium + deletionProtection: false + enableIAMDatabaseAuthentication: false + enablePerformanceInsights: false + engine: mysql + region: us-west-2 + engineVersion: 5.7.33 + licenseModel: general-public-license + publiclyAccessible: false + storageEncrypted: false + storageType: gp2 +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: database.aws.crossplane.io/v1beta1 + kind: RDSInstance + metadata: + name: rds4 + spec: + forProvider: + allocatedStorage: 50 + applyModificationsImmediately: false + backupRetentionPeriod: 0 + caCertificateIdentifier: rds-ca-2019 + copyTagsToSnapshot: false + dbInstanceClass: db.t3.medium + deletionProtection: false + enableIAMDatabaseAuthentication: false + enablePerformanceInsights: false + engine: mysql + region: us-west-2 + engineVersion: 5.7.33 + licenseModel: general-public-license + publiclyAccessible: false + storageEncrypted: false + storageType: gp2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: database.aws.crossplane.io/v1beta1 +kind: RDSInstance +metadata: + name: rds1 +spec: + forProvider: + allocatedStorage: 50 + applyModificationsImmediately: false + backupRetentionPeriod: 0 + caCertificateIdentifier: rds-ca-2019 + copyTagsToSnapshot: false + dbInstanceClass: db.t3.medium + deletionProtection: false + enableIAMDatabaseAuthentication: false + enablePerformanceInsights: false + engine: mysql + region: us-west-2 + engineVersion: 5.7.33 + licenseModel: general-public-license + publiclyAccessible: false + storageEncrypted: true + storageType: gp2 +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: cluster-aws + labels: + provider: aws + cluster: eks +spec: + compositeTypeRef: + apiVersion: mydev.org/v1alpha1 + kind: CompositeCluster + writeConnectionSecretsToNamespace: crossplane-system + patchSets: + - name: metadata + patches: + - fromFieldPath: metadata.labels + resources: + - name: sample-ec2 + base: + apiVersion: database.aws.crossplane.io/v1beta1 + kind: RDSInstance + metadata: + name: rds2 + spec: + forProvider: + allocatedStorage: 50 + applyModificationsImmediately: false + backupRetentionPeriod: 0 + caCertificateIdentifier: rds-ca-2019 + copyTagsToSnapshot: false + dbInstanceClass: db.t3.medium + deletionProtection: false + enableIAMDatabaseAuthentication: false + enablePerformanceInsights: false + engine: mysql + region: us-west-2 + engineVersion: 5.7.33 + licenseModel: general-public-license + publiclyAccessible: false + storageEncrypted: true + storageType: gp2 + +``` diff --git a/docs/queries/crossplane-queries/azure/6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md b/docs/queries/crossplane-queries/azure/6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md new file mode 100644 index 00000000000..10d29344ce4 --- /dev/null +++ b/docs/queries/crossplane-queries/azure/6c7cfec3-c686-4ed2-bf58-a1ec054b63fc.md 
@@ -0,0 +1,82 @@ +--- +title: Redis Cache Allows Non SSL Connections +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6c7cfec3-c686-4ed2-bf58-a1ec054b63fc +- **Query name:** Redis Cache Allows Non SSL Connections +- **Platform:** Crossplane +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/azure/redis_cache_allows_non_ssl_connections) + +### Description +Redis Cache resource should not allow non-SSL connections.
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-azure/cache.azure.crossplane.io/Redis/v1beta1@v0.19.0#spec-forProvider-enableNonSslPort) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +apiVersion: cache.azure.crossplane.io/v1beta1 +kind: Redis +metadata: + name: azureRedis3 +spec: + providerConfigRef: + name: crossplane-azure + forProvider: + location: West Europe + sku: + name: Basic + family: C + capacity: 0 + enableNonSslPort: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: cache.azure.crossplane.io/v1beta1 +kind: Redis +metadata: + name: azureRedis +spec: + providerConfigRef: + name: crossplane-azure + forProvider: + location: West Europe + sku: + name: Basic + family: C + capacity: 0 + enableNonSslPort: false +--- +apiVersion: cache.azure.crossplane.io/v1beta1 +kind: Redis +metadata: + name: azureRedis2 +spec: + providerConfigRef: + name: crossplane-azure + forProvider: + location: West Europe + sku: + name: Basic + family: C + capacity: 0 + + +``` diff --git a/docs/queries/crossplane-queries/azure/b2418936-cd47-4ea2-8346-623c0bdb87bd.md b/docs/queries/crossplane-queries/azure/b2418936-cd47-4ea2-8346-623c0bdb87bd.md new file mode 100644 index 00000000000..0f88ef509b4 --- /dev/null +++ b/docs/queries/crossplane-queries/azure/b2418936-cd47-4ea2-8346-623c0bdb87bd.md @@ -0,0 +1,118 @@ +--- +title: AKS RBAC Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b2418936-cd47-4ea2-8346-623c0bdb87bd +- **Query name:** AKS RBAC Disabled +- **Platform:** Crossplane +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/azure/aks_rbac_disabled) + +### Description +Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-azure/compute.azure.crossplane.io/AKSCluster/v1alpha3@v0.19.0#spec-disableRBAC) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 13" +apiVersion: compute.azure.crossplane.io/v1alpha3 +kind: AKSCluster +metadata: + name: anais-crossplane-demo +spec: + location: eastus + version: "1.19.7" + nodeVMSize: Standard_D2_v2 + resourceGroupNameRef: + name: anais-resource + dnsNamePrefix: dt + nodeCount: 2 + disableRBAC: true +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: aks.multik8s.platformref.crossplane.io + labels: + provider: AZURE +spec: + compositeTypeRef: + apiVersion: multik8s.platformref.crossplane.io/v1alpha1 + kind: AKS + resources: + - name: sample-ec2 + base: + apiVersion: compute.azure.crossplane.io/v1alpha3 + kind: AKSCluster + metadata: + name: anais-crossplane-demo + spec: + location: eastus + version: "1.19.7" + nodeVMSize: Standard_D2_v2 + resourceGroupNameRef: + name: anais-resource + dnsNamePrefix: dt + nodeCount: 2 + disableRBAC: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: compute.azure.crossplane.io/v1alpha3 +kind: AKSCluster +metadata: + name: anais-crossplane-demo +spec: + location: eastus + version: "1.19.7" + nodeVMSize: Standard_D2_v2 + resourceGroupNameRef: + name: anais-resource + dnsNamePrefix: dt + nodeCount: 2 + disableRBAC: false +--- +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: aks.multik8s.platformref.crossplane.io + labels: + provider: AZURE +spec: + compositeTypeRef: + apiVersion: multik8s.platformref.crossplane.io/v1alpha1 + kind: AKS + resources: + - name: sample-ec2 + base: + apiVersion: compute.azure.crossplane.io/v1alpha3 + kind: AKSCluster + metadata: + name: anais-crossplane-demo + spec: + location: eastus + version: "1.19.7" + nodeVMSize: Standard_D2_v2 + resourceGroupNameRef: + name: anais-resource + dnsNamePrefix: dt + nodeCount: 2 + +``` diff --git a/docs/queries/crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421.md b/docs/queries/crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421.md new file mode 100644 index 00000000000..2ba49a900ec --- /dev/null +++ b/docs/queries/crossplane-queries/gcp/6c2d627c-de0f-45fb-b33d-dad9bffbb421.md @@ -0,0 +1,65 @@ +--- +title: Cloud Storage Bucket Logging Not Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6c2d627c-de0f-45fb-b33d-dad9bffbb421 +- **Query name:** Cloud Storage Bucket Logging Not Enabled +- **Platform:** Crossplane +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/gcp/cloud_storage_bucket_logging_not_enabled) + +### Description +Cloud storage bucket should have logging enabled
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-gcp/storage.gcp.crossplane.io/Bucket/v1alpha3@v0.21.0#spec-logging) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +apiVersion: storage.gcp.crossplane.io/v1alpha3 +kind: Bucket +metadata: + name: bucketSample +spec: + location: EU + storageClass: MULTI_REGIONAL + providerConfigRef: + name: crossplane-gcp + labels: + made-by: crossplane + deletionPolicy: Delete + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: storage.gcp.crossplane.io/v1alpha3 +kind: Bucket +metadata: + name: bucketSample +spec: + location: EU + logging: + logBucket: example-logs-bucket + storageClass: MULTI_REGIONAL + providerConfigRef: + name: crossplane-gcp + labels: + made-by: crossplane + deletionPolicy: Delete + +``` diff --git a/docs/queries/crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md b/docs/queries/crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md new file mode 100644 index 00000000000..8143e65f44b --- /dev/null +++ b/docs/queries/crossplane-queries/gcp/b4f65d13-a609-4dc1-af7c-63d2e08bffe9.md @@ -0,0 +1,98 @@ +--- +title: Google Container Node Pool Auto Repair Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b4f65d13-a609-4dc1-af7c-63d2e08bffe9 +- **Query name:** Google Container Node Pool Auto Repair Disabled +- **Platform:** Crossplane +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/crossplane/gcp/google_container_node_pool_auto_repair_disabled) + +### Description +Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.
+[Documentation](https://doc.crds.dev/github.com/crossplane/provider-gcp/container.gcp.crossplane.io/NodePool/v1beta1@v0.21.0#spec-forProvider-management-autoRepair) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="27 6" +apiVersion: container.gcp.crossplane.io/v1beta1 +kind: NodePool +metadata: + name: cluster-np +spec: + forProvider: + autoscaling: + autoprovisioned: false + enabled: true + maxNodeCount: 5 + minNodeCount: 3 + clusterRef: + name: eutuxia-cluster + initialNodeCount: 3 + config: + machineType: n1-standard-1 + locations: + - "us-central1-a" +--- +apiVersion: container.gcp.crossplane.io/v1beta1 +kind: NodePool +metadata: + name: cluster-np +spec: + forProvider: + management: + autoRepair: false + autoscaling: + autoprovisioned: false + enabled: true + maxNodeCount: 5 + minNodeCount: 3 + clusterRef: + name: eutuxia-cluster + initialNodeCount: 3 + config: + machineType: n1-standard-1 + locations: + - "us-central1-a" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: container.gcp.crossplane.io/v1beta1 +kind: NodePool +metadata: + name: cluster-np +spec: + forProvider: + management: + autoRepair: true + autoscaling: + autoprovisioned: false + enabled: true + maxNodeCount: 5 + minNodeCount: 3 + clusterRef: + name: eutuxia-cluster + initialNodeCount: 3 + config: + machineType: n1-standard-1 + locations: + - "us-central1-a" + +``` diff --git a/docs/queries/dockercompose-queries.md b/docs/queries/dockercompose-queries.md index 5662564793d..1eee2fb96bb 100644 --- a/docs/queries/dockercompose-queries.md +++ b/docs/queries/dockercompose-queries.md @@ -3,24 +3,24 @@ This page contains all queries from DockerCompose. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume|Documentation
| -|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'|Documentation
| -|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.|Documentation
| -|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.|Documentation
| -|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations.|Documentation
| -|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly.|Documentation
| -|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.|Documentation
| -|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.|Documentation
| -|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface|Documentation
| -|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.|Documentation
| -|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.|Documentation
| -|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.|Documentation
| -|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared.|Documentation
| -|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1|Documentation
| -|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers|Documentation
| -|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined.|Documentation
| -|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.|Documentation
| +|Volume Has Sensitive Host Directory
1c1325ff-831d-43a1-973e-839ae57dfcc0|High|Build Process|Container has sensitive host directory mounted as a volume (read more)|Documentation
| +|Volume Mounted In Multiple Containers
baa452f0-1f21-4a25-ace5-844e7a5f410d|High|Build Process|Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave' (read more)|Documentation
| +|Docker Socket Mounted In Container
d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b|High|Build Process|Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands. (read more)|Documentation
| +|Privileged Containers Enabled
ae5b6871-7f45-42e0-bb4c-ab300c4d2026|High|Resource Management|Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker. (read more)|Documentation
| +|No New Privileges Not Set
27fcc7d6-c49b-46e0-98f1-6c082a6a2750|High|Resource Management|Ensuring the process does not gain any new privileges lessens the risk associated with many operations. (read more)|Documentation
| +|Healthcheck Not Set
698ed579-b239-4f8f-a388-baa4bcb13ef8|Medium|Availability|Check containers periodically to see if they are running properly. (read more)|Documentation
| +|Restart Policy On Failure Not Set To 5
2fc99041-ddad-49d5-853f-e35e70a48391|Medium|Build Process|Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used. (read more)|Documentation
| +|Cgroup Not Default
4d9f44c6-2f4a-4317-9bb5-267adbea0232|Medium|Build Process|Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault. (read more)|Documentation
| +|Container Traffic Not Bound To Host Interface
451d79dc-0588-476a-ad03-3c7f0320abb3|Medium|Networking and Firewall|Incoming container traffic should be bound to a specific host interface (read more)|Documentation
| +|Networks Not Set
ce14a68b-1668-41a0-ab7d-facd9f784742|Medium|Networking and Firewall|Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers. (read more)|Documentation
| +|Privileged Ports Mapped In Container
bc2908f3-f73c-40a9-8793-c1b7d5544f79|Medium|Networking and Firewall|Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports. (read more)|Documentation
| +|Memory Not Limited
bb9ac4f7-e13b-423d-a010-c74a1bfbe492|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Default Seccomp Profile Disabled
404fde2c-bc4b-4371-9747-7054132ac953|Medium|Resource Management|Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security. (read more)|Documentation
| +|Shared Host User Namespace
8af7162d-6c98-482f-868e-0d33fb675ca8|Medium|Resource Management|The host's user namespace should not be shared. (read more)|Documentation
| +|Pids Limit Not Set
221e0658-cb2a-44e3-b08a-db96a341d6fa|Medium|Resource Management|'pids_limit' should be set and different than -1 (read more)|Documentation
| +|Host Namespace is Shared
4f31dd9f-2cc3-4751-9b53-67e4af83dac0|Medium|Resource Management|The hosts process namespace should not be shared by containers (read more)|Documentation
| +|Shared Host IPC Namespace
baa3890f-bed7-46f5-ab8f-1da8fc91c729|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Shared Host Network Namespace
071a71ff-f868-47a4-ac0b-3c59e4ab5443|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Security Opt Not Set
610e266e-6c12-4bca-9925-1ed0cd29742b|Medium|Resource Management|Attribute 'security_opt' should be defined. (read more)|Documentation
| +|Cpus Not Limited
6b610c50-99fb-4ef0-a5f3-e312fd945bc3|Low|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Container Capabilities Unrestricted
ce76b7d0-9e77-464d-b86f-c5c48e03e22d|Low|Resource Management|Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well. (read more)|Documentation
| diff --git a/docs/queries/dockercompose-queries/071a71ff-f868-47a4-ac0b-3c59e4ab5443.md b/docs/queries/dockercompose-queries/071a71ff-f868-47a4-ac0b-3c59e4ab5443.md new file mode 100644 index 00000000000..c15eb57dcce --- /dev/null +++ b/docs/queries/dockercompose-queries/071a71ff-f868-47a4-ac0b-3c59e4ab5443.md @@ -0,0 +1,63 @@ +--- +title: Shared Host Network Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 071a71ff-f868-47a4-ac0b-3c59e4ab5443 +- **Query name:** Shared Host Network Namespace +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/shared_host_network_namespace) + +### Description +Container should not share the host network namespace
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#network_mode) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +version: '2' + +volumes: + dhcp-leases: + external: false + +services: + + mongo: # 27017 + image: mongo:latest + network_mode: "host" + privileged: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: '2' + +volumes: + dhcp-leases: + external: false + +services: + + mongo: # 27017 + image: mongo:latest + network_mode: "none" + privileged: true + +``` diff --git a/docs/queries/dockercompose-queries/1c1325ff-831d-43a1-973e-839ae57dfcc0.md b/docs/queries/dockercompose-queries/1c1325ff-831d-43a1-973e-839ae57dfcc0.md new file mode 100644 index 00000000000..b67557363d6 --- /dev/null +++ b/docs/queries/dockercompose-queries/1c1325ff-831d-43a1-973e-839ae57dfcc0.md @@ -0,0 +1,205 @@ +--- +title: Volume Has Sensitive Host Directory +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1c1325ff-831d-43a1-973e-839ae57dfcc0 +- **Query name:** Volume Has Sensitive Host Directory +- **Platform:** DockerCompose +- **Severity:** High +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/volume_has_sensitive_host_directory) + +### Description +Container has sensitive host directory mounted as a volume
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +version: "3.9" + +services: + db: + image: db + volumes: + - data-volume:/var/lib/db + backup: + image: backup-service + volumes: + - /var/lib/backup/data + +volumes: + data-volume: + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +version: "3.9" +services: + web: + image: nginx:alpine + volumes: + - type: volume + source: vol + target: /data + volume: + nocopy: true + - type: bind + source: ./static + target: /opt/app/static +volumes: + vol: + driver: local + driver_opts: + device: /var/lib/backup/data + o: bind + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +version: '3' + +volumes: + wordpress-db-data: + driver: local-persist + driver_opts: + mountpoint: ${CONTAINERVOLUME}/dockerData/mysql + wordpress: + wp-content: + driver: local-persist + driver_opts: + mountpoint: /var/data + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="11" +version: "3.8" + +services: + yesno: + image: docker.encEx.com/yesno/yesno:v1.1 + container_name: "yesno-${MODE}" + entrypoint: "/bin/sh" + restart: unless-stopped + volumes: + - type: bind + source: /etc/exercise + target: /etc/exercise + - type: volume + source: yesno-1 + target: /var/www/yesno + - type: volume + source: yesno-2 + target: /var/lib/exercise +volumes: + yesno-1: + name: yesno-1 + yesno-2: + name: yesno-2 + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3" +services: + proxy: + build: ./pyproxy + deploy: + mode: replicated + placement: + constraints: [node.role == manager] + replicas: 8 + depends_on: + - storage-node-1 + - storage-node-2 + - storage-node-3 + - storage-node-4 + - storage-node-5 + - storage-node-6 + - storage-node-7 + - storage-node-8 + - storage-node-9 + - storage-node-10 + - storage-node-11 + - storage-node-12 + - storage-node-13 + - storage-node-14 + - storage-node-15 + - storage-node-16 + zoo1: + image: zookeeper + restart: always + ports: + - 2181:2181 + environment: + - ZOO_MY_ID=1 + deploy: + mode: replicated + placement: + constraints: [node.role == manager] + + metadata: + image: redis:3.2.8 + command: redis-server --appendonly yes + deploy: + mode: replicated + placement: + constraints: [node.role == manager] + volumes: + - ./volumes/metadata/:/data/ + +``` +```yaml title="Negative test num. 2 - yaml file" +version: '3' + +volumes: + wordpress-db-data: + driver: local-persist + driver_opts: + mountpoint: ${CONTAINERVOLUME}/dockerData/mysql + wordpress: + wp-content: + driver: local-persist + driver_opts: + mountpoint: ${CONTAINERVOLUME}/wp-content + +``` +```yaml title="Negative test num. 3 - yaml file" +version: "3.9" +services: + web: + image: nginx:alpine + ports: + - "80:80" + volumes: + - type: volume + source: mydata + target: /data + volume: + nocopy: true + - type: bind + source: ./static + target: /opt/app/static + +networks: + webnet: + +volumes: + mydata: + +``` diff --git a/docs/queries/dockercompose-queries/221e0658-cb2a-44e3-b08a-db96a341d6fa.md b/docs/queries/dockercompose-queries/221e0658-cb2a-44e3-b08a-db96a341d6fa.md new file mode 100644 index 00000000000..310b4f7b17f --- /dev/null +++ b/docs/queries/dockercompose-queries/221e0658-cb2a-44e3-b08a-db96a341d6fa.md 
@@ -0,0 +1,83 @@ +--- +title: Pids Limit Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 221e0658-cb2a-44e3-b08a-db96a341d6fa +- **Query name:** Pids Limit Not Set +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/pids_limit_not_set) + +### Description +'pids_limit' should be set and different than -1
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +version: '2.2' + +volumes: + front_build: + +services: + auth: + build: + context: . + dockerfile: docker_config/Dockerfile + restart: on-failure + cpus: 0.25 + mem_limit: 500M + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +version: '2.2' + +volumes: + front_build: + +services: + auth: + build: + context: . + dockerfile: docker_config/Dockerfile + restart: on-failure + pids_limit: -1 + cpus: 0.25 + mem_limit: 500M + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: '2.2' + +volumes: + front_build: + +services: + auth: + build: + context: . + dockerfile: docker_config/Dockerfile + restart: on-failure + pids_limit: 10 + cpus: 0.25 + mem_limit: 500M + +``` diff --git a/docs/queries/dockercompose-queries/27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md b/docs/queries/dockercompose-queries/27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md new file mode 100644 index 00000000000..2c5527b6521 --- /dev/null +++ b/docs/queries/dockercompose-queries/27fcc7d6-c49b-46e0-98f1-6c082a6a2750.md @@ -0,0 +1,90 @@ +--- +title: No New Privileges Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 27fcc7d6-c49b-46e0-98f1-6c082a6a2750 +- **Query name:** No New Privileges Not Set +- **Platform:** DockerCompose +- **Severity:** High +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/no_new_privileges_not_set) + +### Description +Ensuring the process does not gain any new privileges lessens the risk associated with many operations.
+[Documentation](https://docs.docker.com/engine/reference/run/#security-configuration) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +version: "3.4" +services: + service-service-service: + build: + context: ./ + dockerfile: service.dockerfile + ports: + - "6969:8080" + networks: + - service-service-frontend + restart: always + security_opt: + - no-new-privileges:false + +networks: + service-service-frontend: + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +version: "3.4" +services: + service-service-service: + build: + context: ./ + dockerfile: service.dockerfile + ports: + - "6969:8080" + networks: + - service-service-frontend + restart: always + security_opt: + - "apparmor: false" + +networks: + service-service-frontend: + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.4" +services: + service-service-service: + build: + context: ./ + dockerfile: service.dockerfile + ports: + - "6969:8080" + networks: + - service-service-frontend + restart: always + security_opt: + - no-new-privileges:true + +networks: + service-service-frontend: + +``` diff --git a/docs/queries/dockercompose-queries/2fc99041-ddad-49d5-853f-e35e70a48391.md b/docs/queries/dockercompose-queries/2fc99041-ddad-49d5-853f-e35e70a48391.md new file mode 100644 index 00000000000..e887923a7a3 --- /dev/null +++ b/docs/queries/dockercompose-queries/2fc99041-ddad-49d5-853f-e35e70a48391.md 
@@ -0,0 +1,153 @@ +--- +title: Restart Policy On Failure Not Set To 5 +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2fc99041-ddad-49d5-853f-e35e70a48391 +- **Query name:** Restart Policy On Failure Not Set To 5 +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/restart_policy_on_failure_not_set_to_5) + +### Description +Attribute 'restart:on-failure' should be set to 5. Restart policies in general should be used.
+[Documentation](https://docs.docker.com/config/containers/start-containers-automatically/#use-a-restart-policy) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 6" +version: "3.9" + +services: + customer: + image: whoa/hello + restart: on-failure:10 + networks: + - netnet + expose: + - 8080 + ports: + - 8082:8080 + deploy: + restart_policy: + condition: on-failure + delay: 5s + max_attempts: 10 + window: 120s + +networks: + netnet: + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +version: '3.6' + +networks: + name_of_network: + name: name_of_network + driver: overlay + +services: + name_of_service: + image: not_a_real_one + container_name: container1 + build: ./ + ports: + - '5002:80' + restart: on-failure:3 + networks: + - name_of_network + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +version: "3.9" + +services: + customer: + image: whoa/hello + restart: on-failure:10 + networks: + - netnet + expose: + - 8080 + ports: + - 8082:8080 + deploy: + restart_policy: + condition: on-failure + delay: 5s + max_attempts: 5 + window: 120s + +networks: + netnet: + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="17" +version: "3.9" + +services: + customer: + image: whoa/hello + restart: on-failure:5 + networks: + - netnet + expose: + - 8080 + ports: + - 8082:8080 + deploy: + restart_policy: + condition: on-failure + delay: 5s + max_attempts: 10 + window: 120s + +networks: + netnet: + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.9" + +services: + customer: + image: whoa/hello + restart: on-failure:5 + networks: + - netnet + expose: + - 8080 + ports: + - 8082:8080 + deploy: + restart_policy: + condition: on-failure + delay: 5s + max_attempts: 5 + window: 120s + +networks: + netnet: + + +``` diff --git a/docs/queries/dockercompose-queries/404fde2c-bc4b-4371-9747-7054132ac953.md b/docs/queries/dockercompose-queries/404fde2c-bc4b-4371-9747-7054132ac953.md new file mode 100644 index 00000000000..97569297c63 --- /dev/null +++ b/docs/queries/dockercompose-queries/404fde2c-bc4b-4371-9747-7054132ac953.md @@ -0,0 +1,81 @@ +--- +title: Default Seccomp Profile Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 404fde2c-bc4b-4371-9747-7054132ac953 +- **Query name:** Default Seccomp Profile Disabled +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/default_seccomp_profile_disabled) + +### Description +Seccomp offers a whitelist of common system calls, blocking all others. Having less kernel exposed to an app then increases security.
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13" +version: "3.8" + +services: + demo: + image: not/a/real/image + cap_add: + - SYS_PTRACE + volumes: + - type: volume + source: not-a-real-source-docker + target: /var/lib/docker + security_opt: + - label:seccomp:unconfined + +volumes: + not-a-real-source-docker: + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +version: "3.9" + +networks: + backend: + +services: + example: + build: . + security_opt: + - seccomp:unconfined + networks: + - backend + ports: + - "5002:5002" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.9" + +services: + webapp: + build: + context: ./ + dockerfile: Dockerfile-alternate + args: + buildno: 1 + +``` diff --git a/docs/queries/dockercompose-queries/451d79dc-0588-476a-ad03-3c7f0320abb3.md b/docs/queries/dockercompose-queries/451d79dc-0588-476a-ad03-3c7f0320abb3.md new file mode 100644 index 00000000000..980e78a7198 --- /dev/null +++ b/docs/queries/dockercompose-queries/451d79dc-0588-476a-ad03-3c7f0320abb3.md @@ -0,0 +1,216 @@ +--- +title: Container Traffic Not Bound To Host Interface +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 451d79dc-0588-476a-ad03-3c7f0320abb3 +- **Query name:** Container Traffic Not Bound To Host Interface +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/container_traffic_not_bound_to_host_interface) + +### Description +Incoming container traffic should be bound to a specific host interface
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#ports) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./ + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "7000:8000" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./ + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "12400-12500:1240" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +version: '3.2' + +services: + webapp: + container_name: webapp + build: ./ + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - target: 8000 + published: 8080 + protocol: tcp + mode: host + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./ + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "127.0.0.1:8000:8001" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +```yaml title="Negative test num. 
2 - yaml file" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./ + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "127.0.0.1:5000-5010:5000-5010" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +```yaml title="Negative test num. 3 - yaml file" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./ + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "127.0.0.1::5000" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
Negative test num. 4 - yaml file + +```yaml +version: '3.2' + +services: + webapp: + container_name: webapp + build: ./ + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - target: 8000 + published: 127.0.0.1:8080 + protocol: tcp + mode: host + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
+
Negative test num. 5 - yaml file + +```yaml +version: '3.2' + +services: + webapp: + container_name: webapp + build: ./ + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - target: 8000 + published: 127.0.0.1:8080-8090 + protocol: tcp + mode: host + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
+
Negative test num. 6 - yaml file + +```yaml +version: '3.2' + +services: + webapp: + container_name: webapp + build: ./ + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - target: 8000 + published: 127.0.0.1 + protocol: tcp + mode: host + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
diff --git a/docs/queries/dockercompose-queries/4d9f44c6-2f4a-4317-9bb5-267adbea0232.md b/docs/queries/dockercompose-queries/4d9f44c6-2f4a-4317-9bb5-267adbea0232.md new file mode 100644 index 00000000000..16935d892e2 --- /dev/null +++ b/docs/queries/dockercompose-queries/4d9f44c6-2f4a-4317-9bb5-267adbea0232.md @@ -0,0 +1,74 @@ +--- +title: Cgroup Not Default +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d9f44c6-2f4a-4317-9bb5-267adbea0232 +- **Query name:** Cgroup Not Default +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/cgroup_not_default) + +### Description +Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#cgroup_parent) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +version: '2' + +services: + iperfclient: + build: + context: . + dockerfile: client.Dockerfile + container_name: ipc + cgroup_parent: nat-docker + volumes: + - ./host:container.yaml + networks: + - netnet + expose: + - 1234 + +networks: + netnet: + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: '2' + +services: + iperfclient: + build: + context: . + dockerfile: client.Dockerfile + container_name: ipc + volumes: + - ./host:container.yaml + networks: + - netnet + expose: + - 1234 + +networks: + netnet: + +``` diff --git a/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md b/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md new file mode 100644 index 00000000000..2844f8a8519 --- /dev/null +++ b/docs/queries/dockercompose-queries/4f31dd9f-2cc3-4751-9b53-67e4af83dac0.md @@ -0,0 +1,97 @@ +--- +title: Host Namespace is Shared +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4f31dd9f-2cc3-4751-9b53-67e4af83dac0 +- **Query name:** Host Namespace is Shared +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/host_namespace_is_shared) + +### Description +The hosts process namespace should not be shared by containers
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#pid) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +version: '3' + +services: + + service_name_1: + image: not/a-real-image:latest + command: ["launch"] + ports: + - "8080:8080" + pid: "host" # Share Process ID Namespace + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +version: "2.4" +services: + service_name_2: + build: ./ + restart: always + pid: "host" + entrypoint: node /app/directory.js + volumes: + - "./directory:/app" + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +version: '3' + +services: + + service_name_3: + image: not/a-real-image:latest + command: ["launch"] + ports: + - "8080:8080" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: '2.1' + +services: + + service_name_4: + image: not/a-real-image:latest + command: ["launch"] + ports: + - "8080:8080" + pid: "container:container_name_4" + +``` +```yaml title="Negative test num. 2 - yaml file" +version: '2.1' + +services: + + service_name_5: + image: not/a-real-image:latest + command: ["launch"] + ports: + - "8080:8080" + pid: "container:service_name_4" + + +``` diff --git a/docs/queries/dockercompose-queries/610e266e-6c12-4bca-9925-1ed0cd29742b.md b/docs/queries/dockercompose-queries/610e266e-6c12-4bca-9925-1ed0cd29742b.md new file mode 100644 index 00000000000..b4786beb3f5 --- /dev/null +++ b/docs/queries/dockercompose-queries/610e266e-6c12-4bca-9925-1ed0cd29742b.md 
@@ -0,0 +1,65 @@ +--- +title: Security Opt Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 610e266e-6c12-4bca-9925-1ed0cd29742b +- **Query name:** Security Opt Not Set +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/security_opt_not_set) + +### Description +Attribute 'security_opt' should be defined.
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +version: "3.9" + +services: + webapp: + build: + context: ./ + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.9" + +services: + webapp: + build: + context: ./ + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + security_opt: + - apparmor:unconfined + +``` diff --git a/docs/queries/dockercompose-queries/698ed579-b239-4f8f-a388-baa4bcb13ef8.md b/docs/queries/dockercompose-queries/698ed579-b239-4f8f-a388-baa4bcb13ef8.md new file mode 100644 index 00000000000..eb1c2c186fd --- /dev/null +++ b/docs/queries/dockercompose-queries/698ed579-b239-4f8f-a388-baa4bcb13ef8.md @@ -0,0 +1,120 @@ +--- +title: Healthcheck Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 698ed579-b239-4f8f-a388-baa4bcb13ef8 +- **Query name:** Healthcheck Not Set +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/healthcheck_not_set) + +### Description +Check containers periodically to see if they are running properly.
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#healthcheck) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +version: '2.1' + +services: + lelele-service: + build: ./ + image: lelele-service + restart: always + container_name: lelele + network_mode: "host" + hostname: localhost + ports: + - 8092:8092 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +version: '2.1' + +services: + lelele-service: + build: ./ + image: lelele-service + restart: always + container_name: lelele + network_mode: "host" + hostname: localhost + ports: + - 8092:8092 + healthcheck: + disable: true + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="14" +version: '2.1' + +services: + lelele-service: + build: ./ + image: lelele-service + restart: always + container_name: lelele + network_mode: "host" + hostname: localhost + ports: + - 8092:8092 + healthcheck: + test: ["NONE"] + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: '3.1' + +services: + lelele-service: + build: ./ + image: lelele-service + restart: always + container_name: lelele + network_mode: "host" + hostname: localhost + ports: + - 8092:8092 + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost"] + interval: 1m30s + timeout: 10s + retries: 3 + start_period: 40s + +``` +```yaml title="Negative test num. 2 - yaml file" +version: '3.1' + +services: + lelele-service: + build: ./ + image: lelele-service + restart: always + container_name: lelele + network_mode: "host" + hostname: localhost + ports: + - 8092:8092 + healthcheck: + test: ["CMD", "curl", "-f", "http://localhost"] + +``` diff --git a/docs/queries/dockercompose-queries/6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md b/docs/queries/dockercompose-queries/6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md new file mode 100644 index 00000000000..644981847ef 
--- /dev/null +++ b/docs/queries/dockercompose-queries/6b610c50-99fb-4ef0-a5f3-e312fd945bc3.md @@ -0,0 +1,145 @@ +--- +title: Cpus Not Limited +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6b610c50-99fb-4ef0-a5f3-e312fd945bc3 +- **Query name:** Cpus Not Limited +- **Platform:** DockerCompose +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/cpus_not_limited) + +### Description +CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#resources) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +version: "3.7" +services: + zapzop: + image: openzapzop/zapzop + ports: + - 6412:6412 + deploy: + resources: + limits: + memory: 256M + reservations: + cpus: '0.1' + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +version: "2.4" + +services: + criwhat: + build: + context: "./cri/what" + restart: "unless-stopped" + mem_limit: 512m + environment: + - NODE_ENV=production + - PORT=5000 + - FLAG=FLAG-TOO_MANY_ERRORS_TOO_MANY_DETAILS + ports: + - 12345:6000 + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="3 7" +version: "3.7" +services: + zapzop: + image: openzapzop/zapzop + ports: + - 6412:6412 + deploy: + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="5" +version: "3.9" +services: + redis: + image: redis:alpine + deploy: + restart_policy: + condition: on-failure + delay: 5s + max_attempts: 3 + window: 120s + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="8" +version: "3.7" +services: + zapzop: + image: openzapzop/zapzop + ports: + - 6412:6412 + deploy: + resources: + reservations: + cpus: '0.1' + memory: 128M + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.7" +services: + zipkin: + image: openzipkin/zipkin + ports: + - 9411:9411 + deploy: + resources: + limits: + cpus: '0.3' + memory: 256M + reservations: + cpus: '0.1' + memory: 128M + +``` +```yaml title="Negative test num. 2 - yaml file" +version: "2.4" + +services: + # CRYPTO + crypto_padding_oracle: + build: + context: "./crypto/paddingoracle" + restart: "unless-stopped" + cpus: 0.25 + mem_limit: 512m + environment: + - NODE_ENV=production + - PORT=5000 + + - FLAG=FLAG-TOO_MANY_ERRORS_TOO_MANY_DETAILS + ports: + - 11111:5000 + +``` diff --git a/docs/queries/dockercompose-queries/8af7162d-6c98-482f-868e-0d33fb675ca8.md b/docs/queries/dockercompose-queries/8af7162d-6c98-482f-868e-0d33fb675ca8.md new file mode 100644 index 00000000000..5d655931210 --- /dev/null +++ b/docs/queries/dockercompose-queries/8af7162d-6c98-482f-868e-0d33fb675ca8.md @@ -0,0 +1,81 @@ +--- +title: Shared Host User Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8af7162d-6c98-482f-868e-0d33fb675ca8 +- **Query name:** Shared Host User Namespace +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/shared_host_user_namespace) + +### Description +The host's user namespace should not be shared.
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +version: "3" + +services: + service1: + image: service1:3.4 + hostname: servicer + network_mode: host + pid: host + userns_mode: host + privileged: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.9" + +services: + webapp: + build: + context: ./ + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + security_opt: + - apparmor:unconfined + +``` +```yaml title="Negative test num. 2 - yaml file" +version: "3.9" + +services: + webapp: + build: + context: ./ + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + security_opt: + - apparmor:unconfined + userns_mode: anything_but_host + +``` diff --git a/docs/queries/dockercompose-queries/ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md b/docs/queries/dockercompose-queries/ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md new file mode 100644 index 00000000000..ed55091a3bc --- /dev/null +++ b/docs/queries/dockercompose-queries/ae5b6871-7f45-42e0-bb4c-ab300c4d2026.md @@ -0,0 +1,92 @@ +--- +title: Privileged Containers Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ae5b6871-7f45-42e0-bb4c-ab300c4d2026 +- **Query name:** Privileged Containers Enabled +- **Platform:** DockerCompose +- **Severity:** High +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/privileged_containers_enabled) + +### Description +Privileged containers should be used with extreme caution, they have all of the capabilities that the linux kernel offers for docker.
+[Documentation](https://docs.docker.com/compose/compose-file/#privileged) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + privileged: true + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + privileged: true + cap_drop: + - all + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + +``` +```yaml title="Negative test num. 2 - yaml file" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + privileged: false + +``` diff --git a/docs/queries/dockercompose-queries/baa3890f-bed7-46f5-ab8f-1da8fc91c729.md b/docs/queries/dockercompose-queries/baa3890f-bed7-46f5-ab8f-1da8fc91c729.md new file mode 100644 index 00000000000..20cf9ff9036 --- /dev/null +++ b/docs/queries/dockercompose-queries/baa3890f-bed7-46f5-ab8f-1da8fc91c729.md @@ -0,0 +1,96 @@ +--- +title: Shared Host IPC Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** baa3890f-bed7-46f5-ab8f-1da8fc91c729 +- **Query name:** Shared Host IPC Namespace +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/shared_host_ipc_namespace) + +### Description +Container should not share the host IPC namespace
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ipc: "host" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + ipc: "host" + cap_drop: + - all + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + +``` +```yaml title="Negative test num. 2 - yaml file" +version: "2.4" + +services: + service: + image: busybox + command: top + ipc: "service:shareable" + + container: + image: busybox + command: top + ipc: "container:composetest_ipc_mode_container" + + shareable: + image: busybox + command: top + ipc: shareable + +``` diff --git a/docs/queries/dockercompose-queries/baa452f0-1f21-4a25-ace5-844e7a5f410d.md b/docs/queries/dockercompose-queries/baa452f0-1f21-4a25-ace5-844e7a5f410d.md new file mode 100644 index 00000000000..eb54cd32d5a --- /dev/null +++ b/docs/queries/dockercompose-queries/baa452f0-1f21-4a25-ace5-844e7a5f410d.md 
@@ -0,0 +1,160 @@ +--- +title: Volume Mounted In Multiple Containers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** baa452f0-1f21-4a25-ace5-844e7a5f410d +- **Query name:** Volume Mounted In Multiple Containers +- **Platform:** DockerCompose +- **Severity:** High +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/volume_mounted_in_multiple_containers) + +### Description +Volume mounts should not be shared, which means that 'propagation' should not be set to 'shared', 'rshared', 'slave', or 'rslave'
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="15" +version: "3.2" +services: + old8k: + image: notreal + container_name: "c1" + restart: always + expose: + - 74746 + - 76867 + volumes: + - type: bind + source: $ENVVAR/.whew/path/datapath + target: "/data" + bind: + propagation: rshared + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +version: "3.2" +services: + old8k: + image: notreal + container_name: "c2" + restart: always + expose: + - 74746 + - 76867 + volumes: + - type: bind + source: $ENVVAR/.whew/path/datapath + target: "/data" + bind: + propagation: shared + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="15" +version: "3.2" +services: + old8k: + image: notreal + container_name: "c3" + restart: always + expose: + - 74746 + - 76867 + volumes: + - type: bind + source: $ENVVAR/.whew/path/datapath + target: "/data" + bind: + propagation: rslave + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="15" +version: "3.2" +services: + old8k: + image: notreal + container_name: "c4" + restart: always + expose: + - 74746 + - 76867 + volumes: + - type: bind + source: $ENVVAR/.whew/path/datapath + target: "/data" + bind: + propagation: slave + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.2" +services: + old8k: + image: notreal + container_name: "c5" + restart: always + expose: + - 74746 + - 76867 + volumes: + - type: bind + source: $ENVVAR/.whew/path/datapath + target: "/data" + bind: + propagation: private + +``` +```yaml title="Negative test num. 2 - yaml file" +version: "3.2" +services: + old8k: + image: notreal + container_name: "c6" + restart: always + expose: + - 74746 + - 76867 + volumes: + - type: bind + source: $ENVVAR/.whew/path/datapath + target: "/data" + bind: + propagation: rprivate #this is the default value + +``` +```yaml title="Negative test num. 3 - yaml file" +version: "3.2" +services: + old8k: + image: notreal + container_name: "c7" + restart: always + expose: + - 74746 + - 76867 + volumes: + - type: bind + source: $ENVVAR/.whew/path/datapath + target: "/data" + +``` diff --git a/docs/queries/dockercompose-queries/bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md b/docs/queries/dockercompose-queries/bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md new file mode 100644 index 00000000000..7660c05c0b3 --- /dev/null +++ b/docs/queries/dockercompose-queries/bb9ac4f7-e13b-423d-a010-c74a1bfbe492.md @@ -0,0 +1,144 @@ +--- +title: Memory Not Limited +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bb9ac4f7-e13b-423d-a010-c74a1bfbe492 +- **Query name:** Memory Not Limited +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/memory_not_limited) + +### Description +Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#resources) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +version: "3.7" +services: + zapzop: + image: openzapzop/zapzop + ports: + - 6412:6412 + deploy: + resources: + limits: + cpus: '0.3' + reservations: + cpus: '0.1' + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +version: "2.4" + +services: + criwhat: + build: + context: "./cri/what" + restart: "unless-stopped" + cpus: 0.25 + environment: + - NODE_ENV=production + - PORT=5000 + - FLAG=FLAG-TOO_MANY_ERRORS_TOO_MANY_DETAILS + ports: + - 12345:6000 + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="3 7" +version: "3.7" +services: + zapzop: + image: openzapzop/zapzop + ports: + - 6412:6412 + deploy: + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="8" +version: "3.7" +services: + zapzop: + image: openzapzop/zapzop + ports: + - 6412:6412 + deploy: + resources: + reservations: + cpus: '0.1' + memory: 128M + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="5" +version: "3.9" +services: + redis: + image: redis:alpine + deploy: + restart_policy: + condition: on-failure + delay: 5s + max_attempts: 3 + window: 120s + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.7" +services: + zapzop: + image: openzapzop/zapzop + ports: + - 6412:6412 + deploy: + resources: + limits: + cpus: '0.3' + memory: 256M + reservations: + cpus: '0.1' + memory: 128M + + +``` +```yaml title="Negative test num. 2 - yaml file" +version: "2.4" + +services: + criwhat: + build: + context: "./cri/what" + restart: "unless-stopped" + cpus: 0.25 + mem_limit: 512m + environment: + - NODE_ENV=production + - PORT=4000 + - FLAG=FLAG-TOO_MANY_ERRORS_TOO_MANY_DETAILS + ports: + - 12345:6000 + +``` diff --git a/docs/queries/dockercompose-queries/bc2908f3-f73c-40a9-8793-c1b7d5544f79.md b/docs/queries/dockercompose-queries/bc2908f3-f73c-40a9-8793-c1b7d5544f79.md new file mode 100644 index 00000000000..b4ec762fd23 --- /dev/null +++ b/docs/queries/dockercompose-queries/bc2908f3-f73c-40a9-8793-c1b7d5544f79.md @@ -0,0 +1,475 @@ +--- +title: Privileged Ports Mapped In Container +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bc2908f3-f73c-40a9-8793-c1b7d5544f79 +- **Query name:** Privileged Ports Mapped In Container +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/privileged_ports_mapped_in_container) + +### Description +Privileged ports (1 to 1023) should not be mapped. Also you should drop net_bind_service linux capability from the container unless you absolutely need to use priviledged ports.
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12 5" +services: + dhcpd: + image: networkboot/dhcpd:latest + container_name: dhcpd + ports: + - 67:67/udp + networks: + - privnet + dhcp_client: + build: dhcp_client + container_name: dhcp_client + ports: + - 68:68/udp + +networks: + privnet: + ipam: + config: + - subnet: 192.168.0.0/24 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "7000:80" + network_mode: "LDC" + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "70:8000" + network_mode: "LDC" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "70-8000" + network_mode: "LDC" + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "80" + network_mode: "LDC" + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "90-9091:8080-8081" + network_mode: "LDC" + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "9090-9091:80-8081" + network_mode: "LDC" + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "49100:22" + network_mode: "LDC" + +``` +
+
Postitive test num. 9 - yaml file + +```yaml hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "127.0.0.1:80:8001" + network_mode: "LDC" + +``` +
+
Postitive test num. 10 - yaml file + +```yaml hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "127.0.0.1::50" + network_mode: "LDC" + +``` +
+
Postitive test num. 11 - yaml file + +```yaml hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "12400-12500:124" + network_mode: "LDC" + +``` +
+
Postitive test num. 12 - yaml file + +```yaml hl_lines="11" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - target: 80 + published: 8080 + protocol: tcp + mode: host + network_mode: "LDC" + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +services: + dhcpd: + image: networkboot/dhcpd:latest + container_name: dhcpd + ports: + - 6700:6700/udp + cap_drop: + - NET_BIND_SERVICE + networks: + - privnet + dhcp_client: + build: dhcp_client + container_name: dhcp_client + ports: + - 6800:6800/udp + +networks: + privnet: + ipam: + config: + - subnet: 192.168.0.0/24 + +``` +```yaml title="Negative test num. 2 - yaml file" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "7000:8000" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + + +``` +```yaml title="Negative test num. 3 - yaml file" +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "7000-8000" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
Negative test num. 4 - yaml file + +```yaml +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "8000" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
+
Negative test num. 5 - yaml file + +```yaml +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "9000-9091:8080-8081" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
+
Negative test num. 6 - yaml file + +```yaml +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "127.0.0.1:8000:8001" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
+
Negative test num. 7 - yaml file + +```yaml +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "127.0.0.1::5000" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
+
Negative test num. 8 - yaml file + +```yaml +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - "12400-12500:1240" + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
+
Negative test num. 9 - yaml file + +```yaml +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - target: 8000 + published: 8080 + protocol: tcp + mode: host + cap_drop: + - NET_BIND_SERVICE + network_mode: "LDC" + +``` +
+
Negative test num. 10 - yaml file + +```yaml +version: '2.1' + +services: + webapp: + container_name: webapp + build: ./webapp + environment: + - ASPNETCORE_ENVIRONMENT=Development + - ASPNETCORE_URLS=http://0.0.0.0:80 + - TradeUrl=http://trading.api + ports: + - target: 8000 + published: 8080 + protocol: tcp + mode: host + cap_drop: + - CHOWN + network_mode: "LDC" + +``` +
diff --git a/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md b/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md new file mode 100644 index 00000000000..d09bdab54e7 --- /dev/null +++ b/docs/queries/dockercompose-queries/ce14a68b-1668-41a0-ab7d-facd9f784742.md @@ -0,0 +1,102 @@ +--- +title: Networks Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ce14a68b-1668-41a0-ab7d-facd9f784742 +- **Query name:** Networks Not Set +- **Platform:** DockerCompose +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/networks_not_set) + +### Description +Setting networks in services ensures you are not using dockers default bridge (docker0), which shares traffic bewteen all containers.
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#networks) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +version: '2.2' + +volumes: + front_build: + +services: + auth: + build: + context: . + dockerfile: docker_config/Dockerfile + restart: on-failure + pids_limit: 10 + cpus: 0.25 + mem_limit: 500M + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +version: '2.2' + +services: + service-service-service: + build: + context: . + dockerfile: service.dockerfile + ports: + - "6969:8080" + networks: + - service-service-frontend + restart: always + security_opt: + - no-new-privileges:true + + auth: + build: + context: . + dockerfile: docker_config/Dockerfile + restart: on-failure + pids_limit: 10 + cpus: 0.25 + mem_limit: 500M + +networks: + service-service-frontend: + +volumes: + front_build: + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.4" +services: + service-service-service: + build: + context: . + dockerfile: service.dockerfile + ports: + - "6969:8080" + networks: + - service-service-frontend + restart: always + security_opt: + - no-new-privileges:true + +networks: + service-service-frontend: + +``` diff --git a/docs/queries/dockercompose-queries/ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md b/docs/queries/dockercompose-queries/ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md new file mode 100644 index 00000000000..1a1aa1416b5 --- /dev/null +++ b/docs/queries/dockercompose-queries/ce76b7d0-9e77-464d-b86f-c5c48e03e22d.md 
@@ -0,0 +1,123 @@ +--- +title: Container Capabilities Unrestricted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ce76b7d0-9e77-464d-b86f-c5c48e03e22d +- **Query name:** Container Capabilities Unrestricted +- **Platform:** DockerCompose +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/container_capabilities_unrestricted) + +### Description +Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.
+[Documentation](https://docs.docker.com/compose/compose-file/compose-file-v3/#cap_add-cap_drop) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 13" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + cap_add: + - all + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + cap_add: + - all + cap_drop: + - SYS_CHROOT + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="13" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + cap_add: + - all + cap_drop: + - all + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="4" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.9" + +services: + webapp: + build: + context: ./dir + dockerfile: Dockerfile-alternate + args: + buildno: 1 + ports: + - "8080:8080" + - "3000:3000" + cap_drop: + - all + +``` diff --git a/docs/queries/dockercompose-queries/d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md b/docs/queries/dockercompose-queries/d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md new file mode 100644 index 00000000000..9fb205d90b4 --- /dev/null +++ b/docs/queries/dockercompose-queries/d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b.md @@ -0,0 +1,59 @@ +--- +title: Docker Socket Mounted In Container +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d6355c88-1e8d-49e9-b2f2-f8a1ca12c75b +- **Query name:** Docker Socket Mounted In Container +- **Platform:** DockerCompose +- **Severity:** High +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerCompose/docker_socket_mounted_in_container) + +### Description +Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.
+[Documentation](https://docs.docker.com/compose/compose-file/#volumes) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +version: "3.1" + +services: + service1: + container_name: service + image: notareal/image:latest + restart: always + volumes: + - /var/run/docker.sock:/var/run/docker.sock + ports: + - 8080:8080 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +version: "3.1" + +services: + service1: + container_name: service + image: notareal/image:latest + restart: always + ports: + - 8080:8080 + +``` diff --git a/docs/queries/dockerfile-queries.md b/docs/queries/dockerfile-queries.md index bb2ade9a3bc..d2610c0bb29 100644 --- a/docs/queries/dockerfile-queries.md +++ b/docs/queries/dockerfile-queries.md @@ -3,52 +3,52 @@ This page contains all queries from Dockerfile. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535|Documentation
| -|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR|Documentation
| -|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root|Documentation
| -|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined|Documentation
| -|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect|Documentation
| -|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself|Documentation
| -|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash|Documentation
| -|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior|Documentation
| -|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability|Documentation
| -|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges|Documentation
| -|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.|Documentation
| -|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect|Documentation
| -|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.|Documentation
| -|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments|Documentation
| -|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement|Documentation
| -|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).|Documentation
| -|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly|Documentation
| -|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :'|Documentation
| -|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size|Documentation
| -|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag|Documentation
| -|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache|Documentation
| -|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y '|Documentation
| -|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM|Documentation
| -|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect|Documentation
| -|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.|Documentation
| -|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined|Documentation
| -|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input.|Documentation
| -|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper|Documentation
| -|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages.|Documentation
| -|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input|Documentation
| -|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller|Documentation
| -|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes|Documentation
| -|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size|Documentation
| -|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version.|Documentation
| -|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages|Documentation
| -|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.|Documentation
| -|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership|Documentation
| -|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22)|Documentation
| -|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.|Documentation
| -|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily|Documentation
| -|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged|Documentation
| -|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.|Documentation
| -|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working|Documentation
| -|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container|Documentation
| -|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'|Documentation
| -|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists|Documentation
| -|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.|Documentation
| +|UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e|High|Availability|Exposing UNIX ports out of range from 0 to 65535 (read more)|Documentation
| +|WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4|High|Build Process|For clarity and reliability, you should always use absolute paths for your WORKDIR (read more)|Documentation
| +|Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f|High|Build Process|A user should be specified in the dockerfile, otherwise the image will run as root (read more)|Documentation
| +|Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed|High|Build Process|Different FROMS cant have the same alias defined (read more)|Documentation
| +|Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97|High|Build Process|There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect (read more)|Documentation
| +|COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b|High|Build Process|COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself (read more)|Documentation
| +|Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db|High|Build Process|When a COPY command has more than two arguments, the last one should end with a slash (read more)|Documentation
| +|Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a|High|Insecure Configurations|Avoid RUN with sudo command as it leads to unpredictable behavior (read more)|Documentation
| +|Vulnerable OpenSSL Version
5fa731ea-e844-47a6-a1e8-abc25e95847e|High|Supply-Chain|OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability (read more)|Documentation
| +|Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae|Medium|Best Practices|Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges (read more)|Documentation
| +|Changing Default Shell Using RUN Command
8a301064-c291-4b20-adcb-403fe7fd95fd|Medium|Best Practices|Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose. (read more)|Documentation
| +|Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f|Medium|Build Process|There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect (read more)|Documentation
| +|RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e|Medium|Build Process|When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead. (read more)|Documentation
| +|Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79|Medium|Build Process|Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments (read more)|Documentation
| +|Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd|Medium|Build Process|Instruction 'RUN update' should always be followed by ' install' in the same RUN statement (read more)|Documentation
| +|Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22|Medium|Insecure Defaults|Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). (read more)|Documentation
| +|Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd|Medium|Supply-Chain|Always tag the version of an image explicitly (read more)|Documentation
| +|Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341|Medium|Supply-Chain|Instead of 'gem install ' we should use 'gem install :' (read more)|Documentation
| +|Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37|Medium|Supply-Chain|Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size (read more)|Documentation
| +|Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067|Medium|Supply-Chain|When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag (read more)|Documentation
| +|Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d|Medium|Supply-Chain|apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache (read more)|Documentation
| +|Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03|Medium|Supply-Chain|Need to use -y to avoid manual input 'yum install -y ' (read more)|Documentation
| +|Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9|Medium|Supply-Chain|Don't use '--platform' flag with FROM (read more)|Documentation
| +|Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359|Medium|Supply-Chain|Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect (read more)|Documentation
| +|Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b|Medium|Supply-Chain|Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script. (read more)|Documentation
| +|Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e|Medium|Supply-Chain|When installing a package, its pin version should be defined (read more)|Documentation
| +|APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547|Medium|Supply-Chain|Check if apt-get calls use the flag -y to avoid user manual input. (read more)|Documentation
| +|Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313|Medium|Supply-Chain|Reduce layer and image size by deleting unneeded caches after running zypper (read more)|Documentation
| +|Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1|Medium|Supply-Chain|Specifying a package version allows to reduce failures due to unanticipated changes in required packages. (read more)|Documentation
| +|Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944|Medium|Supply-Chain|Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input (read more)|Documentation
| +|Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118|Medium|Supply-Chain|When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller (read more)|Documentation
| +|Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc|Medium|Supply-Chain|Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes (read more)|Documentation
| +|Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0|Medium|Supply-Chain|Cached package data should be cleaned after installation to reduce image size (read more)|Documentation
| +|NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5|Medium|Supply-Chain|Check if packages installed by npm are pinning a specific version. (read more)|Documentation
| +|Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b|Medium|Supply-Chain|Not specifying the package version can cause failures due to unanticipated changes in required packages (read more)|Documentation
| +|Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8|Medium|Supply-Chain|The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. (read more)|Documentation
| +|Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28|Low|Best Practices|It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership (read more)|Documentation
| +|Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8|Low|Best Practices|Expose only the ports that your application needs and avoid exposing ports like SSH (22) (read more)|Documentation
| +|Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6|Low|Best Practices|Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. (read more)|Documentation
| +|MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c|Low|Best Practices|The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily (read more)|Documentation
| +|Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c|Low|Best Practices|Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged (read more)|Documentation
| +|Using Unnamed Build Stages
68a51e22-ae5a-4d48-8e87-b01a323605c9|Low|Build Process| This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break. (read more)|Documentation
| +|Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5|Low|Insecure Configurations|Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working (read more)|Documentation
| +|Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b|Info|Supply-Chain|Some POSIX commands and interactive utilities shouldn't run inside a Docker Container (read more)|Documentation
| +|Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d|Info|Supply-Chain|When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' (read more)|Documentation
| +|Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c|Info|Supply-Chain|After using apt-get install, it is needed to delete apt-get lists (read more)|Documentation
| +|APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c|Info|Supply-Chain|Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. (read more)|Documentation
| diff --git a/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md b/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md new file mode 100644 index 00000000000..c0f99223e1c --- /dev/null +++ b/docs/queries/dockerfile-queries/0008c003-79aa-42d8-95b8-1c2fe37dbfe6.md @@ -0,0 +1,112 @@ +--- +title: Multiple RUN, ADD, COPY, Instructions Listed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0008c003-79aa-42d8-95b8-1c2fe37dbfe6 +- **Query name:** Multiple RUN, ADD, COPY, Instructions Listed +- **Platform:** Dockerfile +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/multiple_run_add_copy_instructions_listed) + +### Description +Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers.
+[Documentation](https://sysdig.com/blog/dockerfile-best-practices/) + +### Code samples +#### Code samples with security vulnerabilities +```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2" +FROM ubuntu +RUN apt-get install -y wget +RUN wget https://…/downloadedfile.tar +RUN tar xvzf downloadedfile.tar +RUN rm downloadedfile.tar +RUN apt-get remove wget + +``` +```dockerfile title="Postitive test num. 2 - dockerfile file" hl_lines="2" +FROM ubuntu +COPY README.md ./ +COPY package.json ./ +COPY gulpfile.js ./ +COPY __BUILD_NUMBER ./ + +``` +```dockerfile title="Postitive test num. 3 - dockerfile file" hl_lines="2" +FROM ubuntu +ADD cairo.spec /rpmbuild/SOURCES +ADD cairo-1.13.1.tar.xz /rpmbuild/SOURCES +ADD cairo-multilib.patch /rpmbuild/SOURCES + +``` + + +#### Code samples without security vulnerabilities +```dockerfile title="Negative test num. 1 - dockerfile file" +FROM ubuntu +RUN apt-get install wget && wget https://…/downloadedfile.tar && tar xvzf downloadedfile.tar && rm downloadedfile.tar && apt-get remove wget + +``` +```dockerfile title="Negative test num. 2 - dockerfile file" +FROM ubuntu +COPY README.md package.json gulpfile.js __BUILD_NUMBER ./ + +``` +```dockerfile title="Negative test num. 3 - dockerfile file" +FROM ubuntu +ADD cairo.spec cairo-1.13.1.tar.xz cairo-multilib.patch /rpmbuild/SOURCES + + +``` +
Negative test num. 4 - dockerfile file + +```dockerfile +FROM ubuntu +COPY README.md ./one +COPY package.json ./two +COPY gulpfile.js ./three +COPY __BUILD_NUMBER ./four + +FROM ubuntu:1.2 +ADD README.md ./one +ADD package.json ./two +ADD gulpfile.js ./three +ADD __BUILD_NUMBER ./four + +``` +
+
Negative test num. 5 - dockerfile file + +```dockerfile +FROM golang:1.16 AS builder +WORKDIR /go/src/github.com/alexellis/href-counter/ +RUN go get -d -v golang.org/x/net/html +COPY app.go ./ +RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app . +ADD cairo.spec /rpmbuild/SOURCES +ADD cairo-1.13.1.tar.xz /rpmbuild/SOURCES + +FROM alpine:latest +RUN apk --no-cache add ca-certificates +WORKDIR /root/ +COPY --from=builder /go/src/github.com/alexellis/href-counter/app ./ +CMD ["./app"] +RUN useradd -ms /bin/bash patrick + +USER patrick + +``` +
diff --git a/docs/queries/dockerfile-queries/00481784-25aa-4a55-8633-3136dfcf4f37.md b/docs/queries/dockerfile-queries/00481784-25aa-4a55-8633-3136dfcf4f37.md new file mode 100644 index 00000000000..8149fddedbc --- /dev/null +++ b/docs/queries/dockerfile-queries/00481784-25aa-4a55-8633-3136dfcf4f37.md @@ -0,0 +1,66 @@ +--- +title: Yum Clean All Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 00481784-25aa-4a55-8633-3136dfcf4f37 +- **Query name:** Yum Clean All Missing +- **Platform:** Dockerfile +- **Severity:** Medium +- **Category:** Supply-Chain +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/yum_clean_all_missing) + +### Description +Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run) + +### Code samples +#### Code samples with security vulnerabilities +```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="12" +FROM alpine:3.5 +RUN apk add --update py2-pip +RUN yum install +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] + +FROM alpine:3.4 +RUN yum clean all \ + yum -y install + +``` + + +#### Code samples without security vulnerabilities +```dockerfile title="Negative test num. 1 - dockerfile file" +FROM alpine:3.5 +RUN apk add --update py2-pip +RUN yum install \ + yum clean all +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] + +FROM alpine:3.4 +RUN yum -y install \ + yum clean all + +``` diff --git a/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md b/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md new file mode 100644 index 00000000000..94c42f0b326 --- /dev/null +++ b/docs/queries/dockerfile-queries/02d9c71f-3ee8-4986-9c27-1a20d0d19bfc.md 
@@ -0,0 +1,81 @@ +--- +title: Unpinned Package Version in Pip Install +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 02d9c71f-3ee8-4986-9c27-1a20d0d19bfc +- **Query name:** Unpinned Package Version in Pip Install +- **Platform:** Dockerfile +- **Severity:** Medium +- **Category:** Supply-Chain +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/unpinned_package_version_in_pip_install) + +### Description +Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/) + +### Code samples +#### Code samples with security vulnerabilities +```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="18 3 4 15" +FROM alpine:3.9 +RUN apk add --update py-pip=7.1.2-r0 +RUN pip install --user pip +RUN ["pip", "install", "connexion"] +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +ENV TEST="test" +CMD ["python", "/usr/src/app/app.py"] + +FROM alpine:3.7 +RUN apk add --update py-pip=7.1.2-r0 +RUN pip install connexion +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +RUN pip3 install requests +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python"] + +``` + + +#### Code samples without security vulnerabilities +```dockerfile title="Negative test num. 1 - dockerfile file" +FROM alpine:3.4 +RUN apk add --update py-pip=7.1.2-r0 +RUN sudo pip install --upgrade pip=20.3 connexion=2.7.0 +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] + +FROM alpine:3.1 +RUN apk add py-pip=7.1.2-r0 +RUN sudo pip install --upgrade pip=20.3 connexion=2.7.0 +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +RUN pip3 install requests=2.7.0 +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] + +``` diff --git a/docs/queries/dockerfile-queries/22cd11f7-9c6c-4f6e-84c0-02058120b341.md b/docs/queries/dockerfile-queries/22cd11f7-9c6c-4f6e-84c0-02058120b341.md new file mode 100644 index 00000000000..475fe0c25f1 
--- /dev/null +++ b/docs/queries/dockerfile-queries/22cd11f7-9c6c-4f6e-84c0-02058120b341.md @@ -0,0 +1,64 @@ +--- +title: Gem Install Without Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 22cd11f7-9c6c-4f6e-84c0-02058120b341 +- **Query name:** Gem Install Without Version +- **Platform:** Dockerfile +- **Severity:** Medium +- **Category:** Supply-Chain +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/gem_install_without_version) + +### Description +Instead of 'gem install ' we should use 'gem install :'
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run) + +### Code samples +#### Code samples with security vulnerabilities +```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3 4 5" +FROM alpine:3.5 +RUN apk add --update py2-pip +RUN gem install bundler +RUN ["gem", "install", "blunder"] +RUN gem install grpc -v ${GRPC_RUBY_VERSION} blunder +RUN bundle install +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] + +``` + + +#### Code samples without security vulnerabilities +```dockerfile title="Negative test num. 1 - dockerfile file" +FROM alpine:3.5 +RUN apk add --update py2-pip +RUN gem install bundler:2.0.2 +RUN bundle install +COPY requirements.txt /usr/src/app/ +RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt +COPY app.py /usr/src/app/ +COPY templates/index.html /usr/src/app/templates/ +EXPOSE 5000 +CMD ["python", "/usr/src/app/app.py"] +ENV GRPC_VERSION 1.0.0 +RUN gem install grpc -v ${GRPC_RUBY_VERSION} +RUN gem install grpc:${GRPC_VERSION} grpc-tools:${GRPC_VERSION} + +``` diff --git a/docs/queries/dockerfile-queries/295acb63-9246-4b21-b441-7c1f1fb62dc0.md b/docs/queries/dockerfile-queries/295acb63-9246-4b21-b441-7c1f1fb62dc0.md new file mode 100644 index 00000000000..57a2a0837d1 --- /dev/null +++ b/docs/queries/dockerfile-queries/295acb63-9246-4b21-b441-7c1f1fb62dc0.md 
@@ -0,0 +1,52 @@
+---
+title: Missing Dnf Clean All
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 295acb63-9246-4b21-b441-7c1f1fb62dc0
+- **Query name:** Missing Dnf Clean All
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/missing_dnf_clean_all)
+
+### Description
+Cached package data should be cleaned after installation to reduce image size
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+FROM fedora:27
+RUN set -uex && \
+ dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
+ sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
+ dnf install -vy docker-ce
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM fedora:27
+RUN set -uex && \
+ dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
+ sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
+ dnf install -vy docker-ce && \
+ dnf clean all
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
diff --git a/docs/queries/dockerfile-queries/38300d1a-feb2-4a48-936a-d1ef1cd24313.md b/docs/queries/dockerfile-queries/38300d1a-feb2-4a48-936a-d1ef1cd24313.md
new file mode 100644
index 00000000000..6ca1b92b3ae
--- /dev/null
+++ b/docs/queries/dockerfile-queries/38300d1a-feb2-4a48-936a-d1ef1cd24313.md
@@ -0,0 +1,45 @@
+---
+title: Missing Zypper Clean
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 38300d1a-feb2-4a48-936a-d1ef1cd24313
+- **Query name:** Missing Zypper Clean
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/missing_zypper_clean)
+
+### Description
+Reduce layer and image size by deleting unneeded caches after running zypper
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+FROM busybox:1.0
+RUN zypper install
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM busybox:1.0
+RUN zypper install -y httpd=2.4 && zypper clean
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
diff --git a/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md b/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md
new file mode 100644
index 00000000000..d2f3d828ec8
--- /dev/null
+++ b/docs/queries/dockerfile-queries/41c195f4-fc31-4a5c-8a1b-90605538d49f.md
@@ -0,0 +1,62 @@
+---
+title: Multiple CMD Instructions Listed
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 41c195f4-fc31-4a5c-8a1b-90605538d49f
+- **Query name:** Multiple CMD Instructions Listed
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/multiple_cmd_instructions_listed)
+
+### Description
+There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect
+[Documentation](https://docs.docker.com/engine/reference/builder/#cmd)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="11"
+FROM golang:1.7.3
+WORKDIR /go/src/github.com/alexellis/href-counter/
+RUN go get -d -v golang.org/x/net/html
+COPY app.go .
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+FROM alpine:latest
+RUN apk --no-cache add ca-certificates
+WORKDIR /root/
+COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+CMD ["./app"]
+CMD ["./apps"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM golang:1.7.3
+WORKDIR /go/src/github.com/alexellis/href-counter/
+RUN go get -d -v golang.org/x/net/html
+COPY app.go .
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+CMD ["./app"]
+
+FROM alpine:latest
+RUN apk --no-cache add ca-certificates
+WORKDIR /root/
+COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+CMD ["./app"]
+```
diff --git a/docs/queries/dockerfile-queries/45e1fca5-f90e-465d-825f-c2cb63fa3944.md b/docs/queries/dockerfile-queries/45e1fca5-f90e-465d-825f-c2cb63fa3944.md
new file mode 100644
index 00000000000..2188da0629c
--- /dev/null
+++ b/docs/queries/dockerfile-queries/45e1fca5-f90e-465d-825f-c2cb63fa3944.md
@@ -0,0 +1,45 @@
+---
+title: Missing Zypper Non-interactive Switch
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 45e1fca5-f90e-465d-825f-c2cb63fa3944
+- **Query name:** Missing Zypper Non-interactive Switch
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/missing_zypper_non_interactive_switch)
+
+### Description
+Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+FROM busybox:1.0
+RUN zypper install httpd && zypper clean
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM busybox:1.0
+RUN zypper install -y httpd=2.4.46 && zypper clean
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
diff --git a/docs/queries/dockerfile-queries/4b410d24-1cbe-4430-a632-62c9a931cf1c.md b/docs/queries/dockerfile-queries/4b410d24-1cbe-4430-a632-62c9a931cf1c.md
new file mode 100644
index 00000000000..5530c73e509
--- /dev/null
+++ b/docs/queries/dockerfile-queries/4b410d24-1cbe-4430-a632-62c9a931cf1c.md
@@ -0,0 +1,49 @@
+---
+title: Curl or Wget Instead of Add
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4b410d24-1cbe-4430-a632-62c9a931cf1c
+- **Query name:** Curl or Wget Instead of Add
+- **Platform:** Dockerfile
+- **Severity:** Low
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/curl_or_wget_instead_of_add)
+
+### Description
+Use of Curl or Wget should be done instead of Add to fetch packages from remote URLs due to the use of Add being strongly discouraged
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3"
+FROM openjdk:10-jdk
+VOLUME /tmp
+ADD https://example.com/big.tar.xz /usr/src/things/
+RUN tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things
+RUN make -C /usr/src/things all
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM openjdk:10-jdk
+RUN mkdir -p /usr/src/things \
+ && curl -SL https://example.com/big.tar.xz \
+ | tar -xJC /usr/src/things \
+ && make -C /usr/src/things all
+
+```
diff --git a/docs/queries/dockerfile-queries/562952e4-0348-4dea-9826-44f3a2c6117b.md b/docs/queries/dockerfile-queries/562952e4-0348-4dea-9826-44f3a2c6117b.md
new file mode 100644
index 00000000000..01cb265134d
--- /dev/null
+++ b/docs/queries/dockerfile-queries/562952e4-0348-4dea-9826-44f3a2c6117b.md
@@ -0,0 +1,46 @@
+---
+title: Zypper Install Without Version
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 562952e4-0348-4dea-9826-44f3a2c6117b
+- **Query name:** Zypper Install Without Version
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/zypper_install_without_version)
+
+### Description
+Not specifying the package version can cause failures due to unanticipated changes in required packages
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3"
+FROM opensuse/leap:15.2
+RUN zypper install -y httpd && zypper clean
+RUN ["zypper", "install", "http"]
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM opensuse/leap:15.2
+RUN zypper install -y httpd=2.4.46 && zypper clean
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
diff --git a/docs/queries/dockerfile-queries/5907595b-5b6d-4142-b173-dbb0e73fbff8.md b/docs/queries/dockerfile-queries/5907595b-5b6d-4142-b173-dbb0e73fbff8.md
new file mode 100644
index 00000000000..49cd6b9f84c
--- /dev/null
+++ b/docs/queries/dockerfile-queries/5907595b-5b6d-4142-b173-dbb0e73fbff8.md
@@ -0,0 +1,47 @@
+---
+title: Exposing Port 22 (SSH)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 5907595b-5b6d-4142-b173-dbb0e73fbff8
+- **Query name:** Exposing Port 22 (SSH)
+- **Platform:** Dockerfile
+- **Severity:** Low
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/exposing_port_22)
+
+### Description
+Expose only the ports that your application needs and avoid exposing ports like SSH (22)
+[Documentation](https://sysdig.com/blog/dockerfile-best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3"
+FROM gliderlabs/alpine:3.3
+RUN apk --no-cache add nginx
+EXPOSE 3000 80 443 22
+CMD ["nginx", "-g", "daemon off;"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM gliderlabs/alpine:3.3
+RUN apk --no-cache add nginx
+EXPOSE 80
+CMD ["nginx", "-g", "daemon off;"]
+
+```
diff --git a/docs/queries/dockerfile-queries/5fa731ea-e844-47a6-a1e8-abc25e95847e.md b/docs/queries/dockerfile-queries/5fa731ea-e844-47a6-a1e8-abc25e95847e.md
new file mode 100644
index 00000000000..15b641ece08
--- /dev/null
+++ b/docs/queries/dockerfile-queries/5fa731ea-e844-47a6-a1e8-abc25e95847e.md
@@ -0,0 +1,211 @@
+---
+title: Vulnerable OpenSSL Version
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 5fa731ea-e844-47a6-a1e8-abc25e95847e
+- **Query name:** Vulnerable OpenSSL Version
+- **Platform:** Dockerfile
+- **Severity:** High
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/vulnerable_openssl_version)
+
+### Description
+OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability
+[Documentation](https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="4"
+# basic example
+
+FROM ubuntu
+RUN wget -O- https://www.openssl.org/source/openssl-3.0.0.tar.gz
+
+```
+```dockerfile title="Postitive test num. 2 - dockerfile file" hl_lines="7"
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_VERSION=3.0.5
+
+RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
+
+```
+```dockerfile title="Postitive test num. 3 - dockerfile file" hl_lines="7"
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-3.0.4.tar.gz
+
+RUN curl ${OPENSSL_SRC}
+
+```
+
Postitive test num. 4 - dockerfile file
+
+```dockerfile hl_lines="11"
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL "https://www.openssl.org/source/openssl-3.0.3.tar.gz"
+
+RUN apk update \
+ && apk upgrade \
+ && apk add make gcc
+
+RUN yum -y install \
+ && yum clean all \
+ && wget ${OPENSSL3_URL}
+
+```
+
+
Postitive test num. 5 - dockerfile file
+
+```dockerfile hl_lines="11"
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL=https://www.openssl.org/source/openssl-3.0.2.tar.gz
+
+RUN apk update \
+ && apk upgrade \
+ && apk add make gcc
+
+RUN yum -y install \
+ && yum clean all \
+ && wget $OPENSSL3_URL
+
+```
+
+
Postitive test num. 6 - dockerfile file
+
+```dockerfile hl_lines="5"
+# simple usage
+
+FROM ubuntu
+
+RUN ["curl", "https://www.openssl.org/source/openssl-3.0.2.tar.gz"]
+
+```
+
+
Postitive test num. 7 - dockerfile file
+
+```dockerfile hl_lines="7"
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-3.0.2.tar.gz"
+
+RUN ["wget", "-O-", "${OPENSSL3_URL}"]
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+# basic example
+
+FROM ubuntu
+RUN wget -O- https://www.openssl.org/source/openssl-1.1.1h.tar.gz
+
+```
+```dockerfile title="Negative test num. 2 - dockerfile file"
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_VERSION=1.1.1h
+
+RUN curl https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz
+
+```
+```dockerfile title="Negative test num. 3 - dockerfile file"
+# example with args usage
+
+FROM ubuntu
+
+ARG OPENSSL_SRC=https://www.openssl.org/source/openssl-1.1.1h.tar.gz
+
+RUN curl ${OPENSSL_SRC}
+
+```
+
Negative test num. 4 - dockerfile file
+
+```dockerfile
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"
+
+RUN apk update \
+ && apk upgrade \
+ && apk add make gcc
+
+RUN yum -y install \
+ && yum clean all \
+ && wget ${OPENSSL3_URL}
+
+```
+
+
Negative test num. 5 - dockerfile file
+
+```dockerfile
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"
+
+RUN apk update \
+ && apk upgrade \
+ && apk add make gcc
+
+RUN yum -y install \
+ && yum clean all \
+ && wget ${OPENSSL3_URL}
+
+```
+
+
Negative test num. 6 - dockerfile file
+
+```dockerfile
+# simple usage
+
+FROM ubuntu
+
+RUN ["curl", "https://www.openssl.org/source/openssl-1.1.1h.tar.gz"]
+
+```
+
+
Negative test num. 7 - dockerfile file
+
+```dockerfile
+# example with envs usage
+
+FROM ubuntu
+
+ENV OPENSSL3_URL="https://www.openssl.org/source/openssl-1.1.1h.tar.gz"
+
+RUN ["curl", "${OPENSSL3_URL}"]
+
+```
+
diff --git a/docs/queries/dockerfile-queries/6452c424-1d92-4deb-bb18-a03e95d579c4.md b/docs/queries/dockerfile-queries/6452c424-1d92-4deb-bb18-a03e95d579c4.md
new file mode 100644
index 00000000000..bc887f7d8f6
--- /dev/null
+++ b/docs/queries/dockerfile-queries/6452c424-1d92-4deb-bb18-a03e95d579c4.md
@@ -0,0 +1,51 @@
+---
+title: Yum install Without Version
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6452c424-1d92-4deb-bb18-a03e95d579c4
+- **Query name:** Yum install Without Version
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/yum_install_without_version)
+
+### Description
+Not specifying the package version can cause failures due to unanticipated changes in required packages
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3"
+FROM opensuse/leap:15.2
+RUN yum install -y httpd && yum clean all
+RUN ["yum", "install", "httpd"]
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM opensuse/leap:15.2
+RUN yum install -y httpd-2.24.2 && yum clean all
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+
+FROM opensuse/leap:15.3
+ENV RETHINKDB_PACKAGE_VERSION 2.4.0~0trusty
+RUN yum install -y rethinkdb-$RETHINKDB_PACKAGE_VERSION && yum clean all
+
+```
diff --git a/docs/queries/dockerfile-queries/67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md b/docs/queries/dockerfile-queries/67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md
new file mode 100644
index 00000000000..e43f8181cbc
--- /dev/null
+++ b/docs/queries/dockerfile-queries/67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae.md
@@ -0,0 +1,44 @@
+---
+title: Last User Is 'root'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae
+- **Query name:** Last User Is 'root'
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/last_user_is_root)
+
+### Description
+Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges
+[Documentation](https://docs.docker.com/engine/reference/builder/#user)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+FROM alpine:2.6
+USER root
+RUN npm install
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:2.6
+USER root
+RUN npm install
+USER guest
+```
diff --git a/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md b/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md
new file mode 100644
index 00000000000..228e9f2669e
--- /dev/null
+++ b/docs/queries/dockerfile-queries/68a51e22-ae5a-4d48-8e87-b01a323605c9.md
@@ -0,0 +1,62 @@
+---
+title: Using Unnamed Build Stages
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 68a51e22-ae5a-4d48-8e87-b01a323605c9
+- **Query name:** Using Unnamed Build Stages
+- **Platform:** Dockerfile
+- **Severity:** Low
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/using_unnamed_build_stages)
+
+### Description
+ This query is used to ensure that build stages are named. This way even if the Dockerfile is re-ordered, the COPY instruction doesn’t break.
+[Documentation](https://docs.docker.com/develop/develop-images/multistage-build/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="10"
+FROM golang:1.16
+WORKDIR /go/src/github.com/alexellis/href-counter/
+RUN go get -d -v golang.org/x/net/html
+COPY app.go ./
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+FROM alpine:latest
+RUN apk --no-cache add ca-certificates
+WORKDIR /root/
+COPY --from=0 /go/src/github.com/alexellis/href-counter/app ./
+CMD ["./app"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM golang:1.7.3 AS builder
+WORKDIR /go/src/github.com/alexellis/href-counter/
+RUN go get -d -v golang.org/x/net/html
+COPY app.go .
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+# another dockerfile
+FROM alpine:latest
+RUN apk --no-cache add ca-certificates
+WORKDIR /root/
+COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
+CMD ["./app"]
+
+```
diff --git a/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md b/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md
new file mode 100644
index 00000000000..381b9879f06
--- /dev/null
+++ b/docs/queries/dockerfile-queries/6938958b-3f1a-451c-909b-baeee14bdc97.md
@@ -0,0 +1,62 @@
+---
+title: Multiple ENTRYPOINT Instructions Listed
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6938958b-3f1a-451c-909b-baeee14bdc97
+- **Query name:** Multiple ENTRYPOINT Instructions Listed
+- **Platform:** Dockerfile
+- **Severity:** High
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/multiple_entrypoint_instructions_listed)
+
+### Description
+There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect
+[Documentation](https://docs.docker.com/engine/reference/builder/#entrypoint)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="11"
+FROM golang:1.7.3
+WORKDIR /go/src/github.com/alexellis/href-counter/
+RUN go get -d -v golang.org/x/net/html
+COPY app.go .
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+FROM alpine:latest
+RUN apk --no-cache add ca-certificates
+WORKDIR /root/
+COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
+ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM golang:1.7.3
+WORKDIR /go/src/github.com/alexellis/href-counter/
+RUN go get -d -v golang.org/x/net/html
+COPY app.go .
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
+
+FROM alpine:latest
+RUN apk --no-cache add ca-certificates
+WORKDIR /root/
+COPY --from=0 /go/src/github.com/alexellis/href-counter/app .
+ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
+```
diff --git a/docs/queries/dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4.md b/docs/queries/dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4.md
new file mode 100644
index 00000000000..07e063fc0e9
--- /dev/null
+++ b/docs/queries/dockerfile-queries/6b376af8-cfe8-49ab-a08d-f32de23661a4.md
@@ -0,0 +1,66 @@
+---
+title: WORKDIR Path Not Absolute
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6b376af8-cfe8-49ab-a08d-f32de23661a4
+- **Query name:** WORKDIR Path Not Absolute
+- **Platform:** Dockerfile
+- **Severity:** High
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/workdir_path_not_absolute)
+
+### Description
+For clarity and reliability, you should always use absolute paths for your WORKDIR
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="5"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+WORKDIR /path/to/workdir
+WORKDIR workdir
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+WORKDIR /path/to/workdir
+WORKDIR "/path/to/workdir"
+WORKDIR /
+WORKDIR c:\\windows
+ENV DIRPATH=/path
+ENV GLASSFISH_ARCHIVE glassfish5
+WORKDIR $DIRPATH/$DIRNAME
+WORKDIR ${GLASSFISH_HOME}/bin
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
diff --git a/docs/queries/dockerfile-queries/6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md b/docs/queries/dockerfile-queries/6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md
new file mode 100644
index 00000000000..e7cf83d96e5
--- /dev/null
+++ b/docs/queries/dockerfile-queries/6db6e0c2-32a3-4a2e-93b5-72c35f4119db.md
@@ -0,0 +1,48 @@
+---
+title: Copy With More Than Two Arguments Not Ending With Slash
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6db6e0c2-32a3-4a2e-93b5-72c35f4119db
+- **Query name:** Copy With More Than Two Arguments Not Ending With Slash
+- **Platform:** Dockerfile
+- **Severity:** High
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/copy_with_more_than_two_arguments_not_ending_with_slash)
+
+### Description
+When a COPY command has more than two arguments, the last one should end with a slash
+[Documentation](https://docs.docker.com/engine/reference/builder/#copy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+FROM node:carbon2
+COPY package.json yarn.lock my_app
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM node:carbon
+COPY package.json yarn.lock my_app/
+
+```
+```dockerfile title="Negative test num. 2 - dockerfile file"
+FROM node:carbon1
+COPY package.json yarn.lock
+
+```
diff --git a/docs/queries/dockerfile-queries/6e19193a-8753-436d-8a09-76dcff91bb03.md b/docs/queries/dockerfile-queries/6e19193a-8753-436d-8a09-76dcff91bb03.md
new file mode 100644
index 00000000000..bdf7c2bfa24
--- /dev/null
+++ b/docs/queries/dockerfile-queries/6e19193a-8753-436d-8a09-76dcff91bb03.md
@@ -0,0 +1,57 @@
+---
+title: Yum Install Allows Manual Input
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6e19193a-8753-436d-8a09-76dcff91bb03
+- **Query name:** Yum Install Allows Manual Input
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/yum_install_allows_manual_input)
+
+### Description
+Need to use -y to avoid manual input 'yum install -y '
+[Documentation](https://docs.docker.com/engine/reference/builder/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3 4"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install bundler
+RUN ["sudo yum", "install", "bundler"]
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+```
diff --git a/docs/queries/dockerfile-queries/71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md b/docs/queries/dockerfile-queries/71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md
new file mode 100644
index 00000000000..c91c79ca523
--- /dev/null
+++ b/docs/queries/dockerfile-queries/71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e.md
@@ -0,0 +1,45 @@
+---
+title: UNIX Ports Out Of Range
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e
+- **Query name:** UNIX Ports Out Of Range
+- **Platform:** Dockerfile
+- **Severity:** High
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/unix_ports_out_of_range)
+
+### Description
+Exposing UNIX ports out of range from 0 to 65535
+[Documentation](https://docs.docker.com/engine/reference/builder/#expose)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3"
+FROM gliderlabs/alpine:3.3
+RUN apk --no-cache add nginx
+EXPOSE 65536/tcp 80 443 22
+CMD ["nginx", "-g", "daemon off;"]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM gliderlabs/alpine:3.3
+RUN apk --no-cache add nginx
+EXPOSE 3000 80 443 22
+CMD ["nginx", "-g", "daemon off;"]
+```
diff --git a/docs/queries/dockerfile-queries/7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md b/docs/queries/dockerfile-queries/7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md
new file mode 100644
index 00000000000..2f89160b936
--- /dev/null
+++ b/docs/queries/dockerfile-queries/7384dfb2-fcd1-4fbf-91cd-6c44c318c33c.md
@@ -0,0 +1,45 @@
+---
+title: APT-GET Not Avoiding Additional Packages
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 7384dfb2-fcd1-4fbf-91cd-6c44c318c33c
+- **Query name:** APT-GET Not Avoiding Additional Packages
+- **Platform:** Dockerfile
+- **Severity:** Info
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_not_avoiding_additional_packages)
+
+### Description
+Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages.
+[Documentation](https://docs.docker.com/engine/reference/builder/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3"
+FROM node:12
+RUN apt-get install apt-utils
+RUN ["apt-get", "install", "apt-utils"]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM node:12
+RUN apt-get --no-install-recommends install apt-utils
+RUN ["apt-get", "apt::install-recommends=false", "install", "apt-utils"]
+
+
+```
diff --git a/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md
new file mode 100644
index 00000000000..8f5a77edd63
--- /dev/null
+++ b/docs/queries/dockerfile-queries/77783205-c4ca-4f80-bb80-c777f267c547.md
@@ -0,0 +1,66 @@
+---
+title: APT-GET Missing '-y' To Avoid Manual Input
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 77783205-c4ca-4f80-bb80-c777f267c547
+- **Query name:** APT-GET Missing '-y' To Avoid Manual Input
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_missing_yes_flag_to_avoid_manual_input)
+
+### Description
+Check if apt-get calls use the flag -y to avoid user manual input.
+[Documentation](https://docs.docker.com/engine/reference/builder/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3 4"
+FROM node:12
+RUN apt-get install python=2.7
+RUN apt-get install apt-utils
+RUN ["apt-get", "install", "apt-utils"]
+
+```
+```dockerfile title="Postitive test num. 2 - dockerfile file" hl_lines="2 3 4"
+FROM node:12
+RUN sudo apt-get install python=2.7
+RUN sudo apt-get install apt-utils
+RUN ["sudo", "apt-get", "install", "apt-utils"]
+
+```
+```dockerfile title="Postitive test num. 3 - dockerfile file" hl_lines="2"
+FROM node:12
+RUN DUMMY=test apt-get install python=2.7
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM node:12
+RUN apt-get -y install apt-utils
+RUN apt-get -qy install git gcc
+RUN ["apt-get", "-y", "install", "apt-utils"]
+
+```
+```dockerfile title="Negative test num. 2 - dockerfile file"
+FROM node:12
+RUN sudo apt-get -y install apt-utils
+RUN sudo apt-get -qy install git gcc
+RUN ["sudo", "apt-get", "-y", "install", "apt-utils"]
+
+```
diff --git a/docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md b/docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md
new file mode 100644
index 00000000000..6a3b740c316
--- /dev/null
+++ b/docs/queries/dockerfile-queries/7ebd323c-31b7-4e5b-b26f-de5e9e477af8.md
@@ -0,0 +1,53 @@
+---
+title: Missing Flag From Dnf Install
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 7ebd323c-31b7-4e5b-b26f-de5e9e477af8
+- **Query name:** Missing Flag From Dnf Install
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/missing_flag_from_dnf_install)
+
+### Description
+The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input.
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 10"
+FROM fedora:27
+RUN set -uex && \
+ dnf config-manager --set-enabled docker-ce-test && \
+ dnf install docker-ce && \
+ dnf clean all
+
+FROM fedora:28
+RUN set -uex
+RUN dnf config-manager --set-enabled docker-ce-test
+RUN dnf in docker-ce
+RUN dnf clean all
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM fedora:27
+RUN set -uex && \
+ dnf config-manager --set-enabled docker-ce-test && \
+ dnf install -y docker-ce && \
+ dnf clean all
+```
diff --git a/docs/queries/dockerfile-queries/8a301064-c291-4b20-adcb-403fe7fd95fd.md b/docs/queries/dockerfile-queries/8a301064-c291-4b20-adcb-403fe7fd95fd.md
new file mode 100644
index 00000000000..064f3327123
--- /dev/null
+++ b/docs/queries/dockerfile-queries/8a301064-c291-4b20-adcb-403fe7fd95fd.md
@@ -0,0 +1,120 @@
+---
+title: Changing Default Shell Using RUN Command
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8a301064-c291-4b20-adcb-403fe7fd95fd
+- **Query name:** Changing Default Shell Using RUN Command
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/changing_default_shell_using_run_command)
+
+### Description
+Using the command RUN to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense since Docker provides the SHELL command for this exact purpose.
+[Documentation](https://docs.docker.com/engine/reference/builder/#shell)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="5"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+RUN ln -sfv /bin/bash /bin/sh
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
+```dockerfile title="Postitive test num. 2 - dockerfile file" hl_lines="5"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+RUN powershell -command
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+SHELL ["/bin/bash", "-c"]
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
+```dockerfile title="Negative test num. 2 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+SHELL ["cmd", "/S", "/C"]
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
+```dockerfile title="Negative test num. 3 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+SHELL ["powershell", "-command"]
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
+
Negative test num. 4 - dockerfile file
+
+```dockerfile
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install -y bundler
+RUN yum install
+SHELL ["/bin/sh", "-c"]
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
+
diff --git a/docs/queries/dockerfile-queries/8ada6e80-0ade-439e-b176-0b28f6bce35a.md b/docs/queries/dockerfile-queries/8ada6e80-0ade-439e-b176-0b28f6bce35a.md
new file mode 100644
index 00000000000..1efebeb3184
--- /dev/null
+++ b/docs/queries/dockerfile-queries/8ada6e80-0ade-439e-b176-0b28f6bce35a.md
@@ -0,0 +1,57 @@
+---
+title: Run Using Sudo
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8ada6e80-0ade-439e-b176-0b28f6bce35a
+- **Query name:** Run Using Sudo
+- **Platform:** Dockerfile
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/run_using_sudo)
+
+### Description
+Avoid RUN with sudo command as it leads to unpredictable behavior
+[Documentation](https://docs.docker.com/engine/reference/builder/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="3"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+RUN apt-get install sudo
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
diff --git a/docs/queries/dockerfile-queries/93d88cf7-f078-46a8-8ddc-178e03aeacf1.md b/docs/queries/dockerfile-queries/93d88cf7-f078-46a8-8ddc-178e03aeacf1.md
new file mode 100644
index 00000000000..5df72135cee
--- /dev/null
+++ b/docs/queries/dockerfile-queries/93d88cf7-f078-46a8-8ddc-178e03aeacf1.md
@@ -0,0 +1,51 @@
+---
+title: Missing Version Specification In dnf install
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 93d88cf7-f078-46a8-8ddc-178e03aeacf1
+- **Query name:** Missing Version Specification In dnf install
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/missing_version_specification_in_dnf_install)
+
+### Description
+Specifying a package version allows to reduce failures due to unanticipated changes in required packages.
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3"
+FROM fedora:latest
+RUN dnf -y update && dnf -y install httpd && dnf clean all
+RUN ["dnf", "install", "httpd"]
+COPY index.html /var/www/html/index.html
+EXPOSE 80
+ENTRYPOINT /usr/sbin/httpd -DFOREGROUND
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM fedora:latest
+RUN dnf -y update && dnf -y install httpd-2.24.2 && dnf clean all
+RUN ["dnf", "install", "httpd-2.24.2"]
+COPY index.html /var/www/html/index.html
+EXPOSE 80
+ENTRYPOINT /usr/sbin/httpd -DFOREGROUND
+
+```
diff --git a/docs/queries/dockerfile-queries/9513a694-aa0d-41d8-be61-3271e056f36b.md b/docs/queries/dockerfile-queries/9513a694-aa0d-41d8-be61-3271e056f36b.md
new file mode 100644
index 00000000000..1b200caed1e
--- /dev/null
+++ b/docs/queries/dockerfile-queries/9513a694-aa0d-41d8-be61-3271e056f36b.md
@@ -0,0 +1,58 @@
+---
+title: Add Instead of Copy
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 9513a694-aa0d-41d8-be61-3271e056f36b
+- **Query name:** Add Instead of Copy
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/add_instead_of_copy)
+
+### Description
+Using ADD to load external installation scripts could lead to an evil web server leveraging this and loading a malicious script.
+[Documentation](https://docs.docker.com/engine/reference/builder/#add)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="8"
+FROM openjdk:10-jdk
+VOLUME /tmp
+ADD http://source.file/package.file.tar.gz /temp
+RUN tar -xjf /temp/package.file.tar.gz \
+ && make -C /tmp/package.file \
+ && rm /tmp/ package.file.tar.gz
+ARG JAR_FILE
+ADD ${JAR_FILE} app.jar
+ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM openjdk:10-jdk
+VOLUME /tmp
+ARG JAR_FILE
+COPY ${JAR_FILE} app.jar
+ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]
+ADD http://source.file/package.file.tar.gz /temp
+RUN tar -xjf /temp/package.file.tar.gz \
+ && make -C /tmp/package.file \
+ && rm /tmp/ package.file.tar.gz
+# trigger validation
+
+```
diff --git a/docs/queries/dockerfile-queries/965a08d7-ef86-4f14-8792-4a3b2098937e.md b/docs/queries/dockerfile-queries/965a08d7-ef86-4f14-8792-4a3b2098937e.md
new file mode 100644
index 00000000000..89ca05f19ea
--- /dev/null
+++ b/docs/queries/dockerfile-queries/965a08d7-ef86-4f14-8792-4a3b2098937e.md
@@ -0,0 +1,54 @@
+---
+title: Apt Get Install Pin Version Not Defined
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 965a08d7-ef86-4f14-8792-4a3b2098937e
+- **Query name:** Apt Get Install Pin Version Not Defined
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_install_pin_version_not_defined)
+
+### Description
+When installing a package, its pin version should be defined
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="9 2 3 6"
+FROM busybox
+RUN apt-get install python
+RUN ["apt-get", "install", "python"]
+
+FROM busybox2
+RUN apt-get install -y -t python
+
+FROM busybox3
+RUN apt-get update && apt-get install -y \
+ python-qt4 \
+ python-pyside \
+ python-pip \
+ python3-pip \
+ python3-pyqt5
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM busybox
+RUN apt-get install python=2.7
+```
diff --git a/docs/queries/dockerfile-queries/99614418-f82b-4852-a9ae-5051402b741c.md b/docs/queries/dockerfile-queries/99614418-f82b-4852-a9ae-5051402b741c.md
new file mode 100644
index 00000000000..570a2c99b52
--- /dev/null
+++ b/docs/queries/dockerfile-queries/99614418-f82b-4852-a9ae-5051402b741c.md
@@ -0,0 +1,57 @@
+---
+title: MAINTAINER Instruction Being Used
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 99614418-f82b-4852-a9ae-5051402b741c
+- **Query name:** MAINTAINER Instruction Being Used
+- **Platform:** Dockerfile
+- **Severity:** Low
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/maintainer_instruction_being_used)
+
+### Description
+The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily
+[Documentation](https://docs.docker.com/engine/reference/builder/#maintainer-deprecated)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="4"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+MAINTAINER "SvenDowideit@home.org.au"
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+LABEL maintainer="SvenDowideit@home.org.au"
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+```
diff --git a/docs/queries/dockerfile-queries/9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md b/docs/queries/dockerfile-queries/9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md
new file mode 100644
index 00000000000..cb671453045
--- /dev/null
+++ b/docs/queries/dockerfile-queries/9b6b0f38-92a2-41f9-b881-3a1083d99f1b.md
@@ -0,0 +1,53 @@
+---
+title: Run Utilities And POSIX Commands
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 9b6b0f38-92a2-41f9-b881-3a1083d99f1b
+- **Query name:** Run Utilities And POSIX Commands
+- **Platform:** Dockerfile
+- **Severity:** Info
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/run_utilities_and_posix_commands)
+
+### Description
+Some POSIX commands and interactive utilities shouldn't run inside a Docker Container
+[Documentation](https://docs.docker.com/engine/reference/builder/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="4 5"
+FROM golang:1.12.0-stretch
+WORKDIR /go
+COPY . /go
+RUN top
+RUN ["ps", "-d"]
+CMD ["go", "run", "main.go"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM ubuntu
+RUN apt-get update && apt-get install -y x11vnc xvfb firefox
+RUN mkdir ~/.vnc
+RUN x11vnc -storepasswd 1234 ~/.vnc/passwd
+RUN bash -c 'echo "firefox" >> /.bashrc'
+RUN apt-get install nano vim
+EXPOSE 5900
+CMD ["x11vnc", "-forever", "-usepw", "-create"]
+
+```
diff --git a/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md b/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md
new file mode 100644
index 00000000000..4b09e390d3d
--- /dev/null
+++ b/docs/queries/dockerfile-queries/9bae49be-0aa3-4de5-bab2-4c3a069e40cd.md
@@ -0,0 +1,53 @@
+---
+title: Update Instruction Alone
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 9bae49be-0aa3-4de5-bab2-4c3a069e40cd
+- **Query name:** Update Instruction Alone
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/update_instruction_alone)
+
+### Description
+Instruction 'RUN update' should always be followed by ' install' in the same RUN statement
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 5"
+FROM ubuntu:18.04
+RUN apt-get update
+RUN apt-get install -y --no-install-recommends mysql-client \
+ && rm -rf /var/lib/apt/lists/*
+RUN apk update
+ENTRYPOINT ["mysql"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM ubuntu:18.04
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends mysql-client \
+ && rm -rf /var/lib/apt/lists/*
+RUN apk update \
+ && apk add --no-cache git ca-certificates
+RUN apk --update add easy-rsa
+ENTRYPOINT ["mysql"]
+
+```
diff --git a/docs/queries/dockerfile-queries/9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md b/docs/queries/dockerfile-queries/9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md
new file mode 100644
index 00000000000..967c0b3a30b
--- /dev/null
+++ b/docs/queries/dockerfile-queries/9efb0b2d-89c9-41a3-91ca-dcc0aec911fd.md
@@ -0,0 +1,58 @@
+---
+title: Image Version Not Explicit
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd
+- **Query name:** Image Version Not Explicit
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/image_version_not_explicit)
+
+### Description
+Always tag the version of an image explicitly
+[Documentation](https://docs.docker.com/engine/reference/builder/#from)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="1"
+FROM alpine
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+ARG IMAGE=alpine:3.12
+FROM $IMAGE
+CMD ["python", "/usr/src/app/app.py"]
+
+```
diff --git a/docs/queries/dockerfile-queries/aa93e17f-b6db-4162-9334-c70334e7ac28.md b/docs/queries/dockerfile-queries/aa93e17f-b6db-4162-9334-c70334e7ac28.md
new file mode 100644
index 00000000000..688a7de0ab8
--- /dev/null
+++ b/docs/queries/dockerfile-queries/aa93e17f-b6db-4162-9334-c70334e7ac28.md
@@ -0,0 +1,53 @@
+---
+title: Chown Flag Exists
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** aa93e17f-b6db-4162-9334-c70334e7ac28
+- **Query name:** Chown Flag Exists
+- **Platform:** Dockerfile
+- **Severity:** Low
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/chown_flag_exists)
+
+### Description
+It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only execution permissions are required on the file, not ownership
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="4"
+FROM python:3.7
+RUN pip install Flask==0.11.1
+RUN useradd -ms /bin/bash patrick
+COPY --chown=patrick:patrick app /app
+WORKDIR /app
+USER patrick
+CMD ["python", "app.py"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM python:3.7
+RUN pip install Flask==0.11.1
+RUN useradd -ms /bin/bash patrick
+COPY app /app
+WORKDIR /app
+USER patrick
+CMD ["python", "app.py"]
+
+```
diff --git a/docs/queries/dockerfile-queries/ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md b/docs/queries/dockerfile-queries/ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md
new file mode 100644
index 00000000000..a1b7877b7f9
--- /dev/null
+++ b/docs/queries/dockerfile-queries/ae9c56a6-3ed1-4ac0-9b54-31267f51151d.md
@@ -0,0 +1,51 @@
+---
+title: Apk Add Using Local Cache Path
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ae9c56a6-3ed1-4ac0-9b54-31267f51151d
+- **Query name:** Apk Add Using Local Cache Path
+- **Platform:** Dockerfile
+- **Severity:** Info
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apk_add_using_local_cache_path)
+
+### Description
+When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*'
+[Documentation](https://docs.docker.com/engine/reference/builder/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+FROM gliderlabs/alpine:3.3
+RUN apk add --update-cache python
+WORKDIR /app
+ONBUILD COPY . /app
+ONBUILD RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt
+EXPOSE 8080
+CMD ["/env/bin/python", "main.py"]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM gliderlabs/alpine:3.3
+RUN apk add --no-cache python
+WORKDIR /app
+ONBUILD COPY . /app
+ONBUILD RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt
+EXPOSE 8080
+CMD ["/env/bin/python", "main.py"]
+```
diff --git a/docs/queries/dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5.md b/docs/queries/dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5.md
new file mode 100644
index 00000000000..25d902724e8
--- /dev/null
+++ b/docs/queries/dockerfile-queries/b03a748a-542d-44f4-bb86-9199ab4fd2d5.md
@@ -0,0 +1,52 @@
+---
+title: Healthcheck Instruction Missing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b03a748a-542d-44f4-bb86-9199ab4fd2d5
+- **Query name:** Healthcheck Instruction Missing
+- **Platform:** Dockerfile
+- **Severity:** Low
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/healthcheck_instruction_missing)
+
+### Description
+Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
+[Documentation](https://docs.docker.com/engine/reference/builder/#healthcheck)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="1 7"
+FROM node:alpine
+WORKDIR /usr/src/app
+COPY package*.json ./
+RUN npm install
+COPY . .
+EXPOSE 3000
+CMD ["node","app.js"]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM node:alpine
+WORKDIR /usr/src/app
+COPY package*.json ./
+RUN npm install
+COPY . .
+EXPOSE 3000
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+CMD ["node","app.js"]
+```
diff --git a/docs/queries/dockerfile-queries/b16e8501-ef3c-44e1-a543-a093238099c9.md b/docs/queries/dockerfile-queries/b16e8501-ef3c-44e1-a543-a093238099c9.md
new file mode 100644
index 00000000000..d676e20e7d3
--- /dev/null
+++ b/docs/queries/dockerfile-queries/b16e8501-ef3c-44e1-a543-a093238099c9.md
@@ -0,0 +1,49 @@
+---
+title: Using Platform Flag with FROM Command
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b16e8501-ef3c-44e1-a543-a093238099c9
+- **Query name:** Using Platform Flag with FROM Command
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/using_platform_with_from)
+
+### Description
+Don't use '--platform' flag with FROM
+[Documentation](https://docs.docker.com/engine/reference/builder/#from)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="6"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+LABEL maintainer="SvenDowideit@home.org.au"
+COPY requirements.txt /usr/src/app/
+FROM --platform=arm64 baseimage
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+LABEL maintainer="SvenDowideit@home.org.au"
+COPY requirements.txt /usr/src/app/
+FROM baseimage
+```
diff --git a/docs/queries/dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md b/docs/queries/dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md
new file mode 100644
index 00000000000..6bde3215eb0
--- /dev/null
+++ b/docs/queries/dockerfile-queries/b84a0b47-2e99-4c9f-8933-98bcabe2b94d.md
@@ -0,0 +1,45 @@
+---
+title: Run Using apt
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b84a0b47-2e99-4c9f-8933-98bcabe2b94d
+- **Query name:** Run Using apt
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/run_using_apt)
+
+### Description
+apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+FROM busybox:1.0
+RUN apt install curl
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM busybox:1.0
+RUN apt-get install curl
+HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
+
+```
diff --git a/docs/queries/dockerfile-queries/b86987e1-6397-4619-81d5-8807f2387c79.md b/docs/queries/dockerfile-queries/b86987e1-6397-4619-81d5-8807f2387c79.md
new file mode 100644
index 00000000000..14e1442e78a
--- /dev/null
+++ b/docs/queries/dockerfile-queries/b86987e1-6397-4619-81d5-8807f2387c79.md
@@ -0,0 +1,59 @@
+---
+title: Not Using JSON In CMD And ENTRYPOINT Arguments
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b86987e1-6397-4619-81d5-8807f2387c79
+- **Query name:** Not Using JSON In CMD And ENTRYPOINT Arguments
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/not_using_json_in_cmd_and_entrypoint_arguments)
+
+### Description
+Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments
+[Documentation](https://docs.docker.com/engine/reference/builder/#entrypoint)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="10 11"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install bundler
+RUN yum install
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD [python, /usr/src/app/app.py]
+ENTRYPOINT [top, -b]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN sudo yum install bundler
+RUN yum install
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+ENTRYPOINT ["top", "-b"]
+```
diff --git a/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md b/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md
new file mode 100644
index 00000000000..26c11fd0f20
--- /dev/null
+++ b/docs/queries/dockerfile-queries/cdddb86f-95f6-4fc4-b5a1-483d9afceb2b.md
@@ -0,0 +1,53 @@
+---
+title: COPY '--from' References Current FROM Alias
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** cdddb86f-95f6-4fc4-b5a1-483d9afceb2b
+- **Query name:** COPY '--from' References Current FROM Alias
+- **Platform:** Dockerfile
+- **Severity:** High
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/copy_from_references_current_from_alias)
+
+### Description
+COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself
+[Documentation](https://docs.docker.com/develop/develop-images/multistage-build/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2"
+FROM myimage:tag as dep
+COPY --from=dep /binary /
+RUN dir c:\
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM golang:1.7.3 AS builder
+WORKDIR /go/src/github.com/alexellis/href-counter/
+RUN go get -d -v golang.org/x/net/html
+COPY app.go .
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
+
+# another dockerfile
+FROM alpine:latest
+RUN apk --no-cache add ca-certificates
+WORKDIR /root/
+COPY --from=builder /go/src/github.com/alexellis/href-counter/app .
+CMD ["./app"]
+
+```
diff --git a/docs/queries/dockerfile-queries/d3499f6d-1651-41bb-a9a7-de925fea487b.md b/docs/queries/dockerfile-queries/d3499f6d-1651-41bb-a9a7-de925fea487b.md
new file mode 100644
index 00000000000..20cebf222e5
--- /dev/null
+++ b/docs/queries/dockerfile-queries/d3499f6d-1651-41bb-a9a7-de925fea487b.md
@@ -0,0 +1,84 @@
+---
+title: Unpinned Package Version in Apk Add
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d3499f6d-1651-41bb-a9a7-de925fea487b
+- **Query name:** Unpinned Package Version in Apk Add
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/unpinned_package_version_in_apk_add)
+
+### Description
+Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 13 14 16 18"
+FROM alpine:3.9
+RUN apk add --update py-pip
+RUN sudo pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+ENV TEST="test"
+CMD ["python", "/usr/src/app/app.py"]
+
+FROM alpine:3.7
+RUN apk add py-pip && apk add tea
+RUN apk add py-pip \
+ && rm -rf /tmp/*
+RUN apk add --dir /dir libimagequant \
+ && minidlna
+RUN ["apk", "add", "py-pip"]
+RUN sudo pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.4
+RUN apk add --update py-pip=7.1.2-r0
+RUN sudo pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+FROM alpine:3.1
+RUN apk add py-pip=7.1.2-r0
+RUN ["apk", "add", "py-pip=7.1.2-r0"]
+RUN sudo pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+
+```
diff --git a/docs/queries/dockerfile-queries/df746b39-6564-4fed-bf85-e9c44382303c.md b/docs/queries/dockerfile-queries/df746b39-6564-4fed-bf85-e9c44382303c.md
new file mode 100644
index 00000000000..ea86f281404
--- /dev/null
+++ b/docs/queries/dockerfile-queries/df746b39-6564-4fed-bf85-e9c44382303c.md
@@ -0,0 +1,68 @@
+---
+title: Apt Get Install Lists Were Not Deleted
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** df746b39-6564-4fed-bf85-e9c44382303c
+- **Query name:** Apt Get Install Lists Were Not Deleted
+- **Platform:** Dockerfile
+- **Severity:** Info
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/apt_get_install_lists_were_not_deleted)
+
+### Description
+After using apt-get install, it is needed to delete apt-get lists
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="8 2 12 5"
+FROM busybox1
+RUN apt-get update && apt-get install --no-install-recommends -y python
+
+FROM busybox2
+RUN apt-get install python
+
+FROM busybox3
+RUN apt-get update && apt-get install --no-install-recommends -y python
+RUN rm -rf /var/lib/apt/lists/*
+
+FROM busybox4
+RUN apt-get update && apt-get install --no-install-recommends -y python
+RUN rm -rf /var/lib/apt/lists/*
+RUN apt-get clean
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM busyboxneg1
+RUN apt-get update && apt-get install --no-install-recommends -y python \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+FROM busyboxneg2
+RUN apt-get update && apt-get install --no-install-recommends -y python && apt-get clean
+
+FROM busyboxneg3
+RUN apt-get update && apt-get install --no-install-recommends -y python \
+ && apt-get clean
+
+FROM busyboxneg4
+RUN apt-get update && apt-get install --no-install-recommends -y python \
+ && rm -rf /var/lib/apt/lists/*
+
+```
diff --git a/docs/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5.md b/docs/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5.md
new file mode 100644
index 00000000000..00627ebf393
--- /dev/null
+++ b/docs/queries/dockerfile-queries/e36d8880-3f78-4546-b9a1-12f0745ca0d5.md
@@ -0,0 +1,55 @@
+---
+title: NPM Install Command Without Pinned Version
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e36d8880-3f78-4546-b9a1-12f0745ca0d5
+- **Query name:** NPM Install Command Without Pinned Version
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/npm_install_without_pinned_version)
+
+### Description
+Check if packages installed by npm are pinning a specific version.
+[Documentation](https://docs.docker.com/engine/reference/builder/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3 4 5 6 7 8"
+FROM node:12
+RUN npm install sax
+RUN npm install sax --no-cache
+RUN npm install sax | grep fail && npm install sax@latest
+RUN npm install sax@latest | grep fail && npm install sax
+RUN npm install sax | grep fail && npm install sax
+RUN npm i -g @angular/cli
+RUN ["npm","add","sax"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM node:12
+RUN npm install
+RUN npm install sax@latest
+RUN npm install sax@0.1.1
+RUN npm install sax@0.1.1 | grep fail && npm install sax@latest
+RUN npm install git://github.com/npm/cli.git
+RUN npm install git+ssh://git@github.com:npm/cli#semver:^5.0
+RUN npm install --production --no-cache
+
+```
diff --git a/docs/queries/dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md b/docs/queries/dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md
new file mode 100644
index 00000000000..786aa9e9dd9
--- /dev/null
+++ b/docs/queries/dockerfile-queries/efbf148a-67e9-42d2-ac47-02fa1c0d0b22.md
@@ -0,0 +1,48 @@
+---
+title: Shell Running A Pipe Without Pipefail Flag
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** efbf148a-67e9-42d2-ac47-02fa1c0d0b22
+- **Query name:** Shell Running A Pipe Without Pipefail Flag
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Insecure Defaults
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/shell_running_a_pipe_without_pipefail_flag)
+
+### Description
+Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o).
+[Documentation](https://docs.docker.com/engine/reference/builder/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 3"
+FROM node:12
+RUN zsh ./some_output | ./some_script
+RUN [ "/bin/bash", "./some_output", "|", "./some_script" ]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM node:12
+RUN pwsh SOME_CMD | SOME_OTHER_CMD
+SHELL [ "zsh", "-o","pipefail" ]
+RUN zsh ./some_output | ./some_script
+SHELL [ "/bin/bash", "-o","pipefail" ]
+RUN [ "/bin/bash", "./some_output", "./some_script" ]
+
+
+```
diff --git a/docs/queries/dockerfile-queries/f2daed12-c802-49cd-afed-fe41d0b82fed.md b/docs/queries/dockerfile-queries/f2daed12-c802-49cd-afed-fe41d0b82fed.md
new file mode 100644
index 00000000000..4bd51c987be
--- /dev/null
+++ b/docs/queries/dockerfile-queries/f2daed12-c802-49cd-afed-fe41d0b82fed.md
@@ -0,0 +1,52 @@
+---
+title: Same Alias In Different Froms
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f2daed12-c802-49cd-afed-fe41d0b82fed
+- **Query name:** Same Alias In Different Froms
+- **Platform:** Dockerfile
+- **Severity:** High
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/same_alias_in_different_froms)
+
+### Description
+Different FROMS cant have the same alias defined
+[Documentation](https://docs.docker.com/develop/develop-images/multistage-build/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="4"
+FROM baseImage
+RUN Test
+
+FROM debian:jesse2 as build
+RUN stuff
+
+FROM debian:jesse1 as build
+RUN more_stuff
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM debian:jesse1 as build
+RUN stuff
+
+FROM debian:jesse1 as another-alias
+RUN more_stuff
+
+```
diff --git a/docs/queries/dockerfile-queries/f2f903fb-b977-461e-98d7-b3e2185c6118.md b/docs/queries/dockerfile-queries/f2f903fb-b977-461e-98d7-b3e2185c6118.md
new file mode 100644
index 00000000000..a999cacd00c
--- /dev/null
+++ b/docs/queries/dockerfile-queries/f2f903fb-b977-461e-98d7-b3e2185c6118.md
@@ -0,0 +1,58 @@
+---
+title: Pip install Keeping Cached Packages
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f2f903fb-b977-461e-98d7-b3e2185c6118
+- **Query name:** Pip install Keeping Cached Packages
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/pip_install_keeping_cached_packages)
+
+### Description
+When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="2 8 9 10 11"
+FROM python:3
+RUN pip install --upgrade pip && \
+ pip install nibabel pydicom matplotlib pillow && \
+ pip install med2image
+CMD ["cat", "/etc/os-release"]
+
+FROM python:3.1
+RUN pip install --upgrade pip
+RUN python -m pip install nibabel pydicom matplotlib pillow
+RUN pip3 install requests=2.7.0
+RUN ["pip3", "install", "requests=2.7.0"]
+CMD ["cat", "/etc/os-release"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM python:3
+RUN pip install --no-cache-dir --upgrade pip && \
+ pip install --no-cache-dir nibabel pydicom matplotlib pillow && \
+ pip install --no-cache-dir med2image
+RUN pip3 install --no-cache-dir requests=2.7.0
+RUN ["pip3", "install", "requests=2.7.0", "--no-cache-dir"]
+CMD ["cat", "/etc/os-release"]
+
+```
diff --git a/docs/queries/dockerfile-queries/f45ea400-6bbe-4501-9fc7-1c3d75c32067.md b/docs/queries/dockerfile-queries/f45ea400-6bbe-4501-9fc7-1c3d75c32067.md
new file mode 100644
index 00000000000..566d5d85cfe
--- /dev/null
+++ b/docs/queries/dockerfile-queries/f45ea400-6bbe-4501-9fc7-1c3d75c32067.md
@@ -0,0 +1,55 @@
+---
+title: Image Version Using 'latest'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f45ea400-6bbe-4501-9fc7-1c3d75c32067
+- **Query name:** Image Version Using 'latest'
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/image_version_using_latest)
+
+### Description
+When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag
+[Documentation](https://docs.docker.com/develop/dev-best-practices/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="1"
+FROM alpine:latest
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM alpine:3.5
+RUN apk add --update py2-pip
+RUN pip install --upgrade pip
+COPY requirements.txt /usr/src/app/
+RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
+COPY app.py /usr/src/app/
+COPY templates/index.html /usr/src/app/templates/
+EXPOSE 5000
+CMD ["python", "/usr/src/app/app.py"]
+```
diff --git a/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md b/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md
new file mode 100644
index 00000000000..5af45e9e53d
--- /dev/null
+++ b/docs/queries/dockerfile-queries/f4a6bcd3-e231-4acf-993c-aa027be50d2e.md
@@ -0,0 +1,60 @@
+---
+title: RUN Instruction Using 'cd' Instead of WORKDIR
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f4a6bcd3-e231-4acf-993c-aa027be50d2e
+- **Query name:** RUN Instruction Using 'cd' Instead of WORKDIR
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/run_command_cd_instead_of_workdir)
+
+### Description
+When using RUN command 'cd' should only be used for full path. For relative path make use of WORKDIR command instead.
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="9 3 15"
+FROM nginx
+ENV AUTHOR=Docker
+RUN cd /../share/nginx/html
+COPY Hello_docker.html /usr/share/nginx/html
+CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+
+FROM nginx
+ENV AUTHOR=Docker
+RUN cd ../share/nginx/html
+COPY Hello_docker.html /usr/share/nginx/html
+CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+
+FROM nginx
+ENV AUTHOR=Docker
+RUN cd /usr/../share/nginx/html
+COPY Hello_docker.html /usr/share/nginx/html
+CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM nginx
+ENV AUTHOR=Docker
+WORKDIR /usr/share/nginx/html
+COPY Hello_docker.html /usr/share/nginx/html
+CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
+```
diff --git a/docs/queries/dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359.md b/docs/queries/dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359.md
new file mode 100644
index 00000000000..450f2bb0f56
--- /dev/null
+++ b/docs/queries/dockerfile-queries/fc775e75-fcfb-4c98-b2f2-910c5858b359.md
@@ -0,0 +1,51 @@
+---
+title: Run Using 'wget' and 'curl'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** fc775e75-fcfb-4c98-b2f2-910c5858b359
+- **Query name:** Run Using 'wget' and 'curl'
+- **Platform:** Dockerfile
+- **Severity:** Medium
+- **Category:** Supply-Chain
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/run_using_wget_and_curl)
+
+### Description
+Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect
+[Documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="8 3 7"
+FROM debian
+RUN wget http://google.com
+RUN curl http://bing.com
+
+FROM baseImage
+RUN wget http://test.com
+RUN curl http://bing.com
+RUN ["curl", "http://bing.com"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM debian
+RUN curl http://google.com
+RUN curl http://bing.com
+RUN ["curl", "http://bing.com"]
+
+```
diff --git a/docs/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f.md b/docs/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f.md
new file mode 100644
index 00000000000..8958ccc1456
--- /dev/null
+++ b/docs/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f.md
@@ -0,0 +1,59 @@
+---
+title: Missing User Instruction
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** fd54f200-402c-4333-a5a4-36ef6709af2f
+- **Query name:** Missing User Instruction
+- **Platform:** Dockerfile
+- **Severity:** High
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/dockerfile/missing_user_instruction)
+
+### Description
+A user should be specified in the dockerfile, otherwise the image will run as root
+[Documentation](https://docs.docker.com/engine/reference/builder/#user)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```dockerfile title="Postitive test num. 1 - dockerfile file" hl_lines="1 7"
+FROM python:2.7
+RUN pip install Flask==0.11.1
+RUN useradd -ms /bin/bash patrick
+COPY --chown=patrick:patrick app /app
+WORKDIR /app
+CMD ["python", "app.py"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```dockerfile title="Negative test num. 1 - dockerfile file"
+FROM python:2.7
+RUN pip install Flask==0.11.1
+RUN useradd -ms /bin/bash patrick
+COPY --chown=patrick:patrick app /app
+WORKDIR /app
+USER patrick
+CMD ["python", "app.py"]
+
+FROM scratch
+RUN pip install Flask==0.11.1
+RUN useradd -ms /bin/bash patrick
+COPY --chown=patrick:patrick app /app
+WORKDIR /app
+CMD ["python", "app.py"]
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries.md b/docs/queries/googledeploymentmanager-queries.md
index 8ed026943c2..2526ee1545a 100644
--- a/docs/queries/googledeploymentmanager-queries.md
+++ b/docs/queries/googledeploymentmanager-queries.md
@@ -8,9 +8,9 @@ Bellow are listed queries related with GoogleDeploymentManager GCP_BOM:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| +|BOM - GCP PD
268c65a8-58ad-43e4-9019-1a9bbc56749f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP SB
c7781feb-a955-4f9f-b9cf-0d7c6f54bb59|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP PST
9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
|
 ### GCP
 Bellow are listed queries related with GoogleDeploymentManager GCP:
@@ -19,35 +19,35 @@ Bellow are listed queries related with GoogleDeploymentManager GCP:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm|Documentation
| -|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined|Documentation
| -|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On|Documentation
| -|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.|Documentation
| -|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false|Documentation
| -|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty|Documentation
| -|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.|Documentation
| -|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.|Documentation
| -|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true|Documentation
| -|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet.|Documentation
| -|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters|Documentation
| -|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'|Documentation
| -|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'|Documentation
| -|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true|Documentation
| -|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined|Documentation
| -|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true|Documentation
| -|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled|Documentation
| -|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true|Documentation
| -|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
|
+|BigQuery Dataset Is Public
83103dff-d57f-42a8-bd81-40abab64c1a7|High|Access Control|BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers' (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
63ae3638-a38c-4ff4-b616-6e1f72a31a6a|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
660360d3-9ca7-46d1-b147-3acc4002953f|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|DNSSEC Using RSASHA1
6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35|High|Encryption|DNSSEC should not use the RSASHA1 algorithm (read more)|Documentation
| +|Cluster Labels Disabled
8810968b-4b15-421d-918b-d91eb4bb8d1d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined (read more)|Documentation
| +|MySQL Instance With Local Infile On
c759d6f2-4dd3-4160-82d3-89202ef10d87|High|Insecure Configurations|MySQL Instance should not have Local Infile On (read more)|Documentation
| +|GKE Legacy Authorization Enabled
df58d46c-783b-43e0-bdd0-d99164f712ee|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false. (read more)|Documentation
| +|Not Proper Email Account In Use
a21b8df3-c840-4b3d-a41a-10fb2afda171|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|Network Policy Disabled
c47f90e8-4a19-43f0-8413-cc434d286c4e|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false (read more)|Documentation
| +|Cluster Master Authentication Disabled
7ef7d141-9fbb-4679-a977-fd0883436906|High|Insecure Configurations|Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty (read more)|Documentation
| +|Private Cluster Disabled
48c61fbd-09c9-46cc-a521-012e0c325412|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true. (read more)|Documentation
| +|IP Aliasing Disabled
28727987-e398-49b8-aef1-8a3e7789d111|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'. (read more)|Documentation
| +|Client Certificate Disabled
dd690686-2bf9-4012-a821-f61912dd77be|High|Insecure Configurations|Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true (read more)|Documentation
| +|Compute Instance Is Publicly Accessible
8212e2d7-e683-49bc-bf78-d6799075c5a7|High|Networking and Firewall|Compute instances shouldn't be accessible from the Internet. (read more)|Documentation
| +|GKE Master Authorized Networks Disabled
62c8cf50-87f0-4295-a974-8184ed78fe02|High|Networking and Firewall|Master authorized networks must be enabled in GKE clusters (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
ad0875c1-0b39-4890-9149-173158ba3bba|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
bbfc97ab-e92a-4a7b-954c-e88cec815011|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none' (read more)|Documentation
| +|Stackdriver Logging Disabled
95601b9a-7fe8-4aee-9b58-d36fd9382dfc|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none' (read more)|Documentation
| +|Node Auto Upgrade Disabled
dc5c5fee-6c53-43b0-ab11-4c660e064aaf|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true (read more)|Documentation
| +|Disk Encryption Disabled
fc040fb6-4c23-4c0d-b12a-39edac35debb|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined (read more)|Documentation
| +|Cloud DNS Without DNSSEC
313d6deb-3b67-4948-b41d-35b699c2492e|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|COS Node Image Not Used
dbe058d7-b82e-430b-8426-992b2e4677e7|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
9038b526-4c19-4928-bca2-c03d503bdb79|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
1239f54b-33de-482a-8132-faebe288e6a6|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|OSLogin Is Disabled In VM Instance
e66e1b71-c810-4b4e-a737-0ab59e7f5e41|Medium|Insecure Configurations|VM instance should have OSLogin enabled (read more)|Documentation
| +|RDP Access Is Not Restricted
50cb6c3b-c878-4b88-b50e-d1421bada9e8|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|SSH Access Is Not Restricted
dee21308-2a7a-49de-8ff7-c9b87e188575|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|IP Forwarding Enabled
7c98538a-81c6-444b-bf04-e60bc3ceeec0|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true (read more)|Documentation
| +|Bucket Without Versioning
227c2f58-70c6-4432-8e9a-a89c1a548cf5|Medium|Observability|Bucket should have versioning enabled (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
6e2b1ec1-1eca-4eb7-9d4d-2882680b4811|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
|
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/1239f54b-33de-482a-8132-faebe288e6a6.md b/docs/queries/googledeploymentmanager-queries/gcp/1239f54b-33de-482a-8132-faebe288e6a6.md
new file mode 100644
index 00000000000..e6c74ec14d8
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/1239f54b-33de-482a-8132-faebe288e6a6.md
@@ -0,0 +1,61 @@
+---
+title: Google Storage Bucket Level Access Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 1239f54b-33de-482a-8132-faebe288e6a6
+- **Query name:** Google Storage Bucket Level Access Disabled
+- **Platform:** GoogleDeploymentManager
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/google_storage_bucket_level_access_disabled)
+
+### Description
+Google Storage Bucket Level Access should be enabled
+[Documentation](https://cloud.google.com/storage/docs/json_api/v1/buckets)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+resources:
+- name: a-new-pubsub-topic1
+ type: storage.v1.bucket
+ properties:
+ storageClass: STANDARD
+ location: EUROPE-WEST3
+ versioning:
+ enabled: true
+ iamConfiguration:
+ uniformBucketLevelAccess:
+ enabled: false
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+- name: a-new-pubsub-topic2
+ type: storage.v1.bucket
+ properties:
+ storageClass: STANDARD
+ location: EUROPE-WEST3
+ versioning:
+ enabled: true
+ iamConfiguration:
+ uniformBucketLevelAccess:
+ enabled: true
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/227c2f58-70c6-4432-8e9a-a89c1a548cf5.md b/docs/queries/googledeploymentmanager-queries/gcp/227c2f58-70c6-4432-8e9a-a89c1a548cf5.md
new file mode 100644
index 00000000000..a3fb30fc8ed
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/227c2f58-70c6-4432-8e9a-a89c1a548cf5.md
@@ -0,0 +1,61 @@
+---
+title: Bucket Without Versioning
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 227c2f58-70c6-4432-8e9a-a89c1a548cf5
+- **Query name:** Bucket Without Versioning
+- **Platform:** GoogleDeploymentManager
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/bucket_without_versioning)
+
+### Description
+Bucket should have versioning enabled
+[Documentation](https://cloud.google.com/storage/docs/json_api/v1/buckets)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+resources:
+ - name: bucket
+ type: storage.v1.bucket
+ properties:
+ name: my-bucket
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="7"
+resources:
+ - name: bucket
+ type: storage.v1.bucket
+ properties:
+ name: my-bucket
+ versioning:
+ enabled: false
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+ - name: bucket
+ type: storage.v1.bucket
+ properties:
+ name: my-bucket
+ versioning:
+ enabled: true
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/268c65a8-58ad-43e4-9019-1a9bbc56749f.md b/docs/queries/googledeploymentmanager-queries/gcp/268c65a8-58ad-43e4-9019-1a9bbc56749f.md
new file mode 100644
index 00000000000..97de5b073a4
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/268c65a8-58ad-43e4-9019-1a9bbc56749f.md
@@ -0,0 +1,95 @@
+---
+title: BOM - GCP PD
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 268c65a8-58ad-43e4-9019-1a9bbc56749f
+- **Query name:** BOM - GCP PD
+- **Platform:** GoogleDeploymentManager
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp_bom/pd)
+
+### Description
+A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.
+[Documentation](https://kics.io)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="3 11 19 24 31"
+resources:
+- type: compute.v1.disk
+ name: disk-1-data
+ properties:
+ sizeGb: 10
+ zone: us-east1-c
+ diskEncryptionKey:
+ sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
+ rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
+- type: compute.v1.disk
+ name: disk-2-data
+ properties:
+ sizeGb: 10
+ zone: us-east1-c
+ diskEncryptionKey:
+ sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
+ kmsKeyName: disk-crypto-key
+- type: compute.v1.disk
+ name: disk-3-data
+ properties:
+ sizeGb: 10
+ zone: us-east1-c
+- type: compute.v1.disk
+ name: disk-4-data
+ properties:
+ sizeGb: 10
+ zone: us-east1-c
+ diskEncryptionKey:
+ sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
+- type: compute.v1.disk
+ name: disk-5-data
+ properties:
+ sizeGb: 10
+ zone: us-east1-c
+ diskEncryptionKey:
+ sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
+ rawKey: ""
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+- name: vm-template4
+ type: compute.v1.instance
+ properties:
+ zone: us-central1-a
+ machineType: zones/us-central1-a/machineTypes/n1-standard-1
+ disks:
+ - deviceName: boot
+ type: PERSISTENT
+ boot: true
+ autoDelete: true
+ initializeParams:
+ sourceImage: projects/debian-cloud/global/images/family/debian-9
+ diskEncryptionKey:
+ sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29
+ rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=
+ networkInterfaces:
+ - network: global/networks/default
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/28727987-e398-49b8-aef1-8a3e7789d111.md b/docs/queries/googledeploymentmanager-queries/gcp/28727987-e398-49b8-aef1-8a3e7789d111.md
new file mode 100644
index 00000000000..850f63c8601
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/28727987-e398-49b8-aef1-8a3e7789d111.md
@@ -0,0 +1,73 @@
+---
+title: IP Aliasing Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 28727987-e398-49b8-aef1-8a3e7789d111
+- **Query name:** IP Aliasing Disabled
+- **Platform:** GoogleDeploymentManager
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/ip_aliasing_disabled)
+
+### Description
+Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ipAllocationPolicy' must be defined and the subattribute 'useIpAliases' must be set to 'true'.
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+resources:
+ - name: cluster
+ type: container.v1.cluster
+ properties:
+ description: my-cluster
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="6"
+resources:
+ - name: cluster
+ type: container.v1.cluster
+ properties:
+ description: my-cluster
+ ipAllocationPolicy:
+ subnetworkName: my-network
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="8"
+resources:
+ - name: cluster
+ type: container.v1.cluster
+ properties:
+ description: my-cluster
+ ipAllocationPolicy:
+ subnetworkName: my-network
+ useIpAliases: false
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+ - name: cluster
+ type: container.v1.cluster
+ properties:
+ description: my-cluster
+ ipAllocationPolicy:
+ subnetworkName: my-network
+ useIpAliases: true
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/313d6deb-3b67-4948-b41d-35b699c2492e.md b/docs/queries/googledeploymentmanager-queries/gcp/313d6deb-3b67-4948-b41d-35b699c2492e.md
new file mode 100644
index 00000000000..019c565a2a3
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/313d6deb-3b67-4948-b41d-35b699c2492e.md
@@ -0,0 +1,71 @@
+---
+title: Cloud DNS Without DNSSEC
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 313d6deb-3b67-4948-b41d-35b699c2492e
+- **Query name:** Cloud DNS Without DNSSEC
+- **Platform:** GoogleDeploymentManager
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/cloud_dns_without_dnnsec)
+
+### Description
+DNSSEC must be enabled for Cloud DNS
+[Documentation](https://cloud.google.com/dns/docs/reference/v1/managedZones)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+resources:
+- name: dns
+ type: dns.v1.managedZone
+ properties:
+ name: my-zone
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="6"
+resources:
+- name: dns2
+ type: dns.v1.managedZone
+ properties:
+ name: my-zone2
+ dnssecConfig:
+ kind: "dns#managedZoneDnsSecConfig"
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="7"
+resources:
+- name: dns3
+ type: dns.v1.managedZone
+ properties:
+ name: my-zone3
+ dnssecConfig:
+ state: "off"
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+- name: dns4
+ type: dns.v1.managedZone
+ properties:
+ name: my-zone4
+ dnssecConfig:
+ state: "on"
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/48c61fbd-09c9-46cc-a521-012e0c325412.md b/docs/queries/googledeploymentmanager-queries/gcp/48c61fbd-09c9-46cc-a521-012e0c325412.md
new file mode 100644
index 00000000000..0dc856a56b0
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/48c61fbd-09c9-46cc-a521-012e0c325412.md
@@ -0,0 +1,62 @@
+---
+title: Private Cluster Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 48c61fbd-09c9-46cc-a521-012e0c325412
+- **Query name:** Private Cluster Disabled
+- **Platform:** GoogleDeploymentManager
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/private_cluster_disabled)
+
+### Description
+Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'privateClusterConfig' must be defined and the attributes 'enablePrivateEndpoint' and 'enablePrivateNodes' must be true.
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+resources:
+- name: mycluster
+ type: container.v1.cluster
+ properties:
+ zone: us-east1-b
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="6 7"
+resources:
+- name: mycluster2
+ type: container.v1.cluster
+ properties:
+ zone: us-east1-b
+ privateClusterConfig:
+ enablePrivateEndpoint: false
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+- name: mycluster3
+ type: container.v1.cluster
+ properties:
+ zone: us-east1-b
+ privateClusterConfig:
+ enablePrivateEndpoint: true
+ enablePrivateNodes: true
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/50cb6c3b-c878-4b88-b50e-d1421bada9e8.md b/docs/queries/googledeploymentmanager-queries/gcp/50cb6c3b-c878-4b88-b50e-d1421bada9e8.md
new file mode 100644
index 00000000000..85bef5bb7c6
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/50cb6c3b-c878-4b88-b50e-d1421bada9e8.md
@@ -0,0 +1,103 @@
+---
+title: RDP Access Is Not Restricted
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 50cb6c3b-c878-4b88-b50e-d1421bada9e8
+- **Query name:** RDP Access Is Not Restricted
+- **Platform:** GoogleDeploymentManager
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/rdp_access_is_not_restricted)
+
+### Description
+Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389
+[Documentation](https://cloud.google.com/compute/docs/reference/rest/v1/firewalls)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="14"
+resources:
+ - name: firewall
+ type: compute.v1.firewall
+ properties:
+ name: my-firewall
+ sourceRanges:
+ - "0.0.0.0/0"
+ allowed:
+ - IPProtocol: icmp
+ ports:
+ - "80"
+ - "8080"
+ - "1000-2000"
+ - IPProtocol: tcp
+ ports:
+ - "80"
+ - "8080"
+ - "1000-2000"
+ - "3389"
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="14"
+resources:
+ - name: firewall
+ type: compute.v1.firewall
+ properties:
+ name: my-firewall
+ sourceRanges:
+ - "::/0"
+ allowed:
+ - IPProtocol: icmp
+ ports:
+ - "80"
+ - "8080"
+ - "1000-2000"
+ - IPProtocol: udp
+ ports:
+ - "80"
+ - "8080"
+ - "1000-2000"
+ - "21-3389"
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="9"
+resources:
+ - name: firewall
+ type: compute.v1.firewall
+ properties:
+ name: my-firewall
+ sourceRanges:
+ - "::/0"
+ allowed:
+ - IPProtocol: all
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+ - name: firewall
+ type: compute.v1.firewall
+ properties:
+ name: my-firewall
+ allowed:
+ - IPProtocol: icmp
+ ports:
+ - "80"
+ - "8080"
+ - "1000-2000"
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/62c8cf50-87f0-4295-a974-8184ed78fe02.md b/docs/queries/googledeploymentmanager-queries/gcp/62c8cf50-87f0-4295-a974-8184ed78fe02.md
new file mode 100644
index 00000000000..39ac6c6b69a
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/62c8cf50-87f0-4295-a974-8184ed78fe02.md
@@ -0,0 +1,61 @@
+---
+title: GKE Master Authorized Networks Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 62c8cf50-87f0-4295-a974-8184ed78fe02
+- **Query name:** GKE Master Authorized Networks Disabled
+- **Platform:** GoogleDeploymentManager
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/gke_master_authorized_networks_disabled)
+
+### Description
+Master authorized networks must be enabled in GKE clusters
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+resources:
+ - name: my-cluster
+ type: container.v1.cluster
+ properties:
+ description: cluster
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="7"
+resources:
+ - name: my-cluster
+ type: container.v1.cluster
+ properties:
+ description: cluster
+ masterAuthorizedNetworksConfig:
+ enabled: false
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+ - name: my-cluster
+ type: container.v1.cluster
+ properties:
+ description: cluster
+ masterAuthorizedNetworksConfig:
+ enabled: true
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md b/docs/queries/googledeploymentmanager-queries/gcp/63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md
new file mode 100644
index 00000000000..94642382b46
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/63ae3638-a38c-4ff4-b616-6e1f72a31a6a.md
@@ -0,0 +1,77 @@
+---
+title: Cloud Storage Anonymous or Publicly Accessible
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 63ae3638-a38c-4ff4-b616-6e1f72a31a6a
+- **Query name:** Cloud Storage Anonymous or Publicly Accessible
+- **Platform:** GoogleDeploymentManager
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/cloud_storage_anonymous_or_publicly_accessible)
+
+### Description
+Cloud Storage Buckets must not be anonymously or publicly accessible, which means the subattribute 'entity' from attributes 'acl' and 'defaultObjectAcl' must not be 'allUsers' or 'allAuthenticatedUsers'
+[Documentation](https://cloud.google.com/storage/docs/json_api/v1/buckets)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+resources:
+ - name: storage-bucket
+ type: storage.v1.bucket
+ properties:
+ name: my-bucket
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="4 7"
+resources:
+ - name: storage-bucket
+ type: storage.v1.bucket
+ properties:
+ name: my-bucket
+ defaultObjectAcl:
+ - entity: allAuthenticatedUsers
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="10 7"
+resources:
+ - name: storage-bucket
+ type: storage.v1.bucket
+ properties:
+ name: my-bucket
+ acl:
+ - entity: allUsers
+ - entity: user-liz@example.com
+ defaultObjectAcl:
+ - entity: allAuthenticatedUsers
+ - entity: user-liz@example.com
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+ - name: storage-bucket
+ type: storage.v1.bucket
+ properties:
+ name: my-bucket
+ acl:
+ - entity: user-liz@example.com
+ defaultObjectAcl:
+ - entity: user-liz@example.com
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md b/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md
new file mode 100644
index 00000000000..8ccefcee800
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/660360d3-9ca7-46d1-b147-3acc4002953f.md
@@ -0,0 +1,76 @@
+---
+title: SQL DB Instance With SSL Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 660360d3-9ca7-46d1-b147-3acc4002953f
+- **Query name:** SQL DB Instance With SSL Disabled
+- **Platform:** GoogleDeploymentManager
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/sql_db_instance_with_ssl_disabled)
+
+### Description
+Cloud SQL Database Instance should have SLL enabled
+[Documentation](https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+resources:
+ - name: sql-instance
+ type: sqladmin.v1beta4.instance
+ properties:
+ settings:
+ tier: db-custom-1-3840
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="7"
+resources:
+ - name: sql-instance
+ type: sqladmin.v1beta4.instance
+ properties:
+ settings:
+ tier: db-custom-1-3840
+ ipConfiguration:
+ ipv4Enabled: true
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="9"
+resources:
+ - name: sql-instance
+ type: sqladmin.v1beta4.instance
+ properties:
+ settings:
+ tier: db-custom-1-3840
+ ipConfiguration:
+ ipv4Enabled: true
+ requireSsl: false
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+ - name: sql-instance
+ type: sqladmin.v1beta4.instance
+ properties:
+ settings:
+ tier: db-custom-1-3840
+ ipConfiguration:
+ requireSsl: true
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md b/docs/queries/googledeploymentmanager-queries/gcp/6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md
new file mode 100644
index 00000000000..4c3ecde75e2
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35.md
@@ -0,0 +1,57 @@
+---
+title: DNSSEC Using RSASHA1
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6d7b121a-a2ed-4e37-bd2f-80d9df1dfd35
+- **Query name:** DNSSEC Using RSASHA1
+- **Platform:** GoogleDeploymentManager
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/dnssec_using_rsasha1)
+
+### Description
+DNSSEC should not use the RSASHA1 algorithm
+[Documentation](https://cloud.google.com/dns/docs/reference/v1/managedZones)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="9"
+resources:
+- name: dns
+ type: dns.v1.managedZone
+ properties:
+ name: my-zone
+ dnssecConfig:
+ state: "on"
+ defaultKeySpecs:
+ - algorithm: rsasha1
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+- name: dns2
+ type: dns.v1.managedZone
+ properties:
+ name: my-zone2
+ dnssecConfig:
+ state: "on"
+ defaultKeySpecs:
+ - algorithm: rsasha256
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md b/docs/queries/googledeploymentmanager-queries/gcp/6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md
new file mode 100644
index 00000000000..008ac2a3b4d
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/6e2b1ec1-1eca-4eb7-9d4d-2882680b4811.md
@@ -0,0 +1,86 @@
+---
+title: Project-wide SSH Keys Are Enabled In VM Instances
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 6e2b1ec1-1eca-4eb7-9d4d-2882680b4811
+- **Query name:** Project-wide SSH Keys Are Enabled In VM Instances
+- **Platform:** GoogleDeploymentManager
+- **Severity:** Medium
+- **Category:** Secret Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances)
+
+### Description
+VM Instance should block project-wide SSH keys
+[Documentation](https://cloud.google.com/compute/docs/reference/rest/v1/instances)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="4"
+resources:
+ - name: vm
+ type: compute.v1.instance
+ properties:
+ description: my-vm
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="8"
+resources:
+ - name: vm
+ type: compute.v1.instance
+ properties:
+ description: my-vm
+ metadata:
+ fingerprint: fingerprint
+ items:
+ - key: my-key
+ value: true
+ - key: my-key-2
+ value: false
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="12"
+resources:
+ - name: vm
+ type: compute.v1.instance
+ properties:
+ description: my-vm
+ metadata:
+ fingerprint: fingerprint
+ items:
+ - key: my-key
+ value: true
+ - key: block-project-ssh-keys
+ value: false
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+ - name: vm
+ type: compute.v1.instance
+ properties:
+ description: my-vm
+ metadata:
+ fingerprint: fingerprint
+ items:
+ - key: my-key
+ value: true
+ - key: block-project-ssh-keys
+ value: true
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md b/docs/queries/googledeploymentmanager-queries/gcp/77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md
new file mode 100644
index 00000000000..1e25957487f
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc.md
@@ -0,0 +1,68 @@
+---
+title: Cloud Storage Bucket Is Publicly Accessible
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 77c1fa3f-83dc-4c9d-bfed-e1d0cc8fd9dc
+- **Query name:** Cloud Storage Bucket Is Publicly Accessible
+- **Platform:** GoogleDeploymentManager
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_is_publicly_accessible)
+
+### Description
+Cloud Storage Bucket is anonymously or publicly accessible
+[Documentation](https://cloud.google.com/storage/docs/json_api/v1/bucketAccessControls)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="5"
+resources:
+ - name: bucket-access-control
+ type: storage.v1.bucketAccessControl
+ properties:
+ entity: allUsers
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="5"
+resources:
+ - name: bucket-access-control
+ type: storage.v1.bucketAccessControl
+ properties:
+ entity: allAuthenticatedUsers
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+ - name: bucket-access-control
+ type: storage.v1.bucketAccessControl
+ properties:
+ storageClass: STANDARD
+ location: EUROPE-WEST3
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+resources:
+ - name: bucket-access-control
+ type: storage.v1.bucketAccessControl
+ properties:
+ storageClass: STANDARD
+ location: EUROPE-WEST3
+ entity: user-liz@example.com
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/7c98538a-81c6-444b-bf04-e60bc3ceeec0.md b/docs/queries/googledeploymentmanager-queries/gcp/7c98538a-81c6-444b-bf04-e60bc3ceeec0.md
new file mode 100644
index 00000000000..fc11426dbdf
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/7c98538a-81c6-444b-bf04-e60bc3ceeec0.md
@@ -0,0 +1,71 @@
+---
+title: IP Forwarding Enabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 7c98538a-81c6-444b-bf04-e60bc3ceeec0
+- **Query name:** IP Forwarding Enabled
+- **Platform:** GoogleDeploymentManager
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/ip_forwarding_enabled)
+
+### Description
+Instances must not have IP forwarding enabled, which means the attribute 'canIpForward' must not be true
+[Documentation](https://cloud.google.com/compute/docs/reference/rest/v1/instances)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="16"
+resources:
+- name: vm-template
+ type: compute.v1.instance
+ properties:
+ zone: us-central1-a
+ machineType: zones/us-central1-a/machineTypes/n1-standard-1
+ disks:
+ - deviceName: boot
+ type: PERSISTENT
+ boot: true
+ autoDelete: true
+ initializeParams:
+ sourceImage: projects/debian-cloud/global/images/family/debian-9
+ networkInterfaces:
+ - network: global/networks/default
+ canIpForward: true
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+resources:
+- name: vm-template2
+ type: compute.v1.instance
+ properties:
+ zone: us-central1-a
+ machineType: zones/us-central1-a/machineTypes/n1-standard-1
+ disks:
+ - deviceName: boot
+ type: PERSISTENT
+ boot: true
+ autoDelete: true
+ initializeParams:
+ sourceImage: projects/debian-cloud/global/images/family/debian-9
+ networkInterfaces:
+ - network: global/networks/default
+ canIpForward: false
+
+```
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/7ef7d141-9fbb-4679-a977-fd0883436906.md b/docs/queries/googledeploymentmanager-queries/gcp/7ef7d141-9fbb-4679-a977-fd0883436906.md
new file mode 100644
index 00000000000..0569d48f28b
--- /dev/null
+++ b/docs/queries/googledeploymentmanager-queries/gcp/7ef7d141-9fbb-4679-a977-fd0883436906.md
@@ -0,0 +1,70 @@ +--- +title: Cluster Master Authentication Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7ef7d141-9fbb-4679-a977-fd0883436906 +- **Query name:** Cluster Master Authentication Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/cluster_master_authentication_disabled) + +### Description +Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'masterAuth' must have the subattributes 'username' and 'password' defined and not empty
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: cluster + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +resources: + - name: cluster + type: container.v1.cluster + properties: + masterAuth: + clientKey: test + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +resources: + - name: cluster + type: container.v1.cluster + properties: + masterAuth: + username: + password: + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: cluster + type: container.v1.cluster + properties: + masterAuth: + username: test + password: test + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/8212e2d7-e683-49bc-bf78-d6799075c5a7.md b/docs/queries/googledeploymentmanager-queries/gcp/8212e2d7-e683-49bc-bf78-d6799075c5a7.md new file mode 100644 index 00000000000..de34089de7a --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/8212e2d7-e683-49bc-bf78-d6799075c5a7.md @@ -0,0 +1,58 @@ +--- +title: Compute Instance Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8212e2d7-e683-49bc-bf78-d6799075c5a7 +- **Query name:** Compute Instance Is Publicly Accessible +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/compute_instance_is_publicly_accessible) + +### Description +Compute instances shouldn't be accessible from the Internet.
+[Documentation](https://cloud.google.com/compute/docs/reference/rest/v1/instances) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +resources: +- name: instance + type: compute.v1.instance + properties: + scheduling: + automaticRestart: true + networkInterfaces: + - accessConfigs: + - name: External NAT + type: ONE_TO_ONE_NAT + network: network + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: +- name: instance2 + type: compute.v1.instance + properties: + scheduling: + automaticRestart: true + networkInterfaces: + network: network + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/83103dff-d57f-42a8-bd81-40abab64c1a7.md b/docs/queries/googledeploymentmanager-queries/gcp/83103dff-d57f-42a8-bd81-40abab64c1a7.md new file mode 100644 index 00000000000..781aa334961 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/83103dff-d57f-42a8-bd81-40abab64c1a7.md @@ -0,0 +1,63 @@ +--- +title: BigQuery Dataset Is Public +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 83103dff-d57f-42a8-bd81-40abab64c1a7 +- **Query name:** BigQuery Dataset Is Public +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/bigquery_database_is_public) + +### Description +BigQuery dataset is anonymously or publicly accessible. Attribute access.specialGroup should not contain 'allAuthenticatedUsers'
+[Documentation](https://cloud.google.com/bigquery/docs/reference/rest/v2/datasets) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +resources: + - name: bigquery + type: bigquery.v2.dataset + properties: + access: + - role: owner + specialGroup: allAuthenticatedUsers + - role: owner + specialGroup: my-group + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: bigquery + type: bigquery.v2.dataset + properties: + access: + - role: owner + specialGroup: my-group + +``` +```yaml title="Negative test num. 2 - yaml file" +resources: + - name: bigquery + type: bigquery.v2.dataset + properties: + description: my-bigquery + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/8810968b-4b15-421d-918b-d91eb4bb8d1d.md b/docs/queries/googledeploymentmanager-queries/gcp/8810968b-4b15-421d-918b-d91eb4bb8d1d.md new file mode 100644 index 00000000000..fb841d0cc02 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/8810968b-4b15-421d-918b-d91eb4bb8d1d.md @@ -0,0 +1,51 @@ +--- +title: Cluster Labels Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8810968b-4b15-421d-918b-d91eb4bb8d1d +- **Query name:** Cluster Labels Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/cluster_labels_disabled) + +### Description +Kubernetes Clusters must be configured with labels, which means the attribute 'resourceLabels' must be defined
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +resources: + - name: cluster + type: container.v1.cluster + properties: + name: my-cluster + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: cluster + type: container.v1.cluster + properties: + name: my-cluster + resourceLabels: + name: "wrench" + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/9038b526-4c19-4928-bca2-c03d503bdb79.md b/docs/queries/googledeploymentmanager-queries/gcp/9038b526-4c19-4928-bca2-c03d503bdb79.md new file mode 100644 index 00000000000..798d1f37d2a --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/9038b526-4c19-4928-bca2-c03d503bdb79.md @@ -0,0 +1,96 @@ +--- +title: Shielded VM Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9038b526-4c19-4928-bca2-c03d503bdb79 +- **Query name:** Shielded VM Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/shielded_vm_disabled) + +### Description +Compute instances must be launched with Shielded VM enabled, which means the attribute 'shieldedInstanceConfig' must be defined and its sub attributes 'enableSecureBoot', 'enableVtpm' and 'enableIntegrityMonitoring' must be set to true
+[Documentation](https://cloud.google.com/compute/docs/reference/rest/v1/instances) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +resources: +- name: vm-template + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + networkInterfaces: + - network: global/networks/default + canIpForward: false + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="17 18" +resources: +- name: vm-template2 + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + networkInterfaces: + - network: global/networks/default + canIpForward: false + shieldedInstanceConfig: + enableSecureBoot: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: +- name: vm-templatee + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + networkInterfaces: + - network: global/networks/default + canIpForward: false + shieldedInstanceConfig: + enableSecureBoot: true + enableVtpm: true + enableIntegrityMonitoring: true + +``` 
diff --git a/docs/queries/googledeploymentmanager-queries/gcp/95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md b/docs/queries/googledeploymentmanager-queries/gcp/95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md new file mode 100644 index 00000000000..d4d69d58852 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/95601b9a-7fe8-4aee-9b58-d36fd9382dfc.md @@ -0,0 +1,59 @@ +--- +title: Stackdriver Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 95601b9a-7fe8-4aee-9b58-d36fd9382dfc +- **Query name:** Stackdriver Logging Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/stackdriver_logging_disabled) + +### Description +Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'loggingService' must be defined and different from 'none'
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +resources: + - name: cluster + type: container.v1.cluster + properties: + name: my-cluster + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +resources: + - name: cluster + type: container.v1.cluster + properties: + name: my-cluster + loggingService: none + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: cluster + type: container.v1.cluster + properties: + name: my-cluster + loggingService: "logging.googleapis.com" + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md b/docs/queries/googledeploymentmanager-queries/gcp/9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md new file mode 100644 index 00000000000..77a21b8e3f1 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8.md @@ -0,0 +1,67 @@ +--- +title: BOM - GCP PST +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9ed08714-b2f3-4c6d-8fb0-ac0b74ad71d8 +- **Query name:** BOM - GCP PST +- **Platform:** GoogleDeploymentManager +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp_bom/pst) + +### Description +A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 3" +resources: +- type: pubsub.v1.topic + name: topic-1 + properties: + kmsKeyName: some key + topic: classified-topic +- type: pubsub.v1.topic + name: topic-2 + properties: + topic: classified-topic + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: +- name: vm-template4 + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0= + networkInterfaces: + - network: global/networks/default + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/a21b8df3-c840-4b3d-a41a-10fb2afda171.md b/docs/queries/googledeploymentmanager-queries/gcp/a21b8df3-c840-4b3d-a41a-10fb2afda171.md new file mode 100644 index 00000000000..a88a86f847f --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/a21b8df3-c840-4b3d-a41a-10fb2afda171.md @@ -0,0 +1,61 @@ +--- +title: Not Proper Email Account In Use +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a21b8df3-c840-4b3d-a41a-10fb2afda171 +- **Query name:** Not Proper Email Account In Use +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/not_proper_email_account_in_use) + +### Description +Gmail accounts are being used instead of corporate credentials
+[Documentation](https://cloud.google.com/deployment-manager/docs/configuration/set-access-control-resources) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +resources: +- name: a-new-pubsub-topic + type: pubsub.v1.topic + + accessControl: + gcpIamPolicy: + bindings: + - role: roles/pubsub.publisher + members: + - "user:jane@gmail.com" + - "serviceAccount:my-other-app@appspot.gserviceaccount.com" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: +- name: a-new-pubsub-topic + type: pubsub.v1.topic + + accessControl: + gcpIamPolicy: + bindings: + - role: roles/pubsub.publisher + members: + - "user:jane@example.com" + - "serviceAccount:my-other-app@appspot.gserviceaccount.com" + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md b/docs/queries/googledeploymentmanager-queries/gcp/a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md new file mode 100644 index 00000000000..da91e61fe69 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01.md @@ -0,0 +1,75 @@ +--- +title: SQL DB Instance Backup Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a5bf1a1c-92c7-401c-b4c6-ebdc8b686c01 +- **Query name:** SQL DB Instance Backup Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/sql_db_instance_backup_disabled) + +### Description +Checks if backup configuration is enabled for all Cloud SQL Database instances
+[Documentation](https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +resources: + - name: sql-instance + type: sqladmin.v1beta4.instance + properties: + settings: + tier: db-custom-1-3840 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +resources: + - name: sql-instance + type: sqladmin.v1beta4.instance + properties: + settings: + tier: db-custom-1-3840 + backupConfiguration: + binaryLogEnabled: true + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="8" +resources: + - name: sql-instance + type: sqladmin.v1beta4.instance + properties: + settings: + tier: db-custom-1-3840 + backupConfiguration: + enabled: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: sql-instance + type: sqladmin.v1beta4.instance + properties: + settings: + tier: db-custom-1-3840 + backupConfiguration: + enabled: true + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/ad0875c1-0b39-4890-9149-173158ba3bba.md b/docs/queries/googledeploymentmanager-queries/gcp/ad0875c1-0b39-4890-9149-173158ba3bba.md new file mode 100644 index 00000000000..b9cf3f332f7 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/ad0875c1-0b39-4890-9149-173158ba3bba.md @@ -0,0 +1,64 @@ +--- +title: Cloud Storage Bucket Versioning Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ad0875c1-0b39-4890-9149-173158ba3bba +- **Query name:** Cloud Storage Bucket Versioning Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/cloud_storage_bucket_versioning_disabled) + +### Description +Cloud Storage Bucket should have versioning enabled
+[Documentation](https://cloud.google.com/storage/docs/json_api/v1/buckets) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +resources: +- name: a-new-pubsub-topic + type: storage.v1.bucket + properties: + storageClass: STANDARD + location: EUROPE-WEST3 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +resources: +- name: a-new-pubsub-topic2 + type: storage.v1.bucket + properties: + storageClass: STANDARD + location: EUROPE-WEST3 + versioning: + enabled: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: +- name: a-new-pubsub-topic3 + type: storage.v1.bucket + properties: + storageClass: STANDARD + location: EUROPE-WEST3 + versioning: + enabled: true + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/bbfc97ab-e92a-4a7b-954c-e88cec815011.md b/docs/queries/googledeploymentmanager-queries/gcp/bbfc97ab-e92a-4a7b-954c-e88cec815011.md new file mode 100644 index 00000000000..b099b0bf2d7 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/bbfc97ab-e92a-4a7b-954c-e88cec815011.md @@ -0,0 +1,59 @@ +--- +title: Stackdriver Monitoring Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bbfc97ab-e92a-4a7b-954c-e88cec815011 +- **Query name:** Stackdriver Monitoring Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/stackdriver_monitoring_disabled) + +### Description +Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoringService' must be defined and different than 'none'
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +resources: + - name: my-cluster + type: container.v1.cluster + properties: + description: cluster + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +resources: + - name: my-cluster + type: container.v1.cluster + properties: + description: cluster + monitoringService: "none" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: my-cluster + type: container.v1.cluster + properties: + description: cluster + monitoringService: "monitoring.googleapis.com/kubernetes" + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/c47f90e8-4a19-43f0-8413-cc434d286c4e.md b/docs/queries/googledeploymentmanager-queries/gcp/c47f90e8-4a19-43f0-8413-cc434d286c4e.md new file mode 100644 index 00000000000..09eed7f47c4 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/c47f90e8-4a19-43f0-8413-cc434d286c4e.md @@ -0,0 +1,91 @@ +--- +title: Network Policy Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c47f90e8-4a19-43f0-8413-cc434d286c4e +- **Query name:** Network Policy Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/network_policy_disabled) + +### Description +Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'networkPolicy.enabled' must be true and the attribute 'addonsConfig.networkPolicyConfig.disabled' must be false
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4 7" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + networkPolicy: + enabled: false + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="8 4" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + addonsConfig: + networkPolicyConfig: + disabled: true + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="10 7" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + networkPolicy: + enabled: false + addonsConfig: + networkPolicyConfig: + disabled: true + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + networkPolicy: + enabled: true + addonsConfig: + networkPolicyConfig: + disabled: false + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/c759d6f2-4dd3-4160-82d3-89202ef10d87.md b/docs/queries/googledeploymentmanager-queries/gcp/c759d6f2-4dd3-4160-82d3-89202ef10d87.md new file mode 100644 index 00000000000..7ffec4051d0 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/c759d6f2-4dd3-4160-82d3-89202ef10d87.md @@ -0,0 +1,69 @@ +--- +title: MySQL Instance With Local Infile On +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c759d6f2-4dd3-4160-82d3-89202ef10d87 +- **Query name:** MySQL Instance With Local Infile On +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/mysql_instance_with_local_infile_on) + +### Description +MySQL Instance should not have Local Infile On
+[Documentation](https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/instances) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +resources: + - name: db-instance + type: sqladmin.v1beta4.instance + properties: + databaseVersion: MYSQL_5_7 + settings: + databaseFlags: + - name: local_infile + value: on + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: db-instance + type: sqladmin.v1beta4.instance + properties: + databaseVersion: MYSQL_5_7 + settings: + databaseFlags: + - name: local_infile + value: off + +``` +```yaml title="Negative test num. 2 - yaml file" +resources: + - name: db-instance + type: sqladmin.v1beta4.instance + properties: + databaseVersion: MYSQL_5_7 + settings: + databaseFlags: + - name: log_queries_not_using_indexes + value: on + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md b/docs/queries/googledeploymentmanager-queries/gcp/c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md new file mode 100644 index 00000000000..f3953bff04d --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/c7781feb-a955-4f9f-b9cf-0d7c6f54bb59.md @@ -0,0 +1,116 @@ +--- +title: BOM - GCP SB +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c7781feb-a955-4f9f-b9cf-0d7c6f54bb59 +- **Query name:** BOM - GCP SB +- **Platform:** GoogleDeploymentManager +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp_bom/sb) + +### Description +A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 2 12 44 20" +resources: +- name: sample-input + type: storage.v1.bucket + properties: + storageClass: STANDARD + location: EUROPE-WEST3 + iamConfiguration: + uniformBucketLevelAccess: + enabled: true + encryption: + defaultKmsKeyName: some-key +- name: sample-input2 + type: storage.v1.bucket + properties: + storageClass: STANDARD + location: EUROPE-WEST3 + iamConfiguration: + uniformBucketLevelAccess: + enabled: true +- name: sample-input3 + type: storage.v1.bucket + properties: + storageClass: STANDARD + location: EUROPE-WEST3 + iamConfiguration: + uniformBucketLevelAccess: + enabled: true + acl: + - entity: "project-viewers-ucg-configuration-project" + role: READER + - entity: allUsers + role: READER +- name: sample-input4 + type: storage.v1.bucket + properties: + storageClass: STANDARD + location: EUROPE-WEST3 + iamConfiguration: + uniformBucketLevelAccess: + enabled: true + defaultObjectAcl: + - entity: allUsers + role: READER +- name: sample-input5 + type: storage.v1.bucket + properties: + storageClass: STANDARD + location: EUROPE-WEST3 + iamConfiguration: + uniformBucketLevelAccess: + enabled: true +- name: sample-ac + type: storage.v1.bucketAccessControl + properties: + bucket: sample-input5 + entity: allUsers + role: OWNER + + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +resources: +- name: vm-template4 + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0= + networkInterfaces: + - network: global/networks/default + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/dbe058d7-b82e-430b-8426-992b2e4677e7.md b/docs/queries/googledeploymentmanager-queries/gcp/dbe058d7-b82e-430b-8426-992b2e4677e7.md new file mode 100644 index 00000000000..6f2ddef75f6 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/dbe058d7-b82e-430b-8426-992b2e4677e7.md @@ -0,0 +1,71 @@ +--- +title: COS Node Image Not Used +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dbe058d7-b82e-430b-8426-992b2e4677e7 +- **Query name:** COS Node Image Not Used +- **Platform:** GoogleDeploymentManager +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/cos_node_image_not_used) + +### Description +The node image should be Container-Optimized OS(COS)
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters.nodePools) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +resources: + - name: nodePool + type: container.v1.nodePool + properties: + name: my-node + config: + imageType: ubuntu + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: nodePool + type: container.v1.nodePool + properties: + name: my-node + config: + imageType: cos + +``` +```yaml title="Negative test num. 2 - yaml file" +resources: + - name: nodePool + type: container.v1.nodePool + properties: + name: my-node + config: + imageType: cos_containerd + +``` +```yaml title="Negative test num. 3 - yaml file" +resources: + - name: nodePool + type: container.v1.nodePool + properties: + name: my-node + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md b/docs/queries/googledeploymentmanager-queries/gcp/dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md new file mode 100644 index 00000000000..46f1a765b43 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/dc5c5fee-6c53-43b0-ab11-4c660e064aaf.md @@ -0,0 +1,90 @@ +--- +title: Node Auto Upgrade Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dc5c5fee-6c53-43b0-ab11-4c660e064aaf +- **Query name:** Node Auto Upgrade Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/node_auto_upgrade_disabled) + +### Description +Kubernetes nodes must have auto upgrades set to true, which means the attribute 'nodePools' must be defined and the subattribute 'managment' must be defined and have the attribute 'autoUpgrade' set to true
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + nodePools: + initialNodeCount: 2 + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="8" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + nodePools: + initialNodeCount: 2 + management: + autoRepair: true + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="9" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + nodePools: + initialNodeCount: 2 + management: + autoUpgrade: false + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + nodePools: + initialNodeCount: 2 + management: + autoUpgrade: true + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/dd690686-2bf9-4012-a821-f61912dd77be.md b/docs/queries/googledeploymentmanager-queries/gcp/dd690686-2bf9-4012-a821-f61912dd77be.md new file mode 100644 index 00000000000..c1cab85f919 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/dd690686-2bf9-4012-a821-f61912dd77be.md @@ -0,0 +1,73 @@ +--- +title: Client Certificate Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dd690686-2bf9-4012-a821-f61912dd77be +- **Query name:** Client Certificate Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/client_certificate_disabled) + +### Description +Kubernetes Clusters must be created with Client Certificate enabled, which means 'masterAuth' must have 'clientCertificateConfig' with the attribute 'issueClientCertificate' equal to true
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.zones.clusters) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +resources: + - name: cluster + type: container.v1.cluster + properties: + name: my-cluster + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +resources: + - name: cluster + type: container.v1.cluster + properties: + name: my-cluster + masterAuth: + clientKey: key + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="8" +resources: + - name: cluster + type: container.v1.cluster + properties: + name: my-cluster + masterAuth: + clientCertificateConfig: + issueClientCertificate: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: cluster + type: container.v1.cluster + properties: + name: my-cluster + masterAuth: + clientCertificateConfig: + issueClientCertificate: true + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/dee21308-2a7a-49de-8ff7-c9b87e188575.md b/docs/queries/googledeploymentmanager-queries/gcp/dee21308-2a7a-49de-8ff7-c9b87e188575.md new file mode 100644 index 00000000000..e7d7eda725e --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/dee21308-2a7a-49de-8ff7-c9b87e188575.md 
@@ -0,0 +1,93 @@ +--- +title: SSH Access Is Not Restricted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dee21308-2a7a-49de-8ff7-c9b87e188575 +- **Query name:** SSH Access Is Not Restricted +- **Platform:** GoogleDeploymentManager +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/ssh_access_is_not_restricted) + +### Description +Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges
+[Documentation](https://cloud.google.com/compute/docs/reference/rest/v1/firewalls) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +resources: + - name: firewall + type: compute.v1.firewall + properties: + name: my-firewall + sourceRanges: + - "0.0.0.0/0" + allowed: + - IPProtocol: icmp + ports: + - "80" + - "8080" + - "1000-2000" + - "22" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +resources: + - name: firewall + type: compute.v1.firewall + properties: + name: my-firewall + sourceRanges: + - "0.0.0.0/0" + allowed: + - IPProtocol: icmp + ports: + - "80" + - "8080" + - "1000-2000" + - "21-3390" + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="4" +resources: + - name: firewall + type: compute.v1.firewall + properties: + name: my-firewall + sourceRanges: + - "0.0.0.0/0" + allowed: + - IPProtocol: all + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: firewall + type: compute.v1.firewall + properties: + name: my-firewall + allowed: + - IPProtocol: icmp + ports: + - "80" + - "8080" + - "1000-2000" + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/df58d46c-783b-43e0-bdd0-d99164f712ee.md b/docs/queries/googledeploymentmanager-queries/gcp/df58d46c-783b-43e0-bdd0-d99164f712ee.md new file mode 100644 index 00000000000..ea90dfa7d6c --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/df58d46c-783b-43e0-bdd0-d99164f712ee.md 
@@ -0,0 +1,61 @@ +--- +title: GKE Legacy Authorization Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** df58d46c-783b-43e0-bdd0-d99164f712ee +- **Query name:** GKE Legacy Authorization Enabled +- **Platform:** GoogleDeploymentManager +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/gke_legacy_authorization_enabled) + +### Description +Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'legacyAbac.enabled' must be false.
+[Documentation](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.LegacyAbac) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + legacyAbac: + enabled: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + +``` +```yaml title="Negative test num. 2 - yaml file" +resources: + - name: cluster + type: container.v1.cluster + properties: + description: my-cluster + legacyAbac: + enabled: false + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md b/docs/queries/googledeploymentmanager-queries/gcp/e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md new file mode 100644 index 00000000000..829d9f513ea --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/e66e1b71-c810-4b4e-a737-0ab59e7f5e41.md @@ -0,0 +1,76 @@ +--- +title: OSLogin Is Disabled In VM Instance +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e66e1b71-c810-4b4e-a737-0ab59e7f5e41 +- **Query name:** OSLogin Is Disabled In VM Instance +- **Platform:** GoogleDeploymentManager +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/os_login_is_disabled_for_vm_instance) + +### Description +VM instance should have OSLogin enabled
+[Documentation](https://cloud.google.com/compute/docs/reference/rest/v1/instances) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +resources: + - name: vm + type: compute.v1.instance + properties: + description: my-vm + metadata: + fingerprint: fingerprint + items: + - key: enable-oslogin + value: false + - key: my-key-2 + value: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: + - name: vm + type: compute.v1.instance + properties: + description: my-vm + metadata: + fingerprint: fingerprint + items: + - key: my-key-2 + value: false + +``` +```yaml title="Negative test num. 2 - yaml file" +resources: + - name: vm + type: compute.v1.instance + properties: + description: my-vm + metadata: + fingerprint: fingerprint + items: + - key: enable-oslogin + value: true + - key: my-key-2 + value: false + +``` diff --git a/docs/queries/googledeploymentmanager-queries/gcp/fc040fb6-4c23-4c0d-b12a-39edac35debb.md b/docs/queries/googledeploymentmanager-queries/gcp/fc040fb6-4c23-4c0d-b12a-39edac35debb.md new file mode 100644 index 00000000000..14938105c84 --- /dev/null +++ b/docs/queries/googledeploymentmanager-queries/gcp/fc040fb6-4c23-4c0d-b12a-39edac35debb.md 
@@ -0,0 +1,171 @@ +--- +title: Disk Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fc040fb6-4c23-4c0d-b12a-39edac35debb +- **Query name:** Disk Encryption Disabled +- **Platform:** GoogleDeploymentManager +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/googleDeploymentManager/gcp/disk_encryption_disabled) + +### Description +VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'diskEncryptionKey' must be defined and its sub attributes 'rawKey' or 'kmsKeyName' must also be defined
+[Documentation](https://cloud.google.com/compute/docs/reference/rest/v1/instances) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 18" +resources: +- name: vm-template + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + networkInterfaces: + - network: global/networks/default +- type: compute.v1.disk + name: disk-3-data + properties: + sizeGb: 10 + zone: us-east1-c + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="14 23" +resources: +- name: vm-template2 + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + networkInterfaces: + - network: global/networks/default +- type: compute.v1.disk + name: disk-4-data + properties: + sizeGb: 10 + zone: us-east1-c + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="16 26" +resources: +- name: vm-template3 + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + rawKey: "" + networkInterfaces: + - network: global/networks/default +- type: compute.v1.disk + name: disk-5-data + properties: + sizeGb: 10 + zone: us-east1-c + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + rawKey: "" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +resources: +- name: vm-template4 + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0= + networkInterfaces: + - network: global/networks/default +- type: compute.v1.disk + name: disk-1-data + properties: + sizeGb: 10 + zone: us-east1-c + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + rawKey: SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0= + + +``` +```yaml title="Negative test num. 
2 - yaml file" +resources: +- name: vm-template5 + type: compute.v1.instance + properties: + zone: us-central1-a + machineType: zones/us-central1-a/machineTypes/n1-standard-1 + disks: + - deviceName: boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + sourceImage: projects/debian-cloud/global/images/family/debian-9 + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + kmsKeyName: disk-crypto-key + networkInterfaces: + - network: global/networks/default +- type: compute.v1.disk + name: disk-2-data + properties: + sizeGb: 10 + zone: us-east1-c + diskEncryptionKey: + sha_256: 68b4caecf5d5130426a8b8f0222cdd7f31232b5c99a5bf0daf19099e26e2ec29 + kmsKeyName: disk-crypto-key + +``` diff --git a/docs/queries/grpc-queries.md b/docs/queries/grpc-queries.md index 2da3287ef68..e876f7ab4bb 100644 --- a/docs/queries/grpc-queries.md +++ b/docs/queries/grpc-queries.md @@ -3,4 +3,4 @@ This page contains all queries from GRPC. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter|Documentation
| +|Enum Name Not CamelCase
daaace5f-c0dc-4835-b526-7a116b7f4b4e|Low|Best Practices|All Enum Names should follow CamelCase and start with Capital Letter (read more)|Documentation
| diff --git a/docs/queries/grpc-queries/daaace5f-c0dc-4835-b526-7a116b7f4b4e.md b/docs/queries/grpc-queries/daaace5f-c0dc-4835-b526-7a116b7f4b4e.md new file mode 100644 index 00000000000..09dee6fe07f --- /dev/null +++ b/docs/queries/grpc-queries/daaace5f-c0dc-4835-b526-7a116b7f4b4e.md @@ -0,0 +1,33 @@ +--- +title: Enum Name Not CamelCase +hide: + toc: true + navigation: true +--- + + + +- **Query id:** daaace5f-c0dc-4835-b526-7a116b7f4b4e +- **Query name:** Enum Name Not CamelCase +- **Platform:** GRPC +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/grpc/enum_name_not_camel_case) + +### Description +All Enum Names should follow CamelCase and start with Capital Letter
+[Documentation](https://developers.google.com/protocol-buffers/docs/reference/proto3-spec#enum_definition) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/knative-queries.md b/docs/queries/knative-queries.md index faf5e8e0d9c..245d3897b60 100644 --- a/docs/queries/knative-queries.md +++ b/docs/queries/knative-queries.md @@ -3,4 +3,4 @@ This page contains all queries from Knative. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service|Documentation
| +|Serving Revision Spec Without Timeout Seconds
e8bb41e4-2f24-4e84-8bea-8c7c070cf93d|Info|Insecure Configurations|Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service (read more)|Documentation
| diff --git a/docs/queries/knative-queries/e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md b/docs/queries/knative-queries/e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md new file mode 100644 index 00000000000..3fe4aced22d --- /dev/null +++ b/docs/queries/knative-queries/e8bb41e4-2f24-4e84-8bea-8c7c070cf93d.md @@ -0,0 +1,102 @@ +--- +title: Serving Revision Spec Without Timeout Seconds +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e8bb41e4-2f24-4e84-8bea-8c7c070cf93d +- **Query name:** Serving Revision Spec Without Timeout Seconds +- **Platform:** Knative +- **Severity:** Info +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/knative/serving_revision_spec_without_timeout_settings) + +### Description +Serving Revision Spec should have Timeout Seconds defined to avoid Denial of Service
+[Documentation](https://knative.dev/docs/reference/api/serving-api/#serving.knative.dev/v1.RevisionSpec) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="42 7" +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + name: dummy +spec: + template: + spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + containerConcurrency: 100 +--- +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + name: dummy +spec: + template: + spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + containerConcurrency: 100 + timeoutSeconds: 0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + name: dummy +spec: + template: + spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + containerConcurrency: 100 + timeoutSeconds: 600 + +``` diff --git a/docs/queries/kubernetes-queries.md b/docs/queries/kubernetes-queries.md index 41c23dc967e..5ddc24a3e3a 100644 --- a/docs/queries/kubernetes-queries.md +++ b/docs/queries/kubernetes-queries.md @@ -3,149 +3,149 @@ This page contains all queries from Kubernetes. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions|Documentation
| -|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true|Documentation
| -|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file|Documentation
| -|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true|Documentation
| -|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin|Documentation
| -|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set|Documentation
| -|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set|Documentation
| -|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.|Documentation
| -|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace|Documentation
| -|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present|Documentation
| -|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1|Documentation
| -|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup|Documentation
| -|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false|Documentation
| -|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set|Documentation
| -|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined|Documentation
| -|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined|Documentation
| -|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster.|Documentation
| -|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0|Documentation
| -|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined|Documentation
| -|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0|Documentation
| -|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed|Documentation
| -|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false|Documentation
| -|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false|Documentation
| -|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments|Documentation
| -|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode|Documentation
| -|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)|Documentation
| -|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin|Documentation
| -|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode|Documentation
| -|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation|Documentation
| -|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments|Documentation
| -|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges|Documentation
| -|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions|Documentation
| -|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501|Documentation
| -|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long|Documentation
| -|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table.|Documentation
| -|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites|Documentation
| -|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined|Documentation
| -|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider|Documentation
| -|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file|Documentation
| -|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode|Documentation
| -|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used|Documentation
| -|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true|Documentation
| -|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container.|Documentation
| -|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace|Documentation
| -|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set|Documentation
| -|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy.|Documentation
| -|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0|Documentation
| -|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster|Documentation
| -|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)|Documentation
| -|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true|Documentation
| -|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined|Documentation
| -|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined|Documentation
| -|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true|Documentation
| -|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs|Documentation
| -|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined|Documentation
| -|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true|Documentation
| -|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd|Documentation
| -|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set|Documentation
| -|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set|Documentation
| -|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined|Documentation
| -|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined|Documentation
| -|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources|Documentation
| -|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set|Documentation
| -|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.|Documentation
| -|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin|Documentation
| -|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file|Documentation
| -|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only.|Documentation
| -|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector|Documentation
| -|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume|Documentation
| -|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod|Documentation
| -|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries|Documentation
| -|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0|Documentation
| -|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false|Documentation
| -|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days|Documentation
| -|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files|Documentation
| -|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies|Documentation
| -|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes|Documentation
| -|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined|Documentation
| -|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.|Documentation
| -|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively|Documentation
| -|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.|Documentation
| -|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest.|Documentation
| -|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.|Documentation
| -|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited|Documentation
| +|RBAC Wildcard In Rule
6b896afb-ca07-467a-b256-1a0077a1c08e|High|Access Control|Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions (read more)|Documentation
| +|Service Account Lookup Set To False
a5530bd7-225a-48f9-91bb-f40b04200165|High|Access Control|When using kube-apiserver command, the '--service-account-lookup' flag should be set to true (read more)|Documentation
| +|Client Certificate Authentication Not Setup Properly
e0e00aba-5f1c-4981-a542-9a9563c0ee20|High|Access Control|Client Certificate Authentication should be Setup with a .pem or .crt file (read more)|Documentation
| +|Node Restriction Admission Control Plugin Not Set
33fc6923-6553-4fe6-9d3a-4efa51eb874b|High|Access Control|When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Use Service Account Credentials Not Set To True
1acd93f1-5a37-45c0-aaac-82ece818be7d|High|Access Control|When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true (read more)|Documentation
| +|Always Admit Admission Control Plugin Set
ce30e584-b33f-4c7d-b418-a3d7027f8f60|High|Access Control|When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin (read more)|Documentation
| +|Token Auth File Is Set
32ecd76e-7bbf-402e-bf48-8b9485749558|High|Access Control|When using kube-apiserver command, the 'token-auth-file' flag should not be set (read more)|Documentation
| +|Basic Auth File Is Set
5da47109-f8d6-4585-9e2b-96a8958a12f5|High|Access Control|When using kube-apiserver command, the 'basic-auth-file' flag should not be set (read more)|Documentation
| +|Pod Security Policy Admission Control Plugin Not Set
afa36afb-39fe-4d94-b9b6-afb236f7a03d|High|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Service Account Private Key File Not Defined
ccc98ff7-68a7-436e-9218-185cb0b0b780|High|Encryption|When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
a33e9173-b674-4dfb-9d82-cf3754816e4b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Tiller (Helm v2) Is Deployed
6d173be7-545a-46c6-a81d-2ae52ed1605d|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
caa93370-791f-4fc6-814b-ba6ce0cb4032|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
9127f0d9-2310-42e7-866f-5fd9d20dcbad|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined. (read more)|Documentation
| +|Container Is Privileged
dd29336b-fe57-445b-a26e-e6aa867ae609|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|Shared Host PID Namespace
302736f4-b16c-41b8-befe-c0baffa0bd9d|High|Insecure Configurations|Container should not share the host process ID namespace (read more)|Documentation
| +|Tiller Service Is Not Deleted
8b862ca9-0fbd-4959-ad72-b6609bdaa22d|High|Insecure Configurations|Check if there is any Tiller Service present (read more)|Documentation
| +|Privilege Escalation Allowed
5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Role Binding To Default Service Account
1e749bc9-fde8-471c-af0c-8254efd2dee5|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Bind Address Not Properly Set
46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2|High|Networking and Firewall|When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1 (read more)|Documentation
| +|TSL Connection Certificate Not Setup
fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f|High|Networking and Firewall|TSL Connection Certificate files should be Setup (read more)|Documentation
| +|Kubelet HTTPS Set To False
cdc8b54e-6b16-4538-a1b0-35849dbe29cf|High|Networking and Firewall|When using kube-apiserver command, the '--kubelet-https' flag should not be set to false (read more)|Documentation
| +|Insecure Bind Address Set
b9380fd3-5ffe-4d10-9290-13e18e71eee1|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-bind-address' flag should not be set (read more)|Documentation
| +|Etcd Peer TLS Certificate Files Not Properly Set
09bb9e96-8da3-4736-b89a-b36814acca60|High|Networking and Firewall|When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined (read more)|Documentation
| +|Etcd TLS Certificate Files Not Properly Set
075ca296-6768-4322-aea2-ba5063b969a9|High|Networking and Firewall|When using etcd commands, the '--cert-file' and '--key-file' should be defined (read more)|Documentation
| +|Tiller Deployment Is Accessible From Within The Cluster
e17fa86a-6222-4584-a914-56e8f6c87e06|High|Networking and Firewall|Check if any Tiller Deployment container allows access from within the cluster. (read more)|Documentation
| +|Secure Port Set To Zero
3d24b204-b73d-42cb-b0bf-1a5438c5f71e|High|Networking and Firewall|When using kube-apiserver command, the --secure-port flag should not be 0 (read more)|Documentation
| +|Etcd TLS Certificate Not Properly Configured
895a5a95-3756-4b04-9924-2f3bc93181bd|High|Networking and Firewall|When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined (read more)|Documentation
| +|Insecure Port Not Properly Set
fa4def8c-1898-4a35-a139-7b76b1acdef0|High|Networking and Firewall|When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0 (read more)|Documentation
| +|PSP With Unrestricted Access to Host Path
de4421f1-4e35-43b4-9783-737dd4e4a47e|High|Resource Management|PodSecurityPolicy should set 'readOnly' to true in every host path allowed (read more)|Documentation
| +|Auto TLS Set To True
98ce8b81-7707-4734-aa39-627c6db3d84b|High|Secret Management|When using etcd commands, the '--auto-tls' should be set to false (read more)|Documentation
| +|Peer Auto TLS Set To True
ae8827e2-4af9-4baa-9998-87539ae0d6f0|High|Secret Management|When using etcd commands, the '--peer-auto-tls' should be set to false (read more)|Documentation
| +|RBAC Roles with Exec Permission
c589f42c-7924-4871-aee2-1cede9bc7cbc|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments (read more)|Documentation
| +|Authorization Mode RBAC Not Set
1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e|Medium|Access Control|When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode (read more)|Documentation
| +|Anonymous Auth Is Not Set To False
1de5cc51-f376-4638-a940-20f2e85ae238|Medium|Access Control|When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false) (read more)|Documentation
| +|Service Account Admission Control Plugin Disabled
9587c890-0524-40c2-9ce2-663af7c2f063|Medium|Access Control|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin (read more)|Documentation
| +|Authorization Mode Set To Always Allow
f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5|Medium|Access Control|When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode (read more)|Documentation
| +|RBAC Roles with Impersonate Permission
9f85c3f6-26fd-4007-938a-2e0cb0100980|Medium|Access Control|Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation (read more)|Documentation
| +|RBAC Roles with Attach Permission
d45330fd-f58d-45fb-a682-6481477a0f84|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments (read more)|Documentation
| +|Non Kube System Pod With Host Mount
aa8f7a35-9923-4cad-bd61-a19b7f6aac91|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|RBAC Roles Allow Privilege Escalation
8320826e-7a9c-4b0b-9535-578333193432|Medium|Access Control|Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges (read more)|Documentation
| +|RBAC Roles with Port-Forwarding Permission
38fa11ef-dbcc-4da8-9680-7e1fd855b6fb|Medium|Access Control|Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions (read more)|Documentation
| +|Permissive Access to Create Pods
592ad21d-ad9b-46c6-8d2d-fad09d62a942|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Readiness Probe Is Not Configured
a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Terminated Pod Garbage Collector Threshold Not Properly Set
49113af4-29ca-458e-b8d4-724c01a4a24f|Medium|Availability|When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501 (read more)|Documentation
| +|Request Timeout Not Properly Set
d89a15bb-8dba-4c71-9529-bef6729b9c09|Medium|Availability|When using kube-apiserver command, the '--request-timeout' flag value should not be too long (read more)|Documentation
| +|Container Running With Low UID
02323c00-cdc3-4fdc-a310-4f2b3e7a1660|Medium|Best Practices|Check if containers are running with low UID, which might cause conflicts with the host's user table. (read more)|Documentation
| +|Root Containers Admitted
e3aa0612-4351-4a0d-983f-aefea25cf203|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Container Running As Root
cf34805e-3872-4c08-bf92-6ff7bb0cfadb|Medium|Best Practices|Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
3878dc92-8e5d-47cf-9cdd-7590f71d21b9|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Always Pull Images Admission Control Plugin Not Set
a77f4d07-c6e0-4a48-8b35-0eeb51576f4f|Medium|Build Process|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Weak TLS Cipher Suites
510d5810-9a30-443a-817d-5c1fa527b110|Medium|Encryption|TLS Connection should use strong Cipher Suites (read more)|Documentation
| +|Root CA File Not Defined
05fb986f-ac73-4ebb-a5b2-7faafa93d882|Medium|Encryption|When using kube-controller-manager commands, the '--root-ca-file' should be defined (read more)|Documentation
| +|Encryption Provider Not Properly Configured
10efce34-5af6-4d83-b414-9e096d5a06a9|Medium|Encryption|The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider (read more)|Documentation
| +|Encryption Provider Config Is Not Defined
cbd2db69-0b21-4c14-8a40-7710a50571a9|Medium|Encryption|When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file (read more)|Documentation
| +|Authorization Mode Node Not Set
4d7ee40f-fc5d-427d-8cac-dffbe22d42d1|Medium|Insecure Configurations|When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode (read more)|Documentation
| +|PSP Set To Privileged
c48e57d3-d642-4e0b-90db-37f807b41b91|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Using Unrecommended Namespace
611ab018-c4aa-4ba2-b0f6-a448337509a6|Medium|Insecure Configurations|Namespaces like 'default', 'kube-system' or 'kube-public' should not be used (read more)|Documentation
| +|Containers With Added Capabilities
19ebaa28-fc86-4a58-bcfa-015c9e22fe40|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|Containers With Sys Admin Capabilities
235236ee-ad78-4065-bd29-61b061f28ce0|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|PSP With Added Capabilities
7307579a-3abb-46ad-9ce5-2a915634d5c8|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|Seccomp Profile Is Not Configured
f377b83e-bd07-4f48-a591-60c82b14a78b|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
dbbc6705-d541-43b0-b166-dd4be8208b54|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|Kubelet Protect Kernel Defaults Set To False
6cf42c97-facd-4fda-b8af-ea4529123355|Medium|Insecure Configurations|--protect-kernel-defaults should be set to true (read more)|Documentation
| +|Ingress Controller Exposes Workload
69bbc5e3-0818-4150-89cc-1e989b48f23b|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|Not Limited Capabilities For Container
2f1a0619-b12b-48a0-825f-993bb6f01d58|Medium|Insecure Configurations|Limit the capabilities for a Container. (read more)|Documentation
| +|PSP Allows Sharing Host PID
91dacd0e-d189-4a9c-8272-5999a3cc32d9|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host process ID namespace (read more)|Documentation
| +|PSP Allows Privilege Escalation
87554eef-154d-411d-bdce-9dbd91e56851|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
2270987f-bb51-479f-b8be-3ca73e5ad648|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Security Context Deny Admission Control Plugin Not Set
6a68bebe-c021-492e-8ddb-55b0567fb768|Medium|Insecure Configurations|When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set (read more)|Documentation
| +|PSP Allows Sharing Host IPC
80f93444-b240-4ebb-a4c6-5c40b76c04ea|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
5308a7a8-06f8-45ac-bf10-791fe21de46e|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Container Runs Unmasked
f922827f-aab6-447c-832a-e1ff63312bd3|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Service Account Name Undefined Or Empty
591ade62-d6b0-4580-b1ae-209f80ba1cd9|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
48471392-d4d0-47c0-b135-cdec95eb3eef|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Service With External Load Balancer
26763a1c-5dda-4772-b507-5fca7fb5f165|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Pod Misconfigured Network Policy
0401f71b-9c1e-4821-ab15-a955caa621be|Medium|Networking and Firewall|Check if any pod is not being targeted by a proper network policy. (read more)|Documentation
| +|Kubelet Streaming Connection Timeout Disabled
ed89b97d-04e9-4fd4-919f-ee5b27e555e9|Medium|Networking and Firewall|The flag --streaming-connection-idle-timeout should not be set to 0 (read more)|Documentation
| +|CNI Plugin Does Not Support Network Policies
03aabc8c-35d6-481e-9c85-20139cf72d23|Medium|Networking and Firewall|Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster (read more)|Documentation
| +|Kubelet Read Only Port Is Not Set To Zero
2940d48a-dc5e-4178-a3f8-bfbd80720b41|Medium|Networking and Firewall|When using the kubelet command, the read-only port should be set to zero (--read-only-port=0) (read more)|Documentation
| +|Kubelet Not Managing Ip Tables
5f89001f-6dd9-49ff-9b15-d8cd71b617f4|Medium|Networking and Firewall|Kubelet argument --make-iptables-util-chains should be true (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Audit Policy File Not Defined
13a49a2e-488e-4309-a7c0-d6b05577a5fb|Medium|Observability|When using kube-apiserver command, the '--audit-policy-file' flag should be defined (read more)|Documentation
| +|Audit Log Path Not Set
73e251f0-363d-4e53-86e2-0a93592437eb|Medium|Observability|When using kube-apiserver command, the 'audit-log-path' flag should be defined (read more)|Documentation
| +|Memory Requests Not Defined
229588ef-8fde-40c8-8756-f4f2b5825ded|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Limits Not Set
4ac0e2b7-d2d2-4af7-8799-e8de6721ccda|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
b7652612-de4e-4466-a0bf-1cd81f0c6063|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|CPU Requests Not Set
ca469dd4-c736-448f-8ac1-30a642705e0a|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Shared Host IPC Namespace
cd290efd-6c82-4e9d-a698-be12ae31d536|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Shared Host Network Namespace
6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Memory Limits Not Defined
b14d1bc4-a208-45db-92f0-e21f8e2588e9|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Shared Service Account
c1032cf7-3628-44e2-bd53-38c17cf31b6b|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Etcd Peer Client Certificate Authentication Set To False
b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff|Medium|Secret Management|When using etcd commands, the '--peer-client-cert-auth' flag should be set to true (read more)|Documentation
| +|ServiceAccount Allows Access Secrets
056ac60e-fe07-4acc-9b34-8e1d51716ab9|Medium|Secret Management|Roles and ClusterRoles when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Etcd Client Certificate Authentication Set To False
9391103a-d8d7-4671-ac5d-606ba7ccb0ac|Medium|Secret Management|When using etcd commands, the '--client-cert-auth' flag should be defined (read more)|Documentation
| +|Kubelet Client Periodic Certificate Switch Disabled
52d70f2e-3257-474c-b3dc-8ad9ba6a061a|Medium|Secret Management|Kubelet argument --rotate-certificates should be true (read more)|Documentation
| +|Not Unique Certificate Authority
cb7e695d-6a85-495c-b15f-23aed2519303|Medium|Secret Management|Certificate Authority should be unique for etcd (read more)|Documentation
| +|Kubelet Client Certificate Or Key Not Set
36a27826-1bf5-49da-aeb0-a60a30c0e834|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set (read more)|Documentation
| +|Kubelet Certificate Authority Not Set
ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0|Medium|Secret Management|When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set (read more)|Documentation
| +|Service Account Key File Not Properly Set
dab4ec72-ce2e-4732-b7c3-1757dcce01a1|Medium|Secret Management|When using kube-apiserver command, the '--service-account-key-file' flag should be defined (read more)|Documentation
| +|Etcd Client Certificate File Not Defined
3f5ff8a7-5ad6-4d02-86f5-666307da1b20|Medium|Secret Management|When using kube-apiserver commands, the '--etcd-cafile' flag should be defined (read more)|Documentation
| +|Rotate Kubelet Server Certificate Not Active
1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2|Medium|Secret Management|The RotateKubeletServerCertificate argument should be true (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
249328b8-5f0f-409f-b1dd-029f07882e11|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Missing AppArmor Profile
8b36775e-183d-4d46-b0f7-96a6f34a723f|Low|Access Control|Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
a6f34658-fdfb-4154-9536-56d516f65828|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|Event Rate Limit Admission Control Plugin Not Set
e0099af2-fe17-411f-9991-0de28fe15f3c|Low|Availability|When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|StatefulSet Without Service Name
bb241e61-77c3-4b97-9575-c0f8a1e008d0|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|Liveness Probe Is Not Defined
ade74944-a674-4e00-859e-c6eab5bde441|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|HPA Targeted Deployments With Configured Replica Count
5744cbb8-5946-4b75-a196-ade44449525b|Low|Availability|Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set (read more)|Documentation
| +|HPA Targets Invalid Object
2f652c42-619d-4361-b361-9f599688f8ca|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
b23e9b98-0cb6-4fc9-b257-1f3270442678|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|No Drop Capabilities for Containers
268ca686-7fb7-4ae9-b129-955a2a89064e|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
1123031a-f921-4c5b-bd86-ef354ecfd37a|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Object Is Using A Deprecated API Version
94b76ea5-e074-4ca2-8a03-c5a606e30645|Low|Best Practices|Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions. (read more)|Documentation
| +|Namespace Lifecycle Admission Control Plugin Disabled
1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37|Low|Build Process|When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin (read more)|Documentation
| +|Image Policy Webhook Admission Control Plugin Not Set
14abda69-8e91-4acb-9931-76e2bee90284|Low|Build Process|When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file (read more)|Documentation
| +|Root Container Not Mounted Read-only
a9c2f49d-0671-4fc9-9ece-f4e261e128d0|Low|Build Process|Check if the root container filesystem is not being mounted read-only. (read more)|Documentation
| +|StatefulSet Requests Storage
8cf4671a-cf3d-46fc-8389-21e7405063a2|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Kubelet Hostname Override Is Set
bf36b900-b5ef-4828-adb7-70eb543b7cfb|Low|Insecure Configurations|Hostnames should not be overrided (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
caa3479d-885d-4882-9aac-95e5e78ef5c2|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Dashboard Is Enabled
d2ad057f-0928-41ef-a83c-f59203bb855b|Low|Insecure Configurations|If not needed, disabling the dashboard can prevent from being used as an attack vector (read more)|Documentation
| +|Pod or Container Without ResourceQuota
48a5beba-e4c0-4584-a2aa-e6894e4cf424|Low|Insecure Configurations|Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume (read more)|Documentation
| +|Pod or Container Without Security Context
a97a340a-0063-418e-b3a1-3028941d0995|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Image Without Digest
7c81d34c-8e5a-402b-9798-9f442630e678|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Service Does Not Target Pod
3ca03a61-3249-4c16-8427-6f8e47dda729|Low|Insecure Configurations|Service should Target a Pod (read more)|Documentation
| +|Pod or Container Without LimitRange
4a20ebac-1060-4c81-95d1-1f7f620e983b|Low|Insecure Configurations|Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries (read more)|Documentation
| +|Service Type is NodePort
845acfbe-3e10-4b8e-b656-3b404d36dfb2|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
2b1836f1-dcce-416e-8e16-da8c71920633|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|Kubelet Event QPS Not Properly Set
1a07a446-8e61-4e4d-bc16-b0781fcb8211|Low|Observability|When using the kubelet command, the '--event-qps' should be set to 0 (read more)|Documentation
| +|Profiling Not Set To False
2f491173-6375-4a84-b28e-a4e2b9a58a69|Low|Observability|When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false (read more)|Documentation
| +|Audit Log Maxage Not Properly Set
da9f3aa8-fbfb-472f-b5a1-576127944218|Low|Observability|When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days (read more)|Documentation
| +|Audit Log Maxbackup Not Properly Set
768aab52-2504-4a2f-a3e3-329d5a679848|Low|Observability|When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files (read more)|Documentation
| +|Audit Policy Not Cover Key Security Concerns
1828a670-5957-4bc5-9974-47da228f75e2|Low|Observability|Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies (read more)|Documentation
| +|Audit Log Maxsize Not Properly Set
35c0a471-f7c8-4993-aa2c-503a3c712a66|Low|Observability|When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes (read more)|Documentation
| +|CronJob Deadline Not Configured
192fe40b-b1c3-448a-aba2-6cc19a300fe3|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined (read more)|Documentation
| +|StatefulSet Has No PodAntiAffinity
d740d048-8ed3-49d3-b77b-6f072f3b669e|Low|Resource Management|Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Container Memory Requests Not Equal To It's Limits
aafa7d94-62de-4fbf-8838-b69ee217b0e6|Low|Resource Management|A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined. (read more)|Documentation
| +|Container Requests Not Equal To It's Limits
aee3c7d2-a811-4201-90c7-11c028be9a46|Low|Resource Management|Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
a31b7b82-d994-48c4-bd21-3bab6c31827a|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Container CPU Requests Not Equal To It's Limits
9d43040e-e703-4e16-8bfe-8d4da10fa7e6|Low|Resource Management|A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined. (read more)|Documentation
| +|Secrets As Environment Variables
3d658f8b-d988-41a0-a841-40043121de1e|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image Tag
583053b7-e632-46f0-b989-f81ff8045385|Low|Supply-Chain|Image tag must be defined and not be empty or equal to latest. (read more)|Documentation
| +|Ensure Administrative Boundaries Between Resources
e84eaf4d-2f45-47b2-abe8-e581b06deb66|Info|Access Control|As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces. (read more)|Documentation
| +|Using Kubernetes Native Secret Management
b9c83569-459b-4110-8f79-6305aa33cb37|Info|Secret Management|Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited (read more)|Documentation
| diff --git a/docs/queries/kubernetes-queries/02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md b/docs/queries/kubernetes-queries/02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md new file mode 100644 index 00000000000..f67387b3e04 --- /dev/null +++ b/docs/queries/kubernetes-queries/02323c00-cdc3-4fdc-a310-4f2b3e7a1660.md @@ -0,0 +1,315 @@ +--- +title: Container Running With Low UID +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 02323c00-cdc3-4fdc-a310-4f2b3e7a1660 +- **Query name:** Container Running With Low UID +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/containers_run_with_low_uid) + +### Description +Check if containers are running with low UID, which might cause conflicts with the host's user table.
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-2 +spec: + securityContext: + runAsUser: 1000 + containers: + - name: sec-ctx-demo-2 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 2000 + allowPrivilegeEscalation: false + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18 13" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-2 +spec: + securityContext: + runAsUser: 10 + runAsNonRoot: false + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 333 + runAsNonRoot: false + - name: sec-ctx-demo-200 + image: gcr.io/google-samples/node-hedwfwllo:1.0 + securityContext: + runAsUser: 340 + runAsNonRoot: false + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +apiVersion: v1 +kind: Pod +metadata: + name: containers-runs-as-root +spec: + securityContext: + runAsNonRoot: false + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 13 + runAsNonRoot: false + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="18" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + securityContext: + runAsUser: 1200 + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + readOnlyRootFilesystem: true + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + securityContext: + readOnlyRootFilesystem: true + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="28 22" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + readOnlyRootFilesystem: true + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + securityContext: + readOnlyRootFilesystem: true + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="32 25" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + securityContext: + runAsUser: 12000 + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + runAsUser: 1234 + readOnlyRootFilesystem: true + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + securityContext: + runAsUser: 5678 + readOnlyRootFilesystem: true + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="25 23" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + runAsUser: 1234 + readOnlyRootFilesystem: true + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-2 +spec: + securityContext: + runAsUser: 10000 + containers: + - name: sec-ctx-demo-2 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 10100 + allowPrivilegeEscalation: false + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + securityContext: + runAsUser: 65532 + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + readOnlyRootFilesystem: true + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + securityContext: + runAsUser: 19000 + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + runAsUser: 12000 + readOnlyRootFilesystem: true + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + securityContext: + readOnlyRootFilesystem: true + +``` diff --git a/docs/queries/kubernetes-queries/03aabc8c-35d6-481e-9c85-20139cf72d23.md b/docs/queries/kubernetes-queries/03aabc8c-35d6-481e-9c85-20139cf72d23.md new file mode 100644 index 00000000000..ed852e747f7 --- /dev/null +++ b/docs/queries/kubernetes-queries/03aabc8c-35d6-481e-9c85-20139cf72d23.md 
@@ -0,0 +1,91 @@ +--- +title: CNI Plugin Does Not Support Network Policies +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 03aabc8c-35d6-481e-9c85-20139cf72d23 +- **Query name:** CNI Plugin Does Not Support Network Policies +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/cni_plugin_does_not_support_network_policies) + +### Description +Ensure the use of CNI Plugin that support Network Policies. If the CNI Plugin in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster
+[Documentation](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="10 6" +{ + "name": "k8s-pod-network", + "cniVersion": "0.3.0", + "plugins": [ + { + "type": "flannel", + "log_level": "info", + "datastore_type": "kubernetes", + "nodename": "127.0.0.1", + "ipam": { + "type": "host-local", + "subnet": "usePodCidr" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/flannel-kubeconfig" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + ] +} + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "name": "k8s-pod-network", + "cniVersion": "0.3.0", + "plugins": [ + { + "type": "calico", + "log_level": "info", + "datastore_type": "kubernetes", + "nodename": "127.0.0.1", + "ipam": { + "type": "host-local", + "subnet": "usePodCidr" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "/etc/cni/net.d/calico-kubeconfig" + } + }, + { + "type": "portmap", + "capabilities": {"portMappings": true} + } + ] +} + +``` diff --git a/docs/queries/kubernetes-queries/0401f71b-9c1e-4821-ab15-a955caa621be.md b/docs/queries/kubernetes-queries/0401f71b-9c1e-4821-ab15-a955caa621be.md new file mode 100644 index 00000000000..58fccabfd1e --- /dev/null +++ b/docs/queries/kubernetes-queries/0401f71b-9c1e-4821-ab15-a955caa621be.md 
@@ -0,0 +1,194 @@ +--- +title: Pod Misconfigured Network Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0401f71b-9c1e-4821-ab15-a955caa621be +- **Query name:** Pod Misconfigured Network Policy +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/pod_misconfigured_network_policy) + +### Description +Check if any pod is not being targeted by a proper network policy.
+[Documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +apiVersion: v1 +kind: Pod +metadata: + name: positive1-pod + namespace: positive1-one + labels: + app: shouldmatch +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: positive1-netpol + labels: + policy: no-ingress-no-egress + namespace: positive1-anotherone +spec: + podSelector: + matchLabels: + app: shouldmatch + policyTypes: [] + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +apiVersion: v1 +kind: Pod +metadata: + name: positive2-pod + namespace: positive2 +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: positive2-netpol + namespace: positive2 +spec: + podSelector: {} + policyTypes: [] + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: negative1-pod + namespace: negative1 +spec: + securityContext: + runAsUser: 1000 + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: negative1-policy + namespace: negative1 +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + +``` +```yaml title="Negative test num. 
2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: negative2-pod + namespace: negative2-namespace + labels: + app: negative2-app +spec: + securityContext: + runAsUser: 1000 + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: negative2-policy + namespace: negative2-othernamespace +spec: + podSelector: + matchLabels: + app: negative2-app + policyTypes: + - Ingress + egress: + - to: + - ipBlock: + cidr: 10.0.0.0/24 + ports: + - protocol: TCP + port: 5978 + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: negative3-pod + namespace: negative3 +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: negative3-netpol + labels: + policy: just-egress + namespace: negative3 +spec: + podSelector: {} + egress: + - to: + - ipBlock: + cidr: 10.0.0.0/24 + ports: + - protocol: TCP + port: 5978 + +``` diff --git a/docs/queries/kubernetes-queries/056ac60e-fe07-4acc-9b34-8e1d51716ab9.md b/docs/queries/kubernetes-queries/056ac60e-fe07-4acc-9b34-8e1d51716ab9.md new file mode 100644 index 00000000000..b5a519a2d17 --- /dev/null +++ b/docs/queries/kubernetes-queries/056ac60e-fe07-4acc-9b34-8e1d51716ab9.md 
@@ -0,0 +1,279 @@ +--- +title: ServiceAccount Allows Access Secrets +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 056ac60e-fe07-4acc-9b34-8e1d51716ab9 +- **Query name:** ServiceAccount Allows Access Secrets +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_account_allows_access_secrets) + +### Description +Roles and ClusterRoles when binded, should not use get, list or watch as verbs
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 34 58" +#Vulnerable Role +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: assembly-prod + name: testRoleVulnerable +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: testRoleBinding + namespace: bindingTestWithBinding +subjects: +- kind: ServiceAccount + name: testsa + apiGroup: "" +roleRef: + kind: Role + name: testRoleVulnerable + apiGroup: rbac.authorization.k8s.io +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: assembly-prod + name: testRoleVulnerable2 +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["*"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: testRoleBinding + namespace: bindingTestWithBinding2 +subjects: +- kind: ServiceAccount + name: testsa + apiGroup: "" +roleRef: + kind: Role + name: testRoleVulnerable2 + apiGroup: rbac.authorization.k8s.io +--- +# Vulnerable Cluster Role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: testClusterRoleVulnerable +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["update", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: bindingTestClusterRoleWithBinding + namespace: bindingTestClusterRoleWithBindingNamespace +subjects: +- kind: ServiceAccount + name: testsa + apiGroup: "" +roleRef: + kind: ClusterRole + name: testClusterRoleVulnerable + apiGroup: rbac.authorization.k8s.io + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +# Vulnerable Role Without Binding +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: assembly-prod + name: testRoleWithoutBindingVulnerable +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +# Vulnerable Role With Binding Not Service Account +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: assembly-prod + name: testRoleWithBindingVulnerableNotSA +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: bindingNotSATestRoleWithBindingVulnerable + namespace: bindingNotSATestRoleWithBindingVulnerableNamespace +subjects: +- kind: NotServiceAccount + name: testsa + apiGroup: "" +roleRef: + kind: Role + name: testRoleWithBindingVulnerableNotSA + apiGroup: rbac.authorization.k8s.io +--- +# Safe Role With Binding +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: assembly-prod + name: testRoleWithBindingSafe +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["update"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: bindingtestRoleWithBindingSafe + namespace: bindingtestRoleWithBindingSafeNamespace +subjects: +- kind: ServiceAccount + name: testsa + apiGroup: "" +roleRef: + kind: Role + name: testRoleWithBindingSafe + apiGroup: rbac.authorization.k8s.io +--- +# Vulnerable Role with Pod +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: assembly-prod + name: testRoleVulnerablePod +rules: +- apiGroups: [""] + resources: ["pod"] + verbs: ["get", "watch", "list"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: testRoleBinding + namespace: bindingTestWithBindingPod +subjects: +- kind: ServiceAccount + name: testsa + apiGroup: "" +roleRef: + kind: Role + name: testRoleVulnerablePod + apiGroup: rbac.authorization.k8s.io 
+--- +# Vulnerable Cluster Role Without Binding +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: testClusterRoleWithoutBindingVulnerable +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +# Vulnerable Cluster Role With Binding Not Service Account +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + namespace: default + name: testClusterRoleWithBindingVulnerableNotSA +rules: +- apiGroups: [""] # "" indicates the core API group + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: bindingNotSATestClusterRoleWithBindingVulnerable + namespace: bindingNotSATestClusterRoleWithBindingVulnerableNamespace +subjects: +- kind: NotServiceAccount + name: testsa + apiGroup: "" +roleRef: + kind: ClusterRole + name: testClusterRoleWithBindingVulnerableNotSA + apiGroup: rbac.authorization.k8s.io +--- +# Safe ClusterRole With Binding +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + namespace: default + name: testClusterRoleWithBindingSafe +rules: +- apiGroups: [""] # "" indicates the core API group + resources: ["secrets"] + verbs: ["update"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: bindingTestClusterRoleWithBindingSafe + namespace: bindingTestClusterRoleWithBindingSafeNamespace +subjects: +- kind: NotServiceAccount + name: testsa + apiGroup: "" +roleRef: + kind: ClusterRole + name: testClusterRoleWithBindingSafe + apiGroup: rbac.authorization.k8s.io +--- +# Vulnerable Cluster Role With Pod +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: testClusterRoleVulnerablePod +rules: +- apiGroups: [""] + resources: ["pod"] + verbs: ["update", "list"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: bindingTestClusterRoleWithBinding + namespace: 
bindingTestClusterRoleWithBindingNamespace +subjects: +- kind: ServiceAccount + name: testsa + apiGroup: "" +roleRef: + kind: ClusterRole + name: testClusterRoleVulnerablePod + apiGroup: rbac.authorization.k8s.io +``` diff --git a/docs/queries/kubernetes-queries/05fb986f-ac73-4ebb-a5b2-7faafa93d882.md b/docs/queries/kubernetes-queries/05fb986f-ac73-4ebb-a5b2-7faafa93d882.md new file mode 100644 index 00000000000..f7d195a2179 --- /dev/null +++ b/docs/queries/kubernetes-queries/05fb986f-ac73-4ebb-a5b2-7faafa93d882.md @@ -0,0 +1,81 @@ +--- +title: Root CA File Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 05fb986f-ac73-4ebb-a5b2-7faafa93d882 +- **Query name:** Root CA File Not Defined +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/root_ca_file_not_defined) + +### Description +When using kube-controller-manager commands, the '--root-ca-file' should be defined
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: ["--root-ca-file=/path/to/ca/file.pem"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager","--root-ca-file=/path/to/ca/file.pem"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/075ca296-6768-4322-aea2-ba5063b969a9.md b/docs/queries/kubernetes-queries/075ca296-6768-4322-aea2-ba5063b969a9.md new file mode 100644 index 00000000000..1209e40609e --- /dev/null +++ b/docs/queries/kubernetes-queries/075ca296-6768-4322-aea2-ba5063b969a9.md 
@@ -0,0 +1,145 @@ +--- +title: Etcd TLS Certificate Files Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 075ca296-6768-4322-aea2-ba5063b969a9 +- **Query name:** Etcd TLS Certificate Files Not Properly Set +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/etcd_tls_certificate_files_not_properly_set) + +### Description +When using etcd commands, the '--cert-file' and '--key-file' should be defined
+[Documentation](https://etcd.io/docs/v3.4/op-guide/security/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--cert-file=/etc/env/file.crt"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--key-file=/etc/env/file2.key"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--cert-file=/etc/env/file.crt", "--key-file=/etc/env/file2.key"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 
2 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd", "--cert-file=/etc/env/file.crt", "--key-file=/etc/env/file2.key"] + args: [] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/09bb9e96-8da3-4736-b89a-b36814acca60.md b/docs/queries/kubernetes-queries/09bb9e96-8da3-4736-b89a-b36814acca60.md new file mode 100644 index 00000000000..ab3ca248145 --- /dev/null +++ b/docs/queries/kubernetes-queries/09bb9e96-8da3-4736-b89a-b36814acca60.md @@ -0,0 +1,145 @@ +--- +title: Etcd Peer TLS Certificate Files Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 09bb9e96-8da3-4736-b89a-b36814acca60 +- **Query name:** Etcd Peer TLS Certificate Files Not Properly Set +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/etcd_peer_tls_certificate_files_not_properly_set) + +### Description +When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined
+[Documentation](https://etcd.io/docs/v3.4/op-guide/security/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--peer-cert-file=/etc/env/file.crt"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--peer-key-file=/etc/env/file2.key"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--peer-cert-file=/etc/env/file.crt", "--peer-key-file=/etc/env/file2.key"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 
2 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd", "--peer-cert-file=/etc/env/file.crt", "--peer-key-file=/etc/env/file2.key"] + args: [] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/10efce34-5af6-4d83-b414-9e096d5a06a9.md b/docs/queries/kubernetes-queries/10efce34-5af6-4d83-b414-9e096d5a06a9.md new file mode 100644 index 00000000000..55ac97246a4 --- /dev/null +++ b/docs/queries/kubernetes-queries/10efce34-5af6-4d83-b414-9e096d5a06a9.md @@ -0,0 +1,75 @@ +--- +title: Encryption Provider Not Properly Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 10efce34-5af6-4d83-b414-9e096d5a06a9 +- **Query name:** Encryption Provider Not Properly Configured +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/encryption_provider_not_properly_configured) + +### Description +The EncryptionConfiguration should be configured to have at least one 'aescbc', 'kms' or 'secretbox' provider
+[Documentation](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#understanding-the-encryption-at-rest-configuration) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +apiVersion: apiserver.config.k8s.io/v1 +kind: EncryptionConfiguration +resources: + - resources: + - secrets + providers: + - identity: {} + - aesgcm: + keys: + - name: key1 + secret: c2VjcmV0IGlzIHNlY3VyZQ== + - name: key2 + secret: dGhpcyBpcyBwYXNzd29yZA== + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apiserver.config.k8s.io/v1 +kind: EncryptionConfiguration +resources: + - resources: + - secrets + providers: + - identity: {} + - aesgcm: + keys: + - name: key1 + secret: c2VjcmV0IGlzIHNlY3VyZQ== + - name: key2 + secret: dGhpcyBpcyBwYXNzd29yZA== + - aescbc: + keys: + - name: key1 + secret: c2VjcmV0IGlzIHNlY3VyZQ== + - name: key2 + secret: dGhpcyBpcyBwYXNzd29yZA== + - secretbox: + keys: + - name: key1 + secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY= + +``` diff --git a/docs/queries/kubernetes-queries/1123031a-f921-4c5b-bd86-ef354ecfd37a.md b/docs/queries/kubernetes-queries/1123031a-f921-4c5b-bd86-ef354ecfd37a.md new file mode 100644 index 00000000000..1e044999e25 --- /dev/null +++ b/docs/queries/kubernetes-queries/1123031a-f921-4c5b-bd86-ef354ecfd37a.md @@ -0,0 +1,78 @@ +--- +title: Metadata Label Is Invalid +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1123031a-f921-4c5b-bd86-ef354ecfd37a +- **Query name:** Metadata Label Is Invalid +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/metadata_label_is_invalid) + +### Description +Check if any label in the metadata is invalid.
+[Documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +apiVersion: v1 +kind: Pod +metadata: + name: goproxy + labels: + app: g**dy.l+bel. +spec: + containers: + - name: goproxy + image: k8s.gcr.io/goproxy:0.1 + ports: + - containerPort: 8080 + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: goproxy + labels: + app: goproxy +spec: + containers: + - name: goproxy + image: k8s.gcr.io/goproxy:0.1 + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 + +``` diff --git a/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md b/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md new file mode 100644 index 00000000000..2d694bc3a2e --- /dev/null +++ b/docs/queries/kubernetes-queries/13a49a2e-488e-4309-a7c0-d6b05577a5fb.md @@ -0,0 +1,252 @@ +--- +title: Audit Policy File Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 13a49a2e-488e-4309-a7c0-d6b05577a5fb +- **Query name:** Audit Policy File Not Defined +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/audit_policy_file_not_defined) + +### Description +When using kube-apiserver command, the '--audit-policy-file' flag should be defined
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--audit-policy-file=./not/valid/file.yaml"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="12" +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + name: dummy + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-policy-file=/home/miguel/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative1.yaml"] + restartPolicy: OnFailure +--- +apiVersion: audit.k8s.io/v1 # This is required. +kind: Policy +# Don't generate audit events for all requests in RequestReceived stage. 
+omitStages: + - "RequestReceived" +rules: + # Log pod changes at RequestResponse level + - level: RequestResponse + resources: + - group: "" + # Resource "pods" doesn't match requests to any subresource of pods, + # which is consistent with the RBAC policy. + resources: ["pods"] + # Log "pods/log", "pods/status" at Metadata level + - level: Metadata + resources: + - group: "" + resources: ["pods/log", "pods/status"] + + # Don't log requests to a configmap called "controller-leader" + - level: None + resources: + - group: "" + resources: ["configmaps"] + resourceNames: ["controller-leader"] + + # Don't log watch requests by the "system:kube-proxy" on endpoints or services + - level: None + users: ["system:kube-proxy"] + verbs: ["watch"] + resources: + - group: "" # core API group + resources: ["endpoints", "services"] + + # Don't log authenticated requests to certain non-resource URL paths. + - level: None + userGroups: ["system:authenticated"] + nonResourceURLs: + - "/api*" # Wildcard matching. + - "/version" + + # Log the request body of configmap changes in kube-system. + - level: Request + resources: + - group: "" # core API group + resources: ["configmaps"] + # This rule only applies to resources in the "kube-system" namespace. + # The empty string "" can be used to select non-namespaced resources. + namespaces: ["kube-system"] + + # Log configmap and secret changes in all other namespaces at the Metadata level. + - level: Metadata + resources: + - group: "" # core API group + resources: ["secrets", "configmaps"] + + # Log all other resources in core and extensions at the Request level. + - level: Request + resources: + - group: "" # core API group + - group: "extensions" # Version of group should NOT be included. + + # A catch-all rule to log all other requests at the Metadata level. + - level: Metadata + # Long-running requests like watches that fall under this rule will not + # generate an audit event in RequestReceived. 
+ omitStages: + - "RequestReceived" + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--audit-policy-file=/home/miguel/cx/kics/assets/queries/k8s/audit_policy_file_not_defined/test/negative2.yaml"] + args: [] + restartPolicy: OnFailure +--- +apiVersion: audit.k8s.io/v1 # This is required. +kind: Policy +# Don't generate audit events for all requests in RequestReceived stage. +omitStages: + - "RequestReceived" +rules: + # Log pod changes at RequestResponse level + - level: RequestResponse + resources: + - group: "" + # Resource "pods" doesn't match requests to any subresource of pods, + # which is consistent with the RBAC policy. + resources: ["pods"] + # Log "pods/log", "pods/status" at Metadata level + - level: Metadata + resources: + - group: "" + resources: ["pods/log", "pods/status"] + + # Don't log requests to a configmap called "controller-leader" + - level: None + resources: + - group: "" + resources: ["configmaps"] + resourceNames: ["controller-leader"] + + # Don't log watch requests by the "system:kube-proxy" on endpoints or services + - level: None + users: ["system:kube-proxy"] + verbs: ["watch"] + resources: + - group: "" # core API group + resources: ["endpoints", "services"] + + # Don't log authenticated requests to certain non-resource URL paths. + - level: None + userGroups: ["system:authenticated"] + nonResourceURLs: + - "/api*" # Wildcard matching. + - "/version" + + # Log the request body of configmap changes in kube-system. + - level: Request + resources: + - group: "" # core API group + resources: ["configmaps"] + # This rule only applies to resources in the "kube-system" namespace. + # The empty string "" can be used to select non-namespaced resources. 
+ namespaces: ["kube-system"] + + # Log configmap and secret changes in all other namespaces at the Metadata level. + - level: Metadata + resources: + - group: "" # core API group + resources: ["secrets", "configmaps"] + + # Log all other resources in core and extensions at the Request level. + - level: Request + resources: + - group: "" # core API group + - group: "extensions" # Version of group should NOT be included. + + # A catch-all rule to log all other requests at the Metadata level. + - level: Metadata + # Long-running requests like watches that fall under this rule will not + # generate an audit event in RequestReceived. + omitStages: + - "RequestReceived" + +``` diff --git a/docs/queries/kubernetes-queries/14abda69-8e91-4acb-9931-76e2bee90284.md b/docs/queries/kubernetes-queries/14abda69-8e91-4acb-9931-76e2bee90284.md new file mode 100644 index 00000000000..bbe9ab1ea1a --- /dev/null +++ b/docs/queries/kubernetes-queries/14abda69-8e91-4acb-9931-76e2bee90284.md @@ -0,0 +1,81 @@ +--- +title: Image Policy Webhook Admission Control Plugin Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 14abda69-8e91-4acb-9931-76e2bee90284 +- **Query name:** Image Policy Webhook Admission Control Plugin Not Set +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/image_policy_webhook_admission_control_plugin_not_set) + +### Description +When using kube-apiserver command, the --enable-admission-plugins flag should have 'ImagePolicyWebhook' plugin and the plugin should be correctly configured in AdmissionControl Config file
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=AlwaysAdmit"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=ImagePolicyWebhook", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--enable-admission-plugins=ImagePolicyWebhook", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/1828a670-5957-4bc5-9974-47da228f75e2.md b/docs/queries/kubernetes-queries/1828a670-5957-4bc5-9974-47da228f75e2.md new file mode 100644 index 00000000000..dc3d314442c --- /dev/null +++ b/docs/queries/kubernetes-queries/1828a670-5957-4bc5-9974-47da228f75e2.md 
@@ -0,0 +1,103 @@ +--- +title: Audit Policy Not Cover Key Security Concerns +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1828a670-5957-4bc5-9974-47da228f75e2 +- **Query name:** Audit Policy Not Cover Key Security Concerns +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/audit_policy_not_cover_key_security_concerns) + +### Description +Audit Policy should cover key security concerns about the sensitive data logged in Kubernetes audit policies
+[Documentation](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +apiVersion: audit.k8s.io/v1 # This is required. +kind: Policy +# Don't generate audit events for all requests in RequestReceived stage. +omitStages: + - "RequestReceived" +rules: + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +apiVersion: audit.k8s.io/v1 # This is required. +kind: Policy +# Don't generate audit events for all requests in RequestReceived stage. +rules: + - level: RequestResponse + resources: + - group: "" + resources: ["secrets","configmaps","tokenreviews"] + - level: Metadata + resources: + - group: "" + resources: ["pods","deployments"] + - level: None + resources: + - group: "" + resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"] + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="6" +apiVersion: audit.k8s.io/v1 # This is required. +kind: Policy +# Don't generate audit events for all requests in RequestReceived stage. +omitStages: + - "RequestReceived" +rules: + - level: Metadata + resources: + - group: "" + resources: ["secrets","configmaps","tokenreviews"] + - level: Metadata + resources: + - group: "" + resources: ["pods"] + - level: RequestResponse + resources: + - group: "" + resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"] + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: audit.k8s.io/v1 # This is required. +kind: Policy +# Don't generate audit events for all requests in RequestReceived stage. 
+omitStages: + - "RequestReceived" +rules: + - level: Metadata + resources: + - group: "" + resources: ["secrets","configmaps","tokenreviews"] + - level: Metadata + resources: + - group: "" + resources: ["pods","deployments"] + - level: RequestResponse + resources: + - group: "" + resources: ["pods/exec", "pods/portforward", "pods/proxy", "services/proxy"] + +``` diff --git a/docs/queries/kubernetes-queries/192fe40b-b1c3-448a-aba2-6cc19a300fe3.md b/docs/queries/kubernetes-queries/192fe40b-b1c3-448a-aba2-6cc19a300fe3.md new file mode 100644 index 00000000000..2829dff61b7 --- /dev/null +++ b/docs/queries/kubernetes-queries/192fe40b-b1c3-448a-aba2-6cc19a300fe3.md @@ -0,0 +1,76 @@ +--- +title: CronJob Deadline Not Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 192fe40b-b1c3-448a-aba2-6cc19a300fe3 +- **Query name:** CronJob Deadline Not Configured +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/cronjob_deadline_not_configured) + +### Description +Cronjobs must have a configured deadline, which means the attribute 'startingDeadlineSeconds' must be defined
+[Documentation](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +#this is a problematic code where the query should report a result(s) +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: hello +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox + args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + restartPolicy: OnFailure +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: hello +spec: + schedule: "*/1 * * * *" + startingDeadlineSeconds: 100 + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox + args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md b/docs/queries/kubernetes-queries/19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md new file mode 100644 index 00000000000..ec892f6f36a --- /dev/null +++ b/docs/queries/kubernetes-queries/19ebaa28-fc86-4a58-bcfa-015c9e22fe40.md @@ -0,0 +1,168 @@ +--- +title: Containers With Added Capabilities +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 19ebaa28-fc86-4a58-bcfa-015c9e22fe40 +- **Query name:** Containers With Added Capabilities +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/containers_with_added_capabilities) + +### Description +Containers should not have extra capabilities allowed
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="43 12" +apiVersion: v1 +kind: Pod +metadata: + name: pod2 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: ["NET_ADMIN", "SYS_TIME"] + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod3 +spec: + initContainers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: ["NET_ADMIN", "SYS_TIME"] + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + containers: + - name: app + image: images.my-company.example/app:v4 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: pod1 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: pod4 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` diff --git a/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md b/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md new file mode 100644 index 00000000000..c40f3a2fada --- /dev/null +++ b/docs/queries/kubernetes-queries/1a07a446-8e61-4e4d-bc16-b0781fcb8211.md @@ -0,0 +1,158 @@ +--- +title: Kubelet Event QPS Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1a07a446-8e61-4e4d-bc16-b0781fcb8211 +- **Query name:** Kubelet Event QPS Not Properly Set +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_event_qps_not_properly_set) + +### Description +When using the kubelet command, the '--event-qps' should be set to 0
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--event-qps=1"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet","--event-qps=3"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +eventRecordQPS: 2 +serializeImagePulls: false +tlsCertFile: "someFile.txt" +tlsPrivateKeyFile: "someFile.txt" +evictionHard: + memory.available: "200Mi" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="2" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +tlsCertFile: "someFile.txt" +tlsPrivateKeyFile: "someFile.txt" +evictionHard: + memory.available: "200Mi" + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--event-qps=0"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +eventRecordQPS: 0 +tlsCertFile: "someFile.txt" +tlsPrivateKeyFile: "someFile.txt" +evictionHard: + memory.available: "200Mi" + +``` +
Negative test num. 4 - json file + +```json +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "port": 10250, + "readOnlyPort": 10255, + "cgroupDriver": "cgroupfs", + "eventRecordQPS": 0, + "hairpinMode": "promiscuous-bridge", + "serializeImagePulls": false, + "featureGates": { + "RotateKubeletClientCertificate": true, + "RotateKubeletServerCertificate": true + } + } + +``` +
diff --git a/docs/queries/kubernetes-queries/1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md b/docs/queries/kubernetes-queries/1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md new file mode 100644 index 00000000000..cfa26b2e2bf --- /dev/null +++ b/docs/queries/kubernetes-queries/1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e.md @@ -0,0 +1,97 @@ +--- +title: Authorization Mode RBAC Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1aa4a1ae-5dbb-48a1-9aa2-630ea4be208e +- **Query name:** Authorization Mode RBAC Not Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/authorization_mode_rbac_not_set) + +### Description +When using kube-apiserver command, the 'authorization-mode' flag should have 'RBAC' mode
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--authorization-mode=AlwaysAllow"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--authorization-mode=Node"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--authorization-mode=RBAC,Node"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--authorization-mode=RBAC,Node"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/1acd93f1-5a37-45c0-aaac-82ece818be7d.md b/docs/queries/kubernetes-queries/1acd93f1-5a37-45c0-aaac-82ece818be7d.md new file mode 100644 index 00000000000..7faae70466c --- /dev/null 
+++ b/docs/queries/kubernetes-queries/1acd93f1-5a37-45c0-aaac-82ece818be7d.md @@ -0,0 +1,97 @@ +--- +title: Use Service Account Credentials Not Set To True +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1acd93f1-5a37-45c0-aaac-82ece818be7d +- **Query name:** Use Service Account Credentials Not Set To True +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/use_service_account_credentials_not_set_to_true) + +### Description +When using kube-controller-manager commands, the '--use-service-account-credentials' should be set to true
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager","--use-service-account-credentials=false"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: ["--use-service-account-credentials=true"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager","--use-service-account-credentials=true"] + args: [] + restartPolicy: OnFailure + +``` 
diff --git a/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md b/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md new file mode 100644 index 00000000000..25eb0721e2a --- /dev/null +++ b/docs/queries/kubernetes-queries/1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2.md @@ -0,0 +1,189 @@ +--- +title: Rotate Kubelet Server Certificate Not Active +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1c621b8e-2c6a-44f5-bd6a-fb0fb7ba33e2 +- **Query name:** Rotate Kubelet Server Certificate Not Active +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/rotate_kubelet_server_certificate_not_active) + +### Description +The RotateKubeletServerCertificate argument should be true
+[Documentation](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" +featureGates: + RotateKubeletServerCertificate: false + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--feature-gates=RotateKubeletServerCertificate=false"] + restartPolicy: OnFailure + +``` +```json title="Postitive test num. 3 - json file" hl_lines="8" +{ + "kind": "KubeletConfiguration", + "address": "192.168.0.8", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "evictionHard": { + "memory.available": "200Mi" + }, + "featureGates": { + "RotateKubeletServerCertificate": false + }, + "port": 20250, + "serializeImagePulls": false +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container7 + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: ["--feature-gates=RotateKubeletServerCertificate=false"] + restartPolicy: OnFailure + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" +featureGates: + RotateKubeletServerCertificate: true + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--feature-gates=RotateKubeletServerCertificate=true"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" + + +``` +
Negative test num. 4 - yaml file + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: [""] + restartPolicy: OnFailure + +``` +
+
Negative test num. 5 - json file + +```json +{ + "kind": "KubeletConfiguration", + "address": "192.168.0.8", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "evictionHard": { + "memory.available": "200Mi" + }, + "featureGates": { + "RotateKubeletServerCertificate": true + }, + "port": 20250, + "serializeImagePulls": false +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "kind": "KubeletConfiguration", + "address": "192.168.0.8", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "evictionHard": { + "memory.available": "200Mi" + }, + "port": 20250, + "serializeImagePulls": false +} + +``` +
diff --git a/docs/queries/kubernetes-queries/1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md b/docs/queries/kubernetes-queries/1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md new file mode 100644 index 00000000000..d3ef0e9da55 --- /dev/null +++ b/docs/queries/kubernetes-queries/1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5.md @@ -0,0 +1,113 @@ +--- +title: StatefulSet Without PodDisruptionBudget +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1db3a5a5-bf75-44e5-9e44-c56cfc8b1ac5 +- **Query name:** StatefulSet Without PodDisruptionBudget +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/statefulset_without_pod_disruption_budget) + +### Description +StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability
+[Documentation](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19" +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: nginx-pdb +spec: + maxUnavailable: 1 + selector: + matchLabels: + app: xpto +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web +spec: + requiredDropCapabilities: + - ALL + selector: + matchLabels: + app: nginx + serviceName: "nginx" + replicas: 3 + template: + metadata: + labels: + app: nginx + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: nginx + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: nginx-pdb +spec: + maxUnavailable: 1 + selector: + matchLabels: + app: nginx33 + run: test +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web +spec: + selector: + matchLabels: + app: nginx123 + run: test + serviceName: "nginx" + replicas: 3 + template: + metadata: + labels: + app: nginx + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: nginx + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + +``` diff --git a/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md b/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md new file mode 100644 index 00000000000..b86c3633955 --- /dev/null +++ b/docs/queries/kubernetes-queries/1de5cc51-f376-4638-a940-20f2e85ae238.md 
@@ -0,0 +1,220 @@ +--- +title: Anonymous Auth Is Not Set To False +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1de5cc51-f376-4638-a940-20f2e85ae238 +- **Query name:** Anonymous Auth Is Not Set To False +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/anonymous_auth_is_not_set_to_false) + +### Description +When using the kubelet or kube-apiserver command, the 'anonymous-auth' flag should be set to false (--anonymous-auth=false)
+[Documentation](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver", "--anonymous-auth=true"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--anonymous-auth=true"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet", "--anonymous-auth=true"] + restartPolicy: OnFailure + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--anonymous-auth=true"] + restartPolicy: OnFailure + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="9" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +readOnlyPort: 0 +authentication: + anonymous: + enabled: true + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="7" +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "address": "0.0.0.0", + "authentication": { + "anonymous": { + "enabled": true + } + } +} +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver", "--anonymous-auth=false"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--anonymous-auth=false"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--anonymous-auth=false"] + restartPolicy: OnFailure + +``` +
Negative test num. 4 - yaml file + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet", "--anonymous-auth=false"] + restartPolicy: OnFailure + +``` +
+
Negative test num. 5 - yaml file + +```yaml +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +readOnlyPort: 0 + +``` +
+
Negative test num. 6 - json file + +```json +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "address": "0.0.0.0", + "authentication": { + "anonymous": { + "enabled": false + } + } +} +``` +
diff --git a/docs/queries/kubernetes-queries/1e749bc9-fde8-471c-af0c-8254efd2dee5.md b/docs/queries/kubernetes-queries/1e749bc9-fde8-471c-af0c-8254efd2dee5.md new file mode 100644 index 00000000000..529daf55575 --- /dev/null +++ b/docs/queries/kubernetes-queries/1e749bc9-fde8-471c-af0c-8254efd2dee5.md @@ -0,0 +1,66 @@ +--- +title: Role Binding To Default Service Account +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1e749bc9-fde8-471c-af0c-8254efd2dee5 +- **Query name:** Role Binding To Default Service Account +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/role_binding_to_default_service_account) + +### Description +No role nor cluster role should bind to a default service account
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-pods + namespace: default +subjects: +- kind: User + name: jane + apiGroup: rbac.authorization.k8s.io +- kind: ServiceAccount + name: default + namespace: kube-system +roleRef: + kind: Role + name: pod-reader + apiGroup: rbac.authorization.k8s.io +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: read-pods + namespace: default +subjects: +- kind: User + name: jane + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: pod-reader + apiGroup: rbac.authorization.k8s.io +``` diff --git a/docs/queries/kubernetes-queries/1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md b/docs/queries/kubernetes-queries/1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md new file mode 100644 index 00000000000..f0a66c49f15 --- /dev/null +++ b/docs/queries/kubernetes-queries/1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37.md @@ -0,0 +1,97 @@ +--- +title: Namespace Lifecycle Admission Control Plugin Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1ffe7bf7-563b-4b3d-a71d-ba6bd8d49b37 +- **Query name:** Namespace Lifecycle Admission Control Plugin Disabled +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/namespace_lifecycle_admission_control_plugin_disabled) + +### Description +When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'NamespaceLifecycle' plugin
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--disable-admission-plugins=NamespaceLifecycle"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--disable-admission-plugins=NamespaceLifecycle"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=NamespaceLifecycle", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` 
diff --git a/docs/queries/kubernetes-queries/2270987f-bb51-479f-b8be-3ca73e5ad648.md b/docs/queries/kubernetes-queries/2270987f-bb51-479f-b8be-3ca73e5ad648.md
new file mode 100644
index 00000000000..5822fbb2322
--- /dev/null
+++ b/docs/queries/kubernetes-queries/2270987f-bb51-479f-b8be-3ca73e5ad648.md
@@ -0,0 +1,159 @@
+---
+title: NET_RAW Capabilities Disabled for PSP
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2270987f-bb51-479f-b8be-3ca73e5ad648
+- **Query name:** NET_RAW Capabilities Disabled for PSP
+- **Platform:** Kubernetes
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/net_raw_capabilities_disabled_for_psp)
+
+### Description
+Containers need to have NET_RAW or All as drop capabilities
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="57 13"
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: restricted
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - SYS_TIME
+ - SYS_ADMIN
+ - KILL
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+
+---
+
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: restricted2
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - KILL
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: restricted
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ requiredDropCapabilities:
+ - ALL
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ - 'persistentVolumeClaim'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAsNonRoot'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
+```
diff --git a/docs/queries/kubernetes-queries/229588ef-8fde-40c8-8756-f4f2b5825ded.md b/docs/queries/kubernetes-queries/229588ef-8fde-40c8-8756-f4f2b5825ded.md
new file mode 100644
index 00000000000..343858a5033
--- /dev/null
+++ b/docs/queries/kubernetes-queries/229588ef-8fde-40c8-8756-f4f2b5825ded.md
@@ -0,0 +1,171 @@
+---
+title: Memory Requests Not Defined
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 229588ef-8fde-40c8-8756-f4f2b5825ded
+- **Query name:** Memory Requests Not Defined
+- **Platform:** Kubernetes
+- **Severity:** Medium
+- **Category:** Resource Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/memory_requests_not_defined)
+
+### Description
+Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 25 59 13"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: memory-demo
+ namespace: mem-example
+spec:
+ containers:
+ - name: memory-demo-ctr-1
+ image: polinux/stress
+ resources:
+ limits:
+ memory: "200Mi"
+ requests:
+ cpu: "0.5"
+ command: ["stress"]
+ args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: memory-demo-1
+ namespace: mem-example
+spec:
+ containers:
+ - name: memory-demo-ctr-2
+ image: polinux/stress
+ resources:
+ limits:
+ memory: "200Mi"
+ command: ["stress"]
+ args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: memory-demo-2
+ namespace: mem-example
+spec:
+ containers:
+ - name: memory-demo-ctr-3
+ image: polinux/stress
+ command: ["stress"]
+ args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: memory-demo-3
+ namespace: mem-example
+spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ volumes:
+ - name: sec-ctx-vol
+ emptyDir: { }
+ containers:
+ - name: memory-demo-ctr-4
+ image: polinux/stress
+ command: ["stress"]
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="18"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-deployment2
+ labels:
+ app: test2
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: test2
+ template:
+ metadata:
+ labels:
+ app: test2
+ spec:
+ containers:
+ - name: pause
+ image: k8s.gcr.io/pause
+ resources:
+ limits:
+ cpu: 0.5
+ memory: 512Mi
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: memory-demo
+ namespace: mem-example
+spec:
+ containers:
+ - name: memory-demo-ctr
+ image: polinux/stress
+ resources:
+ limits:
+ memory: "200Mi"
+ requests:
+ memory: "100Mi"
+ command: ["stress"]
+ args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"]
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-deployment-ctr-neg
+ labels:
+ app: test-neg
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: test-ctr-neg
+ template:
+ metadata:
+ labels:
+ app: test-ctr-neg
+ spec:
+ containers:
+ - name: pause
+ image: k8s.gcr.io/pause
+ resources:
+ limits:
+ cpu: 0.5
+ memory: 512Mi
+ requests:
+ cpu: 0.5
+ memory: 512Mi
+
+```
diff --git a/docs/queries/kubernetes-queries/235236ee-ad78-4065-bd29-61b061f28ce0.md b/docs/queries/kubernetes-queries/235236ee-ad78-4065-bd29-61b061f28ce0.md
new file mode 100644
index 00000000000..e83f9649874
--- /dev/null
+++ b/docs/queries/kubernetes-queries/235236ee-ad78-4065-bd29-61b061f28ce0.md
@@ -0,0 +1,98 @@
+---
+title: Containers With Sys Admin Capabilities
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 235236ee-ad78-4065-bd29-61b061f28ce0
+- **Query name:** Containers With Sys Admin Capabilities
+- **Platform:** Kubernetes
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/containers_with_sys_admin_capabilities)
+
+### Description
+Containers should not have CAP_SYS_ADMIN Linux capability
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="12"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod4
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add: ["SYS_ADMIN"]
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ - name: log-aggregator
+ image: images.my-company.example/log-aggregator:v6
+ securityContext:
+ allowPrivilegeEscalation: false
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod1
+spec:
+ containers:
+ - name: app
+ image: images.my-company.example/app:v4
+ securityContext:
+ allowPrivilegeEscalation: false
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+
+ - name: log-aggregator
+ image: images.my-company.example/log-aggregator:v6
+ securityContext:
+ allowPrivilegeEscalation: false
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+
+```
diff --git a/docs/queries/kubernetes-queries/249328b8-5f0f-409f-b1dd-029f07882e11.md b/docs/queries/kubernetes-queries/249328b8-5f0f-409f-b1dd-029f07882e11.md
new file mode 100644
index 00000000000..da2c459df77
--- /dev/null
+++ b/docs/queries/kubernetes-queries/249328b8-5f0f-409f-b1dd-029f07882e11.md
@@ -0,0 +1,64 @@
+---
+title: Cluster Admin Rolebinding With Superuser Permissions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 249328b8-5f0f-409f-b1dd-029f07882e11
+- **Query name:** Cluster Admin Rolebinding With Superuser Permissions
+- **Platform:** Kubernetes
+- **Severity:** Low
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/cluster_admin_role_binding_with_super_user_permissions)
+
+### Description
+Ensure that the cluster-admin role is only used where required (RBAC)
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: tiller-clusterrolebinding
+subjects:
+ - kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: ""
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: tiller-clusterrolebinding
+subjects:
+- kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: view
+ apiGroup: ""
+# trigger validation
+
+```
diff --git a/docs/queries/kubernetes-queries/26763a1c-5dda-4772-b507-5fca7fb5f165.md b/docs/queries/kubernetes-queries/26763a1c-5dda-4772-b507-5fca7fb5f165.md
new file mode 100644
index 00000000000..a36f986c4da
--- /dev/null
+++ b/docs/queries/kubernetes-queries/26763a1c-5dda-4772-b507-5fca7fb5f165.md
@@ -0,0 +1,171 @@
+---
+title: Service With External Load Balancer
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 26763a1c-5dda-4772-b507-5fca7fb5f165
+- **Query name:** Service With External Load Balancer
+- **Platform:** Kubernetes
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_with_external_load_balancer)
+
+### Description
+Service has an external load balancer, which may cause accessibility from other networks and the Internet
+[Documentation](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="33 4 48 18 63"
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-service 05
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ type: LoadBalancer
+ selector:
+ app: nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-service 05334443
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 'false'
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ type: LoadBalancer
+ selector:
+ app: nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-service 07
+ annotations:
+ service.beta.kubernetes.io/azure-load-balancer-internal: 'false'
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ type: LoadBalancer
+ selector:
+ app: nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-service 08
+ annotations:
+ networking.gke.io/load-balancer-type: 'External'
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ type: LoadBalancer
+ selector:
+ app: nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-service 09
+ annotations:
+ cloud.google.com/load-balancer-type: 'External'
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ type: LoadBalancer
+ selector:
+ app: nginx
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-service 01
+ annotations:
+ cloud.google.com/load-balancer-type: 'Internal'
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ type: LoadBalancer
+ selector:
+ app: nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-service 02
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 'true'
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ type: LoadBalancer
+ selector:
+ app: nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-service 03
+ annotations:
+ service.beta.kubernetes.io/azure-load-balancer-internal: 'true'
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ type: LoadBalancer
+ selector:
+ app: nginx
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sample-service 04
+ annotations:
+ networking.gke.io/load-balancer-type: 'Internal'
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+ type: LoadBalancer
+ selector:
+ app: nginx
+
+```
diff --git a/docs/queries/kubernetes-queries/268ca686-7fb7-4ae9-b129-955a2a89064e.md b/docs/queries/kubernetes-queries/268ca686-7fb7-4ae9-b129-955a2a89064e.md
new file mode 100644
index 00000000000..2169e3705b7
--- /dev/null
+++ b/docs/queries/kubernetes-queries/268ca686-7fb7-4ae9-b129-955a2a89064e.md
@@ -0,0 +1,92 @@
+---
+title: No Drop Capabilities for Containers
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 268ca686-7fb7-4ae9-b129-955a2a89064e
+- **Query name:** No Drop Capabilities for Containers
+- **Platform:** Kubernetes
+- **Severity:** Low
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/no_drop_capabilities_for_containers)
+
+### Description
+Sees if Kubernetes Drop Capabilities exists to ensure containers security context
+[Documentation](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 28 21"
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: payment
+ image: nginx
+ securityContext:
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ - name: payment2
+ image: nginx
+ securityContext:
+ allowPrivilegeEscalation: false
+ - name: payment3
+ image: nginx
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: nginx-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: payment
+ image: nginx
+ securityContext:
+ capabilities:
+ drop:
+ - all
+ add:
+ - NET_BIND_SERVICE
+```
diff --git a/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md b/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md
new file mode 100644
index 00000000000..6e4adc6b2a4
--- /dev/null
+++ b/docs/queries/kubernetes-queries/2940d48a-dc5e-4178-a3f8-bfbd80720b41.md
@@ -0,0 +1,149 @@
+---
+title: Kubelet Read Only Port Is Not Set To Zero
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2940d48a-dc5e-4178-a3f8-bfbd80720b41
+- **Query name:** Kubelet Read Only Port Is Not Set To Zero
+- **Platform:** Kubernetes
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_read_only_port_is_not_set_to_zero)
+
+### Description
+When using the kubelet command, the read-only port should be set to zero (--read-only-port=0)
+[Documentation](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: joaodanielrufino/kubelet
+ command: ["kubelet"]
+ args: ["--read-only-port=1"]
+ restartPolicy: OnFailure
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: joaodanielrufino/kubelet
+ command: ["kubelet", "--read-only-port=1"]
+ restartPolicy: OnFailure
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="8"
+apiVersion: kubelet.config.k8s.io/v1beta1
+kind: KubeletConfiguration
+address: "192.168.0.8"
+port: 20250
+serializeImagePulls: false
+evictionHard:
+ memory.available: "200Mi"
+readOnlyPort: 1
+
+```
+Postitive test num. 4 - json file
+
+```json hl_lines="5"
+{
+ "kind": "KubeletConfiguration",
+ "apiVersion": "kubelet.config.k8s.io/v1beta1",
+ "address": "192.168.0.8",
+ "readOnlyPort": 1
+ }
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kubelet-demo
+ labels:
+ purpose: kubelet-demo
+spec:
+ containers:
+ - name: kubelet-demo-container
+ image: joaodanielrufino/kubelet
+ command: ["kubelet"]
+ args: ["--read-only-port=0"]
+ restartPolicy: OnFailure
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: joaodanielrufino/kubelet
+ command: ["kubelet", "--read-only-port=0"]
+ restartPolicy: OnFailure
+
+```
+```yaml title="Negative test num. 3 - yaml file"
+apiVersion: kubelet.config.k8s.io/v1beta1
+kind: KubeletConfiguration
+address: "192.168.0.8"
+port: 20250
+serializeImagePulls: false
+evictionHard:
+ memory.available: "200Mi"
+readOnlyPort: 0
+
+```
+Negative test num. 4 - json file
+
+```json
+{
+ "kind": "KubeletConfiguration",
+ "apiVersion": "kubelet.config.k8s.io/v1beta1",
+ "address": "192.168.0.8",
+ "readOnlyPort": 0
+ }
+```
+
+Negative test num. 5 - json file
+
+```json
+{
+ "kind": "KubeletConfiguration",
+ "apiVersion": "kubelet.config.k8s.io/v1beta1",
+ "address": "192.168.0.8"
+ }
+```
+
diff --git a/docs/queries/kubernetes-queries/2b1836f1-dcce-416e-8e16-da8c71920633.md b/docs/queries/kubernetes-queries/2b1836f1-dcce-416e-8e16-da8c71920633.md
new file mode 100644
index 00000000000..3b1e77cb3c5
--- /dev/null
+++ b/docs/queries/kubernetes-queries/2b1836f1-dcce-416e-8e16-da8c71920633.md
@@ -0,0 +1,82 @@
+---
+title: Workload Host Port Not Specified
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2b1836f1-dcce-416e-8e16-da8c71920633
+- **Query name:** Workload Host Port Not Specified
+- **Platform:** Kubernetes
+- **Severity:** Low
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/workload_host_port_not_specified)
+
+### Description
+Verifies if Kubernetes workload's host port is specified
+[Documentation](https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#exposing-the-service)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 9"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: firstpod
+spec:
+ containers:
+ - name: container
+ image: nginx
+ ports:
+ - containerPort: 80
+ hostIP: 10.0.0.1
+ hostPort: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: secondpod
+spec:
+ template:
+ spec:
+ containers:
+ - name: container2
+ image: nginx
+ ports:
+ - containerPort: 81
+ hostIP: 10.0.0.2
+ hostPort: 8081
+ metadata:
+ labels:
+ app: nginx
+ selector:
+ matchLabels:
+ app: nginx
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: firstpod
+spec:
+ containers:
+ - name: container
+ image: nginx
+ ports:
+ - containerPort: 80
+ hostIP: 10.0.0.1
+```
diff --git a/docs/queries/kubernetes-queries/2f1a0619-b12b-48a0-825f-993bb6f01d58.md b/docs/queries/kubernetes-queries/2f1a0619-b12b-48a0-825f-993bb6f01d58.md
new file mode 100644
index 00000000000..5d9e0e0a533
--- /dev/null
+++ b/docs/queries/kubernetes-queries/2f1a0619-b12b-48a0-825f-993bb6f01d58.md
@@ -0,0 +1,88 @@
+---
+title: Not Limited Capabilities For Container
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2f1a0619-b12b-48a0-825f-993bb6f01d58
+- **Query name:** Not Limited Capabilities For Container
+- **Platform:** Kubernetes
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/not_limited_capabilities_for_container)
+
+### Description
+Limit the capabilities for a Container.
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="34 11"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: security-context-demo-4
+spec:
+ containers:
+ - name: sec-ctx-4
+ image: gcr.io/google-samples/node-hello:1.0
+ securityContext:
+ capabilities:
+ drop: ["NET_ADMIN", "SYS_TIME"]
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dropCapabilitiesTest
+ labels:
+ app: nginx
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: payment
+ image: nginx
+ securityContext:
+ capabilities:
+ drop:
+ - NET_ADMIN
+ add:
+ - NET_BIND_SERVICE
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: security-context-demo-4
+spec:
+ containers:
+ - name: sec-ctx-4
+ image: gcr.io/google-samples/node-hello:1.0
+ securityContext:
+ capabilities:
+ drop: ["ALL"]
+
+```
diff --git a/docs/queries/kubernetes-queries/2f491173-6375-4a84-b28e-a4e2b9a58a69.md b/docs/queries/kubernetes-queries/2f491173-6375-4a84-b28e-a4e2b9a58a69.md
new file mode 100644
index 00000000000..55443d831d2
--- /dev/null
+++ b/docs/queries/kubernetes-queries/2f491173-6375-4a84-b28e-a4e2b9a58a69.md
@@ -0,0 +1,278 @@
+---
+title: Profiling Not Set To False
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2f491173-6375-4a84-b28e-a4e2b9a58a69
+- **Query name:** Profiling Not Set To False
+- **Platform:** Kubernetes
+- **Severity:** Low
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/profiling_not_set_to_false)
+
+### Description
+When using kube-apiserver or kube-controller-manager or kube-scheduler command, the '--profiling' flag should be defined and set to false
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver"]
+ args: ["--profiling=true"]
+ restartPolicy: OnFailure
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo-1
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver"]
+ args: []
+ restartPolicy: OnFailure
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="21"
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: null
+ labels:
+ component: kube-controller-manager
+ tier: control-plane
+ name: kube-controller-manager-master-3
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: kube-controller-manager
+ template:
+ metadata:
+ labels:
+ app: kube-controller-manager
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-controller-manager-master-3
+ command: ["kube-controller-manager","--profiling=true"]
+ args: []
+ restartPolicy: OnFailure
+
+```
+Postitive test num. 4 - yaml file
+
+```yaml hl_lines="21"
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: null
+ labels:
+ component: kube-controller-manager
+ tier: control-plane
+ name: kube-controller-manager-master-4
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: kube-controller-manager
+ template:
+ metadata:
+ labels:
+ app: kube-controller-manager
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-controller-manager-master-4
+ command: ["kube-controller-manager"]
+ args: []
+ restartPolicy: OnFailure
+
+```
+
+Postitive test num. 5 - yaml file
+
+```yaml hl_lines="2"
+apiVersion: kubescheduler.config.k8s.io/v1beta2
+kind: KubeSchedulerConfiguration
+profiles:
+ pluginConfig:
+ args:
+ scoringStrategy:
+ resources:
+ name: cpu
+ weight: 1
+ type: MostAllocated
+ name: NodeResourcesFit
+
+```
+
+Postitive test num. 6 - yaml file
+
+```yaml hl_lines="3"
+apiVersion: kubescheduler.config.k8s.io/v1beta2
+kind: KubeSchedulerConfiguration
+enableProfiling: true
+profiles:
+ pluginConfig:
+ args:
+ scoringStrategy:
+ resources:
+ name: cpu
+ weight: 1
+ type: MostAllocated
+ name: NodeResourcesFit2
+
+```
+
+Postitive test num. 7 - yaml file
+
+```yaml hl_lines="14"
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: null
+ labels:
+ component: kube-scheduler
+ tier: control-plane
+ name: kube-scheduler-master-2
+ namespace: kube-system
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-scheduler-master-2
+ command: ["kube-scheduler","--profiling=true"]
+ args: []
+ restartPolicy: OnFailure
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver"]
+ args: ["--profiling=false"]
+ restartPolicy: OnFailure
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: null
+ labels:
+ component: kube-controller-manager
+ tier: control-plane
+ name: kube-controller-manager-master-1
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: kube-controller-manager
+ template:
+ metadata:
+ labels:
+ app: kube-controller-manager
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-controller-manager-master-1
+ command: ["kube-controller-manager","--profiling=false"]
+ args: []
+ restartPolicy: OnFailure
+
+```
+```yaml title="Negative test num. 3 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: null
+ labels:
+ component: kube-scheduler
+ tier: control-plane
+ name: kube-scheduler-master-3
+ namespace: kube-system
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-scheduler-master-1
+ command: ["kube-scheduler","--profiling=false"]
+ args: []
+ restartPolicy: OnFailure
+
+```
+Negative test num. 4 - yaml file
+
+```yaml
+apiVersion: kubescheduler.config.k8s.io/v1beta2
+kind: KubeSchedulerConfiguration
+enableProfiling: false
+profiles:
+- pluginConfig:
+ - args:
+ scoringStrategy:
+ resources:
+ - name: cpu
+ weight: 1
+ type: MostAllocated
+ name: NodeResourcesFit3
+
+```
+
+Negative test num. 5 - yaml file
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ creationTimestamp: null
+ labels:
+ component: kube-scheduler
+ tier: control-plane
+ name: kube-scheduler-master-1
+ namespace: kube-system
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-scheduler-master-1
+ command: ["kube-scheduler"]
+ args: []
+ restartPolicy: OnFailure
+
+```
+
diff --git a/docs/queries/kubernetes-queries/2f652c42-619d-4361-b361-9f599688f8ca.md b/docs/queries/kubernetes-queries/2f652c42-619d-4361-b361-9f599688f8ca.md
new file mode 100644
index 00000000000..0a32701839d
--- /dev/null
+++ b/docs/queries/kubernetes-queries/2f652c42-619d-4361-b361-9f599688f8ca.md
@@ -0,0 +1,106 @@
+---
+title: HPA Targets Invalid Object
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2f652c42-619d-4361-b361-9f599688f8ca
+- **Query name:** HPA Targets Invalid Object
+- **Platform:** Kubernetes
+- **Severity:** Low
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/hpa_targets_invalid_object)
+
+### Description
+The Horizontal Pod Autoscaler must target a valid object
+[Documentation](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="12"
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: php-apache
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: php-apache
+ minReplicas: 1
+ maxReplicas: 10
+ metrics:
+ - type: Object
+ object:
+ metric:
+ name: requests-per-second
+ target:
+ type: Value
+ value: 10k
+ describedObject:
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: php-apache
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: php-apache
+ minReplicas: 1
+ maxReplicas: 10
+ metrics:
+ - type: Object
+ object:
+ metric:
+ name: requests-per-second
+ describedObject:
+ apiVersion: networking.k8s.io/v1beta1
+ kind: Ingress
+ name: main-route
+ target:
+ type: Value
+ value: 10k
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: matching-svc
+ namespace: default
+spec:
+ metrics:
+ - resource:
+ name: cpu
+ target:
+ averageUtilization: 50
+ type: Utilization
+ type: Resource
+ minReplicas: 1
+ maxReplicas: 5
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: matching-svc
+
+```
diff --git a/docs/queries/kubernetes-queries/302736f4-b16c-41b8-befe-c0baffa0bd9d.md b/docs/queries/kubernetes-queries/302736f4-b16c-41b8-befe-c0baffa0bd9d.md
new file mode 100644
index 00000000000..d086a9d62ad
--- /dev/null
+++ b/docs/queries/kubernetes-queries/302736f4-b16c-41b8-befe-c0baffa0bd9d.md
@@ -0,0 +1,81 @@ +--- +title: Shared Host PID Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 302736f4-b16c-41b8-befe-c0baffa0bd9d +- **Query name:** Shared Host PID Namespace +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/shared_host_pid_namespace) + +### Description +Container should not share the host process ID namespace
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 6" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo +spec: + hostPID: true + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo +spec: + hostPID: false + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +``` diff --git a/docs/queries/kubernetes-queries/32ecd76e-7bbf-402e-bf48-8b9485749558.md b/docs/queries/kubernetes-queries/32ecd76e-7bbf-402e-bf48-8b9485749558.md new file mode 100644 index 00000000000..ae3a3c74386 --- /dev/null +++ b/docs/queries/kubernetes-queries/32ecd76e-7bbf-402e-bf48-8b9485749558.md @@ -0,0 +1,95 @@ +--- +title: Token Auth File Is Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 32ecd76e-7bbf-402e-bf48-8b9485749558 +- **Query name:** Token Auth File Is Set +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/token_auth_file_is_set) + +### Description +When using kube-apiserver command, the 'token-auth-file' flag should not be set
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver", "--token-auth-file=/path/to/any/file"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--token-auth-file=/path/to/any/file"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/33fc6923-6553-4fe6-9d3a-4efa51eb874b.md b/docs/queries/kubernetes-queries/33fc6923-6553-4fe6-9d3a-4efa51eb874b.md new file mode 100644 index 00000000000..6e86e537c99 --- /dev/null +++ b/docs/queries/kubernetes-queries/33fc6923-6553-4fe6-9d3a-4efa51eb874b.md 
@@ -0,0 +1,81 @@ +--- +title: Node Restriction Admission Control Plugin Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 33fc6923-6553-4fe6-9d3a-4efa51eb874b +- **Query name:** Node Restriction Admission Control Plugin Not Set +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/node_restriction_admission_control_plugin_not_set) + +### Description +When using kube-apiserver command, the --enable-admission-plugins flag should have 'NodeRestriction' plugin and the plugin should be correctly configured in AdmissionControl Config file
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=AlwaysAdmit"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=NodeRestriction", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--enable-admission-plugins=NodeRestriction", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/35c0a471-f7c8-4993-aa2c-503a3c712a66.md b/docs/queries/kubernetes-queries/35c0a471-f7c8-4993-aa2c-503a3c712a66.md new file mode 100644 index 00000000000..9c5709c8486 --- /dev/null +++ b/docs/queries/kubernetes-queries/35c0a471-f7c8-4993-aa2c-503a3c712a66.md 
@@ -0,0 +1,157 @@ +--- +title: Audit Log Maxsize Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 35c0a471-f7c8-4993-aa2c-503a3c712a66 +- **Query name:** Audit Log Maxsize Not Properly Set +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/audit_log_maxsize_not_properly_set) + +### Description +When using kube-apiserver command, the '--audit-log-maxsize' flag should be defined and set to 100 or more MegaBytes
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxsize=50"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="40 27 12 55" +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + name: dummy + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxsize=50"] + restartPolicy: OnFailure +--- +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxsize=50"] + restartPolicy: OnFailure +--- +apiVersion: serving.knative.dev/v1 +kind: Revision +metadata: + name: dummy-rev + namespace: knative-sequence +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxsize=50"] + restartPolicy: OnFailure +--- 
+apiVersion: sources.knative.dev/v1 +kind: ContainerSource +metadata: + name: dummy-cs + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxsize=50"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxsize=150"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--audit-log-maxsize=100"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/36a27826-1bf5-49da-aeb0-a60a30c0e834.md b/docs/queries/kubernetes-queries/36a27826-1bf5-49da-aeb0-a60a30c0e834.md new file mode 100644 index 00000000000..ced98aed55f --- /dev/null +++ b/docs/queries/kubernetes-queries/36a27826-1bf5-49da-aeb0-a60a30c0e834.md 
@@ -0,0 +1,111 @@ +--- +title: Kubelet Client Certificate Or Key Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 36a27826-1bf5-49da-aeb0-a60a30c0e834 +- **Query name:** Kubelet Client Certificate Or Key Not Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_client_certificate_or_key_not_set) + +### Description +When using kube-apiserver command, the 'kubelet-client-key' and 'kubelet-client-certificate' flags should be set
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--kubelet-client-certificate=/path/to/any/file.pem"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--kubelet-client-key=/path/to/any/file"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver", "--kubelet-client-certificate=/path/to/any/file.pem", "--kubelet-client-key=/path/to/any/file2.pem"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 
2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--kubelet-client-certificate=/path/to/any/file.pem", "--kubelet-client-key=/path/to/any/file2"] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md b/docs/queries/kubernetes-queries/3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md new file mode 100644 index 00000000000..dc3c647fcda --- /dev/null +++ b/docs/queries/kubernetes-queries/3878dc92-8e5d-47cf-9cdd-7590f71d21b9.md @@ -0,0 +1,160 @@ +--- +title: Incorrect Volume Claim Access Mode ReadWriteOnce +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3878dc92-8e5d-47cf-9cdd-7590f71d21b9 +- **Query name:** Incorrect Volume Claim Access Mode ReadWriteOnce +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/incorrect_volume_claim_access_mode_read_write_once) + +### Description +Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'
+[Documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="72 27" +#this is a problematic code where the query should report a result(s) +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web +spec: + selector: + matchLabels: + app: nginx # has to match .spec.template.metadata.labels + serviceName: "nginx" + replicas: 3 # by default is 1 + template: + metadata: + labels: + app: nginx # has to match .spec.selector.matchLabels + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: nginx + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + volumeClaimTemplates: + - metadata: + name: www + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "my-storage-class" + resources: + requests: + storage: 1Gi + - metadata: + name: aaa + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "my-storage-class" + resources: + requests: + storage: 1Gi + +--- + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web2 +spec: + selector: + matchLabels: + app: nginx # has to match .spec.template.metadata.labels + serviceName: "nginx" + replicas: 3 # by default is 1 + template: + metadata: + labels: + app: nginx # has to match .spec.selector.matchLabels + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: nginx + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + volumeClaimTemplates: + - metadata: + name: www + spec: + accessModes: [ "ReadWrite" ] + storageClassName: "my-storage-class" + resources: + requests: + storage: 1Gi + - metadata: + name: aaa + spec: + accessModes: [ "ReadWrite" ] + storageClassName: "my-storage-class" + resources: + requests: + storage: 1Gi +``` + + +#### Code 
samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web +spec: + selector: + matchLabels: + app: nginx # has to match .spec.template.metadata.labels + serviceName: "nginx" + replicas: 3 # by default is 1 + template: + metadata: + labels: + app: nginx # has to match .spec.selector.matchLabels + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: nginx + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + volumeClaimTemplates: + - metadata: + name: www + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "my-storage-class" + resources: + requests: + storage: 1Gi +``` diff --git a/docs/queries/kubernetes-queries/38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md b/docs/queries/kubernetes-queries/38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md new file mode 100644 index 00000000000..de29e0a002d --- /dev/null +++ b/docs/queries/kubernetes-queries/38fa11ef-dbcc-4da8-9680-7e1fd855b6fb.md @@ -0,0 +1,83 @@ +--- +title: RBAC Roles with Port-Forwarding Permission +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 38fa11ef-dbcc-4da8-9680-7e1fd855b6fb +- **Query name:** RBAC Roles with Port-Forwarding Permission +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/rbac_roles_with_portforwarding_permissions) + +### Description +Roles or ClusterRoles with RBAC permissions to port-forward into pods can open socket-level communication channels to containers. In case of compromise, attackers may abuse this for direct communication that bypasses network security restrictions
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: my-namespace + name: allow-port-forward +rules: +- apiGroups: [""] + resources: ["pods", "pods/portforward"] + verbs: ["get", "list", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: allow-port-forward + namespace: my-namespace +subjects: +- kind: User + name: bob + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: allow-port-forward + apiGroup: "" +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: my-namespace + name: allow-port-forward-neg +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: allow-port-forward-neg + namespace: my-namespace +subjects: +- kind: User + name: bob + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: allow-port-forward-neg + apiGroup: "" +``` diff --git a/docs/queries/kubernetes-queries/3ca03a61-3249-4c16-8427-6f8e47dda729.md b/docs/queries/kubernetes-queries/3ca03a61-3249-4c16-8427-6f8e47dda729.md new file mode 100644 index 00000000000..b5e52c1f7b8 --- /dev/null +++ b/docs/queries/kubernetes-queries/3ca03a61-3249-4c16-8427-6f8e47dda729.md 
@@ -0,0 +1,348 @@ +--- +title: Service Does Not Target Pod +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3ca03a61-3249-4c16-8427-6f8e47dda729 +- **Query name:** Service Does Not Target Pod +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_does_not_target_pod) + +### Description +Service should Target a Pod
+[Documentation](https://kubernetes.io/docs/concepts/services-networking/service/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +apiVersion: v1 +kind: Service +metadata: + name: helloworld2 +spec: + type: NodePort + selector: + app: helloworld2 + ports: + - name: http + nodePort: 30475 + port: 9377 + protocol: TCP + targetPort: 9377 +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx2 + labels: + app: hellowwwworld +spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 9377 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +apiVersion: v1 +kind: Service +metadata: + name: helloworld3 +spec: + type: NodePort + selector: + app: helloworld3 + ports: + - name: http + nodePort: 30475 + port: 9377 + protocol: TCP + targetPort: 9377 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: helloworld3 +spec: + replicas: 3 + selector: + matchLabels: + app: helloworld3 + template: + metadata: + labels: + app: helloworld3 + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" + +apiVersion: v1 +kind: Service +metadata: + name: helloworld +spec: + type: NodePort + selector: + app: helloworld + ports: + - name: http + nodePort: 30475 + port: 8089 + protocol: TCP + targetPort: 8089 + +--- + +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + app: helloworld +spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 8089 + +``` +```yaml title="Negative test num. 
2 - yaml file" +apiVersion: v1 +kind: Service +metadata: + name: negative2 +spec: + type: ClusterIP + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 8080 + - name: health + port: 8081 + protocol: TCP + targetPort: 8082 + selector: + app: negative2 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: negative2 + labels: + app: negative2 +spec: + selector: + matchLabels: + app: negative2 + template: + metadata: + labels: + app: negative2 + spec: + containers: + - name: webserver + image: nginx:latest + ports: + - containerPort: 8080 + - containerPort: 8082 + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Service +metadata: + name: negative3 +spec: + type: NodePort + selector: + app: negative3 + ports: + - name: http + nodePort: 30475 + port: 9377 + protocol: TCP + targetPort: web +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: negative3 +spec: + replicas: 3 + selector: + matchLabels: + app: negative3 + template: + metadata: + labels: + app: negative3 + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - name: web + containerPort: 80 + +``` +
Negative test num. 4 - yaml file + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: negative4 +spec: + selector: + app: negative4 + tier: backend + ports: + - protocol: TCP + port: 80 + targetPort: http +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: backend +spec: + selector: + matchLabels: + app: negative4 + tier: backend + track: stable + replicas: 3 + template: + metadata: + labels: + app: negative4 + tier: backend + track: stable + spec: + containers: + - name: negative4 + image: "gcr.io/google-samples/hello-go-gke:1.0" + ports: + - name: http + containerPort: 80 + +``` +
+
Negative test num. 5 - yaml file + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: negative5 +spec: + selector: + app: negative5 + tier: backend + ports: + - protocol: TCP + port: 80 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: backend +spec: + selector: + matchLabels: + app: negative5 + tier: backend + track: stable + replicas: 3 + template: + metadata: + labels: + app: negative5 + tier: backend + track: stable + spec: + containers: + - name: negative5 + image: "gcr.io/google-samples/hello-go-gke:1.0" + ports: + - name: http + containerPort: 80 + +``` +
+
Negative test num. 6 - yaml file + +```yaml +apiVersion: v1 +kind: Service +metadata: + name: helloworld +spec: + type: NodePort + selector: + app: helloworld + ports: + - name: http + nodePort: 30475 + port: 8089 + protocol: TCP + targetPort: 8089 +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx3 + labels: + app: helloworld +spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 808 +--- +apiVersion: v1 +kind: Pod +metadata: + name: nginx + labels: + app: helloworld +spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 8089 + +``` +
diff --git a/docs/queries/kubernetes-queries/3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md b/docs/queries/kubernetes-queries/3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md new file mode 100644 index 00000000000..8f05835c863 --- /dev/null +++ b/docs/queries/kubernetes-queries/3d24b204-b73d-42cb-b0bf-1a5438c5f71e.md @@ -0,0 +1,81 @@ +--- +title: Secure Port Set To Zero +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3d24b204-b73d-42cb-b0bf-1a5438c5f71e +- **Query name:** Secure Port Set To Zero +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/secure_port_set_to_zero) + +### Description +When using kube-apiserver command, the --secure-port flag should not be 0
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--secure-port=0"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--secure-port=6443"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/3d658f8b-d988-41a0-a841-40043121de1e.md b/docs/queries/kubernetes-queries/3d658f8b-d988-41a0-a841-40043121de1e.md new file mode 100644 index 00000000000..b1768b80702 --- /dev/null +++ b/docs/queries/kubernetes-queries/3d658f8b-d988-41a0-a841-40043121de1e.md 
@@ -0,0 +1,78 @@ +--- +title: Secrets As Environment Variables +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3d658f8b-d988-41a0-a841-40043121de1e +- **Query name:** Secrets As Environment Variables +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/secrets_as_environment_variables) + +### Description +Container should not use secrets as environment variables
+[Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 12 30" +apiVersion: v1 +kind: Pod +metadata: + name: secret-env-pod +spec: + containers: + - name: mycontainer + image: redis + env: + - name: SECRET_USERNAME + valueFrom: + secretKeyRef: + name: mysecret + key: username + - name: SECRET_PASSWORD + valueFrom: + secretKeyRef: + name: mysecret + key: password + restartPolicy: Never +--- +apiVersion: v1 +kind: Pod +metadata: + name: envfrom-secret +spec: + containers: + - name: envars-test-container + image: nginx + envFrom: + - secretRef: + name: test-secret +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: secret-env-pod +spec: + containers: + - name: mycontainer + image: redis + restartPolicy: Never +``` diff --git a/docs/queries/kubernetes-queries/3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md b/docs/queries/kubernetes-queries/3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md new file mode 100644 index 00000000000..358dd17f9af --- /dev/null +++ b/docs/queries/kubernetes-queries/3f5ff8a7-5ad6-4d02-86f5-666307da1b20.md @@ -0,0 +1,81 @@ +--- +title: Etcd Client Certificate File Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3f5ff8a7-5ad6-4d02-86f5-666307da1b20 +- **Query name:** Etcd Client Certificate File Not Defined +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/etcd_client_certificate_file_not_defined) + +### Description +When using kube-apiserver commands, the '--etcd-cafile' flag should be defined
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--etcd-cafile=/path/to/ca/file.pem"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--etcd-cafile=/path/to/ca/file.pem"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2.md b/docs/queries/kubernetes-queries/46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2.md new file mode 100644 index 00000000000..e27fcd29481 --- /dev/null +++ b/docs/queries/kubernetes-queries/46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2.md 
@@ -0,0 +1,203 @@ +--- +title: Bind Address Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 46a2e9ec-6a5f-4faa-9d39-4ea44d5d87a2 +- **Query name:** Bind Address Not Properly Set +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/bind_address_not_properly_set) + +### Description +When using kube-controller-manager or kube-scheduler commands, the '--bind-address' should not be set to 127.0.0.1
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: ["--bind-address=127.0.0.1"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager","--bind-address=127.0.0.1"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="20" +apiVersion: v1 +kind: Pod +metadata: + labels: + component: kube-scheduler + tier: control-plane + name: kube-scheduler + namespace: kube-system +spec: + selector: + matchLabels: + app: kube-controller-manager + template: + metadata: + labels: + app: kube-controller-manager + containers: + - name: command-demo-container + image: k8s.gcr.io/kube-scheduler:v1.19.0 + command: ["kube-scheduler"] + args: ["--bind-address=127.0.0.1"] + restartPolicy: OnFailure + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="20" +apiVersion: v1 +kind: Pod +metadata: + labels: + component: kube-scheduler + tier: control-plane + name: kube-scheduler + namespace: kube-system +spec: + selector: + matchLabels: + app: kube-controller-manager + template: + metadata: + labels: + app: kube-controller-manager + containers: + - name: command-demo-container + image: k8s.gcr.io/kube-scheduler:v1.19.0 + command: ["kube-scheduler","--bind-address=127.0.0.1"] + args: [] + restartPolicy: OnFailure + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager","--bind-address=0.0.0.0"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + labels: + component: kube-scheduler + tier: control-plane + name: kube-scheduler + namespace: kube-system +spec: + selector: + matchLabels: + app: kube-controller-manager + template: + metadata: + labels: + app: kube-controller-manager + containers: + - name: command-demo-container + image: k8s.gcr.io/kube-scheduler:v1.19.0 + command: ["kube-scheduler"] + args: [] + restartPolicy: OnFailure + +``` +
Negative test num. 4 - yaml file + +```yaml +apiVersion: v1 +kind: Pod +metadata: + labels: + component: kube-scheduler + tier: control-plane + name: kube-scheduler + namespace: kube-system +spec: + selector: + matchLabels: + app: kube-controller-manager + template: + metadata: + labels: + app: kube-controller-manager + containers: + - name: command-demo-container + image: k8s.gcr.io/kube-scheduler:v1.19.0 + command: ["kube-scheduler","--bind-address=0.0.0.0"] + args: [] + restartPolicy: OnFailure + +``` +
diff --git a/docs/queries/kubernetes-queries/48471392-d4d0-47c0-b135-cdec95eb3eef.md b/docs/queries/kubernetes-queries/48471392-d4d0-47c0-b135-cdec95eb3eef.md new file mode 100644 index 00000000000..570756e5642 --- /dev/null +++ b/docs/queries/kubernetes-queries/48471392-d4d0-47c0-b135-cdec95eb3eef.md @@ -0,0 +1,185 @@ +--- +title: Service Account Token Automount Not Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48471392-d4d0-47c0-b135-cdec95eb3eef +- **Query name:** Service Account Token Automount Not Disabled +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_account_token_automount_not_disabled) + +### Description +Service Account Tokens are automatically mounted even if not necessary
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="28 5 54" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: security.context.demo +spec: + automountServiceAccountToken: true + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +--- +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: knative-sequence +spec: + template: + spec: + automountServiceAccountToken: true + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="5" +apiVersion: v1 +kind: ServiceAccount +metadata: + name: redistest-sa +automountServiceAccountToken: true +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: demoenv + labels: + app: redis +spec: + selector: + matchLabels: + app: redis + template: + metadata: + labels: + app: redis + spec: + serviceAccountName: redistest-sa + containers: + - name: redis + image: redis:latest +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo +spec: + automountServiceAccountToken: false + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: ServiceAccount +metadata: + name: redistest-sa +automountServiceAccountToken: false +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: demoenv + labels: + app: redis +spec: + selector: + matchLabels: + app: redis + template: + metadata: + labels: + app: redis + spec: + serviceAccountName: redistest-sa + containers: + - name: redis + image: redis:latest + +``` diff --git a/docs/queries/kubernetes-queries/48a5beba-e4c0-4584-a2aa-e6894e4cf424.md b/docs/queries/kubernetes-queries/48a5beba-e4c0-4584-a2aa-e6894e4cf424.md new file mode 100644 index 00000000000..d37a3dd6452 --- /dev/null +++ b/docs/queries/kubernetes-queries/48a5beba-e4c0-4584-a2aa-e6894e4cf424.md 
@@ -0,0 +1,237 @@ +--- +title: Pod or Container Without ResourceQuota +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48a5beba-e4c0-4584-a2aa-e6894e4cf424 +- **Query name:** Pod or Container Without ResourceQuota +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/pod_or_container_without_resource_quota) + +### Description +Each namespace should have a ResourceQuota policy associated to limit the total amount of resources Pods, Containers and PersistentVolumeClaims can consume
+[Documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +apiVersion: v1 +kind: Pod +metadata: + name: pod1 + namespace: myNewPod +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +apiVersion: v1 +kind: Pod +metadata: + name: pod2 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: my-kube-system + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + metadata: + labels: + name: fluentd-elasticsearch + spec: + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: varlog + mountPath: /var/log + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + terminationGracePeriodSeconds: 30 + volumes: + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="5" +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: webcontent + namespace: k8s-test9 + annotations: + volume.alpha.kubernetes.io/storage-class: default +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 5Gi + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: pod2 + namespace: myNewPod2 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +--- +apiVersion: v1 +kind: ResourceQuota +metadata: + name: pods-high + namespace: myNewPod2 +spec: + hard: + cpu: "1000" + memory: 200Gi + pods: "10" + scopeSelector: + matchExpressions: + - operator : In + scopeName: PriorityClass + values: ["high"] + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: my-kube-system2 + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + metadata: + labels: + name: fluentd-elasticsearch + spec: + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: varlog + mountPath: /var/log + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + terminationGracePeriodSeconds: 30 + volumes: + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers +--- +apiVersion: v1 +kind: ResourceQuota +metadata: + name: pods-high + namespace: my-kube-system2 +spec: + hard: + cpu: "1000" + memory: 200Gi + pods: "10" + scopeSelector: + matchExpressions: + - operator : In + scopeName: PriorityClass + values: ["high"] + +``` 
diff --git a/docs/queries/kubernetes-queries/49113af4-29ca-458e-b8d4-724c01a4a24f.md b/docs/queries/kubernetes-queries/49113af4-29ca-458e-b8d4-724c01a4a24f.md new file mode 100644 index 00000000000..a03687d4873 --- /dev/null +++ b/docs/queries/kubernetes-queries/49113af4-29ca-458e-b8d4-724c01a4a24f.md @@ -0,0 +1,97 @@ +--- +title: Terminated Pod Garbage Collector Threshold Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 49113af4-29ca-458e-b8d4-724c01a4a24f +- **Query name:** Terminated Pod Garbage Collector Threshold Not Properly Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/terminated_pod_garbage_collector_threshold_not_properly_set) + +### Description +When using kube-controller-manager commands, the '--terminated-pod-gc-threshold' should be set between 0 and 12501
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager","--terminated-pod-gc-threshold=0"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: ["--terminated-pod-gc-threshold=12501"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: ["--terminated-pod-gc-threshold=10"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager","--terminated-pod-gc-threshold=10"] + args: [] + restartPolicy: OnFailure + +``` 
diff --git a/docs/queries/kubernetes-queries/4a20ebac-1060-4c81-95d1-1f7f620e983b.md b/docs/queries/kubernetes-queries/4a20ebac-1060-4c81-95d1-1f7f620e983b.md new file mode 100644 index 00000000000..8d3ee08cce0 --- /dev/null +++ b/docs/queries/kubernetes-queries/4a20ebac-1060-4c81-95d1-1f7f620e983b.md @@ -0,0 +1,231 @@ +--- +title: Pod or Container Without LimitRange +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4a20ebac-1060-4c81-95d1-1f7f620e983b +- **Query name:** Pod or Container Without LimitRange +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/pod_or_container_without_limit_range) + +### Description +Each namespace should have a LimitRange policy associated to ensure that resource allocations of Pods, Containers and PersistentVolumeClaims do not exceed the defined boundaries
+[Documentation](https://kubernetes.io/docs/concepts/policy/limit-range/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +apiVersion: v1 +kind: Pod +metadata: + name: frontend1 + namespace: myPod +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +apiVersion: v1 +kind: Pod +metadata: + name: frontend2 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: kube-system + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + metadata: + labels: + name: fluentd-elasticsearch + spec: + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: varlog + mountPath: /var/log + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + terminationGracePeriodSeconds: 30 + volumes: + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="5" +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: webcontent + namespace: k8s-test9 + annotations: + volume.alpha.kubernetes.io/storage-class: default +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 5Gi + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: frontend + namespace: myPod2 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +--- +apiVersion: v1 +kind: LimitRange +metadata: + name: cpu-min-max-demo-lr + namespace: myPod2 +spec: + limits: + - max: + cpu: "800m" + min: + cpu: "200m" + type: Container + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: kube-system2 + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + metadata: + labels: + name: fluentd-elasticsearch + spec: + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: varlog + mountPath: /var/log + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + terminationGracePeriodSeconds: 30 + volumes: + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers +--- +apiVersion: v1 +kind: LimitRange +metadata: + name: cpu-min-max-demo-lr + namespace: kube-system2 +spec: + limits: + - max: + cpu: "800m" + min: + cpu: "200m" + type: Container + +``` diff --git a/docs/queries/kubernetes-queries/4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md b/docs/queries/kubernetes-queries/4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md new file mode 100644 index 00000000000..940dc684b7b --- /dev/null 
+++ b/docs/queries/kubernetes-queries/4ac0e2b7-d2d2-4af7-8799-e8de6721ccda.md @@ -0,0 +1,99 @@ +--- +title: CPU Limits Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4ac0e2b7-d2d2-4af7-8799-e8de6721ccda +- **Query name:** CPU Limits Not Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/cpu_limits_not_set) + +### Description +CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
+[Documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 35 14 31" +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + limits: + memory: "64Mi" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + cpu: "250m" +--- +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + limits: + memory: "64Mi" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + cpu: "250m" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + limits: + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + +``` diff --git a/docs/queries/kubernetes-queries/4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md b/docs/queries/kubernetes-queries/4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md new file mode 100644 index 00000000000..22603b56769 --- /dev/null +++ b/docs/queries/kubernetes-queries/4d7ee40f-fc5d-427d-8cac-dffbe22d42d1.md 
@@ -0,0 +1,97 @@ +--- +title: Authorization Mode Node Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d7ee40f-fc5d-427d-8cac-dffbe22d42d1 +- **Query name:** Authorization Mode Node Not Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/authorization_mode_node_not_set) + +### Description +When using kube-apiserver command, the 'authorization-mode' flag should have 'Node' mode
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--authorization-mode=AlwaysAllow"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--authorization-mode=RBAC"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--authorization-mode=RBAC,Node"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--authorization-mode=RBAC,Node"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md b/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md new file mode 100644 index 00000000000..0be01fa74d6 --- /dev/null 
+++ b/docs/queries/kubernetes-queries/510d5810-9a30-443a-817d-5c1fa527b110.md @@ -0,0 +1,166 @@ +--- +title: Weak TLS Cipher Suites +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 510d5810-9a30-443a-817d-5c1fa527b110 +- **Query name:** Weak TLS Cipher Suites +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/weak_tls_cipher_suites) + +### Description +TLS Connection should use strong Cipher Suites
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--tls-cipher-suites=TLS_RSA_WITH_RC4_128_SHA"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="9" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +protectKernelDefaults: false +serializeImagePulls: false +tlsCertFile: "someFile.txt" +tlsPrivateKeyFile: "someFile.txt" +tlsCipherSuites: ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"] +evictionHard: + memory.available: "200Mi" + +``` +
Postitive test num. 4 - json file + +```json hl_lines="2" +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "port": 10250, + "readOnlyPort": 10255, + "cgroupDriver": "cgroupfs", + "hairpinMode": "promiscuous-bridge", + "serializeImagePulls": false, + "featureGates": { + "RotateKubeletClientCertificate": true, + "RotateKubeletServerCertificate": true + } + } + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: [] + restartPolicy: OnFailure + +``` +
Negative test num. 4 - json file + +```json +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "port": 10250, + "readOnlyPort": 10255, + "cgroupDriver": "cgroupfs", + "hairpinMode": "promiscuous-bridge", + "serializeImagePulls": false, + "tlsCipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"], + "featureGates": { + "RotateKubeletClientCertificate": true, + "RotateKubeletServerCertificate": true + } + } + +``` +
diff --git a/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md b/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md new file mode 100644 index 00000000000..8ef53376deb --- /dev/null +++ b/docs/queries/kubernetes-queries/52d70f2e-3257-474c-b3dc-8ad9ba6a061a.md @@ -0,0 +1,127 @@ +--- +title: Kubelet Client Periodic Certificate Switch Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 52d70f2e-3257-474c-b3dc-8ad9ba6a061a +- **Query name:** Kubelet Client Periodic Certificate Switch Disabled +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_client_periodic_certificate_switch_disabled) + +### Description +Kubelet argument --rotate-certificates should be true
+[Documentation](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--rotate-certificates=false"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" +rotateCertificates: false + +``` +```json title="Postitive test num. 3 - json file" hl_lines="6" +{ + "port": 20250, + "evictionHard": { + "memory.available": "200Mi" + }, + "kind": "KubeletConfiguration", + "makeIPTablesUtilChains": true, + "address": "192.168.0.8", + "apiVersion": "kubelet.config.k8s.io/v1beta1" +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="2" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--rotate-certificates"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" +rotateCertificates: true + +``` +```json title="Negative test num. 3 - json file" +{ + "port": 20250, + "evictionHard": { + "memory.available": "200Mi" + }, + "kind": "KubeletConfiguration", + "rotateCertificates": true, + "serializeImagePulls": false, + "address": "192.168.0.8", + "apiVersion": "kubelet.config.k8s.io/v1beta1" +} + +``` diff --git a/docs/queries/kubernetes-queries/5308a7a8-06f8-45ac-bf10-791fe21de46e.md b/docs/queries/kubernetes-queries/5308a7a8-06f8-45ac-bf10-791fe21de46e.md new file mode 100644 index 00000000000..adf50836a99 --- /dev/null +++ b/docs/queries/kubernetes-queries/5308a7a8-06f8-45ac-bf10-791fe21de46e.md @@ -0,0 +1,438 @@ +--- +title: Workload Mounting With Sensitive OS Directory +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5308a7a8-06f8-45ac-bf10-791fe21de46e +- **Query name:** Workload Mounting With Sensitive OS Directory +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/workload_mounting_with_sensitive_os_directory) + +### Description +Workload is mounting a volume with sensitive OS Directory
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="193 66 229 70 265 203 299 175 112 145 115 280 250" +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: prometheus + chart: prometheus-11.1.2 + component: node-exporter + heritage: Helm + release: exporter + name: exporter-prometheus-node-exporter + namespace: monitoring +spec: + selector: + matchLabels: + app: prometheus + component: node-exporter + release: exporter + template: + metadata: + labels: + app: prometheus + chart: prometheus-11.1.2 + component: node-exporter + heritage: Helm + release: exporter + spec: + containers: + - args: + - --path.procfs=/host/proc + - --path.sysfs=/host/sys + image: prom/node-exporter:v0.18.1 + imagePullPolicy: IfNotPresent + name: prometheus-node-exporter + ports: + - containerPort: 9100 + hostPort: 9100 + name: metrics + protocol: TCP + resources: + limits: + cpu: 500m + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/proc + name: proc + readOnly: true + - mountPath: /host/sys + name: sys + readOnly: true + dnsPolicy: ClusterFirst + hostNetwork: true + hostPID: true + restartPolicy: Always + schedulerName: default-scheduler + serviceAccount: exporter-prometheus-node-exporter + serviceAccountName: exporter-prometheus-node-exporter + terminationGracePeriodSeconds: 30 + volumes: + - name: proc + hostPath: + path: /proc + type: "" + - name: sys + hostPath: + path: /sys + type: "" +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: logs + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + metadata: + labels: + name: fluentd-elasticsearch + spec: + tolerations: + - key: 
node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + cpu: 500m + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: varlog + mountPath: /var/log + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + terminationGracePeriodSeconds: 30 + volumes: + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + namespace: default + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - name: static-page-dir + mountPath: /var/www/app/static + volumes: + - name: static-page-dir + hostPath: + path: /var/local/static + type: DirectoryOrCreate +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment-undefined-ns + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - name: static-page-dir + mountPath: /var/www/app/static + volumes: + - name: static-page-dir + hostPath: + path: /root/local/static + type: DirectoryOrCreate +--- +apiVersion: v1 +kind: Pod +metadata: + name: redis-memcache + namespace: memcache +spec: + containers: + - name: redis + image: redis + volumeMounts: + - name: redis-storage + mountPath: /data/redis + volumes: + - name: redis-storage + hostPath: + path: /var/redis/data +--- +kind: Pod +apiVersion: v1 +metadata: + name: web-server-pod +spec: + volumes: + - name: nginx-host-config + hostPath: + path: "/etc/nginx" + containers: + - name: 
nginx-container + image: nginx + ports: + - containerPort: 80 + name: "http-server" + volumeMounts: + - mountPath: "/etc/nginx" + name: nginx-host-config +--- +apiVersion: v1 +kind: Pod +metadata: + name: malicious-pod + namespace: default +spec: + containers: + - name: evil-container + image: alpine + volumeMounts: + - name: rootdir + mountPath: / + volumes: + - name: rootdir + hostPath: + path: / +--- +apiVersion: v1 +kind: Pod +metadata: + name: dood +spec: + containers: + - name: docker-cmds + image: docker:1.12.6 + command: ["docker", "run", "-p", "80:80", "httpd:latest"] + resources: + requests: + cpu: 10m + memory: 256Mi + volumeMounts: + - mountPath: /var/run + name: docker-sock + volumes: + - name: docker-sock + hostPath: + path: /var/run +--- +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv-001 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 10Gi + accessModes: + - ReadWriteOnce + hostPath: + path: "/dev/tty1" +--- +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv-002 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 10Gi + accessModes: + - ReadWriteOnce + hostPath: + path: "/boot" +--- +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: default +spec: + template: + spec: + containers: + - name: evil-container + image: alpine + volumeMounts: + - name: rootdir + mountPath: / + volumes: + - name: rootdir + hostPath: + path: / + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: kube-system + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + metadata: + labels: + name: fluentd-elasticsearch + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + cpu: 500m + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: optmount + mountPath: /opt + terminationGracePeriodSeconds: 30 + volumes: + - name: optmount + hostPath: + path: /opt +--- +apiVersion: v1 +kind: Pod +metadata: + name: redis-empty-dir + namespace: kube-system +spec: + containers: + - name: redis + image: redis + volumeMounts: + - name: redis-storage + mountPath: /data/redis + volumes: + - name: redis-storage + emptyDir: {} +--- +apiVersion: v1 +kind: Pod +metadata: + name: redis-tmp-dir +spec: + containers: + - name: redis + image: redis + volumeMounts: + - name: redis-storage-tmp + mountPath: /data/redis + volumes: + - name: redis-storage-tmp + hostPath: + path: /tmp/redis-storage + type: DirectoryOrCreate +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - name: static-page-dir + mountPath: /var/www/app/static + volumes: + - name: static-page-dir + hostPath: + path: /tmp/static + type: DirectoryOrCreate + +``` diff --git a/docs/queries/kubernetes-queries/5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md b/docs/queries/kubernetes-queries/5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md new file mode 100644 index 00000000000..d1d4db198b8 --- /dev/null 
+++ b/docs/queries/kubernetes-queries/5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d.md @@ -0,0 +1,124 @@ +--- +title: Privilege Escalation Allowed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5572cc5e-1e4c-4113-92a6-7a8a3bd25e6d +- **Query name:** Privilege Escalation Allowed +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/privilege_escalation_allowed) + +### Description +Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 21" +apiVersion: v1 +kind: Pod +metadata: + name: pod2 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: true + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + runAsUser: 2000 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="9 13 17" +apiVersion: v1 +kind: Pod +metadata: + name: example-priv +spec: + containers: + - name: payment + image: nginx + securityContext: + capabilities: + drop: + - SYS_ADMIN + - name: payment2 + image: nginx + - name: payment4 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: payment3 + image: nginx + securityContext: + allowPrivilegeEscalation: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: pod1 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` 
diff --git a/docs/queries/kubernetes-queries/5744cbb8-5946-4b75-a196-ade44449525b.md b/docs/queries/kubernetes-queries/5744cbb8-5946-4b75-a196-ade44449525b.md new file mode 100644 index 00000000000..439e211715e --- /dev/null +++ b/docs/queries/kubernetes-queries/5744cbb8-5946-4b75-a196-ade44449525b.md @@ -0,0 +1,105 @@ +--- +title: HPA Targeted Deployments With Configured Replica Count +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5744cbb8-5946-4b75-a196-ade44449525b +- **Query name:** HPA Targeted Deployments With Configured Replica Count +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/hpa_targeted_deployments_with_configured_replica_count) + +### Description +Deployments targeted by HorizontalPodAutoscaler should not have a statically configured replica count set
+[Documentation](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +#this is a problematic code where the query should report a result(s) +apiVersion: apps/v1 +kind: Deployment +metadata: + name: php-apache-1 +spec: + selector: + matchLabels: + run: php-apache + replicas: 1 + template: + metadata: + labels: + run: php-apache + spec: + containers: + - name: php-apache + image: k8s.gcr.io/hpa-example + ports: + - containerPort: 80 + resources: + limits: + cpu: 500m + requests: + cpu: 200m +--- +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: php-apache +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: php-apache-1 + minReplicas: 1 + maxReplicas: 10 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 50 +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: apps/v1 +kind: Deployment +metadata: + name: php-apache +spec: + selector: + matchLabels: + run: php-apache + template: + metadata: + labels: + run: php-apache + spec: + containers: + - name: php-apache + image: k8s.gcr.io/hpa-example + ports: + - containerPort: 80 + resources: + limits: + cpu: 500m + requests: + cpu: 200m +``` diff --git a/docs/queries/kubernetes-queries/583053b7-e632-46f0-b989-f81ff8045385.md b/docs/queries/kubernetes-queries/583053b7-e632-46f0-b989-f81ff8045385.md new file mode 100644 index 00000000000..27e54af3ed1 --- /dev/null +++ b/docs/queries/kubernetes-queries/583053b7-e632-46f0-b989-f81ff8045385.md 
@@ -0,0 +1,70 @@ +--- +title: Invalid Image Tag +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 583053b7-e632-46f0-b989-f81ff8045385 +- **Query name:** Invalid Image Tag +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Supply-Chain +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/invalid_image) + +### Description +Image tag must be defined and not be empty or equal to latest.
+[Documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 19" +apiVersion: v1 +kind: Pod +metadata: + name: private-image-test-3 +spec: + containers: + - name: uses-private-image-container + image: nginx + imagePullPolicy: Always + command: [ "echo", "SUCCESS" ] +--- +apiVersion: v1 +kind: Pod +metadata: + name: private-image-test-33 +spec: + containers: + - name: uses-private-image-container + image: nginx:latest + imagePullPolicy: Always + command: [ "echo", "SUCCESS" ] + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: private-image-test-1 +spec: + containers: + - name: uses-private-image + image: nginx:1.21 + imagePullPolicy: Always + command: [ "echo", "SUCCESS" ] + +``` diff --git a/docs/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9.md b/docs/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9.md new file mode 100644 index 00000000000..cf1ff717b9a --- /dev/null +++ b/docs/queries/kubernetes-queries/591ade62-d6b0-4580-b1ae-209f80ba1cd9.md @@ -0,0 +1,126 @@ +--- +title: Service Account Name Undefined Or Empty +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 591ade62-d6b0-4580-b1ae-209f80ba1cd9 +- **Query name:** Service Account Name Undefined Or Empty +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_account_name_undefined_or_empty) + +### Description +A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'serviceAccountName' should be defined and not empty.
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="58 28 6" +#this is a problematic code where the query should report a result(s) +apiVersion: v1 +kind: Pod +metadata: + name: nginx.container +spec: + containers: + - image: nginx + name: nginx + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: vault-token + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault + +--- + +apiVersion: v1 +kind: Pod +metadata: + name: nginx2.container.group +spec: + containers: + - image: nginx2 + name: nginx2 + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: vault-token + serviceAccountName: + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault + +--- + +apiVersion: v1 +kind: Pod +metadata: + name: nginx3 +spec: + containers: + - image: nginx3 + name: nginx3 + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: vault-token + serviceAccountName: "" + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: v1 +kind: Pod +metadata: + name: nginx +spec: + containers: + - image: nginx + name: nginx + volumeMounts: + - mountPath: /var/run/secrets/tokens + name: vault-token + serviceAccountName: build-robot + volumes: + - name: vault-token + projected: + sources: + - serviceAccountToken: + path: vault-token + expirationSeconds: 7200 + audience: vault +``` 
diff --git a/docs/queries/kubernetes-queries/592ad21d-ad9b-46c6-8d2d-fad09d62a942.md b/docs/queries/kubernetes-queries/592ad21d-ad9b-46c6-8d2d-fad09d62a942.md new file mode 100644 index 00000000000..4cd80c7a786 --- /dev/null +++ b/docs/queries/kubernetes-queries/592ad21d-ad9b-46c6-8d2d-fad09d62a942.md @@ -0,0 +1,179 @@ +--- +title: Permissive Access to Create Pods +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 592ad21d-ad9b-46c6-8d2d-fad09d62a942 +- **Query name:** Permissive Access to Create Pods +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/permissive_access_to_create_pods) + +### Description +The permission to create pods in a cluster should be restricted because it allows privilege escalation.
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="39 9 48 21 60 30" +#this is a problematic code where the query should report a result(s) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reader +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: + - "get" + - "watch" + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: secret-reader2 +rules: +- apiGroups: [""] + resources: ["*"] + verbs: ["get", "watch", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reader3 +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: secret-reader4 +rules: +- apiGroups: [""] + resources: ["*"] + verbs: ["get", "watch", "*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reader5 +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: + - "get" + - "watch" + - "c*e" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reader6 +rules: +- apiGroups: [""] + resources: ["p*ds"] + verbs: ["get", "watch", "create"] +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="26" +#this is a problematic code where the query should report a result(s) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reader +rules: + - apiGroups: + - "*" + resources: + - "*" + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - custom + verbs: + - create + - delete + - apiGroups: + - "*" + resources: + - "*" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reader +rules: +- apiGroups: [""] + + resources: ["pods"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reader2 +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reader4 +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: + - "get" + - "watch" + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reader +rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - "*" + verbs: + - create + - delete + +``` diff --git a/docs/queries/kubernetes-queries/5da47109-f8d6-4585-9e2b-96a8958a12f5.md b/docs/queries/kubernetes-queries/5da47109-f8d6-4585-9e2b-96a8958a12f5.md new file mode 100644 index 00000000000..aef783a68c7 --- /dev/null +++ b/docs/queries/kubernetes-queries/5da47109-f8d6-4585-9e2b-96a8958a12f5.md 
@@ -0,0 +1,95 @@ +--- +title: Basic Auth File Is Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5da47109-f8d6-4585-9e2b-96a8958a12f5 +- **Query name:** Basic Auth File Is Set +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/basic_auth_file_is_set) + +### Description +When using kube-apiserver command, the 'basic-auth-file' flag should not be set
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver", "--basic-auth-file=/path/to/any/file"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--basic-auth-file=/path/to/any/file"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md b/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md new file mode 100644 index 00000000000..2cc4e955b3c --- /dev/null +++ b/docs/queries/kubernetes-queries/5f89001f-6dd9-49ff-9b15-d8cd71b617f4.md 
@@ -0,0 +1,147 @@ +--- +title: Kubelet Not Managing Ip Tables +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5f89001f-6dd9-49ff-9b15-d8cd71b617f4 +- **Query name:** Kubelet Not Managing Ip Tables +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_not_managing_ip_tables) + +### Description +Kubelet argument --make-iptables-util-chains should be true
+[Documentation](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--make-iptables-util-chains=false"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" +makeIPTablesUtilChains: false + +``` +```json title="Postitive test num. 3 - json file" hl_lines="7" +{ + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "evictionHard": { + "memory.available": "200Mi" + }, + "kind": "KubeletConfiguration", + "makeIPTablesUtilChains": false, + "port": 20250, + "serializeImagePulls": false, + "address": "192.168.0.8" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--make-iptables-util-chains=true"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" +makeIPTablesUtilChains: true + +``` +```yaml title="Negative test num. 
3 - yaml file" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" + +``` +
Negative test num. 4 - yaml file + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: [""] + restartPolicy: OnFailure + +``` +
+
Negative test num. 5 - json file + +```json +{ + "port": 20250, + "evictionHard": { + "memory.available": "200Mi" + }, + "kind": "KubeletConfiguration", + "makeIPTablesUtilChains": true, + "serializeImagePulls": false, + "address": "192.168.0.8", + "apiVersion": "kubelet.config.k8s.io/v1beta1" +} + +``` +
diff --git a/docs/queries/kubernetes-queries/611ab018-c4aa-4ba2-b0f6-a448337509a6.md b/docs/queries/kubernetes-queries/611ab018-c4aa-4ba2-b0f6-a448337509a6.md new file mode 100644 index 00000000000..a33b654c06d --- /dev/null +++ b/docs/queries/kubernetes-queries/611ab018-c4aa-4ba2-b0f6-a448337509a6.md @@ -0,0 +1,190 @@ +--- +title: Using Unrecommended Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 611ab018-c4aa-4ba2-b0f6-a448337509a6 +- **Query name:** Using Unrecommended Namespace +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/using_unrecommended_namespace) + +### Description +Namespaces like 'default', 'kube-system' or 'kube-public' should not be used
+[Documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/kubernetes-objects/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +apiVersion: v1 +kind: Pod +metadata: + name: frontend + namespace: default +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="4" +apiVersion: v1 +kind: Pod +metadata: + name: frontend2 +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +apiVersion: v1 +kind: Pod +metadata: + name: mongo.db.collection.com + namespace: kube-public + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="5" +apiVersion: v1 +kind: Pod +metadata: + name: mongo.db.collection.com + namespace: kube-system + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="5" +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: default +spec: + template: + spec: + automountServiceAccountToken: true + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: frontend + namespace: cosmicPod +spec: + securityContext: + runAsUser: 1000 + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +--- +apiVersion: v1 +kind: CustomResourceDefinition +metadata: + name: mongo.db.collection.com + +``` diff --git a/docs/queries/kubernetes-queries/69bbc5e3-0818-4150-89cc-1e989b48f23b.md b/docs/queries/kubernetes-queries/69bbc5e3-0818-4150-89cc-1e989b48f23b.md new file mode 100644 index 00000000000..e8a4e77064c --- /dev/null +++ b/docs/queries/kubernetes-queries/69bbc5e3-0818-4150-89cc-1e989b48f23b.md @@ -0,0 +1,105 @@ +--- +title: Ingress Controller Exposes Workload +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 69bbc5e3-0818-4150-89cc-1e989b48f23b +- **Query name:** Ingress Controller Exposes Workload +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/ingress_controller_exposes_workload) + +### Description +Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks
+[Documentation](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="31" +apiVersion: v1 +kind: Service +metadata: + name: app + labels: + app: app +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + selector: + app: app + + +--- + +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: app-ingress + annotations: + kubernetes.io/ingress.class: "nginx" + labels: + app: app +spec: + rules: + - host: app.acme.org + http: + paths: + - backend: + serviceName: app + servicePort: 3000 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Service +metadata: + name: app + labels: + app: app +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + selector: + app: app + + +--- + +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: app-ingress + annotations: + kubernetes.io/ingress.class: "nginx" + labels: + app: app +spec: + rules: + - host: app.acme.org + http: + paths: + - backend: + serviceName: app2 + servicePort: 3000 + +``` diff --git a/docs/queries/kubernetes-queries/6a68bebe-c021-492e-8ddb-55b0567fb768.md b/docs/queries/kubernetes-queries/6a68bebe-c021-492e-8ddb-55b0567fb768.md new file mode 100644 index 00000000000..ebdb82f88e1 --- /dev/null +++ b/docs/queries/kubernetes-queries/6a68bebe-c021-492e-8ddb-55b0567fb768.md 
@@ -0,0 +1,97 @@ +--- +title: Security Context Deny Admission Control Plugin Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6a68bebe-c021-492e-8ddb-55b0567fb768 +- **Query name:** Security Context Deny Admission Control Plugin Not Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/security_context_deny_admission_control_plugin_not_set) + +### Description +When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'SecurityContextDeny' plugin and the plugin should be correctly configured in AdmissionControl Config file when 'PodSecurityPolicy' plugin is not set
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=AlwaysAdmit"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=SecurityContextDeny", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--enable-admission-plugins=SecurityContextDeny", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--enable-admission-plugins=PodSecurityPolicy", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + args: [] + restartPolicy: OnFailure + +``` 
diff --git a/docs/queries/kubernetes-queries/6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md b/docs/queries/kubernetes-queries/6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md new file mode 100644 index 00000000000..ddea47d5eee --- /dev/null +++ b/docs/queries/kubernetes-queries/6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a.md @@ -0,0 +1,80 @@ +--- +title: Shared Host Network Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6b6bdfb3-c3ae-44cb-88e4-7405c1ba2c8a +- **Query name:** Shared Host Network Namespace +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/shared_host_network_namespace) + +### Description +Container should not share the host network namespace
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 6" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo +spec: + hostNetwork: true + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +``` diff --git a/docs/queries/kubernetes-queries/6b896afb-ca07-467a-b256-1a0077a1c08e.md b/docs/queries/kubernetes-queries/6b896afb-ca07-467a-b256-1a0077a1c08e.md new file mode 100644 index 00000000000..40d439f0bc9 --- /dev/null +++ b/docs/queries/kubernetes-queries/6b896afb-ca07-467a-b256-1a0077a1c08e.md 
@@ -0,0 +1,89 @@ +--- +title: RBAC Wildcard In Rule +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6b896afb-ca07-467a-b256-1a0077a1c08e +- **Query name:** RBAC Wildcard In Rule +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/rbac_wildcard_in_rule) + +### Description +Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7 9 18 19 20 29 31" +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: rbac1 + name: configmap-modifier +rules: +- apiGroups: ["*"] + resources: ["configmaps"] + verbs: ["*"] +--- +# Define role for OPA/kube-mgmt to update configmaps with policy status. +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: rbac2 + name: configmap-modifier1 +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: rbac3 + name: configmap-modifier2 +rules: +- operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["*"] + resources: ["*"] + verbs: ["POST"] + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: opa + name: configmap-modifier +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["update", "patch"] +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: opa + name: configmap-modifier +rules: +- apiGroups: [""] + resources: ["searchmaps"] + verbs: ["create", "patch"] +``` diff --git a/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md b/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md new file mode 100644 index 00000000000..b5250a2d3b7 --- /dev/null +++ b/docs/queries/kubernetes-queries/6cf42c97-facd-4fda-b8af-ea4529123355.md 
@@ -0,0 +1,158 @@ +--- +title: Kubelet Protect Kernel Defaults Set To False +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6cf42c97-facd-4fda-b8af-ea4529123355 +- **Query name:** Kubelet Protect Kernel Defaults Set To False +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_protect_kernel_defaults_set_to_false) + +### Description +--protect-kernel-defaults should be set to true
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--protect-kernel-defaults=false"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet","--protect-kernel-defaults=false"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +protectKernelDefaults: false +serializeImagePulls: false +tlsCertFile: "someFile.txt" +tlsPrivateKeyFile: "someFile.txt" +evictionHard: + memory.available: "200Mi" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="2" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +tlsCertFile: "someFile.txt" +tlsPrivateKeyFile: "someFile.txt" +evictionHard: + memory.available: "200Mi" + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--protect-kernel-defaults=true"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +protectKernelDefaults: true +tlsCertFile: "someFile.txt" +tlsPrivateKeyFile: "someFile.txt" +evictionHard: + memory.available: "200Mi" + +``` +
Negative test num. 4 - json file + +```json +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "port": 10250, + "readOnlyPort": 10255, + "cgroupDriver": "cgroupfs", + "protectKernelDefaults": true, + "hairpinMode": "promiscuous-bridge", + "serializeImagePulls": false, + "featureGates": { + "RotateKubeletClientCertificate": true, + "RotateKubeletServerCertificate": true + } + } + +``` +
diff --git a/docs/queries/kubernetes-queries/6d173be7-545a-46c6-a81d-2ae52ed1605d.md b/docs/queries/kubernetes-queries/6d173be7-545a-46c6-a81d-2ae52ed1605d.md new file mode 100644 index 00000000000..416c37dd1a7 --- /dev/null +++ b/docs/queries/kubernetes-queries/6d173be7-545a-46c6-a81d-2ae52ed1605d.md @@ -0,0 +1,93 @@ +--- +title: Tiller (Helm v2) Is Deployed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6d173be7-545a-46c6-a81d-2ae52ed1605d +- **Query name:** Tiller (Helm v2) Is Deployed +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/tiller_is_deployed) + +### Description +Check if Tiller is deployed.
+[Documentation](https://kubernetes.io/docs/concepts/containers/images/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 10 20 15" +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + labels: + app: helm + name: tiller + name: tiller-deploy +spec: + containers: + - + image: tiller-image + name: tiller-v1 + template: + metadata: + labels: + app: helm + name: tiller + spec: + containers: + - + args: + - "--listen=10.7.2.8:44134" + image: tiller-image + name: tiller-v2 + ports: + - + containerPort: 44134 + name: tiller + protocol: TCP + - + containerPort: 44135 + name: http + protocol: TCP + serviceAccountName: tiller + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +``` diff --git a/docs/queries/kubernetes-queries/7307579a-3abb-46ad-9ce5-2a915634d5c8.md b/docs/queries/kubernetes-queries/7307579a-3abb-46ad-9ce5-2a915634d5c8.md new file mode 100644 index 00000000000..3e4f06fc1ac --- /dev/null +++ b/docs/queries/kubernetes-queries/7307579a-3abb-46ad-9ce5-2a915634d5c8.md 
@@ -0,0 +1,91 @@ +--- +title: PSP With Added Capabilities +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7307579a-3abb-46ad-9ce5-2a915634d5c8 +- **Query name:** PSP With Added Capabilities +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/psp_with_added_capabilities) + +### Description +PodSecurityPolicy should not have added capabilities
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: privileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' +spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: privileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' +spec: + privileged: true + allowPrivilegeEscalation: true + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +``` diff --git a/docs/queries/kubernetes-queries/73e251f0-363d-4e53-86e2-0a93592437eb.md b/docs/queries/kubernetes-queries/73e251f0-363d-4e53-86e2-0a93592437eb.md new file mode 100644 index 00000000000..1856ac96805 --- /dev/null +++ b/docs/queries/kubernetes-queries/73e251f0-363d-4e53-86e2-0a93592437eb.md 
@@ -0,0 +1,141 @@ +--- +title: Audit Log Path Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 73e251f0-363d-4e53-86e2-0a93592437eb +- **Query name:** Audit Log Path Not Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/audit_log_path_not_set) + +### Description +When using kube-apiserver command, the 'audit-log-path' flag should be defined
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [""] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="40 27 12 55" +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + name: dummy + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure +--- +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure +--- +apiVersion: serving.knative.dev/v1 +kind: Revision +metadata: + name: dummy-rev + namespace: knative-sequence +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure +--- +apiVersion: sources.knative.dev/v1 +kind: ContainerSource +metadata: + name: dummy-cs + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-path=path/to/log"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--audit-log-path=path/to/log"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/768aab52-2504-4a2f-a3e3-329d5a679848.md b/docs/queries/kubernetes-queries/768aab52-2504-4a2f-a3e3-329d5a679848.md new file mode 100644 index 00000000000..f393865d441 --- /dev/null +++ b/docs/queries/kubernetes-queries/768aab52-2504-4a2f-a3e3-329d5a679848.md @@ -0,0 +1,157 @@ +--- +title: Audit Log Maxbackup Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 768aab52-2504-4a2f-a3e3-329d5a679848 +- **Query name:** Audit Log Maxbackup Not Properly Set +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/audit_log_maxbackup_not_properly_set) + +### Description +When using kube-apiserver command, the '--audit-log-maxbackup' flag should be defined and set to 10 or more files
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxbackup=5"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="40 27 12 55" +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + name: dummy + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxbackup=5"] + restartPolicy: OnFailure +--- +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxbackup=5"] + restartPolicy: OnFailure +--- +apiVersion: serving.knative.dev/v1 +kind: Revision +metadata: + name: dummy-rev + namespace: knative-sequence +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxbackup=5"] + restartPolicy: OnFailure +--- 
+apiVersion: sources.knative.dev/v1 +kind: ContainerSource +metadata: + name: dummy-cs + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxbackup=5"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxbackup=10"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--audit-log-maxbackup=15"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/7c81d34c-8e5a-402b-9798-9f442630e678.md b/docs/queries/kubernetes-queries/7c81d34c-8e5a-402b-9798-9f442630e678.md new file mode 100644 index 00000000000..85212257080 --- /dev/null +++ b/docs/queries/kubernetes-queries/7c81d34c-8e5a-402b-9798-9f442630e678.md @@ -0,0 +1,58 @@ +--- +title: Image Without Digest +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7c81d34c-8e5a-402b-9798-9f442630e678 +- **Query name:** Image Without Digest +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/image_without_digest) + +### Description +Images should be specified together with their digests to ensure integrity
+[Documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +apiVersion: v1 +kind: Pod +metadata: + name: private-image-test-1 +spec: + containers: + - name: uses-private-image + image: $PRIVATE_IMAGE_NAME + imagePullPolicy: Always + command: [ "echo", "SUCCESS" ] + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: private-image-test-1 +spec: + containers: + - name: uses-private-image + image: image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb + imagePullPolicy: Always + command: [ "echo", "SUCCESS" ] +``` diff --git a/docs/queries/kubernetes-queries/80f93444-b240-4ebb-a4c6-5c40b76c04ea.md b/docs/queries/kubernetes-queries/80f93444-b240-4ebb-a4c6-5c40b76c04ea.md new file mode 100644 index 00000000000..36fecf2a631 --- /dev/null +++ b/docs/queries/kubernetes-queries/80f93444-b240-4ebb-a4c6-5c40b76c04ea.md @@ -0,0 +1,67 @@ +--- +title: PSP Allows Sharing Host IPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 80f93444-b240-4ebb-a4c6-5c40b76c04ea +- **Query name:** PSP Allows Sharing Host IPC +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/psp_allows_sharing_host_ipc) + +### Description +Pod Security Policy allows containers to share the host IPC namespace
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: example +spec: + hostIPC: true + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: example +spec: + hostIPC: false + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + +``` diff --git a/docs/queries/kubernetes-queries/8320826e-7a9c-4b0b-9535-578333193432.md b/docs/queries/kubernetes-queries/8320826e-7a9c-4b0b-9535-578333193432.md new file mode 100644 index 00000000000..995a753a932 --- /dev/null +++ b/docs/queries/kubernetes-queries/8320826e-7a9c-4b0b-9535-578333193432.md @@ -0,0 +1,58 @@ +--- +title: RBAC Roles Allow Privilege Escalation +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8320826e-7a9c-4b0b-9535-578333193432 +- **Query name:** RBAC Roles Allow Privilege Escalation +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/rbac_roles_allow_privilege_escalation) + +### Description +Roles or ClusterRoles with RBAC permissions 'bind' or 'escalate' allow subjects to create new bindings with other roles. This is dangerous, as users with these privileges can bind to roles that may exceed their own privileges
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: rbac-binder +rules: +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles"] + verbs: ["bind"] +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterrolebindings"] + verbs: ["create"] + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: not-rbac-binder +rules: +- apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterrolebindings"] + verbs: ["create"] + +``` diff --git a/docs/queries/kubernetes-queries/845acfbe-3e10-4b8e-b656-3b404d36dfb2.md b/docs/queries/kubernetes-queries/845acfbe-3e10-4b8e-b656-3b404d36dfb2.md new file mode 100644 index 00000000000..80b15a0ab38 --- /dev/null +++ b/docs/queries/kubernetes-queries/845acfbe-3e10-4b8e-b656-3b404d36dfb2.md @@ -0,0 +1,66 @@ +--- +title: Service Type is NodePort +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 845acfbe-3e10-4b8e-b656-3b404d36dfb2 +- **Query name:** Service Type is NodePort +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_type_is_nodeport) + +### Description +Service type should not be NodePort
+[Documentation](https://kubernetes.io/docs/concepts/services-networking/service/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +apiVersion: v1 +kind: Service +metadata: + name: my-service +spec: + type: NodePort + selector: + app: MyApp + ports: + - port: 80 + targetPort: 80 + nodePort: 30007 +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Service +metadata: + name: my-service +spec: + selector: + app: MyApp + ports: + - protocol: TCP + port: 80 + targetPort: 9376 + clusterIP: 10.0.171.239 + type: LoadBalancer +status: + loadBalancer: + ingress: + - ip: 192.0.2.127 +``` diff --git a/docs/queries/kubernetes-queries/85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md b/docs/queries/kubernetes-queries/85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md new file mode 100644 index 00000000000..45e7d7917a2 --- /dev/null +++ b/docs/queries/kubernetes-queries/85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3.md @@ -0,0 +1,153 @@ +--- +title: Network Policy Is Not Targeting Any Pod +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 85ab1c5b-014e-4352-b5f8-d7dea3bb4fd3 +- **Query name:** Network Policy Is Not Targeting Any Pod +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/network_policy_is_not_targeting_any_pod) + +### Description +Check if any network policy is not targeting any pod.
+[Documentation](https://kubernetes.io/docs/concepts/services-networking/network-policies/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22" +apiVersion: v1 +kind: Pod +metadata: + name: nopolicy + labels: + app: easy +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: test-network-policy + namespace: default +spec: + podSelector: + matchLabels: + app: rarelabel + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 172.17.0.0/16 + except: + - 172.17.1.0/24 + - namespaceSelector: + matchLabels: + project: myproject + - podSelector: + matchLabels: + role: frontend + ports: + - protocol: TCP + port: 6379 + egress: + - to: + - ipBlock: + cidr: 10.0.0.0/24 + ports: + - protocol: TCP + port: 5978 +--- +apiVersion: v1 +kind: Pod +metadata: + name: partialpolicy + labels: + app: easy +spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: test-network-policy + namespace: default +spec: + podSelector: + matchLabels: + app: nginx + policyTypes: + - Ingress + - Egress + ingress: + - from: + - ipBlock: + cidr: 172.17.0.0/16 + except: + - 172.17.1.0/24 + - namespaceSelector: + matchLabels: + project: myproject + - podSelector: + matchLabels: + role: frontend + ports: + - protocol: TCP + port: 6379 + egress: + - to: + - ipBlock: + cidr: 10.0.0.0/24 + ports: + - protocol: TCP + port: 5978 +``` diff --git a/docs/queries/kubernetes-queries/87554eef-154d-411d-bdce-9dbd91e56851.md b/docs/queries/kubernetes-queries/87554eef-154d-411d-bdce-9dbd91e56851.md new file mode 100644 index 00000000000..3c51695ac86 --- /dev/null +++ b/docs/queries/kubernetes-queries/87554eef-154d-411d-bdce-9dbd91e56851.md @@ -0,0 +1,109 @@ +--- +title: PSP Allows Privilege Escalation +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 87554eef-154d-411d-bdce-9dbd91e56851 +- **Query name:** PSP Allows Privilege Escalation +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/psp_allows_privilege_escalation) + +### Description +PodSecurityPolicy should not allow privilege escalation
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 9" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: privileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' +spec: + privileged: true + allowPrivilegeEscalation: true + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: privileged2 + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' +spec: + privileged: true + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: privileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' +spec: + privileged: true + allowPrivilegeEscalation: false + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +``` diff --git a/docs/queries/kubernetes-queries/895a5a95-3756-4b04-9924-2f3bc93181bd.md b/docs/queries/kubernetes-queries/895a5a95-3756-4b04-9924-2f3bc93181bd.md new file mode 100644 index 00000000000..23cd84ecb74 --- /dev/null +++ b/docs/queries/kubernetes-queries/895a5a95-3756-4b04-9924-2f3bc93181bd.md 
@@ -0,0 +1,97 @@ +--- +title: Etcd TLS Certificate Not Properly Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 895a5a95-3756-4b04-9924-2f3bc93181bd +- **Query name:** Etcd TLS Certificate Not Properly Configured +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/etcd_tls_certificate_not_properly_configured) + +### Description +When using kube-apiserver commands, the '--etcd-certfile' and '--etcd-keyfile' flags should be defined
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--etcd-keyfile=/path/to/key/file.key"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--etcd-certfile=/path/to/cert/file.crt"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--etcd-keyfile=/path/to/key/file.key","--etcd-certfile=/path/to/cert/file.crt"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--etcd-keyfile=/path/to/key/file.key","--etcd-certfile=/path/to/cert/file.crt"] + args: [] + restartPolicy: OnFailure + +``` 
diff --git a/docs/queries/kubernetes-queries/8b36775e-183d-4d46-b0f7-96a6f34a723f.md b/docs/queries/kubernetes-queries/8b36775e-183d-4d46-b0f7-96a6f34a723f.md new file mode 100644 index 00000000000..a1ec47f949f --- /dev/null +++ b/docs/queries/kubernetes-queries/8b36775e-183d-4d46-b0f7-96a6f34a723f.md @@ -0,0 +1,90 @@ +--- +title: Missing AppArmor Profile +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8b36775e-183d-4d46-b0f7-96a6f34a723f +- **Query name:** Missing AppArmor Profile +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/missing_app_armor_config) + +### Description +Containers should be configured with an AppArmor profile to enforce fine-grained access control over low-level system resources
+[Documentation](https://kubernetes.io/docs/tutorials/clusters/apparmor/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 5 36" +apiVersion: v1 +kind: Pod +metadata: + name: hello-apparmor-1 + annotations: + container.apparmor.security.beta.kubernetes.io/hello1: dummy + container.apparmor.security.beta.kubernetes.io/hello2: dummy +spec: + containers: + - name: hello1 + image: busybox + command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ] + - name: hello2 + image: busybox + command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ] + - name: hello3 + image: busybox + command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ubuntu-test1 + namespace: testns + labels: + deployment: ubuntu-1 +spec: + replicas: 1 + selector: + matchLabels: + container: ubuntu-1 + template: + metadata: + labels: + container: ubuntu-1 + annotations: + container.apparmor.security.beta.kubernetes.io/ubuntu-1-container: dummy + spec: + containers: + - name: ubuntu-1-container + image: 0x010/ubuntu-w-utils:latest + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: hello-apparmor-2positive + annotations: + container.apparmor.security.beta.kubernetes.io/hello: localhost/k8s-apparmor-example-allow-write +spec: + containers: + - name: hello + image: busybox + command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ] +``` diff --git a/docs/queries/kubernetes-queries/8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md b/docs/queries/kubernetes-queries/8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md new file mode 100644 index 00000000000..023977eb218 --- /dev/null +++ b/docs/queries/kubernetes-queries/8b862ca9-0fbd-4959-ad72-b6609bdaa22d.md 
@@ -0,0 +1,65 @@ +--- +title: Tiller Service Is Not Deleted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8b862ca9-0fbd-4959-ad72-b6609bdaa22d +- **Query name:** Tiller Service Is Not Deleted +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/tiller_service_is_not_deleted) + +### Description +Check if there is any Tiller Service present
+[Documentation](https://kubernetes.io/docs/concepts/services-networking/service) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4 12" +apiVersion: v1 +kind: Service +metadata: + name: tiller-deploy + labels: + app: helm + name: tiller +spec: + type: ClusterIP + selector: + app: helm + name: tiller + ports: + - name: tiller + port: 44134 + protocol: TCP + targetPort: tiller +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Service +metadata: + name: some-service + labels: + name: some-label +spec: + ports: + - protocol: TCP + port: 80 + targetPort: 9376 +``` diff --git a/docs/queries/kubernetes-queries/8cf4671a-cf3d-46fc-8389-21e7405063a2.md b/docs/queries/kubernetes-queries/8cf4671a-cf3d-46fc-8389-21e7405063a2.md new file mode 100644 index 00000000000..890c8cb265b --- /dev/null +++ b/docs/queries/kubernetes-queries/8cf4671a-cf3d-46fc-8389-21e7405063a2.md @@ -0,0 +1,140 @@ +--- +title: StatefulSet Requests Storage +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8cf4671a-cf3d-46fc-8389-21e7405063a2 +- **Query name:** StatefulSet Requests Storage +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/statefulset_requests_storage) + +### Description +A StatefulSet requests volume storage.
+[Documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="73 33 66" +#this is a problematic code where the query should report a result(s) +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web +spec: + serviceName: "nginx" + replicas: 2 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + volumeClaimTemplates: + - metadata: + name: www + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 1Gi +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web2 +spec: + serviceName: "nginx" + replicas: 2 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + volumeClaimTemplates: + - metadata: + name: www + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 1Gi + - metadata: + name: www2 + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 2Gi +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web2 +spec: + serviceName: "nginx" + replicas: 2 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + volumeClaimTemplates: + - metadata: + name: www + spec: + accessModes: [ "ReadWriteOnce" ] +``` diff --git a/docs/queries/kubernetes-queries/9127f0d9-2310-42e7-866f-5fd9d20dcbad.md b/docs/queries/kubernetes-queries/9127f0d9-2310-42e7-866f-5fd9d20dcbad.md new file mode 100644 index 00000000000..619b1b62a3e --- /dev/null +++ b/docs/queries/kubernetes-queries/9127f0d9-2310-42e7-866f-5fd9d20dcbad.md @@ -0,0 +1,157 @@ +--- +title: Cluster Allows Unsafe Sysctls +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9127f0d9-2310-42e7-866f-5fd9d20dcbad +- **Query name:** Cluster Allows Unsafe Sysctls +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/cluster_allows_unsafe_sysctls) + +### Description +A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.securityContext.sysctls' must not specify unsafe sysctls and the attribute 'allowedUnsafeSysctls' must be undefined.
+[Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 11 13" +#this is a problematic code where the query should report a result(s) +apiVersion: v1 +kind: Pod +metadata: + name: sysctl-example +spec: + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net.core.somaxconn + value: "1024" + - name: kernel.msgmax + value: "65536" + containers: + - name: test1 + image: nginx +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: sysctl-psp +spec: + allowedUnsafeSysctls: + - kernel.msg* + forbiddenSysctls: + - kernel.shm_rmid_forced + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-app + labels: + app: test-app +spec: + selector: + matchLabels: + app: test-app + template: + metadata: + labels: + app: test-app + spec: + securityContext: + sysctls: + - name: kernel.sem + value: "128 32768 128 4096" + containers: + - name: test-ubuntu + image: ubuntu + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: v1 +kind: Pod +metadata: + name: sysctl-example +spec: + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net.ipv4.ip_local_port_range + value: "0" + containers: + - name: test1 + image: nginx +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: sysctl-psp +spec: + forbiddenSysctls: + - kernel.shm_rmid_forced + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-app-neg + labels: + app: test-app-neg +spec: + selector: + matchLabels: + app: test-app-neg + template: + metadata: + labels: + app: test-app-neg + spec: + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net/ipv4/tcp_syncookies + value: "1" + containers: + - name: test-ubuntu + image: ubuntu + +``` diff --git a/docs/queries/kubernetes-queries/91dacd0e-d189-4a9c-8272-5999a3cc32d9.md b/docs/queries/kubernetes-queries/91dacd0e-d189-4a9c-8272-5999a3cc32d9.md new file mode 100644 index 00000000000..d8e09242364 --- /dev/null +++ b/docs/queries/kubernetes-queries/91dacd0e-d189-4a9c-8272-5999a3cc32d9.md @@ -0,0 +1,67 @@ +--- +title: PSP Allows Sharing Host PID +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 91dacd0e-d189-4a9c-8272-5999a3cc32d9 +- **Query name:** PSP Allows Sharing Host PID +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/psp_allows_sharing_host_pid) + +### Description +Pod Security Policy allows containers to share the host process ID namespace
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="6" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: example +spec: + hostPID: true + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: example +spec: + hostPID: false + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + +``` diff --git a/docs/queries/kubernetes-queries/9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md b/docs/queries/kubernetes-queries/9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md new file mode 100644 index 00000000000..3ce3b404d40 --- /dev/null +++ b/docs/queries/kubernetes-queries/9391103a-d8d7-4671-ac5d-606ba7ccb0ac.md @@ -0,0 +1,117 @@ +--- +title: Etcd Client Certificate Authentication Set To False +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9391103a-d8d7-4671-ac5d-606ba7ccb0ac +- **Query name:** Etcd Client Certificate Authentication Set To False +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/etcd_client_certificate_authentication_set_to_false) + +### Description +When using etcd commands, the '--client-cert-auth' flag should be defined
+[Documentation](https://etcd.io/docs/v3.4/op-guide/security/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--client-cert-auth=false"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: [] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--client-cert-auth=true"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` 
diff --git a/docs/queries/kubernetes-queries/94b76ea5-e074-4ca2-8a03-c5a606e30645.md b/docs/queries/kubernetes-queries/94b76ea5-e074-4ca2-8a03-c5a606e30645.md new file mode 100644 index 00000000000..49e3d96c4ed --- /dev/null +++ b/docs/queries/kubernetes-queries/94b76ea5-e074-4ca2-8a03-c5a606e30645.md @@ -0,0 +1,207 @@ +--- +title: Object Is Using A Deprecated API Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 94b76ea5-e074-4ca2-8a03-c5a606e30645 +- **Query name:** Object Is Using A Deprecated API Version +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/object_is_using_a_deprecated_api_version) + +### Description +Kubernetes APIs evolve over time and are sometimes removed with newer releases. To prevent incompatibilities when upgrading Kubernetes, deprecated APIs should be replaced with newer and more stable API versions.
+[Documentation](https://kubernetes.io/docs/reference/using-api/deprecation-guide/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="1 76 23 58 94" +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 +--- +apiVersion: apps/v1beta2 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: kube-system + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + cpu: 500m + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: optmount + mountPath: /opt + terminationGracePeriodSeconds: 30 + volumes: + - name: optmount + hostPath: + path: /opt +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: minimal-ingress + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / +spec: + rules: + - http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 +--- +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: minimal-ingress1 + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / +spec: + rules: + - http: + paths: + - path: /testpath + pathType: Prefix + backend: + service: + name: test + port: + number: 80 +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: hello +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox + imagePullPolicy: IfNotPresent + command: + - /bin/sh + - -c 
+ - date; echo Hello from kics + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: kube-system + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + cpu: 500m + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: optmount + mountPath: /opt + terminationGracePeriodSeconds: 30 + volumes: + - name: optmount + hostPath: + path: /opt + +``` diff --git a/docs/queries/kubernetes-queries/9587c890-0524-40c2-9ce2-663af7c2f063.md b/docs/queries/kubernetes-queries/9587c890-0524-40c2-9ce2-663af7c2f063.md new file mode 100644 index 00000000000..b3f049c8b30 --- /dev/null +++ b/docs/queries/kubernetes-queries/9587c890-0524-40c2-9ce2-663af7c2f063.md 
@@ -0,0 +1,97 @@ +--- +title: Service Account Admission Control Plugin Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9587c890-0524-40c2-9ce2-663af7c2f063 +- **Query name:** Service Account Admission Control Plugin Disabled +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_account_admission_control_plugin_disabled) + +### Description +When using kube-apiserver command, the '--disable-admission-plugins' flag should not have 'ServiceAccount' plugin
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--disable-admission-plugins=ServiceAccount"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--disable-admission-plugins=ServiceAccount"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=ServiceAccount", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` 
diff --git a/docs/queries/kubernetes-queries/98ce8b81-7707-4734-aa39-627c6db3d84b.md b/docs/queries/kubernetes-queries/98ce8b81-7707-4734-aa39-627c6db3d84b.md new file mode 100644 index 00000000000..10b55e1001e --- /dev/null +++ b/docs/queries/kubernetes-queries/98ce8b81-7707-4734-aa39-627c6db3d84b.md @@ -0,0 +1,117 @@ +--- +title: Auto TLS Set To True +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 98ce8b81-7707-4734-aa39-627c6db3d84b +- **Query name:** Auto TLS Set To True +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/auto_tls_set_to_true) + +### Description +When using etcd commands, the '--auto-tls' should be set to false
+[Documentation](https://etcd.io/docs/v3.4/op-guide/security/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--auto-tls=true"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: [] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd", "--auto-tls=false"] + args: [] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md b/docs/queries/kubernetes-queries/9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md new file mode 100644 index 00000000000..77ef309823f 
--- /dev/null +++ b/docs/queries/kubernetes-queries/9d43040e-e703-4e16-8bfe-8d4da10fa7e6.md @@ -0,0 +1,94 @@ +--- +title: Container CPU Requests Not Equal To It's Limits +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9d43040e-e703-4e16-8bfe-8d4da10fa7e6 +- **Query name:** Container CPU Requests Not Equal To It's Limits +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/container_cpu_requests_not_equal_to_its_limits) + +### Description +A Pod's Containers must have the same CPU requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.cpu' must equal 'limits.cpu', and both be defined.
+[Documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 26 11 22" +#this is a problematic code where the query should report a result(s) +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "128Mi" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + memory: "128Mi" + - name: app2 + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + memory: "128Mi" + cpu: "500m" +``` diff --git a/docs/queries/kubernetes-queries/9f85c3f6-26fd-4007-938a-2e0cb0100980.md b/docs/queries/kubernetes-queries/9f85c3f6-26fd-4007-938a-2e0cb0100980.md new file mode 100644 index 00000000000..de1ce975c6d --- /dev/null +++ b/docs/queries/kubernetes-queries/9f85c3f6-26fd-4007-938a-2e0cb0100980.md 
@@ -0,0 +1,85 @@ +--- +title: RBAC Roles with Impersonate Permission +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9f85c3f6-26fd-4007-938a-2e0cb0100980 +- **Query name:** RBAC Roles with Impersonate Permission +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/rbac_roles_with_impersonate_permission) + +### Description +Roles or ClusterRoles with the permission 'impersonate' allow subjects to assume the rights of other users, groups, or service accounts. In case of compromise, attackers may abuse this sudo-like functionality to achieve privilege escalation
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: impersonator-role + namespace: default +rules: +- apiGroups: [""] + resources: ["users", "groups", "serviceaccounts"] + verbs: ["impersonate"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rbac-impersonate-binding +subjects: +- kind: ServiceAccount + name: impersonator-sa + namespace: default + apiGroup: "" +roleRef: + kind: ClusterRole + name: impersonator-role + apiGroup: "" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: impersonator-role-neg + namespace: default +rules: +- apiGroups: [""] + resources: ["users", "groups", "serviceaccounts"] + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: rbac-impersonate-binding +subjects: +- kind: ServiceAccount + name: impersonator-sa-neg + namespace: default + apiGroup: "" +roleRef: + kind: ClusterRole + name: impersonator-role-neg + apiGroup: "" + +``` diff --git a/docs/queries/kubernetes-queries/a31b7b82-d994-48c4-bd21-3bab6c31827a.md b/docs/queries/kubernetes-queries/a31b7b82-d994-48c4-bd21-3bab6c31827a.md new file mode 100644 index 00000000000..9972f92ca71 --- /dev/null +++ b/docs/queries/kubernetes-queries/a31b7b82-d994-48c4-bd21-3bab6c31827a.md 
@@ -0,0 +1,107 @@ +--- +title: Deployment Has No PodAntiAffinity +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a31b7b82-d994-48c4-bd21-3bab6c31827a +- **Query name:** Deployment Has No PodAntiAffinity +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/deployment_has_no_pod_anti_affinity) + +### Description +Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.
+[Documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 39" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: label-mismatch +spec: + selector: + matchLabels: + app: web-store + replicas: 3 + template: + metadata: + labels: + app: web-shore + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: web-store + topologyKey: "kubernetes.io/hostname" + containers: + - name: web-app + image: nginx:1.16-alpine +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: no-affinity +spec: + selector: + matchLabels: + app: web-store + replicas: 3 + template: + metadata: + labels: + app: web-store + spec: + containers: + - name: web-app + image: nginx:1.16-alpine + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: web-server +spec: + selector: + matchLabels: + app: web-store + replicas: 3 + template: + metadata: + labels: + app: web-store + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - web-store + topologyKey: "kubernetes.io/hostname" + containers: + - name: web-app + image: nginx:1.16-alpine +``` diff --git a/docs/queries/kubernetes-queries/a33e9173-b674-4dfb-9d82-cf3754816e4b.md b/docs/queries/kubernetes-queries/a33e9173-b674-4dfb-9d82-cf3754816e4b.md new file mode 100644 index 00000000000..ad8e9966e3d --- /dev/null +++ b/docs/queries/kubernetes-queries/a33e9173-b674-4dfb-9d82-cf3754816e4b.md 
@@ -0,0 +1,91 @@ +--- +title: PSP Allows Containers To Share The Host Network Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a33e9173-b674-4dfb-9d82-cf3754816e4b +- **Query name:** PSP Allows Containers To Share The Host Network Namespace +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/psp_containers_share_host_network_namespace) + +### Description +Check if Pod Security Policies allow containers to share the host network namespace.
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="14" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: privileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' +spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + volumes: + - '*' + hostNetwork: true + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: privileged + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' +spec: + privileged: true + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + volumes: + - '*' + hostNetwork: false + hostPorts: + - min: 0 + max: 65535 + hostIPC: true + hostPID: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' +``` diff --git a/docs/queries/kubernetes-queries/a5530bd7-225a-48f9-91bb-f40b04200165.md b/docs/queries/kubernetes-queries/a5530bd7-225a-48f9-91bb-f40b04200165.md new file mode 100644 index 00000000000..8ce3cceed88 --- /dev/null +++ b/docs/queries/kubernetes-queries/a5530bd7-225a-48f9-91bb-f40b04200165.md 
@@ -0,0 +1,81 @@ +--- +title: Service Account Lookup Set To False +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a5530bd7-225a-48f9-91bb-f40b04200165 +- **Query name:** Service Account Lookup Set To False +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_account_lookup_set_to_false) + +### Description +When using kube-apiserver command, the '--service-account-lookup' flag should be set to true
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--service-account-lookup=false"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--service-account-lookup=true"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md b/docs/queries/kubernetes-queries/a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md new file mode 100644 index 00000000000..66e085e644c --- /dev/null +++ b/docs/queries/kubernetes-queries/a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3.md 
@@ -0,0 +1,78 @@ +--- +title: Readiness Probe Is Not Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a659f3b5-9bf0-438a-bd9a-7d3a6427f1e3 +- **Query name:** Readiness Probe Is Not Configured +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/readiness_probe_is_not_configured) + +### Description +Check if Readiness Probe is not configured.
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +apiVersion: v1 +kind: Pod +metadata: + name: goproxy + labels: + app: goproxy +spec: + containers: + - name: goproxy + image: k8s.gcr.io/goproxy:0.1 + ports: + - containerPort: 8080 + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: goproxy + labels: + app: goproxy +spec: + containers: + - name: goproxy + image: k8s.gcr.io/goproxy:0.1 + ports: + - containerPort: 8080 + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 20 + +``` diff --git a/docs/queries/kubernetes-queries/a6f34658-fdfb-4154-9536-56d516f65828.md b/docs/queries/kubernetes-queries/a6f34658-fdfb-4154-9536-56d516f65828.md new file mode 100644 index 00000000000..03a7f58ddd6 --- /dev/null +++ b/docs/queries/kubernetes-queries/a6f34658-fdfb-4154-9536-56d516f65828.md @@ -0,0 +1,121 @@ +--- +title: Docker Daemon Socket is Exposed to Containers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a6f34658-fdfb-4154-9536-56d516f65828 +- **Query name:** Docker Daemon Socket is Exposed to Containers +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/docker_daemon_socket_is_exposed_to_containers) + +### Description +Sees if Docker Daemon Socket is not exposed to Containers
+[Documentation](https://kubernetes.io/docs/concepts/storage/volumes/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="67 43 15" +apiVersion: v1 +kind: Pod +metadata: + name: test-pd +spec: + containers: + - image: k8s.gcr.io/test-webserver + name: test-container + volumeMounts: + - mountPath: /test-pd + name: test-volume + volumes: + - name: test-volume + hostPath: + path: /var/run/docker.sock + type: Directory + +--- + +apiVersion: v1 +kind: ReplicationController +metadata: + name: node-manager + labels: + name: node-manager +spec: + selector: + name: node-manager + template: + metadata: + labels: + name: node-manager + spec: + containers: + - image: k8s.gcr.io/test-webserver + name: test-container + volumeMounts: + - mountPath: /test-pd + name: test-volume + volumes: + - name: test-volume + hostPath: + path: /var/run/docker.sock + type: Directory + +--- + +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: hello +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - image: k8s.gcr.io/test-webserver + name: test-container + volumeMounts: + - mountPath: /test-pd + name: test-volume + volumes: + - name: test-volume + hostPath: + path: /var/run/docker.sock + type: Directory +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: test-pd +spec: + containers: + - image: k8s.gcr.io/test-webserver + name: test-container + volumeMounts: + - mountPath: /test-pd + name: test-volume + volumes: + - name: test-volume + hostPath: + path: /data + type: Directory +``` diff --git a/docs/queries/kubernetes-queries/a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md b/docs/queries/kubernetes-queries/a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md new file mode 100644 index 00000000000..b1cf4f2e932 --- /dev/null 
+++ b/docs/queries/kubernetes-queries/a77f4d07-c6e0-4a48-8b35-0eeb51576f4f.md @@ -0,0 +1,81 @@ +--- +title: Always Pull Images Admission Control Plugin Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a77f4d07-c6e0-4a48-8b35-0eeb51576f4f +- **Query name:** Always Pull Images Admission Control Plugin Not Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/always_pull_images_admission_control_plugin_not_set) + +### Description +When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'AlwaysPullImages' plugin and the plugin should be correctly configured in AdmissionControl Config file
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=AlwaysAdmit"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=AlwaysPullImages", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--enable-admission-plugins=AlwaysPullImages", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/a97a340a-0063-418e-b3a1-3028941d0995.md b/docs/queries/kubernetes-queries/a97a340a-0063-418e-b3a1-3028941d0995.md new file mode 100644 index 00000000000..0158105d13b --- /dev/null +++ b/docs/queries/kubernetes-queries/a97a340a-0063-418e-b3a1-3028941d0995.md 
@@ -0,0 +1,97 @@ +--- +title: Pod or Container Without Security Context +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a97a340a-0063-418e-b3a1-3028941d0995 +- **Query name:** Pod or Container Without Security Context +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/pod_or_container_without_security_context) + +### Description +A security context defines privilege and access control settings for a Pod or Container
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 5" +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + securityContext: + runAsUser: 1000 + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + +``` diff --git a/docs/queries/kubernetes-queries/a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md b/docs/queries/kubernetes-queries/a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md new file mode 100644 index 00000000000..3309d316f55 --- /dev/null +++ b/docs/queries/kubernetes-queries/a9c2f49d-0671-4fc9-9ece-f4e261e128d0.md 
@@ -0,0 +1,75 @@ +--- +title: Root Container Not Mounted Read-only +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a9c2f49d-0671-4fc9-9ece-f4e261e128d0 +- **Query name:** Root Container Not Mounted Read-only +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/root_container_not_mounted_as_read_only) + +### Description +Check if the root container filesystem is not being mounted read-only.
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="24 12" +apiVersion: v1 +kind: Pod +metadata: + name: rootfalse + labels: + app: goproxy +spec: + containers: + - name: contain1_1 + image: k8s.gcr.io/goproxy:0.1 + securityContext: + readOnlyRootFilesystem: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: noroot + labels: + app: goproxy +spec: + containers: + - name: contain1_2 + image: k8s.gcr.io/goproxy:0.1 + securityContext: + someotherthing: true +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: goproxy + labels: + app: goproxy +spec: + containers: + - name: goproxy + image: k8s.gcr.io/goproxy:0.1 + securityContext: + readOnlyRootFilesystem: true + +``` diff --git a/docs/queries/kubernetes-queries/aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md b/docs/queries/kubernetes-queries/aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md new file mode 100644 index 00000000000..83e083e2b00 --- /dev/null +++ b/docs/queries/kubernetes-queries/aa8f7a35-9923-4cad-bd61-a19b7f6aac91.md @@ -0,0 +1,331 @@ +--- +title: Non Kube System Pod With Host Mount +hide: + toc: true + navigation: true +--- + + + +- **Query id:** aa8f7a35-9923-4cad-bd61-a19b7f6aac91 +- **Query name:** Non Kube System Pod With Host Mount +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/non_kube_system_pod_with_host_mount) + +### Description +A non kube-system workload should not have hostPath mounted
+[Documentation](https://kubernetes.io/docs/concepts/storage/volumes/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="185 40 136 106 43 76 168 153 59" +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: logs + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + metadata: + labels: + name: fluentd-elasticsearch + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + cpu: 500m + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: varlog + mountPath: /var/log + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + terminationGracePeriodSeconds: 30 + volumes: + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers +--- +apiVersion: v1 +kind: Pod +metadata: + name: redis +spec: + containers: + - name: redis + image: redis + volumeMounts: + - name: redis-storage + mountPath: /data/redis + volumes: + - name: redis-storage + hostPath: + path: /var/redis/data +--- +apiVersion: v1 +kind: Pod +metadata: + name: redis-memcache + namespace: memcache +spec: + containers: + - name: redis + image: redis + volumeMounts: + - name: redis-storage + mountPath: /data/redis + volumes: + - name: redis-storage + hostPath: + path: /var/redis/data +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + namespace: default + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - name: static-page-dir + mountPath: 
/var/www/app/static + volumes: + - name: static-page-dir + hostPath: + path: /var/local/static + type: DirectoryOrCreate +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment-undefined-ns + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - name: static-page-dir + mountPath: /var/www/app/static + volumes: + - name: static-page-dir + hostPath: + path: /var/local/static + type: DirectoryOrCreate +--- +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv-001 + namespace: default + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 10Gi + accessModes: + - ReadWriteOnce + hostPath: + path: "/" +--- +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv-002 + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 10Gi + accessModes: + - ReadWriteOnce + hostPath: + path: "/boot" +--- +apiVersion: serving.knative.dev/v1 +kind: Revision +metadata: + name: dummy-rev + namespace: knative-sequence +spec: + containers: + - name: redis + image: redis + volumeMounts: + - name: redis-storage + mountPath: /data/redis + volumes: + - name: redis-storage + hostPath: + path: /var/redis/data + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: fluentd-elasticsearch + namespace: kube-system + labels: + k8s-app: fluentd-logging +spec: + selector: + matchLabels: + name: fluentd-elasticsearch + template: + metadata: + labels: + name: fluentd-elasticsearch + spec: + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + containers: + - name: fluentd-elasticsearch + image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2 + resources: + limits: + cpu: 500m + memory: 200Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - name: varlog + mountPath: /var/log + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + terminationGracePeriodSeconds: 30 + volumes: + - name: varlog + hostPath: + path: /var/log + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers +--- +apiVersion: v1 +kind: Pod +metadata: + name: redis + namespace: kube-system +spec: + containers: + - name: redis + image: redis + volumeMounts: + - name: redis-storage + mountPath: /data/redis + volumes: + - name: redis-storage + hostPath: + path: /var/redis/data +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + namespace: kube-system + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + volumeMounts: + - name: static-page-dir + mountPath: /var/www/app/static + volumes: + - name: static-page-dir + hostPath: + path: /var/local/static + type: DirectoryOrCreate +--- +kind: PersistentVolume +apiVersion: v1 +metadata: + name: pv-001 + namespace: kube-system + labels: + type: local +spec: + storageClassName: manual + capacity: + storage: 10Gi + accessModes: + - ReadWriteOnce + hostPath: + path: "/sys" + +``` 
diff --git a/docs/queries/kubernetes-queries/aafa7d94-62de-4fbf-8838-b69ee217b0e6.md b/docs/queries/kubernetes-queries/aafa7d94-62de-4fbf-8838-b69ee217b0e6.md new file mode 100644 index 00000000000..1f90f87083f --- /dev/null +++ b/docs/queries/kubernetes-queries/aafa7d94-62de-4fbf-8838-b69ee217b0e6.md @@ -0,0 +1,94 @@ +--- +title: Container Memory Requests Not Equal To It's Limits +hide: + toc: true + navigation: true +--- + + + +- **Query id:** aafa7d94-62de-4fbf-8838-b69ee217b0e6 +- **Query name:** Container Memory Requests Not Equal To It's Limits +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/container_memory_requests_not_equal_to_its_limits) + +### Description +A Pod's Containers must have the same Memory requests as limits set, which is recommended to avoid resource DDOS of the node during spikes. This means the 'requests.memory' must equal 'limits.memory', and both be defined.
+[Documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 11 22" +#this is a problematic code where the query should report a result(s) +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + cpu: "500m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + cpu: "500m" + - name: app2 + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + memory: "128Mi" + cpu: "500m" + +``` diff --git a/docs/queries/kubernetes-queries/ade74944-a674-4e00-859e-c6eab5bde441.md b/docs/queries/kubernetes-queries/ade74944-a674-4e00-859e-c6eab5bde441.md new file mode 100644 index 00000000000..80b943b2cc0 --- /dev/null +++ b/docs/queries/kubernetes-queries/ade74944-a674-4e00-859e-c6eab5bde441.md 
@@ -0,0 +1,95 @@ +--- +title: Liveness Probe Is Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ade74944-a674-4e00-859e-c6eab5bde441 +- **Query name:** Liveness Probe Is Not Defined +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/liveness_probe_is_not_defined) + +### Description +In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
+[Documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#when-should-you-use-a-liveness-probe) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +apiVersion: v1 +kind: Pod +metadata: + labels: + test: liveness + name: liveness-exec +spec: + containers: + - name: liveness + image: k8s.gcr.io/busybox + args: + - /bin/sh + - -c + - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + labels: + test: liveness + name: liveness-exec +spec: + containers: + - name: liveness + image: k8s.gcr.io/busybox + args: + - /bin/sh + - -c + - touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600 + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + initialDelaySeconds: 5 + periodSeconds: 5 + +--- + +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: hello +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: hello + image: busybox + imagePullPolicy: IfNotPresent + args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + restartPolicy: OnFailure +``` diff --git a/docs/queries/kubernetes-queries/ae8827e2-4af9-4baa-9998-87539ae0d6f0.md b/docs/queries/kubernetes-queries/ae8827e2-4af9-4baa-9998-87539ae0d6f0.md new file mode 100644 index 00000000000..fa50c337346 --- /dev/null +++ b/docs/queries/kubernetes-queries/ae8827e2-4af9-4baa-9998-87539ae0d6f0.md 
@@ -0,0 +1,117 @@ +--- +title: Peer Auto TLS Set To True +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ae8827e2-4af9-4baa-9998-87539ae0d6f0 +- **Query name:** Peer Auto TLS Set To True +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/peer_auto_tls_set_to_true) + +### Description +When using etcd commands, the '--peer-auto-tls' should be set to false
+[Documentation](https://etcd.io/docs/v3.4/op-guide/security/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--peer-auto-tls=true"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: [] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd", "--peer-auto-tls=false"] + args: [] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/aee3c7d2-a811-4201-90c7-11c028be9a46.md b/docs/queries/kubernetes-queries/aee3c7d2-a811-4201-90c7-11c028be9a46.md new file mode 100644 index 00000000000..15e42a3c610 
--- /dev/null +++ b/docs/queries/kubernetes-queries/aee3c7d2-a811-4201-90c7-11c028be9a46.md @@ -0,0 +1,119 @@ +--- +title: Container Requests Not Equal To It's Limits +hide: + toc: true + navigation: true +--- + + + +- **Query id:** aee3c7d2-a811-4201-90c7-11c028be9a46 +- **Query name:** Container Requests Not Equal To It's Limits +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/container_requests_not_equal_to_its_limits) + +### Description +Containers must have the same resource requests set as limits. This is recommended to avoid resource DDoS of the node during spikes and means that 'requests.memory' and 'requests.cpu' must equal 'limits.memory' and 'limits.cpu', respectively
+[Documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="26 51" +#this is a problematic code where the query should report a result(s) +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + cpu: "500m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + cpu: "500m" + - name: app2 + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "500m" + limits: + memory: "128Mi" + cpu: "500m" + - name: app3 + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + limits: + memory: "64Mi" + cpu: "500m" + - name: app4 + image: images.my-company.example/app:v4 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + memory: "128Mi" + - name: app5 + image: images.my-company.example/app:v4 + resources: + requests: + memory: "128Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "128Mi" + cpu: "500m" + limits: + memory: "128Mi" + cpu: "500m" +``` 
diff --git a/docs/queries/kubernetes-queries/afa36afb-39fe-4d94-b9b6-afb236f7a03d.md b/docs/queries/kubernetes-queries/afa36afb-39fe-4d94-b9b6-afb236f7a03d.md
new file mode 100644
index 00000000000..bdbd7c819c4
--- /dev/null
+++ b/docs/queries/kubernetes-queries/afa36afb-39fe-4d94-b9b6-afb236f7a03d.md
@@ -0,0 +1,81 @@
+---
+title: Pod Security Policy Admission Control Plugin Not Set
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** afa36afb-39fe-4d94-b9b6-afb236f7a03d
+- **Query name:** Pod Security Policy Admission Control Plugin Not Set
+- **Platform:** Kubernetes
+- **Severity:** High
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/pod_security_policy_admission_control_plugin_not_set)
+
+### Description
+When using kube-apiserver command, the '--enable-admission-plugins' flag should have 'PodSecurityPolicy' plugin and the plugin should be correctly configured in AdmissionControl Config file
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver"]
+ args: ["--enable-admission-plugins=AlwaysAdmit"]
+ restartPolicy: OnFailure
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver"]
+ args: ["--enable-admission-plugins=PodSecurityPolicy", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
+ restartPolicy: OnFailure
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver","--enable-admission-plugins=PodSecurityPolicy", "--admission-control-config-file=path/to/plugin/config/file.yaml"]
+ args: []
+ restartPolicy: OnFailure
+
+```
diff --git a/docs/queries/kubernetes-queries/b14d1bc4-a208-45db-92f0-e21f8e2588e9.md b/docs/queries/kubernetes-queries/b14d1bc4-a208-45db-92f0-e21f8e2588e9.md
new file mode 100644
index 00000000000..834a7d3f104
--- /dev/null
+++ b/docs/queries/kubernetes-queries/b14d1bc4-a208-45db-92f0-e21f8e2588e9.md
@@ -0,0 +1,171 @@ +--- +title: Memory Limits Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b14d1bc4-a208-45db-92f0-e21f8e2588e9 +- **Query name:** Memory Limits Not Defined +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/memory_limits_not_defined) + +### Description +Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 57 38 23" +apiVersion: v1 +kind: Pod +metadata: + name: memory-demo-1 + namespace: mem-example +spec: + containers: + - name: memory-demo-ctr + image: polinux/stress + resources: + requests: + cpu: "0.5" + command: ["stress"] + args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: memory-demo-2 + namespace: mem-example +spec: + containers: + - name: memory-demo-ctr + image: polinux/stress + resources: + requests: + cpu: "0.5" + command: ["stress"] + args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: memory-demo-3 + namespace: mem-example +spec: + containers: + - name: memory-demo-ctr + image: polinux/stress + command: ["stress"] + args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: memory-demo-4 + namespace: mem-example +spec: + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: memory-demo-ctr + image: polinux/stress + command: ["stress"] + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-deployment + labels: + app: test +spec: + replicas: 3 + selector: + matchLabels: + app: test + template: + metadata: + labels: + app: test + spec: + containers: + - name: pause + image: k8s.gcr.io/pause + resources: + limits: + cpu: 1 + requests: + cpu: 0.5 + memory: 512Mi + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: memory-demo-negative + namespace: mem-example +spec: + containers: + - name: memory-demo-ctr + image: polinux/stress + resources: + limits: + memory: "200Mi" + requests: + memory: "100Mi" + command: ["stress"] + args: ["--vm", "1", "--vm-bytes", "150M", "--vm-hang", "1"] + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-deployment-neg + labels: + app: test-neg +spec: + replicas: 3 + selector: + matchLabels: + app: test-neg + template: + metadata: + labels: + app: test-neg + spec: + containers: + - name: pause + image: k8s.gcr.io/pause + resources: + limits: + cpu: 0.5 + memory: 512Mi + requests: + cpu: 0.5 + memory: 512Mi + +``` diff --git a/docs/queries/kubernetes-queries/b23e9b98-0cb6-4fc9-b257-1f3270442678.md b/docs/queries/kubernetes-queries/b23e9b98-0cb6-4fc9-b257-1f3270442678.md new file mode 100644 index 00000000000..5e0782a9103 --- /dev/null +++ b/docs/queries/kubernetes-queries/b23e9b98-0cb6-4fc9-b257-1f3270442678.md @@ -0,0 +1,101 @@ +--- +title: Deployment Without PodDisruptionBudget +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b23e9b98-0cb6-4fc9-b257-1f3270442678 +- **Query name:** Deployment Without PodDisruptionBudget +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/deployment_without_pod_disruption_budget) + +### Description +Deployments should be assigned with a PodDisruptionBudget to ensure high availability
+[Documentation](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="20" +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: nginx-pdb +spec: + minAvailable: 2 + selector: + matchLabels: + app: xpto +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: nginx-pdb +spec: + minAvailable: 2 + selector: + matchLabels: + app: nginx32 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + labels: + app: nginx +spec: + replicas: 3 + selector: + matchLabels: + app: nginx32 + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:1.14.2 + ports: + - containerPort: 80 + +``` diff --git a/docs/queries/kubernetes-queries/b7652612-de4e-4466-a0bf-1cd81f0c6063.md b/docs/queries/kubernetes-queries/b7652612-de4e-4466-a0bf-1cd81f0c6063.md new file mode 100644 index 00000000000..e295902df2a --- /dev/null +++ b/docs/queries/kubernetes-queries/b7652612-de4e-4466-a0bf-1cd81f0c6063.md 
@@ -0,0 +1,162 @@ +--- +title: Volume Mount With OS Directory Write Permissions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b7652612-de4e-4466-a0bf-1cd81f0c6063 +- **Query name:** Volume Mount With OS Directory Write Permissions +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/volume_mount_with_os_directory_write_permissions) + +### Description +Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.
+[Documentation](https://kubernetes.io/docs/concepts/storage/volumes/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="40 11 37 14" +apiVersion: v1 +kind: Pod +metadata: + name: pod-0 +spec: + containers: + - image: k8s.gcr.io/test-webserver + name: pod-0 + volumeMounts: + - mountPath: /bin + name: vol-0 + - mountPath: /var/run + name: vol-1 + readOnly: false + volumes: + - name: vol-0 + scaleIO: + gateway: https://localhost:443/api + system: scaleio + protectionDomain: sd0 + storagePool: sp1 + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-1 +spec: + containers: + - image: k8s.gcr.io/test-webserver + name: pod-1 + volumeMounts: + - mountPath: /var/run + name: vol-0 + - mountPath: /bin + name: vol-1 + readOnly: false + volumes: + - name: vol-0 + scaleIO: + gateway: https://localhost:443/api + system: scaleio + protectionDomain: sd0 + storagePool: sp1 + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: pod-0 +spec: + containers: + - image: k8s.gcr.io/test-webserver + name: pod-0 + volumeMounts: + - mountPath: /bin + name: vol-0 + readOnly: true + volumes: + - name: vol-0 + scaleIO: + gateway: https://localhost:443/api + system: scaleio + protectionDomain: sd0 + storagePool: sp1 + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs + +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-1 +spec: + containers: + - image: k8s.gcr.io/test-webserver + name: pod-0 + volumeMounts: + - mountPath: /project-mount + name: vol-0 + volumes: + - name: vol-0 + scaleIO: + gateway: https://localhost:443/api + system: scaleio + protectionDomain: sd0 + storagePool: sp1 + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs + +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-2 +spec: + containers: + - image: k8s.gcr.io/test-webserver + name: pod-0 + volumeMounts: + - mountPath: /var/run + name: vol-0 + readOnly: true + volumes: + - name: vol-0 + scaleIO: + gateway: https://localhost:443/api + system: scaleio + protectionDomain: sd0 + storagePool: sp1 + volumeName: vol-0 + secretRef: + name: sio-secret + fsType: xfs + +``` diff --git a/docs/queries/kubernetes-queries/b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md b/docs/queries/kubernetes-queries/b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md new file mode 100644 index 00000000000..3b7e5bc1132 --- /dev/null +++ b/docs/queries/kubernetes-queries/b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14.md 
@@ -0,0 +1,75 @@
+---
+title: RBAC Roles with Read Secrets Permissions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14
+- **Query name:** RBAC Roles with Read Secrets Permissions
+- **Platform:** Kubernetes
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/rbac_roles_with_read_secrets_permissions)
+
+### Description
+Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 18"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: default
+ name: role-secret-reader
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-role-secret-reader
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: default
+ name: role-pod-and-logs-reader
+rules:
+- apiGroups: [""]
+ resources: ["pods", "pods/logs"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-role-pod-and-pod-logs-reader
+rules:
+- apiGroups: [""]
+ resources: ["pods", "pods/log"]
+ verbs: ["get", "list"]
+
+```
diff --git a/docs/queries/kubernetes-queries/b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md b/docs/queries/kubernetes-queries/b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md
new file mode 100644
index 00000000000..3d0996804e5
--- /dev/null
+++ b/docs/queries/kubernetes-queries/b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff.md
@@ -0,0 +1,117 @@ +--- +title: Etcd Peer Client Certificate Authentication Set To False +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff +- **Query name:** Etcd Peer Client Certificate Authentication Set To False +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/etcd_peer_client_certificate_authentication_set_to_false) + +### Description +When using etcd commands, the '--peer-client-cert-auth' flag should be set to true
+[Documentation](https://etcd.io/docs/v3.4/op-guide/security/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--peer-client-cert-auth=false"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: [] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: app-etcd-deployment +spec: + selector: + matchLabels: + app: app + replicas: 1 + template: + metadata: + labels: + app: app + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/etcd:v3.2.18 + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--peer-client-cert-auth=true"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` 
diff --git a/docs/queries/kubernetes-queries/b9380fd3-5ffe-4d10-9290-13e18e71eee1.md b/docs/queries/kubernetes-queries/b9380fd3-5ffe-4d10-9290-13e18e71eee1.md
new file mode 100644
index 00000000000..48c092b01d1
--- /dev/null
+++ b/docs/queries/kubernetes-queries/b9380fd3-5ffe-4d10-9290-13e18e71eee1.md
@@ -0,0 +1,95 @@
+---
+title: Insecure Bind Address Set
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b9380fd3-5ffe-4d10-9290-13e18e71eee1
+- **Query name:** Insecure Bind Address Set
+- **Platform:** Kubernetes
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/insecure_bind_address_set)
+
+### Description
+When using kube-apiserver command, the '--insecure-bind-address' flag should not be set
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="11"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver", "--insecure-bind-address=127.0.0.1"]
+ restartPolicy: OnFailure
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver"]
+ args: ["--insecure-bind-address=127.0.0.1"]
+ restartPolicy: OnFailure
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver"]
+ restartPolicy: OnFailure
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: command-demo
+ labels:
+ purpose: demonstrate-command
+spec:
+ containers:
+ - name: command-demo-container
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
+ command: ["kube-apiserver"]
+ args: []
+ restartPolicy: OnFailure
+
+```
diff --git a/docs/queries/kubernetes-queries/b9c83569-459b-4110-8f79-6305aa33cb37.md b/docs/queries/kubernetes-queries/b9c83569-459b-4110-8f79-6305aa33cb37.md
new file mode 100644
index 00000000000..53de1dec573
--- /dev/null
+++ b/docs/queries/kubernetes-queries/b9c83569-459b-4110-8f79-6305aa33cb37.md
@@ -0,0 +1,109 @@ +--- +title: Using Kubernetes Native Secret Management +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b9c83569-459b-4110-8f79-6305aa33cb37 +- **Query name:** Using Kubernetes Native Secret Management +- **Platform:** Kubernetes +- **Severity:** Info +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/using_kubernetes_native_secret_management) + +### Description +Kubernetes External Secret Storage and Management System usage should be considered if you have more complex secret management needs, rather than using Kubernetes Secrets directly. Additionally, ensure that access to secrets is carefully limited
+[Documentation](https://kubernetes.io/docs/concepts/configuration/secret/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="4" +apiVersion: v1 +kind: Secret +metadata: + name: cluster-secrets +data: + # Fill with your encoded base64 CA + certificate-authority-data: Cg== +stringData: + # Fill with your string Token + bearerToken: "my-token" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: azure-kvname + namespace: myNameSpace +spec: + provider: azure + parameters: + usePodIdentity: "true" + keyvaultName: "" + objects: | + array: + - | + objectName: secret1 + objectType: secret + - | + objectName: key1 + objectType: key + tenantId: "" + objects: + array: + - {objectName: secret1, objectType: secret} + - {objectName: key1 , objectType: key} + tenantId: " + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** bb241e61-77c3-4b97-9575-c0f8a1e008d0 +- **Query name:** StatefulSet Without Service Name +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/statefulset_without_service_name) + +### Description +StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.
+[Documentation](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="26" +#this is a problematic code where the query should report a result(s) +apiVersion: v1 +kind: Service +metadata: + name: nginx + namespace: nginx + labels: + app: nginx2 +spec: + ports: + - port: 80 + name: web + clusterIP: All + selector: + app: nginx +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web + namespace: nginx +spec: + selector: + matchLabels: + app: nginx + serviceName: "nginx" + replicas: 3 + template: + metadata: + labels: + app: nginx + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: nginx + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + volumeClaimTemplates: + - metadata: + name: www + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "my-storage-class" + resources: + requests: + storage: 1Gi + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this is a problematic code where the query should report a result(s) +apiVersion: v1 +kind: Service +metadata: + name: nginx2 + namespace: nginx2 + labels: + app: nginx2 +spec: + ports: + - port: 80 + name: web + clusterIP: None + selector: + app: nginx2 +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: web2 + namespace: nginx2 +spec: + selector: + matchLabels: + app: nginx2 + serviceName: "nginx2" + replicas: 3 + template: + metadata: + labels: + app: nginx2 + foo: bar + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: nginx2 + image: k8s.gcr.io/nginx-slim:0.8 + ports: + - containerPort: 80 + name: web + volumeMounts: + - name: www + mountPath: /usr/share/nginx/html + volumeClaimTemplates: + - metadata: + name: www + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: "my-storage-class" + resources: + requests: + storage: 1Gi + +``` diff --git a/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md b/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md new file mode 100644 index 00000000000..c3520343235 --- /dev/null +++ b/docs/queries/kubernetes-queries/bf36b900-b5ef-4828-adb7-70eb543b7cfb.md @@ -0,0 +1,81 @@ +--- +title: Kubelet Hostname Override Is Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bf36b900-b5ef-4828-adb7-70eb543b7cfb +- **Query name:** Kubelet Hostname Override Is Set +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_hostname_override_is_set) + +### Description +Hostnames should not be overrided
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--hostname-override=host"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet","--hostname-override=host"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/c1032cf7-3628-44e2-bd53-38c17cf31b6b.md b/docs/queries/kubernetes-queries/c1032cf7-3628-44e2-bd53-38c17cf31b6b.md new file mode 100644 index 00000000000..77e913ba197 --- /dev/null +++ b/docs/queries/kubernetes-queries/c1032cf7-3628-44e2-bd53-38c17cf31b6b.md @@ -0,0 +1,77 @@ +--- +title: Shared Service Account +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c1032cf7-3628-44e2-bd53-38c17cf31b6b +- **Query name:** Shared Service Account +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/shared_service_account) + +### Description +A Service Account token is shared between workloads
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 6"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod1
+spec:
+ serviceAccountName : service1
+ containers:
+ - name: mycontainer
+ image: redis
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod2
+spec:
+ serviceAccountName : service1
+ containers:
+ - name: envars-test-container
+ image: nginx
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod1
+spec:
+ serviceAccountName : service1
+ containers:
+ - name: mycontainer
+ image: redis
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod2
+spec:
+ serviceAccountName : service2
+ containers:
+ - name: envars-test-container
+ image: nginx
+
+```
diff --git a/docs/queries/kubernetes-queries/c48e57d3-d642-4e0b-90db-37f807b41b91.md b/docs/queries/kubernetes-queries/c48e57d3-d642-4e0b-90db-37f807b41b91.md
new file mode 100644
index 00000000000..661d8ae69e3
--- /dev/null
+++ b/docs/queries/kubernetes-queries/c48e57d3-d642-4e0b-90db-37f807b41b91.md
@@ -0,0 +1,71 @@
+---
+title: PSP Set To Privileged
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c48e57d3-d642-4e0b-90db-37f807b41b91
+- **Query name:** PSP Set To Privileged
+- **Platform:** Kubernetes
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/psp_set_to_privileged)
+
+### Description
+Do not allow pod to request execution as privileged.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#privileged)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="6"
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: example
+spec:
+ privileged: true
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - '*'
+
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: example
+spec:
+ privileged: false
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - '*'
+
+```
diff --git a/docs/queries/kubernetes-queries/c589f42c-7924-4871-aee2-1cede9bc7cbc.md b/docs/queries/kubernetes-queries/c589f42c-7924-4871-aee2-1cede9bc7cbc.md
new file mode 100644
index 00000000000..4a1957742d9
--- /dev/null
+++ b/docs/queries/kubernetes-queries/c589f42c-7924-4871-aee2-1cede9bc7cbc.md
@@ -0,0 +1,83 @@
+---
+title: RBAC Roles with Exec Permission
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c589f42c-7924-4871-aee2-1cede9bc7cbc
+- **Query name:** RBAC Roles with Exec Permission
+- **Platform:** Kubernetes
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/rbac_roles_with_exec_permission)
+
+### Description
+Roles or ClusterRoles with RBAC permissions to run commands in containers via 'kubectl exec' could be abused by attackers to execute malicious code in case of compromise. To prevent this, the 'pods/exec' verb should not be used in production environments
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```yaml title="Postitive test num. 1 - yaml file" hl_lines="8"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: my-namespace
+ name: allow-exec
+rules:
+- apiGroups: [""]
+ resources: ["pods", "pods/exec"]
+ verbs: ["get", "list", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: allow-exec
+ namespace: my-namespace
+subjects:
+- kind: User
+ name: bob
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: allow-exec
+ apiGroup: ""
+```
+
+
+#### Code samples without security vulnerabilities
+```yaml title="Negative test num. 1 - yaml file"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: my-namespace
+ name: allow-exec-neg
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: allow-exec-neg
+ namespace: my-namespace
+subjects:
+- kind: User
+ name: bob
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: allow-exec-neg
+ apiGroup: ""
+```
diff --git a/docs/queries/kubernetes-queries/ca469dd4-c736-448f-8ac1-30a642705e0a.md b/docs/queries/kubernetes-queries/ca469dd4-c736-448f-8ac1-30a642705e0a.md
new file mode 100644
index 00000000000..d859868364e
--- /dev/null
+++ b/docs/queries/kubernetes-queries/ca469dd4-c736-448f-8ac1-30a642705e0a.md
@@ -0,0 +1,135 @@ +--- +title: CPU Requests Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ca469dd4-c736-448f-8ac1-30a642705e0a +- **Query name:** CPU Requests Not Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/cpu_requests_not_set) + +### Description +CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node
+[Documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 10 34 41" +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + limits: + memory: "128Mi" + cpu: "500m" +--- +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + limits: + memory: "128Mi" + cpu: "500m" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: frontend +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +--- +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: app + image: images.my-company.example/app:v4 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + +``` diff --git a/docs/queries/kubernetes-queries/caa3479d-885d-4882-9aac-95e5e78ef5c2.md b/docs/queries/kubernetes-queries/caa3479d-885d-4882-9aac-95e5e78ef5c2.md new file mode 100644 index 00000000000..1b739eed0c1 --- /dev/null +++ b/docs/queries/kubernetes-queries/caa3479d-885d-4882-9aac-95e5e78ef5c2.md @@ -0,0 +1,98 @@ +--- +title: Image Pull Policy Of The Container Is Not Set To Always +hide: + toc: true + navigation: true +--- + + + +- **Query id:** caa3479d-885d-4882-9aac-95e5e78ef5c2 +- **Query name:** Image Pull Policy Of The Container Is Not Set To Always +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/image_pull_policy_of_container_is_not_always) + +### Description +Image Pull Policy of the container must be defined and set to Always
+[Documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +apiVersion: v1 +kind: Pod +metadata: + name: private-image-test-always +spec: + containers: + - name: uses-private-image + image: $PRIVATE_IMAGE_NAME:1.2 + imagePullPolicy: Never + command: [ "echo", "SUCCESS" ] +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-with-image-pull-policy +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: library/nginx:1.20.0 + imagePullPolicy: IfNotPresent + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="16" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment-with-image-pull-policy1 +spec: + replicas: 3 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: library/nginx:1.20.0 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: private-image-test-1 +spec: + containers: + - name: uses-private-image + image: $PRIVATE_IMAGE_NAME + imagePullPolicy: Always + command: [ "echo", "SUCCESS" ] +``` diff --git a/docs/queries/kubernetes-queries/caa93370-791f-4fc6-814b-ba6ce0cb4032.md b/docs/queries/kubernetes-queries/caa93370-791f-4fc6-814b-ba6ce0cb4032.md new file mode 100644 index 00000000000..e75ea1532a0 --- /dev/null +++ b/docs/queries/kubernetes-queries/caa93370-791f-4fc6-814b-ba6ce0cb4032.md 
@@ -0,0 +1,131 @@ +--- +title: Not Limited Capabilities For Pod Security Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** caa93370-791f-4fc6-814b-ba6ce0cb4032 +- **Query name:** Not Limited Capabilities For Pod Security Policy +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/not_limited_capabilities_for_pod_security_policy) + +### Description +Limit capabilities for a Pod Security Policy
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: restricted + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + # Assume that persistentVolumes set up by the cluster admin are safe to use. + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'MustRunAsNonRoot' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: restricted + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. + requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + # Assume that persistentVolumes set up by the cluster admin are safe to use. + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'MustRunAsNonRoot' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + +``` diff --git a/docs/queries/kubernetes-queries/cb7e695d-6a85-495c-b15f-23aed2519303.md b/docs/queries/kubernetes-queries/cb7e695d-6a85-495c-b15f-23aed2519303.md new file mode 100644 index 00000000000..ee46ece8641 --- /dev/null +++ b/docs/queries/kubernetes-queries/cb7e695d-6a85-495c-b15f-23aed2519303.md 
@@ -0,0 +1,119 @@ +--- +title: Not Unique Certificate Authority +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cb7e695d-6a85-495c-b15f-23aed2519303 +- **Query name:** Not Unique Certificate Authority +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/not_unique_certificate_authority) + +### Description +Certificate Authority should be unique for etcd
+[Documentation](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: database +spec: + selector: + matchLabels: + app: database + version: v1 + replicas: 1 + template: + metadata: + labels: + app: database + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/kube-apiserver:certification + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--trusted-ca-file=/etc/env/valid3.pem"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure +--- +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--client-ca-file=/etc/env/valid3.pem"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--client-ca-file=/etc/env/valid.pem"] + restartPolicy: OnFailure +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: database +spec: + selector: + matchLabels: + app: database + version: v1 + replicas: 1 + template: + metadata: + labels: + app: database + version: v1 + spec: + serviceAccountName: database + containers: + - name: database + image: gcr.io/google_containers/kube-apiserver:certification + imagePullPolicy: IfNotPresent + command: ["etcd"] + args: ["--trusted-ca-file=/etc/env/valid2.pem"] + nodeSelector: + kubernetes.io/hostname: worker02 + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/cbd2db69-0b21-4c14-8a40-7710a50571a9.md b/docs/queries/kubernetes-queries/cbd2db69-0b21-4c14-8a40-7710a50571a9.md new file mode 100644 index 00000000000..cf4cea060ef --- /dev/null +++ b/docs/queries/kubernetes-queries/cbd2db69-0b21-4c14-8a40-7710a50571a9.md @@ -0,0 +1,81 @@ +--- +title: Encryption Provider Config Is Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cbd2db69-0b21-4c14-8a40-7710a50571a9 +- **Query name:** Encryption Provider Config Is Not Defined +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/encryption_provider_config_is_not_defined) + +### Description +When using kube-apiserver commands, the '--encryption-provider-config' flag should be defined and the encryption should be correctly configured in Encryption Configuration file
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--encryption-provider-config=/path/to/config/file.yaml"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--encryption-provider-config=/path/to/config/file.yaml"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/ccc98ff7-68a7-436e-9218-185cb0b0b780.md b/docs/queries/kubernetes-queries/ccc98ff7-68a7-436e-9218-185cb0b0b780.md new file mode 100644 index 00000000000..be23ca05255 --- /dev/null +++ b/docs/queries/kubernetes-queries/ccc98ff7-68a7-436e-9218-185cb0b0b780.md 
@@ -0,0 +1,81 @@ +--- +title: Service Account Private Key File Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ccc98ff7-68a7-436e-9218-185cb0b0b780 +- **Query name:** Service Account Private Key File Not Defined +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_account_private_key_file_not_defined) + +### Description +When using kube-controller-manager commands, the '--service-account-private-key-file' should be defined
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager"] + args: ["--service-account-private-key-file=/path/to/key/file.pem"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-controller-manager-amd64:v1.6.0 + command: ["kube-controller-manager","--service-account-private-key-file=/path/to/key/file.pem"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/cd290efd-6c82-4e9d-a698-be12ae31d536.md b/docs/queries/kubernetes-queries/cd290efd-6c82-4e9d-a698-be12ae31d536.md new file mode 100644 index 00000000000..e510b7ea356 --- /dev/null +++ b/docs/queries/kubernetes-queries/cd290efd-6c82-4e9d-a698-be12ae31d536.md 
@@ -0,0 +1,81 @@ +--- +title: Shared Host IPC Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cd290efd-6c82-4e9d-a698-be12ae31d536 +- **Query name:** Shared Host IPC Namespace +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/shared_host_ipc_namespace) + +### Description +Container should not share the host IPC namespace
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 6" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo +spec: + hostIPC: true + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo +spec: + hostIPC: false + securityContext: + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + volumes: + - name: sec-ctx-vol + emptyDir: { } + containers: + - name: sec-ctx-demo + image: busybox + command: [ "sh", "-c", "sleep 1h" ] + volumeMounts: + - name: sec-ctx-vol + mountPath: /data/demo + securityContext: + allowPrivilegeEscalation: false +``` diff --git a/docs/queries/kubernetes-queries/cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md b/docs/queries/kubernetes-queries/cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md new file mode 100644 index 00000000000..a677d92eb6f --- /dev/null +++ b/docs/queries/kubernetes-queries/cdc8b54e-6b16-4538-a1b0-35849dbe29cf.md @@ -0,0 +1,80 @@ +--- +title: Kubelet HTTPS Set To False +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cdc8b54e-6b16-4538-a1b0-35849dbe29cf +- **Query name:** Kubelet HTTPS Set To False +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_https_set_to_false) + +### Description +When using kube-apiserver command, the '--kubelet-https' flag should not be set to false
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--kubelet-https=false"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--kubelet-https=true"] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/ce30e584-b33f-4c7d-b418-a3d7027f8f60.md b/docs/queries/kubernetes-queries/ce30e584-b33f-4c7d-b418-a3d7027f8f60.md new file mode 100644 index 00000000000..37d22e16639 --- /dev/null +++ b/docs/queries/kubernetes-queries/ce30e584-b33f-4c7d-b418-a3d7027f8f60.md 
@@ -0,0 +1,81 @@ +--- +title: Always Admit Admission Control Plugin Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ce30e584-b33f-4c7d-b418-a3d7027f8f60 +- **Query name:** Always Admit Admission Control Plugin Set +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/always_admit_admission_control_plugin_set) + +### Description +When using kube-apiserver command, the '--enable-admission-plugins' flag should not have 'AlwaysAdmit' plugin
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=AlwaysAdmit", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--enable-admission-plugins=EventRateLimit", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md b/docs/queries/kubernetes-queries/cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md new file mode 100644 index 00000000000..5d285869f0a --- /dev/null +++ b/docs/queries/kubernetes-queries/cf34805e-3872-4c08-bf92-6ff7bb0cfadb.md 
@@ -0,0 +1,199 @@ +--- +title: Container Running As Root +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cf34805e-3872-4c08-bf92-6ff7bb0cfadb +- **Query name:** Container Running As Root +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/containers_running_as_root) + +### Description +Containers should only run as non-root user. This limits the exploitability of security misconfigurations and restricts an attacker's possibilities in case of compromise
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="44 13 38" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-2 +spec: + securityContext: + runAsUser: 1000 + runAsNonRoot: false + containers: + - name: sec-ctx-demo-2 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 0 + allowPrivilegeEscalation: false + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-3 +spec: + securityContext: + runAsUser: 1000 + runAsNonRoot: false + containers: + - name: sec-ctx-demo-2 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false +--- +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-4 +spec: + securityContext: + runAsUser: 1000 + runAsNonRoot: true + containers: + - name: sec-ctx-demo-2 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 0 + allowPrivilegeEscalation: false + runAsNonRoot: false + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18 13" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-2 +spec: + securityContext: + runAsUser: 10 + runAsNonRoot: false + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 0 + runAsNonRoot: false + - name: sec-ctx-demo-200 + image: gcr.io/google-samples/node-hedwfwllo:1.0 + securityContext: + runAsUser: 0 + runAsNonRoot: false + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="13" +apiVersion: v1 +kind: Pod +metadata: + name: containers-runs-as-root +spec: + securityContext: + runAsUser: 0 + runAsNonRoot: false + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 0 + runAsNonRoot: false + + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="12 7" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-2 +spec: + containers: + - name: sec-ctx-demo-1 + image: gcr.io/google-samples/node-hello:1.0 + - name: sec-ctx-demo-2 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 0 + allowPrivilegeEscalation: false + runAsNonRoot: false + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-2 +spec: + securityContext: + runAsUser: 10000 + runAsNonRoot: true + containers: + - name: sec-ctx-demo-2 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 10100 + allowPrivilegeEscalation: false + runAsNonRoot: true + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-1 +spec: + securityContext: + runAsUser: 1000 + runAsNonRoot: true + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 1000 + runAsNonRoot: false + - name: sec-ctx-demo-200 + image: gcr.io/google-samples/node-hedwfwllo:1.0 + securityContext: + runAsUser: 2000 + runAsNonRoot: true + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: containers-runs-as-root +spec: + securityContext: + runAsUser: 0 + runAsNonRoot: false + containers: + - name: sec-ctx-demo-100 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + runAsUser: 1000 + runAsNonRoot: false + +``` diff --git a/docs/queries/kubernetes-queries/d2ad057f-0928-41ef-a83c-f59203bb855b.md b/docs/queries/kubernetes-queries/d2ad057f-0928-41ef-a83c-f59203bb855b.md new file mode 100644 index 00000000000..882a93e79f1 --- /dev/null +++ b/docs/queries/kubernetes-queries/d2ad057f-0928-41ef-a83c-f59203bb855b.md 
@@ -0,0 +1,116 @@ +--- +title: Dashboard Is Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d2ad057f-0928-41ef-a83c-f59203bb855b +- **Query name:** Dashboard Is Enabled +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/dashboard_is_enabled) + +### Description +If not needed, disabling the dashboard can prevent from being used as an attack vector
+[Documentation](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="67 22" + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-1 + namespace: kube-system +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-dashboard + template: + metadata: + labels: + k8s-app: kubernetes-dashboard + spec: + containers: + - name: kubernetes-dashboard + image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumes: + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + +--- + +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod + labels: + app: myapp +spec: + containers: + - name: myapp-container + image: busybox:1.28 + command: ['sh', '-c', 'echo The app is running! 
&& sleep 3600'] + initContainers: + - name: init-myservice + image: k8s.gcr.io/kubernetesui:v1.10.1 + command: ['sh', '-c', "until nslookup myservice.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for myservice; sleep 2; done"] + - name: init-mydb + image: busybox:1.28 + command: ['sh', '-c', "until nslookup mydb.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local; do echo waiting for mydb; sleep 2; done"] +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/name: mysql + name: kubernetes-dashboard-certs + namespace: kube-system +type: Opaque +``` diff --git a/docs/queries/kubernetes-queries/d45330fd-f58d-45fb-a682-6481477a0f84.md b/docs/queries/kubernetes-queries/d45330fd-f58d-45fb-a682-6481477a0f84.md new file mode 100644 index 00000000000..b833db71a00 --- /dev/null +++ b/docs/queries/kubernetes-queries/d45330fd-f58d-45fb-a682-6481477a0f84.md @@ -0,0 +1,85 @@ +--- +title: RBAC Roles with Attach Permission +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d45330fd-f58d-45fb-a682-6481477a0f84 +- **Query name:** RBAC Roles with Attach Permission +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/rbac_roles_with_attach_permission) + +### Description +Roles or ClusterRoles with RBAC permissions to attach to containers via 'kubectl attach' could be abused by attackers to read log output (stdout, stderr) and send input data (stdin) to running processes. Additionally, it would allow a malicious user to attach to a privileged container resulting in a privilege escalation attack. To prevent this, the 'pods/attach' verb should not be used in production environments
+[Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: my-namespace + name: allow-attach +rules: +- apiGroups: [""] + resources: ["pods", "pods/attach"] + verbs: ["get", "list", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: allow-attach + namespace: my-namespace +subjects: +- kind: User + name: bob + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: allow-attach + apiGroup: "" + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: my-namespace + name: allow-attach-neg +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: allow-attach-neg + namespace: my-namespace +subjects: +- kind: User + name: bob + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: allow-attach-neg + apiGroup: "" + +``` diff --git a/docs/queries/kubernetes-queries/d740d048-8ed3-49d3-b77b-6f072f3b669e.md b/docs/queries/kubernetes-queries/d740d048-8ed3-49d3-b77b-6f072f3b669e.md new file mode 100644 index 00000000000..b123381ef6f --- /dev/null +++ b/docs/queries/kubernetes-queries/d740d048-8ed3-49d3-b77b-6f072f3b669e.md 
@@ -0,0 +1,140 @@ +--- +title: StatefulSet Has No PodAntiAffinity +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d740d048-8ed3-49d3-b77b-6f072f3b669e +- **Query name:** StatefulSet Has No PodAntiAffinity +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/statefulset_has_no_pod_anti_affinity) + +### Description +Check if StatefulSet resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.
+[Documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="53 23" +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: zk-mismatch +spec: + selector: + matchLabels: + app: zk + serviceName: zk-hs + replicas: 3 + updateStrategy: + type: RollingUpdate + podManagementPolicy: OrderedReady + template: + metadata: + labels: + app: abc + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: zk + topologyKey: "kubernetes.io/hostname" + containers: + - name: kubernetes-zookeeper + imagePullPolicy: Always + image: "k8s.gcr.io/kubernetes-zookeeper:1.0-3.4.10" + resources: + requests: + memory: "1Gi" + cpu: "0.5" +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: zk-noaffinity +spec: + selector: + matchLabels: + app: zk + serviceName: zk-hs + replicas: 3 + updateStrategy: + type: RollingUpdate + podManagementPolicy: OrderedReady + template: + metadata: + labels: + app: zk + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - store + topologyKey: "kubernetes.io/hostname" + containers: + - name: kubernetes-zookeeper + imagePullPolicy: Always + image: "k8s.gcr.io/kubernetes-zookeeper:1.0-3.4.10" + resources: + requests: + memory: "1Gi" + cpu: "0.5" +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: zk +spec: + selector: + matchLabels: + app: zk + serviceName: zk-hs + replicas: 3 + updateStrategy: + type: RollingUpdate + podManagementPolicy: OrderedReady + template: + metadata: + labels: + app: zk + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: zk + topologyKey: "kubernetes.io/hostname" + containers: + - name: kubernetes-zookeeper + imagePullPolicy: Always + image: "k8s.gcr.io/kubernetes-zookeeper:1.0-3.4.10" + resources: + requests: + memory: "1Gi" + cpu: "0.5" +``` diff --git a/docs/queries/kubernetes-queries/d89a15bb-8dba-4c71-9529-bef6729b9c09.md b/docs/queries/kubernetes-queries/d89a15bb-8dba-4c71-9529-bef6729b9c09.md new file mode 100644 index 00000000000..e411882700f --- /dev/null +++ b/docs/queries/kubernetes-queries/d89a15bb-8dba-4c71-9529-bef6729b9c09.md @@ -0,0 +1,170 @@ +--- +title: Request Timeout Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d89a15bb-8dba-4c71-9529-bef6729b9c09 +- **Query name:** Request Timeout Not Properly Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/request_timeout_not_properly_set) + +### Description +When using kube-apiserver command, the '--request-timeout' flag value should not be too long
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--request-timeout=6m"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--request-timeout=1h0s"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--request-timeout=6m10s"] + restartPolicy: OnFailure + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--request-timeout=400s"] + restartPolicy: OnFailure + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--request-timeout=1h1m"] + restartPolicy: OnFailure + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--request-timeout=1h1m1s"] + restartPolicy: OnFailure + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--request-timeout=300s"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/da9f3aa8-fbfb-472f-b5a1-576127944218.md b/docs/queries/kubernetes-queries/da9f3aa8-fbfb-472f-b5a1-576127944218.md new file mode 100644 index 00000000000..422448b74fe --- /dev/null +++ b/docs/queries/kubernetes-queries/da9f3aa8-fbfb-472f-b5a1-576127944218.md @@ -0,0 +1,157 @@ +--- +title: Audit Log Maxage Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** da9f3aa8-fbfb-472f-b5a1-576127944218 +- **Query name:** Audit Log Maxage Not Properly Set +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/audit_log_maxage_not_properly_set) + +### Description +When using kube-apiserver command, the '--audit-log-maxage' flag should be defined and set to 30 or more days
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxage=26"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="40 27 12 55" +apiVersion: serving.knative.dev/v1 +kind: Service +metadata: + name: dummy + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure +--- +apiVersion: serving.knative.dev/v1 +kind: Configuration +metadata: + name: dummy-config + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure +--- +apiVersion: serving.knative.dev/v1 +kind: Revision +metadata: + name: dummy-rev + namespace: knative-sequence +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure +--- +apiVersion: sources.knative.dev/v1 +kind: ContainerSource +metadata: + name: 
dummy-cs + namespace: knative-sequence +spec: + template: + spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--audit-log-maxage=30"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--audit-log-maxage=35"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md b/docs/queries/kubernetes-queries/dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md new file mode 100644 index 00000000000..e1708681aee --- /dev/null +++ b/docs/queries/kubernetes-queries/dab4ec72-ce2e-4732-b7c3-1757dcce01a1.md @@ -0,0 +1,65 @@ +--- +title: Service Account Key File Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dab4ec72-ce2e-4732-b7c3-1757dcce01a1 +- **Query name:** Service Account Key File Not Properly Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/service_account_key_file_not_properly_set) + +### Description +When using kube-apiserver command, the '--service-account-key-file' flag should be defined
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--service-account-key-file=/path/to/file.pem"] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/dbbc6705-d541-43b0-b166-dd4be8208b54.md b/docs/queries/kubernetes-queries/dbbc6705-d541-43b0-b166-dd4be8208b54.md new file mode 100644 index 00000000000..0d2a1e9c59e --- /dev/null +++ b/docs/queries/kubernetes-queries/dbbc6705-d541-43b0-b166-dd4be8208b54.md @@ -0,0 +1,123 @@ +--- +title: NET_RAW Capabilities Not Being Dropped +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dbbc6705-d541-43b0-b166-dd4be8208b54 +- **Query name:** NET_RAW Capabilities Not Being Dropped +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/net_raw_capabilities_not_being_dropped) + +### Description +Containers should drop 'ALL' or at least 'NET_RAW' capabilities
+[Documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="13 18 11 21" +apiVersion: v1 +kind: Pod +metadata: + name: example +spec: + containers: + - name: payment + image: nginx + securityContext: + capabilities: + drop: + - SYS_ADMIN + - name: payment2 + image: nginx + - name: payment4 + image: nginx + securityContext: + capabilities: + add: + - NET_BIND_SERVICE + - name: payment3 + image: nginx + securityContext: + allowPrivilegeEscalation: false + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="31" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-unhealthy-deployment + labels: + app: redis +spec: + replicas: 3 + selector: + matchLabels: + app: redis + template: + metadata: + labels: + app: redis + spec: + hostNetwork: true + hostPID: true + hostIPC: true + containers: + - name: redis + image: redis:latest + ports: + - containerPort: 9001 + hostPort: 9001 + securityContext: + privileged: true + readOnlyRootFilesystem: false + allowPrivilegeEscalation: true + runAsUser: 0 + capabilities: + add: + - NET_ADMIN +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: example +spec: + containers: + - name: payment + image: nginx + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + privileged: false + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + fsGroup: + rule: RunAsAny + volumes: + - '*' + +``` diff --git a/docs/queries/kubernetes-queries/dd29336b-fe57-445b-a26e-e6aa867ae609.md b/docs/queries/kubernetes-queries/dd29336b-fe57-445b-a26e-e6aa867ae609.md new file mode 100644 index 00000000000..bca975219f3 --- /dev/null 
+++ b/docs/queries/kubernetes-queries/dd29336b-fe57-445b-a26e-e6aa867ae609.md @@ -0,0 +1,103 @@ +--- +title: Container Is Privileged +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dd29336b-fe57-445b-a26e-e6aa867ae609 +- **Query name:** Container Is Privileged +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/container_is_privileged) + +### Description +Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false
+[Documentation](https://kubernetes.io/docs/concepts/workloads/pods/#privileged-mode-for-containers) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 23" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-4 +spec: + containers: + - name: sec-ctx-4 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + privileged: true + capabilities: + add: ["NET_ADMIN", "SYS_TIME"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-5 +spec: + initContainers: + - name: sec-ctx-4 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + privileged: true + capabilities: + add: ["NET_ADMIN", "SYS_TIME"] + containers: + - name: sec-ctx-4 + image: gcr.io/google-samples/node-hello:1.0 + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: test-deployment + labels: + app: test +spec: + replicas: 3 + selector: + matchLabels: + app: test + template: + metadata: + labels: + app: test + spec: + containers: + - name: pause + image: k8s.gcr.io/pause + securityContext: + privileged: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: security-context-demo-4 +spec: + containers: + - name: sec-ctx-4 + image: gcr.io/google-samples/node-hello:1.0 + securityContext: + privileged: false + capabilities: + add: ["NET_ADMIN", "SYS_TIME"] + +``` diff --git a/docs/queries/kubernetes-queries/de4421f1-4e35-43b4-9783-737dd4e4a47e.md b/docs/queries/kubernetes-queries/de4421f1-4e35-43b4-9783-737dd4e4a47e.md new file mode 100644 index 00000000000..7dec159eb27 --- /dev/null +++ b/docs/queries/kubernetes-queries/de4421f1-4e35-43b4-9783-737dd4e4a47e.md 
@@ -0,0 +1,109 @@ +--- +title: PSP With Unrestricted Access to Host Path +hide: + toc: true + navigation: true +--- + + + +- **Query id:** de4421f1-4e35-43b4-9783-737dd4e4a47e +- **Query name:** PSP With Unrestricted Access to Host Path +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/psp_with_unrestricted_access_to_host_path) + +### Description +PodSecurityPolicy should set 'readOnly' to true in every host path allowed
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: example +spec: + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: example +spec: + hostIPC: false + allowedHostPaths: + - pathPrefix: /dev + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="9" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: example +spec: + hostIPC: false + allowedHostPaths: + - pathPrefix: /dev + readOnly: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: example +spec: + hostIPC: false + allowedHostPaths: + - pathPrefix: "/foo" + readOnly: true + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + +``` diff --git a/docs/queries/kubernetes-queries/e0099af2-fe17-411f-9991-0de28fe15f3c.md b/docs/queries/kubernetes-queries/e0099af2-fe17-411f-9991-0de28fe15f3c.md new file mode 100644 index 00000000000..18997f9c3ae --- /dev/null +++ b/docs/queries/kubernetes-queries/e0099af2-fe17-411f-9991-0de28fe15f3c.md 
@@ -0,0 +1,81 @@ +--- +title: Event Rate Limit Admission Control Plugin Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e0099af2-fe17-411f-9991-0de28fe15f3c +- **Query name:** Event Rate Limit Admission Control Plugin Not Set +- **Platform:** Kubernetes +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/event_rate_limit_admission_control_plugin_not_set) + +### Description +When using kube-apiserver command, the --enable-admission-plugins flag should have 'EventRateLimit' plugin and the plugin should be correctly configured in AdmissionControl Config file
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=AlwaysAdmit"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--enable-admission-plugins=EventRateLimit", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--enable-admission-plugins=EventRateLimit", "--admission-control-config-file=path/to/plugin/config/file.yaml"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md b/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md new file mode 100644 index 00000000000..43df9c7633d --- /dev/null +++ b/docs/queries/kubernetes-queries/e0e00aba-5f1c-4981-a542-9a9563c0ee20.md 
@@ -0,0 +1,278 @@ +--- +title: Client Certificate Authentication Not Setup Properly +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e0e00aba-5f1c-4981-a542-9a9563c0ee20 +- **Query name:** Client Certificate Authentication Not Setup Properly +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/client_certificate_authentication_not_setup_properly) + +### Description +Client Certificate Authentication should be Setup with a .pem or .crt file
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--client-ca-file=/var/lib/ca.txt"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--client-ca-file=/var/lib/ca.txt"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="2" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +protectKernelDefaults: false +serializeImagePulls: false +authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: "/var/lib/kubernetes/ca.txt" +authorization: +evictionHard: + memory.available: "200Mi" + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="2" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +protectKernelDefaults: false +serializeImagePulls: false +authentication: + anonymous: + enabled: false + webhook: + enabled: true +authorization: +evictionHard: + memory.available: "200Mi" + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="2" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +protectKernelDefaults: false +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--client-ca-file=/var/lib/ca.pem"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: [] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--client-ca-file=/var/lib/ca.pem"] + restartPolicy: OnFailure + +``` +
Negative test num. 4 - yaml file + +```yaml +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +protectKernelDefaults: false +serializeImagePulls: false +authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: "/var/lib/kubernetes/ca.pem" +authorization: +evictionHard: + memory.available: "200Mi" + +``` +
+
Negative test num. 5 - json file + +```json +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "port": 10250, + "readOnlyPort": 10255, + "cgroupDriver": "cgroupfs", + "hairpinMode": "promiscuous-bridge", + "serializeImagePulls": false, + "authentication":{ + "anonymous":{ + "enabled": false + }, + "webhook":{ + "enabled": true + }, + "x509":{ + "clientCAFile":"/var/lib/kubernetes/ca.pem" + } + }, + "featureGates": { + "RotateKubeletClientCertificate": true, + "RotateKubeletServerCertificate": true + } + } + +``` +
+
Negative test num. 6 - yaml file + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--client-ca-file=/var/lib/ca.crt"] + restartPolicy: OnFailure + +``` +
+
Negative test num. 7 - yaml file + +```yaml +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +protectKernelDefaults: false +serializeImagePulls: false +authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: "/var/lib/kubernetes/ca.crt" +authorization: +evictionHard: + memory.available: "200Mi" + +``` +
diff --git a/docs/queries/kubernetes-queries/e17fa86a-6222-4584-a914-56e8f6c87e06.md b/docs/queries/kubernetes-queries/e17fa86a-6222-4584-a914-56e8f6c87e06.md new file mode 100644 index 00000000000..0f8cd9ae674 --- /dev/null +++ b/docs/queries/kubernetes-queries/e17fa86a-6222-4584-a914-56e8f6c87e06.md @@ -0,0 +1,126 @@ +--- +title: Tiller Deployment Is Accessible From Within The Cluster +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e17fa86a-6222-4584-a914-56e8f6c87e06 +- **Query name:** Tiller Deployment Is Accessible From Within The Cluster +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/tiller_deployment_is_accessible_from_within_the_cluster) + +### Description +Check if any Tiller Deployment container allows access from within the cluster.
+[Documentation](https://kubernetes.io/docs/concepts/containers/images/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="53 21" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: helm + name: tiller + name: tiller-bad-args +spec: + selector: + matchLabels: + name: tiller + template: + metadata: + labels: + app: helm + name: tiller + spec: + containers: + - + args: + - "--listen=10.7.2.8:44134" + image: tiller-image + name: tiller-v2 + ports: + - + containerPort: 44134 + name: tiller + protocol: TCP + - + containerPort: 44135 + name: http + protocol: TCP + serviceAccountName: tiller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: helm + name: tiller + name: tiller-deploy-no-args +spec: + selector: + matchLabels: + name: tiller + template: + metadata: + labels: + app: helm + name: tiller + spec: + containers: + - + name: tiller-v2 + image: tiller-image + serviceAccountName: tiller + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tiller-deploy + labels: + app: helm + name: tiller +spec: + selector: + matchLabels: + app: helm + name: tiller + template: + metadata: + labels: + app: helm + name: tiller + spec: + serviceAccountName: tiller + containers: + - name: tiller + image: "tiller-image" + args: ["--listen=127.0.0.1:44134"] + ports: + - containerPort: 44134 + name: tiller + protocol: TCP + - containerPort: 44135 + name: http + protocol: TCP + +``` diff --git a/docs/queries/kubernetes-queries/e3aa0612-4351-4a0d-983f-aefea25cf203.md b/docs/queries/kubernetes-queries/e3aa0612-4351-4a0d-983f-aefea25cf203.md new file mode 100644 index 00000000000..cd395fe4622 --- /dev/null +++ b/docs/queries/kubernetes-queries/e3aa0612-4351-4a0d-983f-aefea25cf203.md 
@@ -0,0 +1,124 @@ +--- +title: Root Containers Admitted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e3aa0612-4351-4a0d-983f-aefea25cf203 +- **Query name:** Root Containers Admitted +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/root_containers_admitted) + +### Description +Containers must not be allowed to run with root privileges, which means the attributes 'privileged','allowPrivilegeEscalation' and 'readOnlyRootFilesystem' must be set to false, 'runAsUser.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="32 12 13 27 31" +#this is a problematic code where the query should report a result(s) +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: restricted + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + privileged: true + allowPrivilegeEscalation: true + requiredDropCapabilities: + - ALL + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 0 + max: 65535 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: restricted + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + privileged: false + # Required to prevent escalations to root. + allowPrivilegeEscalation: false + # This is redundant with non-root + disallow privilege escalation, + # but we can provide it for defense in depth. 
+ requiredDropCapabilities: + - ALL + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + # Assume that persistentVolumes set up by the cluster admin are safe to use. + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + # Require the container to run without root privileges. + rule: 'MustRunAsNonRoot' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: true + +``` diff --git a/docs/queries/kubernetes-queries/e84eaf4d-2f45-47b2-abe8-e581b06deb66.md b/docs/queries/kubernetes-queries/e84eaf4d-2f45-47b2-abe8-e581b06deb66.md new file mode 100644 index 00000000000..79b3507af16 --- /dev/null +++ b/docs/queries/kubernetes-queries/e84eaf4d-2f45-47b2-abe8-e581b06deb66.md @@ -0,0 +1,101 @@ +--- +title: Ensure Administrative Boundaries Between Resources +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e84eaf4d-2f45-47b2-abe8-e581b06deb66 +- **Query name:** Ensure Administrative Boundaries Between Resources +- **Platform:** Kubernetes +- **Severity:** Info +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/ensure_administrative_boundaries_between_resources) + +### Description +As a best practice, ensure that is made the correct use of namespaces to adequately administer your resources. Kubernetes Authorization plugins can also be used to create policies that segregate user access to namespaces.
+[Documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="5" +apiVersion: v1 +kind: Pod +metadata: + name: frontend + namespace: cosmic-namespace +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: frontend2 + namespace: cosmic-namespace +spec: + containers: + - name: app + image: images.my-company.example/app:v4 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + - name: log-aggregator + image: images.my-company.example/log-aggregator:v6 + securityContext: + allowPrivilegeEscalation: false + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" + +``` diff --git a/docs/queries/kubernetes-queries/ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md b/docs/queries/kubernetes-queries/ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md new file mode 100644 index 00000000000..6611931fc36 --- /dev/null +++ b/docs/queries/kubernetes-queries/ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0.md 
@@ -0,0 +1,80 @@ +--- +title: Kubelet Certificate Authority Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ec18a0d3-0069-4a58-a7fb-fbfe0b4bbbe0 +- **Query name:** Kubelet Certificate Authority Not Set +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_certificate_authority_not_set) + +### Description +When using kube-apiserver command, the 'kubelet-certificate-authority' flag should be set
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--kubelet-certificate-authority=/path/to/any/cert/file.pem"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--kubelet-certificate-authority=/path/to/any/cert/file.crt"] + args: [] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md b/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md new file mode 100644 index 00000000000..c1a7bed6da8 --- /dev/null +++ b/docs/queries/kubernetes-queries/ed89b97d-04e9-4fd4-919f-ee5b27e555e9.md 
@@ -0,0 +1,113 @@ +--- +title: Kubelet Streaming Connection Timeout Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ed89b97d-04e9-4fd4-919f-ee5b27e555e9 +- **Query name:** Kubelet Streaming Connection Timeout Disabled +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/kubelet_streaming_connection_timeout_disabled) + +### Description +The flag --streaming-connection-idle-timeout should not be set to 0
+[Documentation](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--streaming-connection-idle-timeout=0"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" +streamingConnectionIdleTimeout: 0s + +``` +```json title="Postitive test num. 3 - json file" hl_lines="10" +{ + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "evictionHard": { + "memory.available": "200Mi" + }, + "kind": "KubeletConfiguration", + "serializeImagePulls": false, + "address": "192.168.0.8", + "port": 20250, + "streamingConnectionIdleTimeout": "0s" +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: [""] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" + +``` +```json title="Negative test num. 
3 - json file" +{ + "address": "192.168.0.8", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "evictionHard": { + "memory.available": "200Mi" + }, + "kind": "KubeletConfiguration", + "port": 20250, + "serializeImagePulls": false +} + +``` diff --git a/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md b/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md new file mode 100644 index 00000000000..ff21dc5b313 --- /dev/null +++ b/docs/queries/kubernetes-queries/f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5.md @@ -0,0 +1,225 @@ +--- +title: Authorization Mode Set To Always Allow +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f1f4d8da-1ac4-47d0-b1aa-91e69d33f7d5 +- **Query name:** Authorization Mode Set To Always Allow +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/authorization_mode_set_to_always_allow) + +### Description +When using the kubelet command, the authorization-mode flag should not have 'AlwaysAllow' mode
+[Documentation](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: + ["--anonymous-auth=false", "--authorization-mode=MyMode,AlwaysAllow"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver", "--authorization-mode=MyMode,AlwaysAllow"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: + ["--anonymous-auth=false", "--authorization-mode=MyMode,AlwaysAllow"] + restartPolicy: OnFailure + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet", "--authorization-mode=MyMode,AlwaysAllow"] + restartPolicy: OnFailure + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="11" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +readOnlyPort: 0 +authentication: + anonymous: + enabled: false +authorization: + mode: AlwaysAllow + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="6" +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "address": "0.0.0.0", + "authorization": { + "mode": "AlwaysAllow" + } +} +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--authorization-mode=MyMode"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver", "--authorization-mode=MyMode"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: ["--authorization-mode=MyMode"] + restartPolicy: OnFailure + +``` +
Negative test num. 4 - yaml file + +```yaml +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet", "--authorization-mode=MyMode"] + restartPolicy: OnFailure + +``` +
+
Negative test num. 5 - yaml file + +```yaml +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +readOnlyPort: 0 +authentication: + anonymous: + enabled: false +authorization: + mode: webhook + +``` +
+
Negative test num. 6 - json file + +```json +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "address": "0.0.0.0", + "authorization": { + "mode": "webhook" + } +} +``` +
diff --git a/docs/queries/kubernetes-queries/f377b83e-bd07-4f48-a591-60c82b14a78b.md b/docs/queries/kubernetes-queries/f377b83e-bd07-4f48-a591-60c82b14a78b.md new file mode 100644 index 00000000000..3c4cd4f72d6 --- /dev/null +++ b/docs/queries/kubernetes-queries/f377b83e-bd07-4f48-a591-60c82b14a78b.md @@ -0,0 +1,288 @@ +--- +title: Seccomp Profile Is Not Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f377b83e-bd07-4f48-a591-60c82b14a78b +- **Query name:** Seccomp Profile Is Not Configured +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/seccomp_profile_is_not_configured) + +### Description +Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
+[Documentation](https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="43 18 26 7" +apiVersion: v1 +kind: Pod +metadata: + name: pod-test-1 +spec: + containers: + - name: foobar + image: foo/bar:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-test-2 + annotations: + some-annotation: myannotation +spec: + containers: + - name: foobar + image: foo/bar:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod-test-3 + annotations: + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'rntim/dfl' +spec: + containers: + - name: foobar + image: foo/bar:latest +--- +apiVersion: batch/v1beta1 +kind: CronJob +metadata: + name: hello +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + metadata: + annotations: + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'rntim/dfl' + spec: + containers: + - name: hello + image: busybox + imagePullPolicy: IfNotPresent + args: + - /bin/sh + - -c + - date; echo Hello from the Kubernetes cluster + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="24" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + securityContext: + runAsUser: 19000 + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + allowPrivilegeEscalation: false + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="24 33" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + securityContext: + runAsUser: 19000 + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + allowPrivilegeEscalation: false + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="35" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + securityContext: + runAsUser: 19000 + seccompProfile: + type: RuntimeDefault + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + allowPrivilegeEscalation: false + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: pod-test-1 + annotations: + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default' +spec: + containers: + - name: foobar + image: foo/bar:latest +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + securityContext: + runAsUser: 19000 + seccompProfile: + type: RuntimeDefault + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + allowPrivilegeEscalation: false + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: apps/v1 +kind: Deployment +metadata: + name: securitydemo + labels: + app: web +spec: + replicas: 2 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + securityContext: + runAsUser: 19000 + containers: + - name: frontend + image: nginx + ports: + - containerPort: 80 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + - name: echoserver + image: k8s.gcr.io/echoserver:1.4 + ports: + - containerPort: 8080 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + +``` diff --git a/docs/queries/kubernetes-queries/f922827f-aab6-447c-832a-e1ff63312bd3.md b/docs/queries/kubernetes-queries/f922827f-aab6-447c-832a-e1ff63312bd3.md new file mode 100644 index 00000000000..16a607ececf --- /dev/null +++ b/docs/queries/kubernetes-queries/f922827f-aab6-447c-832a-e1ff63312bd3.md 
@@ -0,0 +1,135 @@ +--- +title: Container Runs Unmasked +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f922827f-aab6-447c-832a-e1ff63312bd3 +- **Query name:** Container Runs Unmasked +- **Platform:** Kubernetes +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/container_runs_unmasked) + +### Description +Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.
+[Documentation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#allowedprocmounttypes) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="12" +#this is a problematic code where the query should report a result(s) +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + kubernetes.io/description: 'restricted psp for all standard use-cases' + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default + name: restricted +spec: + allowPrivilegeEscalation: false # Disallow privilege escalation to any special capabilities + allowedProcMountTypes: + - Unmasked + fsGroup: # disallow root fsGroups for volume mounts + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + hostIPC: false # disallow sharing the host IPC namespace + hostNetwork: false # disallow host networking + hostPID: false # disallow sharing the host process ID namespace + hostPorts: # disallow low host ports (this seems to only apply to eth0 on EKS) + - max: 65535 + min: 1025 + privileged: false # disallow privileged pods + readOnlyRootFilesystem: true # change default from 'false' to 'true' + requiredDropCapabilities: # Drop all privileges in the Linux kernel + - AUDIT_CONTROL + - CHOWN + runAsGroup: # disallow GID 0 for pods (block root group) + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + runAsUser: # disallow UID 0 for pods + rule: MustRunAsNonRoot + seLinux: # Harness for SELinux + rule: RunAsAny + supplementalGroups: # restrict supplemental GIDs to be non-zero (non-root) + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: # allow only these volume types + - configMap + - downwardAPI + - emptyDir + - projected + - secret +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +#this code is a correct code for which the query should not find any result +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + kubernetes.io/description: 'restricted psp for all standard use-cases' + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default + name: restricted +spec: + allowPrivilegeEscalation: false # Disallow privilege escalation to any special capabilities + allowedProcMountTypes: + - Default # Disallow full /proc mounts, only allow the "default" masked /proc + fsGroup: # disallow root fsGroups for volume mounts + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + hostIPC: false # disallow sharing the host IPC namespace + hostNetwork: false # disallow host networking + hostPID: false # disallow sharing the host process ID namespace + hostPorts: # disallow low host ports (this seems to only apply to eth0 on EKS) + - max: 65535 + min: 1025 + privileged: false # disallow privileged pods + readOnlyRootFilesystem: true # change default from 'false' to 'true' + requiredDropCapabilities: # Drop all privileges in the Linux kernel + - AUDIT_CONTROL + - CHOWN + runAsGroup: # disallow GID 0 for pods (block root group) + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + runAsUser: # disallow UID 0 for pods + rule: MustRunAsNonRoot + seLinux: # Harness for SELinux + rule: RunAsAny + supplementalGroups: # restrict supplemental GIDs to be non-zero (non-root) + rule: MustRunAs + ranges: + - max: 65535 + min: 1 + volumes: # allow only these volume types + - configMap + - downwardAPI + - emptyDir + - projected + - secret +``` diff --git a/docs/queries/kubernetes-queries/fa4def8c-1898-4a35-a139-7b76b1acdef0.md b/docs/queries/kubernetes-queries/fa4def8c-1898-4a35-a139-7b76b1acdef0.md new file mode 100644 index 00000000000..8aff06f50cc --- /dev/null +++ b/docs/queries/kubernetes-queries/fa4def8c-1898-4a35-a139-7b76b1acdef0.md 
@@ -0,0 +1,95 @@ +--- +title: Insecure Port Not Properly Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fa4def8c-1898-4a35-a139-7b76b1acdef0 +- **Query name:** Insecure Port Not Properly Set +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/insecure_port_not_properly_set) + +### Description +When using kube-apiserver command, the '--insecure-port' flag should be defined and set to 0
+[Documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver", "--insecure-port=1143"] + restartPolicy: OnFailure + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver","--insecure-port=0"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--insecure-port=0"] + restartPolicy: OnFailure + +``` diff --git a/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md b/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md new file mode 100644 index 00000000000..cc2b9d524a9 --- /dev/null +++ b/docs/queries/kubernetes-queries/fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f.md 
@@ -0,0 +1,134 @@ +--- +title: TSL Connection Certificate Not Setup +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fa750c81-93c2-4fab-9c6d-d3fd3ce3b89f +- **Query name:** TSL Connection Certificate Not Setup +- **Platform:** Kubernetes +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/k8s/tls_connection_certificate_not_setup) + +### Description +TSL Connection Certificate files should be Setup
+[Documentation](https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: [] + restartPolicy: OnFailure + + + + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="2" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +evictionHard: + memory.available: "200Mi" + + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0 + command: ["kube-apiserver"] + args: ["--tls-cert-file=someFile.txt","--tls-private-key-file=someFile.txt"] + restartPolicy: OnFailure + +``` +```yaml title="Negative test num. 2 - yaml file" +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +address: "192.168.0.8" +port: 20250 +serializeImagePulls: false +tlsCertFile: "someFile.txt" +tlsPrivateKeyFile: "someFile.txt" +evictionHard: + memory.available: "200Mi" + + + +``` +```yaml title="Negative test num. 3 - yaml file" +apiVersion: v1 +kind: Pod +metadata: + name: command-demo + labels: + purpose: demonstrate-command +spec: + containers: + - name: command-demo-container + image: joaodanielrufino/kubelet + command: ["kubelet"] + args: [] + restartPolicy: OnFailure + + + + +``` +
Negative test num. 4 - json file + +```json +{ + "kind": "KubeletConfiguration", + "apiVersion": "kubelet.config.k8s.io/v1beta1", + "port": 10250, + "readOnlyPort": 10255, + "cgroupDriver": "cgroupfs", + "hairpinMode": "promiscuous-bridge", + "serializeImagePulls": false, + "tlsCertFile": "someFile.txt", + "tlsPrivateKeyFile": "someFile.txt", + "featureGates": { + "RotateKubeletClientCertificate": true, + "RotateKubeletServerCertificate": true + } +} + +``` +
diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md index 640140447aa..b933411aaa8 100644 --- a/docs/queries/openapi-queries.md +++ b/docs/queries/openapi-queries.md @@ -8,82 +8,82 @@ Bellow are listed queries related with OpenAPI 3.0: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation|Documentation
| -|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| -|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication|Documentation
| -|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client|Documentation
| -|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| -|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication|Documentation
| -|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication|Documentation
| -|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay|Documentation
| -|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry|Documentation
| -|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| -|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| -|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined|Documentation
| -|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible|Documentation
| -|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined|Documentation
| -|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf|Documentation
| -|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code|Documentation
| -|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined|Documentation
| -|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network|Documentation
| -|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead|Documentation
| -|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network|Documentation
| -|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| -|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition|Documentation
| -|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition|Documentation
| -|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.|Documentation
| -|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition|Documentation
| -|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition|Documentation
| -|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition|Documentation
| -|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}|Documentation
| -|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.|Documentation
| -|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition|Documentation
| -|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition|Documentation
| -|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry|Documentation
| -|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| -|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| -|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes'|Documentation
| -|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters'|Documentation
| -|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| -|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters|Documentation
| -|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.|Documentation
| -|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field|Documentation
| -|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field|Documentation
| -|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field|Documentation
| -|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field|Documentation
| -|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| -|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links'|Documentation
| -|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field|Documentation
| -|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field|Documentation
| -|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers'|Documentation
| -|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies'|Documentation
| -|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field|Documentation
| -|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses'|Documentation
| -|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| -|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true|Documentation
| -|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`|Documentation
| -|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas'|Documentation
| -|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples|Documentation
| -|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks'|Documentation
| -|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| -|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes'|Documentation
| -|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.|Documentation
| -|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field|Documentation
| -|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties|Documentation
| -|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL.|Documentation
| -|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty|Documentation
| -|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'|Documentation
| -|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'.|Documentation
| +|Cleartext Credentials With Basic Authentication For Operation
86b1fa30-9790-4980-994d-a27e0f6f27c1|High|Access Control|Cleartext credentials over unencrypted channel should not be accepted for the operation (read more)|Documentation
| +|Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme (read more)|Documentation
| +|Security Scheme Using HTTP Negotiate
f525cc92-9050-4c41-a75c-890dc6f64449|Medium|Access Control|Security Scheme HTTP should not be using negotiate authentication (read more)|Documentation
| +|OAuth2 With Password Flow
3979b0a4-532c-4ea7-86e4-34c090eaa4f2|Medium|Access Control|OAuth2 password flow insecurely exposes the credentials of the resource owner to the client (read more)|Documentation
| +|Invalid OAuth2 Token URL (v3)
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control|OAuth2 security scheme flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v3)
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Implicit Flow in OAuth2 (v3)
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Security Scheme Using HTTP Basic
68e5fcac-390c-4939-a373-6074b7be7c71|Medium|Access Control|Security Scheme HTTP should not be using basic authentication (read more)|Documentation
| +|Security Scheme Using HTTP Digest
a4247b11-890b-45df-bf42-350a7a3af9be|Medium|Access Control|Security Scheme HTTP should not be using digest authentication (read more)|Documentation
| +|OAuth2 With Implicit Flow
39cb32f2-3a42-4af0-8037-82a7a9654b6c|Medium|Access Control|OAuth2 implicit flow is vulnerable to access token leakage and access token replay (read more)|Documentation
| +|Security Scheme HTTP Unknown Scheme
06764426-3c56-407e-981f-caa25db1c149|Medium|Access Control|Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry (read more)|Documentation
| +|Path Server Object Uses HTTP (v3)
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection (read more)|Documentation
| +|Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Parameter Object Without Schema
8fe1846f-52cc-4413-ace9-1933d7d23672|Medium|Insecure Configurations|The Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Additional Properties Too Permissive
9f88c88d-824d-4d9a-b985-e22977046042|Medium|Insecure Configurations|Objects should not accept 'additionalProperties' if it is possible (read more)|Documentation
| +|Media Type Object Without Schema
f79b9d26-e945-44e7-98a1-b93f0f7a68a0|Medium|Insecure Configurations|The Media Type Object should have the attribute 'schema' defined (read more)|Documentation
| +|Additional Properties Too Restrictive
a19c3bbd-c056-40d7-9e1c-eeb0634e320d|Medium|Insecure Configurations|Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf (read more)|Documentation
| +|Success Response Code Undefined for Trace Operation
105e20dd-8449-4d71-95c6-d5dac96639af|Medium|Networking and Firewall|Trace should define the '200' successful code (read more)|Documentation
| +|Header Object Without Schema
50de3b5b-6465-4e06-a9b0-b4c2ba34326b|Medium|Networking and Firewall|The header object should have schema defined (read more)|Documentation
| +|Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|API Key Exposed In Global Security Scheme
40e1d1bf-11a9-4f63-a3a2-a8b84c602839|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| +|Security Scheme Using Oauth 1.0
1bc3205c-0d60-44e6-84f3-44fbf4dac5b3|Low|Access Control|Oauth 1.0 is deprecated, OAuth2 should be used instead (read more)|Documentation
| +|Global Security Scheme Using Basic Authentication
77276d82-4f45-4cf1-8e2b-4d345b936228|Low|Access Control|A security scheme is allowing basic authentication credentials to be transported over network (read more)|Documentation
| +|Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker (read more)|Documentation
| +|Property 'allowReserved' of Encoding Object Ignored
4190dda7-af03-4cf0-a128-70ac1661ca09|Info|Best Practices|Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Header Definition Is Unused
a68da022-e95a-4bc2-97d3-481e0bd6d446|Info|Best Practices|Components headers definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Unknown Prefix (v3)
a5375be3-521c-43bb-9eab-e2432e368ee4|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Components Request Body Definition Is Unused
6b76f589-9713-44ab-97f5-59a3dba1a285|Info|Best Practices|Components request bodies definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'explode' of Encoding Object Ignored
a4dd69b8-49fa-45d2-a060-c76655405b05|Info|Best Practices|Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Components Callback Definition Is Unused
d15db953-a553-4b8a-9a14-a3d62ea3d79d|Info|Best Practices|Components callbacks definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Encoding Header 'Content-Type' Improperly Defined
4cd8de87-b595-48b6-ab3c-1904567135ab|Info|Best Practices|Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored. (read more)|Documentation
| +|Components Parameter Definition Is Unused
698a464e-bb3e-4ba8-ab5e-e6599b7644a0|Info|Best Practices|Components parameters definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Response Definition Is Unused
9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae|Info|Best Practices|Components responses definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Example Definition Is Unused
b05bb927-2df5-43cc-8d7b-6825c0e71625|Info|Best Practices|Components examples definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Property 'allowEmptyValue' Ignored
59c2f769-7cc2-49c8-a3de-4e211135cfab|Info|Best Practices|Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true} (read more)|Documentation
| +|Property 'style' of Encoding Object Ignored
d3ea644a-9a5c-4fee-941f-f8a6786c0470|Info|Best Practices|Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored. (read more)|Documentation
| +|Invalid Media Type Value (v3)
cf4a5f45-a27b-49df-843a-9911dbfe71d4|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Components Link Definition Is Unused
c19779a9-5774-4d2f-a3a1-a99831730375|Info|Best Practices|Components links definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Components Schema Definition Is Unused
962fa01e-b791-4dcc-b04a-4a3e7389be5e|Info|Best Practices|Components schemas definitions should be referenced or removed from Open API definition (read more)|Documentation
| +|Parameter Object Content With Multiple Entries
8bfed1c6-2d59-4924-bc7f-9b9d793ed0df|Info|Structure and Semantics|The map content property of the parameter object should only contain one entry (read more)|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array) (read more)|Documentation
| +|Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property (read more)|Documentation
| +|Security Field Undefined
ab1263c2-81df-46f0-9f2c-0b62fdb68419|Info|Structure and Semantics|Security field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v3)
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#/components/parameters' (read more)|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL (read more)|Documentation
| +|Property 'allowReserved' Improperly Defined
7f203940-39c4-4ea7-91ee-7aba16bca9e2|Info|Structure and Semantics|Property 'allowReserved' should be only defined for query parameters (read more)|Documentation
| +|Request Body Object With Incorrect Media Type
58f06434-a88c-4f74-826c-db7e10cc7def|Info|Structure and Semantics|The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set. (read more)|Documentation
| +|Link JSON Reference Does Not Exists
801f0c6a-a834-4467-89c6-ddecffb46b5a|Info|Structure and Semantics|Link reference should exists on components field (read more)|Documentation
| +|Callback JSON Reference Does Not Exists
f29904c8-6041-4bca-b043-dfa0546b8079|Info|Structure and Semantics|Callback reference should exists on components field (read more)|Documentation
| +|Response JSON Reference Does Not Exists (v3)
7a01dfbd-da62-4165-aed7-71349ad42ab4|Info|Structure and Semantics|Response reference should exists on components field (read more)|Documentation
| +|Example JSON Reference Does Not Exists
6a2c219f-da5e-4745-941e-5ea8cde23356|Info|Structure and Semantics|Example reference should exists on components field (read more)|Documentation
| +|Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'. (read more)|Documentation
| +|Link Object Incorrect Ref
b9db8a10-020c-49ca-88c6-780e5fdb4328|Info|Structure and Semantics|Link object reference must always point to '#/components/links' (read more)|Documentation
| +|Header JSON Reference Does Not Exists
376c9390-7e9e-4cb8-a067-fd31c05451fd|Info|Structure and Semantics|Header reference should exists on components field (read more)|Documentation
| +|Object Without Required Property (v3)
d172a060-8569-4412-8045-3560ebd477e8|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Request Body JSON Reference Does Not Exists
ca02f4e8-d3ae-4832-b7db-bb037516d9e7|Info|Structure and Semantics|Request Body reference should exists on components field (read more)|Documentation
| +|Header Object With Incorrect Ref
2d6646f4-2946-420f-8c14-3232d49ae0cb|Info|Structure and Semantics|Header Object reference must always point to '#/components/headers' (read more)|Documentation
| +|Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#/components/RequestBodies' (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v3)
2e275f16-b627-4d3f-ae73-a6153a23ae8f|Info|Structure and Semantics|Parameter reference should exists on components field (read more)|Documentation
| +|Response Object With Incorrect Ref (v3)
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#/components/responses' (read more)|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition (read more)|Documentation
| +|Schema With Both ReadOnly And WriteOnly
d2361d58-361c-49f0-9e50-b957fd608b29|Info|Structure and Semantics|Schema should not have both 'writeOnly' and 'readOnly' set to true (read more)|Documentation
| +|Components Object Fixed Field Key Improperly Named
151331e2-11f4-4bb6-bd35-9a005e695087|Info|Structure and Semantics|Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$` (read more)|Documentation
| +|Schema Object Incorrect Ref (v3)
4cac7ace-b0fb-477d-830d-65395d9109d9|Info|Structure and Semantics|Schema Object reference must always point to '#/components/schemas' (read more)|Documentation
| +|Example JSON Reference Outside Components Examples
bac56e3c-1f71-4a74-8ae6-2fba07efcddb|Info|Structure and Semantics|Reference to examples should point to #/components/examples (read more)|Documentation
| +|Callback Object With Incorrect Ref
ba066cda-e808-450d-92b6-f29109754d45|Info|Structure and Semantics|Callback Object reference must always point to '#/components/callbacks' (read more)|Documentation
| +|Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive (read more)|Documentation
| +|Security Operation Field Undefined
20a482d5-c5d9-4a7a-b7a4-60d0805047b4|Info|Structure and Semantics|Security operation field should be defined in '#/components/securitySchemes' (read more)|Documentation
| +|Link Object With Both 'operationId' And 'operationRef'
60fb6621-9f02-473b-9424-ba9a825747d3|Info|Structure and Semantics|Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive. (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v3)
015eac96-6313-43c0-84e5-81b1374fa637|Info|Structure and Semantics|Schema reference should exists on components field (read more)|Documentation
| +|Encoding Map Key Mismatch Schema Defined Properties
cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b|Info|Structure and Semantics|Encoding Map Key should be set in schema defined properties (read more)|Documentation
| +|Server Object Variable Not Used
8aee4754-970d-4c5f-8142-a49dfe388b1a|Info|Structure and Semantics|Every defined Server Variable Object should be used in a Service URL. (read more)|Documentation
| +|Empty Array
5915c20f-dffa-4cee-b5d4-f457ddc0151a|Info|Structure and Semantics|All array fields should not be empty (read more)|Documentation
| +|Security Requirement Object With Wrong Scopes
37140f7f-724a-4c87-a536-e9cee1d61533|Info|Structure and Semantics|Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect' (read more)|Documentation
| +|Unknown Property (v3)
fb7d81e7-4150-48c4-b914-92fc05da6a2f|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Server URL Uses Undefined Variables
8d0921d6-4131-461f-a253-99e873f8f77e|Info|Structure and Semantics|Any variable used in the Service URL should be defined in the Service Object through 'variables'. (read more)|Documentation
| ### SHARED (V2/V3) Bellow are listed queries related with OpenAPI SHARED (V2/V3): 
@@ -93,153 +93,153 @@ Bellow are listed queries related with OpenAPI SHARED (V2/V3):
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
 |Security Field On Operations Has An Empty Object Definition (v2)
74581e3b-1d55-4323-a139-5959a7b3abc5|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| -|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition|Documentation
| +|Security Field On Operations Has An Empty Object Definition (v3)
baade968-7467-41e4-bf22-83ca222f5800|High|Access Control|Security object for operations should not be empty object or has any empty object definition (read more)|Documentation
| |Cleartext API Key In Operation Security (v2)
99733b39-6413-4ed8-8acf-dc7cdc9b4e51|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Operation Security (v3)
d90d4e40-44c1-4125-87a0-e072c3e195b5|High|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| |Global Security Field Has An Empty Array (v2)
da31d54b-ad54-41dc-95eb-8b3828629213|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| -|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme|Documentation
| +|Global Security Field Has An Empty Array (v3)
d674aea4-ba8b-454b-bb97-88a772ea33f0|High|Access Control|Security object need to have defined rules in its array and rules should be defined on securityScheme (read more)|Documentation
| |Global Security Field Is Undefined (v2)
74703c89-0ea2-49ab-a7db-bf04f19f5a57|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securityDefinitions|Documentation
| -|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes|Documentation
| +|Global Security Field Is Undefined (v3)
8af270ce-298b-4405-9922-82a10aee7a4f|High|Access Control|Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes (read more)|Documentation
| |Global security field has an empty object (v2)
292919fb-7b26-4454-bee9-ce29094768dd|High|Access Control|Global security definition must not have empty objects|Documentation
| -|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects|Documentation
| +|Global security field has an empty object (v3)
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects (read more)|Documentation
| |Security Field On Operations Has An Empty Array (v2)
5d29effc-5d68-481f-9721-d74e5919226b|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| -|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error|Documentation
| +|Security Field On Operations Has An Empty Array (v3)
663c442d-f918-4f62-b096-0bf5dcbeb655|High|Access Control|Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error (read more)|Documentation
| |No Global And Operation Security Defined (v2)
586abcee-9653-462d-ad7b-2638a32bd6e6|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| -|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|No Global And Operation Security Defined (v3)
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined (read more)|Documentation
| |Array Items Has No Type (v2)
8697a1a4-82c6-4603-8ac8-57529756744e|High|Insecure Configurations|Schema/Parameter array items type should be defined|Documentation
| -|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined|Documentation
| +|Array Items Has No Type (v3)
be0e0df7-f3d9-42a1-9b6f-d425f94872c4|High|Insecure Configurations|Schema array items type should be defined (read more)|Documentation
| |Array Without Maximum Number of Items (v2)
99eb2c95-2040-4104-9e7c-e16f7474d218|High|Insecure Configurations|Array schema/parameter should have the field 'maxItems' set|Documentation
| -|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set|Documentation
| +|Array Without Maximum Number of Items (v3)
6998389e-66b2-473d-8d05-c8d71ac4d04d|High|Insecure Configurations|Array schema should have the field 'maxItems' set (read more)|Documentation
| |Cleartext API Key In Global Security (v2)
70d3873e-d537-46e5-ac3b-4e48fbdd29b4|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| -|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel|Documentation
| +|Cleartext API Key In Global Security (v3)
9c238c97-1991-4c0b-9c7d-6c7912e1dc7c|Medium|Access Control|API Keys should not be sent as cleartext over an unencrypted channel (read more)|Documentation
| |API Key Exposed In Global Security (v2)
533a0d13-6e89-4551-ae33-bce14e5849c1|Medium|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Global Security (v3)
aecee30b-8ea1-4776-a99c-d6d600f0862f|Medium|Access Control|API Keys should not be transported over network (read more)|Documentation
| |JSON Object Schema Without Type (v2)
62d52544-82ef-4b75-8308-cad49d50212b|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| -|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined.|Documentation
| +|JSON Object Schema Without Type (v3)
e2ffa504-d22a-4c94-b6c5-f661849d2db7|Medium|Insecure Configurations|Schema of the JSON object should have 'type' defined. (read more)|Documentation
| |String Schema with Broad Pattern (v2)
e4a019f0-9af3-49c8-bf68-1939a6ff240d|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| -|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern|Documentation
| +|String Schema with Broad Pattern (v3)
8c81d6c0-716b-49ec-afa5-2d62da4e3f3c|Medium|Insecure Configurations|String schema should restrict the pattern (read more)|Documentation
| |Maximum Length Undefined (v2)
2ec86e48-ab90-4cb6-a131-0502afd1f442|Medium|Insecure Configurations|String schema/parameter/header should have 'maxLength' defined.|Documentation
| -|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined.|Documentation
| +|Maximum Length Undefined (v3)
8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85|Medium|Insecure Configurations|String schema should have 'maxLength' defined. (read more)|Documentation
| |Numeric Schema Without Maximum (v2)
203eee11-15b6-4d47-b888-4c7f534967ee|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| -|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.|Documentation
| +|Numeric Schema Without Maximum (v3)
2ea04bef-c769-409e-9179-ee3a50b5c0ac|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined. (read more)|Documentation
| |JSON Object Schema Without Properties (v2)
3d28f751-bc18-4f83-ace0-216b6086410b|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| -|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false.|Documentation
| +|JSON Object Schema Without Properties (v3)
9d967a2b-9d64-41a6-abea-dfc4960299bd|Medium|Insecure Configurations|Schema of the JSON object should have properties defined and 'additionalProperties' set to false. (read more)|Documentation
| |Pattern Undefined (v2)
afde15cf-9444-4126-8c62-41cd79db1d1d|Medium|Insecure Configurations|String schema/parameter/header should have 'pattern' defined.|Documentation
| -|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined.|Documentation
| +|Pattern Undefined (v3)
00b78adf-b83f-419c-8ed8-c6018441dd3a|Medium|Insecure Configurations|String schema should have 'pattern' defined. (read more)|Documentation
| |Numeric Schema Without Minimum (v2)
efd1dfc8-da91-4909-a3f3-c23abc5ec799|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| -|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.|Documentation
| +|Numeric Schema Without Minimum (v3)
181bd815-767e-4e95-a24d-bb3c87328e19|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined. (read more)|Documentation
| |Schema Object is Empty (v2)
967575e5-eb44-4c24-aadb-7e33608ed30a|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| -|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values|Documentation
| +|Schema Object is Empty (v3)
500ce696-d501-41dd-86eb-eceb011a386f|Medium|Insecure Configurations|The Schema Object should not be empty to avoid accepting any JSON values (read more)|Documentation
| |Numeric Schema Without Format (v2)
3ed8fc82-c2bb-49e0-811f-c53923674c49|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| -|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined.|Documentation
| +|Numeric Schema Without Format (v3)
fbf699b5-ef74-4542-9cf1-f6eeac379373|Medium|Insecure Configurations|Numeric schema (type set to 'integer' or 'number') should have 'format' defined. (read more)|Documentation
| |Response on operations that should not have a body has declared content (v2)
268defd2-2839-4e15-8cbc-de86eb38c231|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a schema defined|Documentation
| -|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined|Documentation
| +|Response on operations that should not have a body has declared content (v3)
12a7210b-f4b4-47d0-acac-0a819e2a0ca3|Medium|Networking and Firewall|If a response is head or its code is 204 or 304, it shouldn't have a content defined (read more)|Documentation
| |Success Response Code Undefined for Delete Operation (v2)
ad432855-b7fb-4429-92a3-93b5ce34f0b1|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Delete Operation (v3)
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Response on operations that should have a body has undefined schema (v2)
31afbcb7-70e0-48bb-a31a-3374f95cf859|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| -|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined|Documentation
| +|Response on operations that should have a body has undefined schema (v3)
a92be1d5-d762-484a-86d6-8cd0907ba100|Medium|Networking and Firewall|If a response is not head or its code is not 204 or 304, it should have a schema defined (read more)|Documentation
| |Response Code Missing (v2)
6e96ed39-bf45-4089-99ba-f1fe7cf6966f|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| -|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.|Documentation
| +|Response Code Missing (v3)
6c35d2c6-09f2-4e5c-a094-e0e91327071d|Medium|Networking and Firewall|500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined. (read more)|Documentation
| |Default Response Undefined On Operations (v2)
5f34c7ae-4f3f-4cbb-8fe3-a11d6961062f|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| -|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined|Documentation
| +|Default Response Undefined On Operations (v3)
86e3702f-c868-44b2-b61d-ea5316c18110|Medium|Networking and Firewall|Operations responses should have a default response defined (read more)|Documentation
| |Success Response Code Undefined for Post Operation (v2)
9fedee41-2e6d-4091-b011-4a16b4c18c70|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Post Operation (v3)
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Success Response Code Undefined for Patch Operation (v2)
f36e87cc-a209-4f37-8571-66833e4aead7|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Patch Operation (v3)
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |Success Response Code Undefined for Head Operation (v2)
4f0b30e3-a498-4dd7-b3f2-f4b6471a8d5a|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Head Operation (v3)
3b066059-f411-4554-ac8d-96f32bff90da|Medium|Networking and Firewall|Head should define at least one success response (200 or 202) (read more)|Documentation
| |Success Response Code Undefined for Get Operation (v2)
9b633f3b-c94b-4fbb-a65b-1a4e9134fb63|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| -|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202)|Documentation
| +|Success Response Code Undefined for Get Operation (v3)
b2f275be-7d64-4064-b418-be6b431363a7|Medium|Networking and Firewall|Get should define at least one success response (200 or 202) (read more)|Documentation
| |Success Response Code Undefined for Put Operation (v2)
965a043f-5f3c-4d0a-be72-d9ce12fdb4d6|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| -|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Undefined for Put Operation (v3)
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204) (read more)|Documentation
| |API Key Exposed In Operation Security (v2)
392599e4-a4e2-403d-bc56-3fe05755782d|Low|Access Control|API Keys should not be transported over network|Documentation
| -|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network|Documentation
| +|API Key Exposed In Operation Security (v3)
281b8071-6226-4a43-911d-fec246d422c2|Low|Access Control|API Keys should not be transported over network (read more)|Documentation
| |Invalid Format (v2)
caf1793e-95dd-4b18-8d90-8f3c0ab5bddf|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| -|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double|Documentation
| +|Invalid Format (v3)
d929c031-078f-4241-b802-e224656ad890|Low|Insecure Configurations|The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double (read more)|Documentation
| |Header Parameter Named as 'Content-Type' (v2)
51978067-3b22-4c29-aaf3-96bf0bc28897|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Content-Type' (v3)
72d259ca-9741-48dd-9f62-eb11f2936b37|Info|Best Practices|The header Parameter should not be named as 'Content-Type'. If so, it will be ignored. (read more)|Documentation
| |Header Parameter Named as 'Accept' (v2)
3ddd74cc-6582-486c-8b0c-2b48cb38e0a3|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Accept' (v3)
f2702af5-6016-46cb-bbc8-84c766032095|Info|Best Practices|The header Parameter should not be named as 'Accept'. If so, it will be ignored. (read more)|Documentation
| |JSON '$ref' alongside other properties (v2)
f34c1c68-4773-4df0-a103-6e2ca32e585f|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| -|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key|Documentation
| +|JSON '$ref' alongside other properties (v3)
96beb800-566f-49a9-a0ea-dbdf4bc80429|Info|Best Practices|Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key (read more)|Documentation
| |Invalid Contact URL (v2)
c7000383-16d0-4509-8cd3-585e5ea2e2f2|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| -|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL|Documentation
| +|Invalid Contact URL (v3)
332cf2ad-380d-4b90-b436-46f8e635cf38|Info|Best Practices|Contact Object URL should be a valid URL (read more)|Documentation
| |Header Response Name Is Invalid (v2)
86733e01-a435-4bd5-a8b0-5108be9dc1e4|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| -|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.|Documentation
| +|Header Response Name Is Invalid (v3)
d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd|Info|Best Practices|The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored. (read more)|Documentation
| |Invalid License URL (v2)
de2b4910-8484-46d6-a055-dc1e793ee3ff|Info|Best Practices|License Object URL should be a valid URL|Documentation
| -|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL|Documentation
| +|Invalid License URL (v3)
9239c289-9e4c-4d92-8be1-9d506057c971|Info|Best Practices|License Object URL should be a valid URL (read more)|Documentation
| |Header Parameter Named as 'Authorization' (v2)
e2e00c97-7171-4fb4-b461-d631df9a711c|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| -|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored.|Documentation
| +|Header Parameter Named as 'Authorization' (v3)
8c84f75e-5048-4926-a4cb-33e7b3431300|Info|Best Practices|The header Parameter should not be named as 'Authorization'. If so, it will be ignored. (read more)|Documentation
| |Example Not Compliant With Schema Type (v2)
448db771-06ea-4dee-b48c-1689cbfb4b43|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| -|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type|Documentation
| +|Example Not Compliant With Schema Type (v3)
881a6e71-c2a7-4fe2-b9c3-dfcf08895331|Info|Best Practices|Examples values and fields should be compliant with the schema type (read more)|Documentation
| |Invalid Tag External Documentation URL (v2)
b4a7d925-738b-4219-99d9-87d6ee262a03|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| -|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL|Documentation
| +|Invalid Tag External Documentation URL (v3)
5aea1d7e-b834-4749-b143-2c7ec3bd5922|Info|Best Practices|Tag External Documentation URL should be a valid URL (read more)|Documentation
| |Operation Without Successful HTTP Status Code (v2)
a1ee6ebe-3877-42ec-b9a6-e524e7d06aa2|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| -|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined|Documentation
| +|Operation Without Successful HTTP Status Code (v3)
48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd|Info|Best Practices|Operation Object should have at least one successful HTTP status code defined (read more)|Documentation
| |Invalid Schema External Documentation URL (v2)
f7fa95b7-d819-484c-9a2b-665dd1bba25e|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| -|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL|Documentation
| +|Invalid Schema External Documentation URL (v3)
6952a7e0-6e48-4285-bbc1-27c64e60f888|Info|Best Practices|Schema External Documentation URL should be a valid URL (read more)|Documentation
| |Path Without Operation (v2)
609cd557-66b4-41fa-8edd-2abc6c7cfd08|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| -|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined|Documentation
| +|Path Without Operation (v3)
84c826c9-1893-4b34-8cdd-db97645b4bf3|Info|Best Practices|Path object should have at least one operation object defined (read more)|Documentation
| |Invalid Global External Documentation URL (v2)
46d3b74d-9fe9-45bf-9e9e-efb7f701ee28|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| -|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL|Documentation
| +|Invalid Global External Documentation URL (v3)
b2d9dbf6-539c-4374-a1fd-210ddf5563a8|Info|Best Practices|Global External Documentation URL should be a valid URL (read more)|Documentation
| |Required Property With Default Value (v2)
f7ab6c83-ef89-40e1-8a99-32e2599fb665|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| -|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value|Documentation
| +|Required Property With Default Value (v3)
013bdb4b-9246-4248-b0c3-7fb0fee42a29|Info|Best Practices|Required properties receive value from requests, which makes unnecessary declare a default value (read more)|Documentation
| |Invalid Operation External Documentation URL (v2)
25635c31-ee32-4708-88e5-fced87516f51|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| -|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL|Documentation
| +|Invalid Operation External Documentation URL (v3)
5ea61624-3733-4a3a-8ca4-b96fec9c5aeb|Info|Best Practices|Operation External Documentation URL should be a valid URL (read more)|Documentation
| |Invalid Contact Email (v2)
d83bebc8-4e5e-4241-b783-cba9fb5a1c9a|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| -|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| +|Invalid Contact Email (v3)
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email (read more)|Documentation
| |Object Using Enum With Keyword (v2)
7f15962a-d862-451c-ac9b-84ec13747aa6|Info|Best Practices|Schema/Parameter/Header Object properties should not contain 'enum' and schema keywords|Documentation
| -|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords|Documentation
| +|Object Using Enum With Keyword (v3)
2e9b6612-8f69-42e0-a5b8-ed17739c2f3a|Info|Best Practices|Schema Object properties should not contain 'enum' and schema keywords (read more)|Documentation
| |Path Template is Empty (v2)
c201b7ad-6173-4598-a407-5edb04a1bcd7|Info|Structure and Semantics|All path templates should not be empty|Documentation
| -|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty|Documentation
| +|Path Template is Empty (v3)
ae13a37d-943b-47a7-a970-83c8598bcca3|Info|Structure and Semantics|All path templates should not be empty (read more)|Documentation
| |Responses Object Is Empty (v2)
6172e7ab-d2b7-45f8-a7db-1603931d8ba3|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| -|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty|Documentation
| +|Responses Object Is Empty (v3)
990eaf09-d6f1-4c3c-b174-a517b1de8917|Info|Structure and Semantics|Responses Object should not be empty (read more)|Documentation
| |Schema Discriminator Property Not String (v2)
949376f1-f560-4c6d-a016-63424ca931bb|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| -|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string|Documentation
| +|Schema Discriminator Property Not String (v3)
dadc2f36-1f5a-46c0-8289-75e626583123|Info|Structure and Semantics|Schema discriminator property should be a string (read more)|Documentation
| |Items Undefined (v2)
3e4d34d2-36cf-4449-976d-6c256db8fc49|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| -|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array.|Documentation
| +|Items Undefined (v3)
a8e859da-4a43-4e7f-94b8-25d6e3bf8e90|Info|Structure and Semantics|Schema/Parameter items should be defined when the schema/parameter is set to an array. (read more)|Documentation
| |Parameters Name In Combination Not Unique (v2)
ab871897-ec02-4835-9818-702536ee1dda|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| -|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations|Documentation
| +|Parameters Name In Combination Not Unique (v3)
f5b2e6af-76f5-496d-8482-8f898c5fdb4a|Info|Structure and Semantics|Parameters properties 'name' and 'in' should have unique combinations (read more)|Documentation
| |Property 'allowEmptyValue' Improperly Defined (v2)
0bc1477d-0922-478b-ae16-674a7634a1a8|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| -|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters|Documentation
| +|Property 'allowEmptyValue' Improperly Defined (v3)
4bcbcd52-3028-469f-bc14-02c7dbba2df2|Info|Structure and Semantics|Property 'allowEmptyValue' should be only defined for query parameters and formData parameters (read more)|Documentation
| |Type Has Invalid Keyword (v2)
492c6cbb-f3f8-4807-aa4f-42b8b1c46b59|Info|Structure and Semantics|Schema/Parameter/Header Object define type should not use a keyword of another type|Documentation
| -|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type|Documentation
| +|Type Has Invalid Keyword (v3)
a9228976-10cf-4b5f-b902-9e962aad037a|Info|Structure and Semantics|Schema Object define type should not use a keyword of another type (read more)|Documentation
| |Non-Array Schema With Items (v2)
9d47956b-29cd-43b1-9e6e-b39a4d484353|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| -|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined|Documentation
| +|Non-Array Schema With Items (v3)
20cb3159-b219-496b-8dac-54ae3ab2021a|Info|Structure and Semantics|Non-Array Schema should not have 'items' defined (read more)|Documentation
| |Responses With Wrong HTTP Status Code (v2)
069a5378-2091-43f0-aa3b-ee8f20996e99|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| -|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| +|Responses With Wrong HTTP Status Code (v3)
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599] (read more)|Documentation
| |Schema Discriminator Mismatch Defined Properties (v2)
addc0eab-27f6-4c26-8526-d2ccd3732662|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| -|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties.|Documentation
| +|Schema Discriminator Mismatch Defined Properties (v3)
40d3df21-c170-4dbe-9c02-4289b51f994f|Info|Structure and Semantics|Schema discriminator values should match defined properties. (read more)|Documentation
| |Properties Missing Required Property (v2)
71beb6ab-8b70-4816-a9ac-a0ff1fb22a62|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| -|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined|Documentation
| +|Properties Missing Required Property (v3)
3fb03214-25d4-4bd4-867c-c2d8d708a483|Info|Structure and Semantics|Schema Object should have all required properties defined (read more)|Documentation
| |Schema Enum Invalid (v2)
8fe6d18a-ad4c-4397-8884-e3a9da57f4c9|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| -|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type|Documentation
| +|Schema Enum Invalid (v3)
03856cb2-e46c-4daf-bfbf-214ec93c882b|Info|Structure and Semantics|The field 'enum' of Schema Object should be consistent with the schema's type (read more)|Documentation
| |Schema Object With Circular Ref (v2)
cbff2508-85c9-4448-a8b3-770070edf5ca|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| -|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties|Documentation
| +|Schema Object With Circular Ref (v3)
1a1aea94-745b-40a7-b860-0702ea6ee636|Info|Structure and Semantics|Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties (read more)|Documentation
| |Schema Object Properties With Duplicated Keys (v2)
ded017bf-fb13-4f8d-868b-84aebcc572ad|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| -|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'|Documentation
| +|Schema Object Properties With Duplicated Keys (v3)
10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa|Info|Structure and Semantics|Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties' (read more)|Documentation
| |Paths Object is Empty (v2)
3e6c7b1c-8a8d-43ab-98b9-65159f44db4a|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| -|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| +|Paths Object is Empty (v3)
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed (read more)|Documentation
| |OperationId Not Unique (v2)
21245007-91c4-40e5-964e-40c85d1e5aa6|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| -|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined|Documentation
| +|OperationId Not Unique (v3)
c254adc4-ef25-46e1-8270-b7944adb4198|Info|Structure and Semantics|OperationId should be unique when defined (read more)|Documentation
| |Schema Has A Required Property Undefined (v2)
811762c8-2e99-4f70-88f9-a63875a953b1|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| -|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties|Documentation
| +|Schema Has A Required Property Undefined (v3)
2bd608ae-8a1f-457f-b710-c237883cb313|Info|Structure and Semantics|Schema Object should not be have a required property that is not defined on properties (read more)|Documentation
| |Template Path With No Corresponding Path Parameter (v2)
e7656d8d-7288-4bbe-b07b-22b389be75ce|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| -|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation|Documentation
| +|Template Path With No Corresponding Path Parameter (v3)
561710b1-b845-4562-95ce-2397a05ccef4|Info|Structure and Semantics|The template path must have a corresponding path parameter for a given operation (read more)|Documentation
| |Default Invalid (v2)
78dfd8f0-a6ee-48ec-af8c-e4d9b3292a07|Info|Structure and Semantics|The field 'default' of Schema/Parameter/Header Object should be consistent with the schema's/parameter's/header's type|Documentation
| -|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type|Documentation
| +|Default Invalid (v3)
a96bbc06-8cde-4295-ad3c-ee343a7f658e|Info|Structure and Semantics|The field 'default' of Schema Object should be consistent with the schema's type (read more)|Documentation
| |Schema Discriminator Not Required (v2)
be6a3722-af60-438c-b1b9-2a03e2958ab7|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| -|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| +|Schema Discriminator Not Required (v3)
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property (read more)|Documentation
| |Path Parameter With No Corresponding Template Path (v2)
194ef1f8-360e-4c14-8ed2-e83e2bafa142|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| -|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation|Documentation
| +|Path Parameter With No Corresponding Template Path (v3)
69d7aefd-149d-47b8-8d89-1c2181a8067b|Info|Structure and Semantics|The path parameter must have a corresponding template path for a given operation (read more)|Documentation
| |Parameter Objects Headers With Duplicated Name (v2)
bd2cbef5-62c4-40f1-af07-4b7f9ced6616|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| -|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| +|Parameter Objects Headers With Duplicated Name (v3)
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive. (read more)|Documentation
| |Property Defining Minimum Greater Than Maximum (v2)
b5102ea9-6527-4bb7-94fc-9b4076150e55|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| -|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined|Documentation
| +|Property Defining Minimum Greater Than Maximum (v3)
ab2af219-cd08-4233-b5a1-a788aac88b51|Info|Structure and Semantics|Property defining minimum has greater value than maximum defined (read more)|Documentation
| |Path Is Ambiguous (v2)
b2468463-3ac4-4930-890c-f35b2bf4485d|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| -|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object|Documentation
| +|Path Is Ambiguous (v3)
237402e2-c2f0-46c9-9cf5-286160cf7bfc|Info|Structure and Semantics|All path should be unique, if has more than one operation, all operations should be part of same Path Object (read more)|Documentation
| |Path Parameter Not Required (v2)
ccd0613f-cb77-4684-a892-183bd2674d12|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| -|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Path Parameter Not Required (v3)
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true. (read more)|Documentation
|
 ### 2.0
 Bellow are listed queries related with OpenAPI 2.0:
@@ -248,50 +248,50 @@ Bellow are listed queries related with OpenAPI 2.0:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty|Documentation
| -|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty|Documentation
| -|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions'|Documentation
| -|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field|Documentation
| -|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication|Documentation
| -|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| -|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated|Documentation
| -|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication|Documentation
| -|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection|Documentation
| -|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http'|Documentation
| -|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials|Documentation
| -|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation|Documentation
| -|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations|Documentation
| -|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication|Documentation
| -|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow|Documentation
| -|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker|Documentation
| -|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication|Documentation
| -|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters)|Documentation
| -|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values|Documentation
| -|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use|Documentation
| -|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'|Documentation
| -|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use|Documentation
| -|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use|Documentation
| -|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it|Documentation
| -|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters]|Documentation
| -|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'|Documentation
| -|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/'|Documentation
| -|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters'|Documentation
| -|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name|Documentation
| -|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined|Documentation
| -|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field|Documentation
| -|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations|Documentation
| -|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field|Documentation
| -|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'|Documentation
| -|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields|Documentation
| -|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field|Documentation
| -|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses'|Documentation
| -|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions'|Documentation
| -|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API|Documentation
| -|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file'|Documentation
| -|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field|Documentation
| -|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both|Documentation
| -|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known|Documentation
| -|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'|Documentation
| +|Security Definitions Undefined or Empty
e3f026e8-fdb4-4d5a-bcfd-bd94452073fe|High|Access Control|Security Definitions Object should be set and not empty (read more)|Documentation
| +|Non OAuth2 Security Requirement Defining OAuth2 Scopes
ba239cb9-f342-4c20-812d-7b5a2aa6969e|High|Structure and Semantics|If the security scheme is not of type 'oauth2', the array value must be empty (read more)|Documentation
| +|Security Requirement Not Defined In Security Definition
a599b0d1-ff89-4cb8-9ece-9951854c06f6|High|Structure and Semantics|All security requirement objects must be defined in 'securityDefinitions' (read more)|Documentation
| +|Invalid OAuth2 Token URL (v2)
274f910a-0665-4f08-b66d-7058fe927dba|Medium|Access Control|OAuth2 security definition flow requires a valid URL in the tokenUrl field (read more)|Documentation
| +|Security Definitions Allows Password Flow
773116aa-2e6d-416f-bd85-f0301cc05d76|Medium|Access Control|Security Definition Object should not allow 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Invalid OAuth2 Authorization URL (v2)
33d96c65-977d-4c33-943f-440baca49185|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL (read more)|Documentation
| +|Implicit Flow in OAuth2 (v2)
e9817ad8-a8c9-4038-8a2f-db0e6e7b284b|Medium|Access Control|There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated (read more)|Documentation
| +|Operation Using Password Flow
2e44e632-d617-43cb-b294-6bfe72a08938|Medium|Access Control|Operation Object should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Global Security Using Password Flow
2da46be4-4317-4650-9285-56d7103c4f93|Medium|Access Control|Security should not use 'password' Flow in OAuth2 authentication (read more)|Documentation
| +|Path Scheme Accepts HTTP (v2)
a6847dc6-f4ea-45ac-a81f-93291ae6c573|Medium|Encryption|The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection (read more)|Documentation
| +|Global Schemes Uses HTTP
f30ee711-0082-4480-85ab-31d922d9a2b2|Medium|Encryption|Global Schemes should use 'https' protocol instead of 'http' (read more)|Documentation
| +|Schemes Uses HTTP
a46928f1-43d7-4671-94e0-2dd99746f389|Medium|Encryption|Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials (read more)|Documentation
| +|Operation Object Without 'produces'
be3e170e-1572-461e-a8b6-d963def581ec|Medium|Insecure Configurations|Operation Object should have 'produces' feild defined for 'GET'operation (read more)|Documentation
| +|Operation Object Without 'consumes'
0c79e50e-b3cf-490c-b8f6-587c644d4d0c|Medium|Insecure Configurations|Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On Global 'security' Field
9aa6e95c-d964-4239-a3a8-9f37a3c5a31f|Low|Access Control|Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Security Definitions Using Basic Auth
221015a8-aa2a-43f5-b00b-ad7d2b1d47a8|Low|Access Control|Security Definition Object should not use basic authentication (read more)|Documentation
| +|Operation Using Implicit Flow
f42dfe7e-787d-4478-a75e-a5f3d8a2269e|Low|Access Control|Operation Object should not use implicit flow (read more)|Documentation
| +|Undefined Scope 'securityDefinition' On 'security' Field On Operations
3847280c-9193-40bc-8009-76168e822ce2|Low|Access Control|Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker (read more)|Documentation
| +|Operation Using Basic Auth
ceefb058-8065-418f-9c4c-584a78c7e104|Low|Access Control|Operation Object should not use basic authentication (read more)|Documentation
| +|Operation Summary Too Long
d47940ca-5970-45cc-bdd1-4d81398cee1f|Low|Best Practices|Operation summary should be short (less than 120 characters) (read more)|Documentation
| +|Constraining Enum Property
be1d8733-3731-40c7-a845-734741c6871d|Info|Best Practices|There is a constraining keyword in a property which is already restricted by enum values (read more)|Documentation
| +|Global Parameter Definition Not Being Used
b30981fa-a12e-49c7-a5bb-eeafb61d0f0f|Info|Best Practices|All global parameters definitions should be in use (read more)|Documentation
| +|Unknown Prefix (v2)
3b615f00-c443-4ba9-acc4-7c308716917d|Info|Best Practices|The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video' (read more)|Documentation
| +|Global Schema Definition Not Being Used
6d2e0790-cc3d-4c74-b973-d4e8b09f4455|Info|Best Practices|All global schemas definitions should be in use (read more)|Documentation
| +|Global Responses Definition Not Being Used
0b76d993-ee52-43e0-8b39-3787d2ddabf1|Info|Best Practices|All global responses definitions should be in use (read more)|Documentation
| +|Schema with 'additionalProperties' set as Boolean
3a01790c-ebee-4da6-8fd3-e78657383b75|Info|Best Practices|The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it (read more)|Documentation
| +|Invalid Media Type Value (v2)
f985a7d2-d404-4a7f-9814-f645f791e46e|Info|Best Practices|The Media Type value should match the following format: /[+suffix][;parameters] (read more)|Documentation
| +|Non Body Parameter Without Schema
73c3bc54-3cc6-4c0a-b30a-e19f2abfc951|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Body Parameter With Wrong Property
c38d630d-a415-4e3e-bac2-65475979ba88|Info|Structure and Semantics|The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema' (read more)|Documentation
| +|BasePath With Wrong Format
b4803607-ed72-4d60-99e2-3fa6edf471c6|Info|Structure and Semantics|The 'basePath' value format must match the pattern '^/' (read more)|Documentation
| +|Parameter Object With Incorrect Ref (v2)
2596545e-1757-4ff7-a15a-8a9a180a42f3|Info|Structure and Semantics|Parameter Object reference must always point to '#/parameters' (read more)|Documentation
| +|Host With Invalid Pattern
3d7d7b6c-fb0a-475e-8a28-c125e30d15f0|Info|Structure and Semantics|Host field should be an IP or a valid host name (read more)|Documentation
| +|Body Parameter Without Schema
ed48229d-d43e-4da7-b453-5f98d964a57a|Info|Structure and Semantics|The Body Parameter Object should have the attribute 'schema' defined (read more)|Documentation
| +|Responses JSON Reference Does Not Exists (v2)
e9db5fb4-6a84-4abb-b4af-3b94fbdace6d|Info|Structure and Semantics|Responses reference should exist on responses definition field (read more)|Documentation
| +|Operation Object Parameters With 'body' And 'formatData' locations
eb3f9744-d24e-4614-b1ff-2a9514eca21c|Info|Structure and Semantics|Operation object parameters should not have both 'body' and 'formatData' locations (read more)|Documentation
| +|Multiple Body Parameters In The Same Operation
b90033cf-ad9f-4fb9-acd1-1b9d6d278c87|Info|Structure and Semantics|Only one body parameter is allowed on operation's parameters type field (read more)|Documentation
| +|Multi 'collectionformat' Not Valid For 'in' Parameter
750f6448-27c0-49f8-a153-b81735c1e19c|Info|Structure and Semantics|When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData' (read more)|Documentation
| +|Object Without Required Property (v2)
5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275|Info|Structure and Semantics|OpenAPI Object should contain all of its required fields (read more)|Documentation
| +|Parameter JSON Reference Does Not Exists (v2)
fb889ae9-2d16-40b5-b41f-9da716c5abc1|Info|Structure and Semantics|Parameter reference should exist on parameters definition field (read more)|Documentation
| +|Response Object With Incorrect Ref (v2)
bccfa089-89e4-47e0-a0e5-185fe6902220|Info|Structure and Semantics|Response Object reference must always point to '#/responses' (read more)|Documentation
| +|Schema Object Incorrect Ref (v2)
0220e1c5-65d1-49dd-b7c2-cef6d6cb5283|Info|Structure and Semantics|Schema Object reference must always point to '#/definitions' (read more)|Documentation
| +|Property Not Unique
750b40be-4bac-4f59-bdc4-1ca0e6c3450e|Info|Structure and Semantics|Every defined property must be unique throughout the whole API (read more)|Documentation
| +|Parameter File Type Not In 'formData'
c3cab8c4-6c52-47a9-942b-c27f26fbd7d2|Info|Structure and Semantics|The In field of Parameter Object must be 'formData' when type is 'file' (read more)|Documentation
| +|Schema JSON Reference Does Not Exists (v2)
98295b32-ec09-4b5b-89a9-39853197f914|Info|Structure and Semantics|Schema reference should exists on definitions field (read more)|Documentation
| +|File Parameter With Wrong Consumes Property
7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a|Info|Structure and Semantics|Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both (read more)|Documentation
| +|Unknown Property (v2)
429b2106-ba37-43ba-9727-7f699cc611e1|Info|Structure and Semantics|All properties defined in OpenAPI objects should be known (read more)|Documentation
| +|Operation Example Mismatch Produces MimeType
2cf35b40-ded3-43d6-9633-c8dcc8bcc822|Info|Structure and Semantics|Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces' (read more)|Documentation
| diff --git a/docs/queries/openapi-queries/00b78adf-b83f-419c-8ed8-c6018441dd3a.md b/docs/queries/openapi-queries/00b78adf-b83f-419c-8ed8-c6018441dd3a.md new file mode 100644 index 00000000000..c255eeb2bf0 --- /dev/null +++ b/docs/queries/openapi-queries/00b78adf-b83f-419c-8ed8-c6018441dd3a.md @@ -0,0 +1,713 @@ +--- +title: Pattern Undefined (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 00b78adf-b83f-419c-8ed8-c6018441dd3a +- **Query name:** Pattern Undefined (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/pattern_undefined) + +### Description +String schema should have 'pattern' defined.
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58 63" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": 15, + "format": "int32" + }, + "message": { + "type": "string", + "maxLength": 15 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="32 27" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": 15, + "format": "int32" + }, + "message": { + "type": "string", + "maxLength": 15 + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="34 38" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + message: + type: string + maxLength: 15 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26 22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + message: + type: string + maxLength: 15 + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="28 23" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": 15, + "format": "int32" + }, + "message": { + "type": "string", + "maxLength": 15 + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="19 23" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + message: + type: string + maxLength: 15 + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": 15, + "format": "int32", + "pattern": "^[0-9a-z]{15}$" + }, + "message": { + "type": "string", + "maxLength": 15, + "pattern": "^[0-9a-z]{15}$" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": 15, + "format": "int32", + "pattern": "^[0-9a-z]{15}$" + }, + "message": { + "type": "string", + "maxLength": 15, + "pattern": "^[0-9a-z]{15}$" + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + pattern: ^[0-9a-z]{15}$ + message: + type: string + maxLength: 15 + pattern: ^[0-9a-z]{15}$ + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + pattern: ^[0-9a-z]{15}$ + message: + type: string + maxLength: 15 + pattern: ^[0-9a-z]{15}$ + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": 15, + "format": "int32", + "pattern": "^[0-9a-z]{15}$" + }, + "message": { + "type": "string", + "maxLength": 15, + "pattern": "^[0-9a-z]{15}$" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + pattern: ^[0-9a-z]{15}$ + message: + type: string + maxLength: 15 + pattern: ^[0-9a-z]{15}$ + +``` +
diff --git a/docs/queries/openapi-queries/013bdb4b-9246-4248-b0c3-7fb0fee42a29.md b/docs/queries/openapi-queries/013bdb4b-9246-4248-b0c3-7fb0fee42a29.md new file mode 100644 index 00000000000..18d20dd4125 --- /dev/null +++ b/docs/queries/openapi-queries/013bdb4b-9246-4248-b0c3-7fb0fee42a29.md @@ -0,0 +1,475 @@ +--- +title: Required Property With Default Value (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 013bdb4b-9246-4248-b0c3-7fb0fee42a29 +- **Query name:** Required Property With Default Value (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/required_property_default_value) + +### Description +Required properties receive value from requests, which makes unnecessary declare a default value
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="30" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "string", + "default": "4056684e4e1347579362617ad82e5b4e" + }, + "name": { + "type": "string", + "default": "guest" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="25" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "string", + "default": "4056684e4e1347579362617ad82e5b4e" + }, + "name": { + "type": "string", + "default": "guest" + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + required: + - id + properties: + id: + type: string + default: 4056684e4e1347579362617ad82e5b4e + name: + type: string + default: guest + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="23" +--- +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: object + required: + - id + properties: + id: + type: string + default: 4056684e4e1347579362617ad82e5b4e + name: + type: string + default: guest + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="23" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "post": { + "summary": "Add a new item", + "parameters": [ + { + "in": "body", + "name": "item", + "schema": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "string", + "default": "4056684e4e1347579362617ad82e5b4e" + }, + "name": { + "type": "string", + "default": "guest" + } + } + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="19" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + post: + summary: Add a new item + parameters: + - in: body + name: item + schema: + type: object + required: + - id + properties: + id: + type: string + default: 4056684e4e1347579362617ad82e5b4e + name: + type: string + default: guest + responses: + "200": + description: 200 response + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string", + "default": "guest" + } + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string", + "default": "guest" + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + required: + - id + properties: + id: + type: string + name: + type: string + default: guest + +``` +
Negative test num. 4 - yaml file + +```yaml +--- +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: object + required: + - id + properties: + id: + type: string + name: + type: string + default: guest + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "post": { + "summary": "Add a new item", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "in": "body", + "name": "item", + "schema": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string", + "default": "guest" + } + } + } + } + ] + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + post: + summary: Add a new item + responses: + "200": + description: 200 response + parameters: + - in: body + name: item + schema: + type: object + required: + - id + properties: + id: + type: string + name: + type: string + default: guest + +``` +
diff --git a/docs/queries/openapi-queries/015eac96-6313-43c0-84e5-81b1374fa637.md b/docs/queries/openapi-queries/015eac96-6313-43c0-84e5-81b1374fa637.md new file mode 100644 index 00000000000..0f8ff3e7025 --- /dev/null +++ b/docs/queries/openapi-queries/015eac96-6313-43c0-84e5-81b1374fa637.md @@ -0,0 +1,158 @@ +--- +title: Schema JSON Reference Does Not Exists (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 015eac96-6313-43c0-84e5-81b1374fa637 +- **Query name:** Schema JSON Reference Does Not Exists (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/json_reference_does_not_exists_schema) + +### Description +Schema reference should exists on components field
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyWrongObject" + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +--- +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyWrongObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md b/docs/queries/openapi-queries/0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md new file mode 100644 index 00000000000..dadaa187935 --- /dev/null +++ b/docs/queries/openapi-queries/0220e1c5-65d1-49dd-b7c2-cef6d6cb5283.md @@ -0,0 +1,247 @@ +--- +title: Schema Object Incorrect Ref (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0220e1c5-65d1-49dd-b7c2-cef6d6cb5283 +- **Query name:** Schema Object Incorrect Ref (v2) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/schema_object_incorrect_ref) + +### Description +Schema Object reference must always point to '#/definitions'
+[Documentation](https://swagger.io/specification/v2/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="29" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/responses/Success" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "responses": { + "Success": { + "description": "An array with users", + "schema": { + "$ref": "#/responses/Success" + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/responses/Success" + parameters: + - "$ref": "#/parameters/limitParam" +responses: + Success: + description: An array with users + schema: + "$ref": "#/responses/Success" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/responses/Success" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "responses": { + "Success": { + "description": "An array with users", + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/responses/Success" + parameters: + - "$ref": "#/parameters/limitParam" +responses: + Success: + description: An array with users + schema: + "$ref": "#/definitions/User" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/03856cb2-e46c-4daf-bfbf-214ec93c882b.md b/docs/queries/openapi-queries/03856cb2-e46c-4daf-bfbf-214ec93c882b.md new file mode 100644 index 00000000000..bf9a8502ff2 --- /dev/null +++ b/docs/queries/openapi-queries/03856cb2-e46c-4daf-bfbf-214ec93c882b.md 
@@ -0,0 +1,485 @@
+---
+title: Schema Enum Invalid (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 03856cb2-e46c-4daf-bfbf-214ec93c882b
+- **Query name:** Schema Enum Invalid (v3)
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Structure and Semantics
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/schema_enum_invalid)
+
+### Description
+The field 'enum' of Schema Object should be consistent with the schema's type
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="20" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "201": { + "description": "201 response", + "content": { + "text/html": { + "schema": { + "type": "number", + "enum": [ + "black" + ] + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="20" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "201": { + "description": "201 response", + "content": { + "text/html": { + "schema": { + "type": "integer", + "enum": [ + "black" + ] + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "201": + description: 201 response + content: + "text/html": + schema: + type: number + enum: + - black + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "201": + description: 201 response + content: + "text/html": + schema: + type: integer + enum: + - black + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="52" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/definitions/User" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string", + "enum": [ + "kics", + 1 + ] + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="37" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + enum: + - kics + - 1 + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "201": { + "description": "201 response", + "content": { + "text/html": { + "schema": { + "type": "number", + "enum": [ + 1, + 2, + 3, + 4, + 5 + ] + } + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "201": { + "description": "201 response", + "content": { + "text/html": { + "schema": { + "type": "integer", + "enum": [ + 1, + 2, + 3, + 4, + 5 + ] + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "201": + description: 201 response + content: + "text/html": + schema: + type: number + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "201": + description: 201 response + content: + "text/html": + schema: + type: integer + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/definitions/User" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string", + "enum": [ + "kics", + "checkmarx" + ] + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + enum: + - kics + - checkmarx + +``` +
diff --git a/docs/queries/openapi-queries/05505192-ba2c-4a81-9b25-dcdbcc973746.md b/docs/queries/openapi-queries/05505192-ba2c-4a81-9b25-dcdbcc973746.md
new file mode 100644
index 00000000000..78d8a682d7c
--- /dev/null
+++ b/docs/queries/openapi-queries/05505192-ba2c-4a81-9b25-dcdbcc973746.md
@@ -0,0 +1,751 @@
+---
+title: Parameter Objects Headers With Duplicated Name (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 05505192-ba2c-4a81-9b25-dcdbcc973746
+- **Query name:** Parameter Objects Headers With Duplicated Name (v3)
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Structure and Semantics
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/parameter_objects_headers_dup_name)
+
+### Description
+Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="82 68 28 14" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "parameters": [ + { + "name": "id", + "in": "header", + "description": "id to be passed as a header", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "integer", + "format": "int64" + } + }, + "style": "simple" + }, + { + "name": "ID", + "in": "header", + "description": "ID to fetch", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "token", + "in": "header", + "description": "token to be passed as a header", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "integer", + "format": "int64" + } + }, + "style": "simple" + }, + { + "name": "Token", + "in": "header", + "description": "token to fetch", + "required": true, + "schema": { + "type": "string" + } + } + ] + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="11 21 43 53" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + parameters: + - name: id + in: header + description: id to be passed as a header + required: true + schema: + type: array + items: + type: integer + format: int64 + style: simple + - name: ID + in: header + description: ID to fetch + required: true + schema: + type: string + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: token + in: header + description: token to be passed as a header + required: true + schema: + type: array + items: + type: integer + format: int64 + style: simple + - name: Token + in: header + description: token to fetch + required: true + schema: + type: string + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="24 10" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "components": { + "parameters": { + "token": { + "name": "token", + "in": "header", + "description": "token to be passed as a header", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "integer", + "format": "int64" + } + }, + "style": "simple" + }, + "Token": { + "name": "Token", + "in": "header", + "description": "token to fetch", + "required": true, + "schema": { + "type": "string" + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="8 19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +components: + parameters: + token: + name: token + in: header + description: token to be passed as a header + required: true + schema: + type: array + items: + type: integer + format: int64 + style: simple + Token: + name: Token + in: header + description: token to fetch + required: true + schema: + type: string +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="18 11 47 39" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "name": "Token", + "in": "header", + "description": "Token", + "required": true, + "type": "string" + }, + { + "name": "token", + "in": "header", + "description": "id", + "required": true, + "type": "string" + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "oneParam": { + "type": "string", + "name": "Token2", + "in": "header", + "description": "Token", + "required": true + }, + "anotherParam": { + "required": true, + "type": "string", + "name": "token2", + "in": "header", + "description": "token" + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="32 26 19 14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: Token + in: header + description: Token + required: true + type: string + - name: token + in: header + description: token + required: true + type: string +parameters: + oneParam: + name: Token2 + in: header + description: Token + required: true + type: string + anotherParam: + name: token2 + in: header + description: token + required: true + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "token", + "in": "header", + "description": "token to be passed as a header", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "integer", + "format": "int64" + } + }, + "style": "simple" + }, + { + "name": "username", + "in": "header", + "description": "username to fetch", + "required": true, + "schema": { + "type": "string" + } + } + ] + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: token + in: header + description: token to be passed as a header + required: true + schema: + type: array + items: + type: integer + format: int64 + style: simple + - name: username + in: header + description: username to fetch + required: true + schema: + type: string + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "components": { + "parameters": { + "token": { + "name": "token", + "in": "header", + "description": "token to be passed as a header", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "integer", + "format": "int64" + } + }, + "style": "simple" + }, + "username": { + "name": "username", + "in": "header", + "description": "username to fetch", + "required": true, + "schema": { + "type": "string" + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +components: + parameters: + token: + name: token + in: header + description: token to be passed as a header + required: true + schema: + type: array + items: + type: integer + format: int64 + style: simple + username: + name: username + in: header + description: username to fetch + required: true + schema: + type: string +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response" + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + }, + "parameters": [ + { + "name": "Token", + "in": "header", + "description": "Token", + "required": true, + "type": "string" + }, + { + "name": "id", + "in": "header", + "description": "id", + "required": true, + "type": "string" + } + ] + } + }, + "parameters": { + "oneParam": { + "type": "string", + "name": "Token", + "in": "header", + "description": "Token", + "required": true + }, + "anotherParam": { + "required": true, + "type": "string", + "name": "id", + "in": "header", + "description": "token" + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: Token + in: header + description: Token + required: true + type: string + - name: id + in: header + description: token + required: true + type: string +parameters: + oneParam: + name: Token + in: header + description: Token + required: true + type: string + anotherParam: + name: id + in: header + description: token + required: true + type: string + +``` +
diff --git a/docs/queries/openapi-queries/06764426-3c56-407e-981f-caa25db1c149.md b/docs/queries/openapi-queries/06764426-3c56-407e-981f-caa25db1c149.md
new file mode 100644
index 00000000000..847c0f7e92b
--- /dev/null
+++ b/docs/queries/openapi-queries/06764426-3c56-407e-981f-caa25db1c149.md
@@ -0,0 +1,233 @@
+---
+title: Security Scheme HTTP Unknown Scheme
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 06764426-3c56-407e-981f-caa25db1c149
+- **Query name:** Security Scheme HTTP Unknown Scheme
+- **Platform:** OpenAPI
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/security_schemes_http_unknown_scheme)
+
+### Description
+Security Scheme HTTP scheme should be registered in the IANA Authentication Scheme registry
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="57" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "http", + "scheme": "test" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: http + scheme: test + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "http", + "scheme": "basic" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: http + scheme: basic + +``` diff --git a/docs/queries/openapi-queries/0b76d993-ee52-43e0-8b39-3787d2ddabf1.md b/docs/queries/openapi-queries/0b76d993-ee52-43e0-8b39-3787d2ddabf1.md new file mode 100644 index 00000000000..5afd7b831ae --- /dev/null +++ b/docs/queries/openapi-queries/0b76d993-ee52-43e0-8b39-3787d2ddabf1.md 
@@ -0,0 +1,181 @@
+---
+title: Global Responses Definition Not Being Used
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 0b76d993-ee52-43e0-8b39-3787d2ddabf1
+- **Query name:** Global Responses Definition Not Being Used
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/unused_response_definition)
+
+### Description
+All global responses definitions should be in use
+[Documentation](https://swagger.io/specification/v2/#responsesDefinitionsObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="41 38" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/responses/Success" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "string" + }, + "desc": { + "type": "string" + } + } + ] + } + } + }, + "responses": { + "Success": { + "description": "200 response" + }, + "IllegalInput": { + "description": "Illegal input for operation." + }, + "GeneralError": { + "description": "General Error" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="25 27" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + $ref: "#/responses/Success" + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: string + desc: + type: string +responses: + Success: + description: "200 response" + IllegalInput: + description: Illegal input for operation. + GeneralError: + description: General Error + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/responses/Success" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "string" + }, + "desc": { + "type": "string" + } + } + ] + } + } + }, + "responses": { + "Success": { + "description": "200 response" + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + $ref: "#/responses/Success" + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: string + desc: + type: string +responses: + Success: + description: "200 response" + +``` diff --git a/docs/queries/openapi-queries/0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md b/docs/queries/openapi-queries/0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md new file mode 100644 index 00000000000..9f68955a5e4 --- /dev/null +++ b/docs/queries/openapi-queries/0c79e50e-b3cf-490c-b8f6-587c644d4d0c.md @@ -0,0 +1,116 @@ +--- +title: Operation Object Without 'consumes' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0c79e50e-b3cf-490c-b8f6-587c644d4d0c +- **Query name:** Operation Object Without 'consumes' +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/operation_object_without_consumes) + +### Description +Operation Object should have 'consumes' feild defined for 'POST', 'PUT' and 'PATCH' operations
+[Documentation](https://swagger.io/specification/v2/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="9" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "put": { + "operationId": "updateVersionsv2", + "summary": "Update API versions", + "produces": [ + "application/json", + "application/xml" + ], + "parameters": [] + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + put: + operationId: updateVersionsv2 + summary: Update API versions + produces: + - application/json + - application/xml + parameters: [] + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "put": { + "operationId": "updateVersionsv2", + "summary": "Update API versions", + "produces": [ + "application/json", + "application/xml" + ], + "consumes": [ + "application/x-www-form-urlencoded" + ], + "parameters": [] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + put: + operationId: updateVersionsv2 + summary: Update API versions + produces: + - application/json + - application/xml + consumes: + - application/x-www-form-urlencoded + parameters: [] + +``` diff --git a/docs/queries/openapi-queries/0de50145-e845-47f4-9a15-23bcf2125710.md b/docs/queries/openapi-queries/0de50145-e845-47f4-9a15-23bcf2125710.md new file mode 100644 index 00000000000..5eb374b7408 --- /dev/null +++ b/docs/queries/openapi-queries/0de50145-e845-47f4-9a15-23bcf2125710.md 
@@ -0,0 +1,650 @@ +--- +title: Path Parameter Not Required (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0de50145-e845-47f4-9a15-23bcf2125710 +- **Query name:** Path Parameter Not Required (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/path_parameter_not_required) + +### Description +The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": false, + "schema": { + "type": "integer" + } + } + ] + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: false + schema: + type: integer + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API version", + "schema": { + "type": "integer" + } + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + schema: + type: integer + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="10 19" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": false, + "schema": { + "type": "integer" + } + }, + "nameParam": { + "name": "nameAPI", + "in": "path", + "description": "Name of the API the version", + "schema": { + "type": "integer" + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "$ref": "#components/parameters/idParam" + } + ] + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="8 15" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: false + schema: + type: integer + nameParam: + name: nameAPI + in: path + description: Name of the API version + schema: + type: integer +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - $ref: "#components/parameters/idParam" + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="20" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API version", + "type": "string" + } + ] + } + } +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="14" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: id + in: path + description: ID of the API version + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "$ref": "#components/parameters/idParam" + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: true + schema: + type: integer +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - $ref: "#components/parameters/idParam" + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API version", + "type": "string", + "required": true + } + ] + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: id + in: path + description: ID of the API version + type: string + required: true + +``` +
diff --git a/docs/queries/openapi-queries/0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md b/docs/queries/openapi-queries/0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md new file mode 100644 index 00000000000..8ad10019d2a --- /dev/null +++ b/docs/queries/openapi-queries/0f6cd0ab-c366-4595-84fc-fbd8b9901e4d.md @@ -0,0 +1,245 @@ +--- +title: Request Body With Incorrect Ref +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0f6cd0ab-c366-4595-84fc-fbd8b9901e4d +- **Query name:** Request Body With Incorrect Ref +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/request_body_incorrect_ref) + +### Description +Request Body reference must always point to '#/components/RequestBodies'
+[Documentation](https://swagger.io/specification/#request-body-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="30" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "components": { + "requestBodies": { + "List": { + "description": "id of api version", + "content": { + "text/plain": { + "schema": { + "type": "array", + "items": { + "type": "integer" + } + } + } + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "requestBody": { + "$ref": "#/components/schemas/List" + }, + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +components: + requestBodies: + List: + description: id of api version + required: true + content: + text/plain: + schema: + type: array + items: + type: integer +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + requestBody: + $ref: "#/components/schemas/List" + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "components": { + "requestBodies": { + "List": { + "description": "id of api version", + "content": { + "text/plain": { + "schema": { + "type": "array", + "items": { + "type": "integer" + } + } + } + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "requestBody": { + "$ref": "#/components/requestBodies/List" + }, + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +components: + requestBodies: + List: + description: id of api version + required: true + content: + text/plain: + schema: + type: array + items: + type: integer +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + requestBody: + $ref: "#/components/requestBodies/List" + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` diff --git a/docs/queries/openapi-queries/105e20dd-8449-4d71-95c6-d5dac96639af.md b/docs/queries/openapi-queries/105e20dd-8449-4d71-95c6-d5dac96639af.md new file mode 100644 index 00000000000..95530514119 --- /dev/null +++ b/docs/queries/openapi-queries/105e20dd-8449-4d71-95c6-d5dac96639af.md 
@@ -0,0 +1,201 @@ +--- +title: Success Response Code Undefined for Trace Operation +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 105e20dd-8449-4d71-95c6-d5dac96639af +- **Query name:** Success Response Code Undefined for Trace Operation +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/success_response_code_undefined_trace_operation) + +### Description +Trace should define the '200' successful code
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "trace": { + "operationId": "traceItem", + "summary": "Trace item", + "responses": { + "default": { + "description": "Error", + "schema": { + "$ref": "#/components/schemas/Error" + } + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + trace: + operationId: traceItem + summary: Trace item + responses: + default: + description: Error + schema: + "$ref": "#/components/schemas/Error" +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "trace": { + "operationId": "traceItem", + "summary": "Trace item", + "responses": { + "200": { + "description": "success" + }, + "default": { + "description": "Success" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error", + "schema": { + "$ref": "#/components/schemas/Error" + } + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + trace: + operationId: traceItem + summary: Trace item + responses: + "200": + description: success + default: + description: Success + patch: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + schema: + "$ref": "#/components/schemas/Error" +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + +``` diff --git a/docs/queries/openapi-queries/10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md b/docs/queries/openapi-queries/10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md new file mode 100644 index 00000000000..4cf056be5d5 --- /dev/null +++ b/docs/queries/openapi-queries/10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa.md 
@@ -0,0 +1,758 @@ +--- +title: Schema Object Properties With Duplicated Keys (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 10c61e4b-eed5-49cf-9c7d-d4bf02e9edfa +- **Query name:** Schema Object Properties With Duplicated Keys (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/schema_object_properties_with_duplicated_keys) + +### Description +Schema Object Property key should be unique through out the fields 'properties', 'allOf', 'additionalProperties'
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="19 53 38" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": {}, + "components": { + "schemas": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + }, + "allOf": [ + { + "$ref": "#/components/schemas/ErrorModel" + }, + { + "type": "object", + "required": [ + "code" + ], + "properties": { + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + } + ], + "additionalProperties": [ + { + "type": "object", + "required": [ + "code" + ], + "properties": { + "code": { + "type": "string" + } + } + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="16 28 37" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.c +paths: {} +components: + schemas: + ErrorModel: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + allOf: + - "$ref": "#/components/schemas/ErrorModel" + - type: object + required: + - code + properties: + code: + type: integer + minimum: 100 + maximum: 600 + additionalProperties: + - type: object + required: + - code + properties: + code: + type: string + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="57 28 44" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + }, + "allOf": [ + { + "$ref": "#/components/schemas/ErrorModel" + }, + { + "type": "object", + "required": [ + "message" + ], + "properties": { + "message": { + "type": "string" + } + } + } + ], + "additionalProperties": [ + { + "type": "object", + "required": [ + "message" + ], + "properties": { + "message": { + "type": "string" + } + } + } + ] + } + } + } + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="24 41 34" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.c +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + allOf: + - "$ref": "#/components/schemas/ErrorModel" + - type: object + required: + - message + properties: + message: + type: string + additionalProperties: + - type: object + required: + - message + properties: + message: + type: string + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="57 28 44" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + }, + "allOf": [ + { + "$ref": "#/definitions/ErrorModel" + }, + { + "type": "object", + "required": [ + "message" + ], + "properties": { + "message": { + "type": "string" + } + } + } + ], + "additionalProperties": [ + { + "type": "object", + "required": [ + "message" + ], + "properties": { + "message": { + "type": "string" + } + } + } + ] + } + } + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="24 41 34" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.c +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + allOf: + - "$ref": "#/definitions/ErrorModel" + - type: object + required: + - message + properties: + message: + type: string + additionalProperties: + - type: object + required: + - message + properties: + message: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": {}, + "components": { + "schemas": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + }, + "allOf": [ + { + "$ref": "#/components/schemas/ErrorModel" + }, + { + "type": "object", + "required": [ + "rootCause" + ], + "properties": { + "rootCause": { + "type": "string" + } + } + } + ] + }, + "ErrorModel_2": { + "type": "object", + "required": [ + "message2", + "code2" + ], + "properties": { + "message2": { + "type": "string" + }, + "code2": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + }, + "allOf": [ + { + "$ref": "#/components/schemas/ErrorModel" + }, + { + "type": "object", + "required": [ + "rootCause2" + ], + "properties": { + "rootCause2": { + "type": "string" + } + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.c +paths: {} +components: + schemas: + ErrorModel: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + allOf: + - "$ref": "#/components/schemas/ErrorModel" + - type: object + required: + - rootCause + properties: + rootCause: + type: string + ErrorModel_2: + type: object + required: + - message2 + - code2 + properties: + message2: + type: string + code2: + type: integer + minimum: 100 + maximum: 600 + allOf: + - "$ref": "#/components/schemas/ErrorModel" + - type: object + required: + - rootCause2 + properties: + rootCause2: + type: string + +``` +```json title="Negative test num. 3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + }, + "allOf": [ + { + "$ref": "#/components/schemas/ErrorModel" + }, + { + "type": "object", + "required": [ + "rootCause" + ], + "properties": { + "rootCause": { + "type": "string" + } + } + } + ] + } + } + } + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.c +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + allOf: + - "$ref": "#/components/schemas/ErrorModel" + - type: object + required: + - rootCause + properties: + rootCause: + type: string + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + }, + "allOf": [ + { + "$ref": "#/definitions/ErrorModel" + }, + { + "type": "object", + "required": [ + "rootCause" + ], + "properties": { + "rootCause": { + "type": "string" + } + } + } + ] + } + } + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.c +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + allOf: + - "$ref": "#/definitions/ErrorModel" + - type: object + required: + - rootCause + properties: + rootCause: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md b/docs/queries/openapi-queries/12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md new file mode 100644 index 00000000000..d93696dd3b8 --- /dev/null +++ b/docs/queries/openapi-queries/12a7210b-f4b4-47d0-acac-0a819e2a0ca3.md @@ -0,0 +1,416 @@ +--- +title: Response on operations that should not have a body has declared content (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 12a7210b-f4b4-47d0-acac-0a819e2a0ca3 +- **Query name:** Response on operations that should not have a body has declared content (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/response_operations_body_schema_incorrect_defined) + +### Description +If a response is head or its code is 204 or 304, it shouldn't have a content defined
+[Documentation](https://swagger.io/docs/specification/describing-responses/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="29" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "has content", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/ApiVersion" + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "ApiVersion": { + "type": "object", + "discriminator": { + "propertyName": "ApiVersion" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "version": { + "type": "string" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="20" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "head": { + "operationId": "headers", + "summary": "headers", + "responses": { + "200": { + "description": "has content", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/ApiVersion" + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "ApiVersion": { + "type": "object", + "discriminator": { + "propertyName": "ApiVersion" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "version": { + "type": "string" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="23" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: wrong example + content: + application/json: + schema: + "$ref": "#/components/ApiVersion" +components: + schemas: + ApiVersion: + type: object + discriminator: + propertyName: ApiVersion + properties: + code: + type: integer + format: int32 + version: + type: string + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="17" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + head: + operationId: headers + summary: headers + responses: + "200": + description: wrong example + content: + application/json: + schema: + "$ref": "#/components/ApiVersion" +components: + schemas: + ApiVersion: + type: object + discriminator: + propertyName: ApiVersion + properties: + code: + type: integer + format: int32 + version: + type: string + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="13" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + head: + operationId: headers + summary: headers + responses: + "200": + description: wrong example + schema: + type: object + discriminator: + propertyName: ApiVersion + properties: + code: + type: integer + format: int32 + version: + type: string + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="15" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "head": { + "operationId": "headers", + "summary": "headers", + "responses": { + "200": { + "description": "wrong example", + "schema": { + "type": "object", + "discriminator": { + "propertyName": "ApiVersion" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "version": { + "type": "string" + } + } + } + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "no content" + } + } + }, + "head": { + "operationId": "headers", + "summary": "headers", + "responses": { + "200": { + "description": "no content" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: no content + head: + operationId: headers + summary: headers + responses: + "200": + description: no content + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "no content" + } + } + }, + "head": { + "operationId": "headers", + "summary": "headers", + "responses": { + "200": { + "description": "no content" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: no content + head: + operationId: headers + summary: headers + responses: + "200": + description: no content + +``` +
diff --git a/docs/queries/openapi-queries/151331e2-11f4-4bb6-bd35-9a005e695087.md b/docs/queries/openapi-queries/151331e2-11f4-4bb6-bd35-9a005e695087.md new file mode 100644 index 00000000000..857b33af163 --- /dev/null +++ b/docs/queries/openapi-queries/151331e2-11f4-4bb6-bd35-9a005e695087.md @@ -0,0 +1,251 @@ +--- +title: Components Object Fixed Field Key Improperly Named +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 151331e2-11f4-4bb6-bd35-9a005e695087 +- **Query name:** Components Object Fixed Field Key Improperly Named +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/components_object_fixed_field_key_improperly_named) + +### Description +Components object fixed fields (schemas, responses, parameters, examples, requestBodies, headers, securitySchemes, links, and callbacks) should use keys that match the following REGEX: `^[a-zA-Z0-9\.\-_]+$`
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="45" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "General Error": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + General Error: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` diff --git a/docs/queries/openapi-queries/181bd815-767e-4e95-a24d-bb3c87328e19.md b/docs/queries/openapi-queries/181bd815-767e-4e95-a24d-bb3c87328e19.md new file mode 100644 index 00000000000..4554a16df83 --- /dev/null +++ b/docs/queries/openapi-queries/181bd815-767e-4e95-a24d-bb3c87328e19.md 
@@ -0,0 +1,677 @@ +--- +title: Numeric Schema Without Minimum (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 181bd815-767e-4e95-a24d-bb3c87328e19 +- **Query name:** Numeric Schema Without Minimum (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/numeric_schema_without_minimum) + +### Description +Numeric schema (type set to 'integer' or 'number') should have 'minimum' defined.
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="27" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32" + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="34" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="23" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "maximum": 50 + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="20" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + responses: + "200": + description: 200 response + schema: + discriminator: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + maximum: 50 + required: + - petType + type: object + operationId: listVersionsv2 + summary: List API versions + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0 + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 0 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 0 + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "maximum": 50, + "minimum": 0 + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + responses: + "200": + description: 200 response + schema: + discriminator: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + maximum: 50 + minimum: 0 + required: + - petType + type: object + operationId: listVersionsv2 + summary: List API versions + +``` +
diff --git a/docs/queries/openapi-queries/1908a8ee-927d-4166-8f18-241152170cc1.md b/docs/queries/openapi-queries/1908a8ee-927d-4166-8f18-241152170cc1.md new file mode 100644 index 00000000000..1b0eb8be6fc --- /dev/null +++ b/docs/queries/openapi-queries/1908a8ee-927d-4166-8f18-241152170cc1.md @@ -0,0 +1,315 @@ +--- +title: Success Response Code Undefined for Patch Operation (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1908a8ee-927d-4166-8f18-241152170cc1 +- **Query name:** Success Response Code Undefined for Patch Operation (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/success_response_code_undefined_patch_operation) + +### Description +Patch should define at least one success response (200, 201, 202 or 204)
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "patch": { + "operationId": "updateItem", + "summary": "Updated item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + patch: + operationId: updateItem + summary: Updated item + responses: + default: + description: Error + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="24" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="18" +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "204": { + "description": "Item updated successfully" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + "204": + description: Item updated successfully + default: + description: Error + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "204": { + "description": "Item updated successfully" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + "204": + description: Item updated successfully + default: + description: Error + +``` +
diff --git a/docs/queries/openapi-queries/1a1aea94-745b-40a7-b860-0702ea6ee636.md b/docs/queries/openapi-queries/1a1aea94-745b-40a7-b860-0702ea6ee636.md new file mode 100644 index 00000000000..9150aadd1b9 --- /dev/null +++ b/docs/queries/openapi-queries/1a1aea94-745b-40a7-b860-0702ea6ee636.md @@ -0,0 +1,539 @@ +--- +title: Schema Object With Circular Ref (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1a1aea94-745b-40a7-b860-0702ea6ee636 +- **Query name:** Schema Object With Circular Ref (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/schema_object_with_circular_ref) + +### Description +Schema Object should not reference it self in 'allOf', 'oneOf', 'anyOf' and 'not' properties
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="70" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + }, + "ExtendedErrorModel": { + "allOf": [ + { + "$ref": "#/components/schemas/ExtendedErrorModel" + }, + { + "type": "object", + "required": [ + "rootCause" + ], + "properties": { + "rootCause": { + "type": "string" + } + } + } + ] + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="46" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + }, + "ExtendedErrorModel": { + "allOf": [ + { + "$ref": "#/definitions/ExtendedErrorModel" + }, + { + "type": "object", + "required": [ + "rootCause" + ], + "properties": { + "rootCause": { + "type": "string" + } + } + } + ] + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="45" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + ErrorModel: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + ExtendedErrorModel: + allOf: + - $ref: "#/components/schemas/ExtendedErrorModel" + - type: object + required: + - rootCause + properties: + rootCause: + type: string + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="32" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + ErrorModel: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + ExtendedErrorModel: + allOf: + - "$ref": "#/definitions/ExtendedErrorModel" + - type: object + required: + - rootCause + properties: + rootCause: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + }, + "ExtendedErrorModel": { + "allOf": [ + { + "$ref": "#/components/schemas/ErrorModel" + }, + { + "type": "object", + "required": [ + "rootCause" + ], + "properties": { + "rootCause": { + "type": "string" + } + } + } + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + }, + "ExtendedErrorModel": { + "allOf": [ + { + "$ref": "#/definitions/ErrorModel" + }, + { + "type": "object", + "required": [ + "rootCause" + ], + "properties": { + "rootCause": { + "type": "string" + } + } + } + ] + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + ErrorModel: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + ExtendedErrorModel: + allOf: + - "$ref": "#/components/schemas/ErrorModel" + - type: object + required: + - rootCause + properties: + rootCause: + type: string + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + ErrorModel: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + ExtendedErrorModel: + allOf: + - "$ref": "#/definitions/ErrorModel" + - type: object + required: + - rootCause + properties: + rootCause: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md b/docs/queries/openapi-queries/1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md new file mode 100644 index 00000000000..50fcd4a233c --- /dev/null +++ b/docs/queries/openapi-queries/1bc3205c-0d60-44e6-84f3-44fbf4dac5b3.md @@ -0,0 +1,248 @@ +--- +title: Security Scheme Using Oauth 1.0 +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1bc3205c-0d60-44e6-84f3-44fbf4dac5b3 +- **Query name:** Security Scheme Using Oauth 1.0 +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/security_schemes_using_oauth) + +### Description +Oauth 1.0 is deprecated, OAuth2 should be used instead
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="55" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "http", + "scheme": "oauth" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: http + scheme: oauth + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "tokenUrl": "https://example.com/api/oauth/token", + "authorizationUrl": "http://example.org/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + authorizationCode: + tokenUrl: https://example.com/api/oauth/token + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` 
diff --git a/docs/queries/openapi-queries/20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md b/docs/queries/openapi-queries/20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md new file mode 100644 index 00000000000..479672fb624 --- /dev/null +++ b/docs/queries/openapi-queries/20a482d5-c5d9-4a7a-b7a4-60d0805047b4.md @@ -0,0 +1,337 @@ +--- +title: Security Operation Field Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 20a482d5-c5d9-4a7a-b7a4-60d0805047b4 +- **Query name:** Security Operation Field Undefined +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/security_operation_field_undefined) + +### Description +Security operation field should be defined in '#/components/securitySchemes'
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="14" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "regularSecurity": { + "type": "http", + "scheme": "basic" + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="11" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - petstore_auth: + - write:pets + - read:pets + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="11" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - petstore_auth: + - write:pets + - read:pets + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + regularSecurity: + type: http + scheme: basic + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "regularSecurity": { + "type": "http", + "scheme": "basic" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "implicit": { + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + }, + "authorizationUrl": "http://example.org/api/oauth/dialog" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - petstore_auth: + - write:pets + - read:pets + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + regularSecurity: + type: http + scheme: basic + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` 
diff --git a/docs/queries/openapi-queries/20cb3159-b219-496b-8dac-54ae3ab2021a.md b/docs/queries/openapi-queries/20cb3159-b219-496b-8dac-54ae3ab2021a.md new file mode 100644 index 00000000000..2f408b2c0c1 --- /dev/null +++ b/docs/queries/openapi-queries/20cb3159-b219-496b-8dac-54ae3ab2021a.md @@ -0,0 +1,660 @@ +--- +title: Non-Array Schema With Items (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 20cb3159-b219-496b-8dac-54ae3ab2021a +- **Query name:** Non-Array Schema With Items (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/non_array_schema_with_items) + +### Description +Non-Array Schema should not have 'items' defined
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="52" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "items": { + "type": "string" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "name" + ] + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "items": { + "type": "string" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="29" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + items: + type: string + properties: + code: + type: string + format: int32 + message: + type: string + required: + - name + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="17" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + items: + type: string + properties: + code: + type: string + format: int32 + message: + type: string + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="44" +{ + "swagger": "2.0", + "info": { + "version": "1.0", + "title": "Example", + "description": "A sample API specification" + }, + "paths": { + "/users": { + "get": { + "description": "Returns all users from database", + "operationId": "findUsers", + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "users response", + "schema": { + "type": "array", + "items": { + "$ref": "#/definitions/User" + } + } + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string", + "items": { + "type": "string" + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="32" +swagger: '2.0' +info: + version: '1.0' + title: Example + description: A sample API specification +paths: + "/users": + get: + description: Returns all users from database + operationId: findUsers + produces: + - application/json + responses: + '200': + description: users response + schema: + type: array + items: + "$ref": "#/definitions/User" +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + items: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "array", + "items": { + "type": "string" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "name" + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "type": "string" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: array + items: + type: string + properties: + code: + type: string + format: int32 + message: + type: string + required: + - name + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: array + items: + type: string + properties: + code: + type: string + format: int32 + message: + type: string + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "version": "1.0", + "title": "Example", + "description": "A sample API specification" + }, + "paths": { + "/users": { + "get": { + "description": "Returns all users from database", + "operationId": "findUsers", + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "users response", + "schema": { + "type": "array", + "items": { + "$ref": "#/definitions/User" + } + } + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: '2.0' +info: + version: '1.0' + title: Example + description: A sample API specification +paths: + "/users": + get: + description: Returns all users from database + operationId: findUsers + produces: + - application/json + responses: + '200': + description: users response + schema: + type: array + items: + "$ref": "#/definitions/User" +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md b/docs/queries/openapi-queries/221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md new file mode 100644 index 00000000000..94f6151bcc7 --- /dev/null +++ b/docs/queries/openapi-queries/221015a8-aa2a-43f5-b00b-ad7d2b1d47a8.md @@ -0,0 +1,152 @@ +--- +title: Security Definitions Using Basic Auth +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 221015a8-aa2a-43f5-b00b-ad7d2b1d47a8 +- **Query name:** Security Definitions Using Basic Auth +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/security_definitions_using_basic_auth) + +### Description +Security Definition Object should not use basic authentication
+[Documentation](https://swagger.io/specification/v2/#securitySchemeObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="25" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "basic", + "description": "For more information, see https://api.my.company.com/docs/oauth" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="17" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg2: + type: basic + description: For more information, see https://api.my.company.com/docs/oauth + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "accessCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: accessCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` diff --git a/docs/queries/openapi-queries/237402e2-c2f0-46c9-9cf5-286160cf7bfc.md b/docs/queries/openapi-queries/237402e2-c2f0-46c9-9cf5-286160cf7bfc.md new file mode 100644 index 00000000000..463563728b6 --- /dev/null +++ b/docs/queries/openapi-queries/237402e2-c2f0-46c9-9cf5-286160cf7bfc.md @@ -0,0 +1,389 @@ +--- +title: Path Is Ambiguous (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 237402e2-c2f0-46c9-9cf5-286160cf7bfc +- **Query name:** Path Is Ambiguous (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/path_ambiguous) + +### Description +All path should be unique, if has more than one operation, all operations should be part of same Path Object
+[Documentation](https://swagger.io/specification/#path-item-object) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 6" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/users/{id}": + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + "/users/{ids}": + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Postitive test num. 2 - json file" hl_lines="8 29" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + }, + "/users/{ids}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="10 21" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/users/{id}": + get: + parameters: + - in: path + name: id + required: true + description: The user ID + type: string + responses: + "200": + description: 200 response + "/users/{ids}": + get: + parameters: + - in: path + name: id + required: true + description: The user ID + type: string + responses: + "200": + description: 200 response + +``` +
Postitive test num. 4 - json file + +```json hl_lines="13 31" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "type": "string" + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + }, + "/users/{ids}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "type": "string" + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/users/{id}": + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + "/user/{id}": + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + }, + "/user/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/users/{id}": + get: + parameters: + - in: path + name: id + required: true + description: The user ID + type: string + responses: + "200": + description: 200 response + "/user/{id}": + get: + parameters: + - in: path + name: id + required: true + description: The user ID + type: string + responses: + "200": + description: 200 response + +``` +
Negative test num. 4 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "type": "string" + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + }, + "/user/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "type": "string" + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/23a9e2d9-8738-4556-a71c-2802b6ffa022.md b/docs/queries/openapi-queries/23a9e2d9-8738-4556-a71c-2802b6ffa022.md new file mode 100644 index 00000000000..b185ceecc7f --- /dev/null +++ b/docs/queries/openapi-queries/23a9e2d9-8738-4556-a71c-2802b6ffa022.md @@ -0,0 +1,415 @@ +--- +title: Undefined Scope 'securityScheme' On Global 'security' Field +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 23a9e2d9-8738-4556-a71c-2802b6ffa022 +- **Query name:** Undefined Scope 'securityScheme' On Global 'security' Field +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/undefined_security_scope_global_security) + +### Description +Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker
+[Documentation](https://swagger.io/specification/#oauth-flow-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "security": { + "oAuth2AuthCodeNeg2": [ + "read:api", + "error:api" + ] + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis", + "admin:api": "admin scope" + } + }, + "password": { + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "write your apis" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="25" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "error:api", + "write:api" + ] + } + ], + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis", + "admin:api": "admin scope" + } + }, + "password": { + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "write your apis" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="16" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +security: + oAuth2AuthCodeNeg2: + - read:api + - error:api +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + admin:api: admin scope + password: + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: write your apis + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="16" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +security: +- oAuth2AuthCodeNeg2: + - error:api + - write:api +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + admin:api: admin scope + password: + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: write your apis + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "read:api", + "write:api" + ] + } + ], + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis", + "admin:api": "admin scope" + } + }, + "password": { + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "write your apis" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "security": { + "oAuth2AuthCodeNeg2": [ + "read:api", + "write:api" + ] + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis", + "admin:api": "admin scope" + } + }, + "password": { + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "write your apis" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +security: +- oAuth2AuthCodeNeg2: + - read:api + - write:api +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + admin:api: admin scope + password: + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: write your apis + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +security: + oAuth2AuthCodeNeg2: + - read:api + - write:api +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + admin:api: admin scope + password: + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: write your apis + +``` +
diff --git a/docs/queries/openapi-queries/2596545e-1757-4ff7-a15a-8a9a180a42f3.md b/docs/queries/openapi-queries/2596545e-1757-4ff7-a15a-8a9a180a42f3.md new file mode 100644 index 00000000000..5699a5200e3 --- /dev/null +++ b/docs/queries/openapi-queries/2596545e-1757-4ff7-a15a-8a9a180a42f3.md @@ -0,0 +1,231 @@ +--- +title: Parameter Object With Incorrect Ref (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2596545e-1757-4ff7-a15a-8a9a180a42f3 +- **Query name:** Parameter Object With Incorrect Ref (v2) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/parameter_object_incorrect_ref) + +### Description +Parameter Object reference must always point to '#/parameters'
+[Documentation](https://swagger.io/specification/v2/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="22" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "A list of users", + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": [ + { + "$ref": "#/definitions/User" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: A list of users + schema: + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/definitions/User" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "A list of users", + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: A list of users + schema: + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/26f06397-36d8-4ce7-b993-17711261d777.md b/docs/queries/openapi-queries/26f06397-36d8-4ce7-b993-17711261d777.md new file mode 100644 index 00000000000..a7f26530ef2 --- /dev/null +++ b/docs/queries/openapi-queries/26f06397-36d8-4ce7-b993-17711261d777.md 
@@ -0,0 +1,285 @@ +--- +title: Invalid Content Type For Multiple Files Upload +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 26f06397-36d8-4ce7-b993-17711261d777 +- **Query name:** Invalid Content Type For Multiple Files Upload +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/invalid_content_type_for_multiple_files_upload) + +### Description +Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)
+[Documentation](https://swagger.io/docs/specification/describing-request-body/file-upload/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="16" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "filename": { + "type": "array", + "items": { + "type": "string", + "format": "binary" + } + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="16" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "email": "user@gmail.com" + } + }, + "components": { + "requestBodies": { + "CreateCustomer": { + "description": "Create a new customer", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "filename": { + "type": "array", + "items": { + "type": "string", + "format": "binary" + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="13" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + email: "user@gmail.com" +paths: + "/": + get: + requestBody: + content: + application/json: + schema: + type: object + properties: + filename: + type: array + items: + type: string + format: binary + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="13" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + email: "user@gmail.com" +components: + requestBodies: + CreateCustomer: + description: Create a new customer + content: + application/json: + schema: + type: object + properties: + filename: + type: array + items: + type: string + format: binary + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "requestBody": { + "content": { + "multipart/form-data": { + "schema": { + "type": "object", + "properties": { + "filename": { + "type": "array", + "items": { + "type": "string", + "format": "binary" + } + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "email": "user@gmail.com" + } + }, + "components": { + "requestBodies": { + "CreateCustomer": { + "description": "Create a new customer", + "content": { + "multipart/form-data": { + "schema": { + "type": "object", + "properties": { + "filename": { + "type": "array", + "items": { + "type": "string", + "format": "binary" + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + email: "user@gmail.com" +paths: + "/": + get: + requestBody: + content: + multipart/form-data: + schema: + type: object + properties: + filename: + type: array + items: + type: string + format: binary + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + email: "user@gmail.com" +components: + requestBodies: + CreateCustomer: + description: Create a new customer + content: + multipart/form-data: + schema: + type: object + properties: + filename: + type: array + items: + type: string + format: binary + +``` +
diff --git a/docs/queries/openapi-queries/274f910a-0665-4f08-b66d-7058fe927dba.md b/docs/queries/openapi-queries/274f910a-0665-4f08-b66d-7058fe927dba.md new file mode 100644 index 00000000000..53c94e7ed60 --- /dev/null +++ b/docs/queries/openapi-queries/274f910a-0665-4f08-b66d-7058fe927dba.md @@ -0,0 +1,165 @@ +--- +title: Invalid OAuth2 Token URL (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 274f910a-0665-4f08-b66d-7058fe927dba +- **Query name:** Invalid OAuth2 Token URL (v2) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/invalid_oauth2_token_url) + +### Description +OAuth2 security definition flow requires a valid URL in the tokenUrl field
+[Documentation](https://swagger.io/specification/v2/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="22" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + license: + name: "Apache 2.0" + url: "https://www.apache.org/licenses/LICENSE-2.0.html" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg3: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: accessCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: http://example.com#@evil.com/ + scopes: + read:api: read your apis + +``` +```json title="Postitive test num. 2 - json file" hl_lines="30" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "license": { + "name": "Apache 2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0.html" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg3": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "accessCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "http://example.com#@evil.com/", + "scopes": { + "read:api": "read your apis" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + license: + name: "Apache 2.0" + url: "https://www.apache.org/licenses/LICENSE-2.0.html" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg3: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: accessCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + +``` +```json title="Negative test num. 2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "license": { + "name": "Apache 2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0.html" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg3": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "accessCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis" + } + } + } +} + +``` diff --git a/docs/queries/openapi-queries/281b8071-6226-4a43-911d-fec246d422c2.md b/docs/queries/openapi-queries/281b8071-6226-4a43-911d-fec246d422c2.md new file mode 100644 index 00000000000..e5e0c9394bf --- /dev/null +++ b/docs/queries/openapi-queries/281b8071-6226-4a43-911d-fec246d422c2.md 
@@ -0,0 +1,338 @@ +--- +title: API Key Exposed In Operation Security (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 281b8071-6226-4a43-911d-fec246d422c2 +- **Query name:** API Key Exposed In Operation Security (v3) +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/api_key_exposed_in_operation_security) + +### Description +API Keys should not be transported over network
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="16 14 15" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/pets": { + "post": { + "description": "Creates a new pet in the store", + "operationId": "addPet", + "security": [ + { + "apiKey1": [], + "apiKey2": [], + "apiKey3": [] + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "components": { + "securitySchemes": { + "apiKey1": { + "type": "apiKey", + "name": "X-API-Key", + "in": "header" + }, + "apiKey2": { + "type": "apiKey", + "name": "X-API-Key", + "in": "cookie" + }, + "apiKey3": { + "type": "apiKey", + "name": "X-API-Key", + "in": "query" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11 12 13" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + /pets: + post: + description: Creates a new pet in the store + operationId: addPet + security: + - apiKey1: [] + apiKey2: [] + apiKey3: [] + responses: + "200": + description: 200 response +components: + securitySchemes: + apiKey1: + type: apiKey + name: X-API-Key + in: header + apiKey2: + type: apiKey + name: X-API-Key + in: cookie + apiKey3: + type: apiKey + name: X-API-Key + in: query + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="14 15" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/pets": { + "post": { + "description": "Creates a new pet in the store", + "operationId": "addPet", + "security": [ + { + "apiKey1": [], + "apiKey3": [] + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "apiKey1": { + "type": "apiKey", + "name": "X-API-Key", + "in": "header" + }, + "apiKey3": { + "type": "apiKey", + "name": "X-API-Key", + "in": "query" + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="11 12" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + /pets: + post: + description: Creates a new pet in the store + operationId: addPet + security: + - apiKey1: [] + apiKey3: [] + responses: + "200": + description: 200 response +securityDefinitions: + apiKey1: + type: apiKey + name: X-API-Key + in: header + apiKey3: + type: apiKey + name: X-API-Key + in: query + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "version": "1.0.0", + "title": "Simple API overview" + }, + "paths": { + "/pets": { + "post": { + "description": "Creates a new pet in the store", + "operationId": "addPet", + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "components": { + "securitySchemes": { + "OAuth2": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "scopes": { + "write": "modify objects in your account", + "read": "read objects in your account" + }, + "authorizationUrl": "https://example.com/oauth/authorize", + "tokenUrl": "https://example.com/oauth/token" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + /pets: + post: + description: Creates a new pet in the store + operationId: addPet + security: + - OAuth2: + - write + - read + responses: + "200": + description: 200 response +components: + securitySchemes: + OAuth2: + type: oauth2 + flows: + authorizationCode: + scopes: + write: modify objects in your account + read: read objects in your account + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "version": "1.0.0", + "title": "Simple API overview" + }, + "paths": { + "/pets": { + "post": { + "description": "Creates a new pet in the store", + "operationId": "addPet", + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "OAuth2": { + "type": "oauth2", + "flow": "accessCode", + "authorizationUrl": "https://example.com/oauth/authorize", + "tokenUrl": "https://example.com/oauth/token", + "scopes": { + "read": "Grants read access", + "write": "Grants write access" + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + /pets: + post: + description: Creates a new pet in the store + operationId: addPet + security: + - OAuth2: + - write + - read + responses: + "200": + description: 200 response +securityDefinitions: + OAuth2: + type: oauth2 + flow: accessCode + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token + scopes: + read: Grants read access + write: Grants write access + +``` +
diff --git a/docs/queries/openapi-queries/2bd608ae-8a1f-457f-b710-c237883cb313.md b/docs/queries/openapi-queries/2bd608ae-8a1f-457f-b710-c237883cb313.md new file mode 100644 index 00000000000..86fd4874f16 --- /dev/null +++ b/docs/queries/openapi-queries/2bd608ae-8a1f-457f-b710-c237883cb313.md @@ -0,0 +1,710 @@ +--- +title: Schema Has A Required Property Undefined (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2bd608ae-8a1f-457f-b710-c237883cb313 +- **Query name:** Schema Has A Required Property Undefined (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/schema_required_property_undefined) + +### Description +Schema Object should not be have a required property that is not defined on properties
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="50" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: integer + format: int32 + required: + - code + - message + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: integer + format: int32 + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="20" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="17" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 6 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md b/docs/queries/openapi-queries/2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md new file mode 100644 index 00000000000..2f2e54e13e5 --- /dev/null +++ b/docs/queries/openapi-queries/2cf35b40-ded3-43d6-9633-c8dcc8bcc822.md @@ -0,0 +1,318 @@ +--- +title: Operation Example Mismatch Produces MimeType +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2cf35b40-ded3-43d6-9633-c8dcc8bcc822 +- **Query name:** Operation Example Mismatch Produces MimeType +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/operation_example_mismatch_produces_mediatype) + +### Description +Example should match one of MimeTypes on 'produces'. It is important to know that, if a 'produces' is declared on operation it will override global 'produces'
+[Documentation](https://swagger.io/specification/v2/#exampleObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="34" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "OK", + "examples": { + "application/json": { + "id": 38, + "title": "Versions" + }, + "text/csv": "id,title 38,Versions" + } + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +--- +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: integer + operationId: listVersionsv2 + summary: List API versions + produces: + - application/json + responses: + '200': + description: OK + examples: + application/json: + id: 38 + title: Versions + text/csv: id,title 38,Versions +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "produces": [ + "application/json", + "text/csv" + ], + "responses": { + "200": { + "description": "OK", + "examples": { + "application/json": { + "id": 38, + "title": "Versions" + }, + "text/csv": "id,title 38,Versions" + } + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "OK", + "examples": { + "application/json": { + "id": 38, + "title": "Versions" + }, + "text/csv": "id,title 38,Versions" + } + } + } + } + } + }, + "produces": [ + "application/json", + "text/csv" + ], + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: integer + operationId: listVersionsv2 + summary: List API versions + produces: + - application/json + - text/csv + responses: + '200': + description: OK + examples: + application/json: + id: 38 + title: Versions + text/csv: id,title 38,Versions +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer + +``` +
Negative test num. 4 - yaml file + +```yaml +--- +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: integer + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: OK + examples: + application/json: + id: 38 + title: Versions + text/csv: id,title 38,Versions +produces: +- application/json +- text/csv +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer + +``` +
diff --git a/docs/queries/openapi-queries/2d6646f4-2946-420f-8c14-3232d49ae0cb.md b/docs/queries/openapi-queries/2d6646f4-2946-420f-8c14-3232d49ae0cb.md new file mode 100644 index 00000000000..15ab777b8e7 --- /dev/null +++ b/docs/queries/openapi-queries/2d6646f4-2946-420f-8c14-3232d49ae0cb.md @@ -0,0 +1,549 @@ +--- +title: Header Object With Incorrect Ref +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2d6646f4-2946-420f-8c14-3232d49ae0cb +- **Query name:** Header Object With Incorrect Ref +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/header_object_with_incorrect_ref) + +### Description +Header Object reference must always point to '#/components/headers'
+[Documentation](https://swagger.io/specification/#responses-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="73" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "code": { + "headers": { + "X-Rate-Limit-Limit": { + "$ref": "#components/h" + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "50": { + "description": "500 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "6xx": { + "description": "[600-699] response", + "headers": { + "X-Rate-Limit-Limit": { + "$ref": "#components/h" + } + }, + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="45" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + headers: + X-Rate-Limit-Limit: + $ref: "#components/h" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="29" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "50": + description: Server error response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "6xx": + description: "[600-699] response" + headers: + X-Rate-Limit-Limit: + $ref: "#components/h" + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "code": { + "headers": { + "X-Rate-Limit-Limit": { + "$ref": "#/components/headers/" + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "50": { + "description": "500 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "6xx": { + "description": "[600-699] response", + "headers": { + "X-Rate-Limit-Limit": { + "$ref": "#/components/headers/" + } + }, + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + headers: + X-Rate-Limit-Limit: + $ref: "#/components/headers/" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "50": + description: Server error response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "6xx": + description: "[600-699] response" + headers: + X-Rate-Limit-Limit: + $ref: "#/components/headers/" + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
diff --git a/docs/queries/openapi-queries/2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md b/docs/queries/openapi-queries/2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md new file mode 100644 index 00000000000..e15c490a925 --- /dev/null +++ b/docs/queries/openapi-queries/2d8c175a-6d90-412b-8b0e-e034ea49a1fe.md @@ -0,0 +1,260 @@ +--- +title: Global Server Object Uses HTTP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2d8c175a-6d90-412b-8b0e-e034ea49a1fe +- **Query name:** Global Server Object Uses HTTP +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/global_server_uses_http) + +### Description +Global server object URL should use 'https' protocol instead of 'http'
+[Documentation](https://swagger.io/specification/#server-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="13" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "servers": [ + { + "url": "https://development.gigantic-server.com/v1", + "description": "Development server" + }, + { + "url": "http://staging.gigantic-server.com/v1", + "description": "Staging server" + } + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +servers: + - url: https://development.gigantic-server.com/v1 + description: Development server + - url: http://staging.gigantic-server.com/v1 + description: Staging server +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="1" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: [] + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "servers": [ + { + "url": "https://development.gigantic-server.com/v1", + "description": "Development server" + }, + { + "url": "https://staging.gigantic-server.com/v1", + "description": "Staging server" + }, + { + "url": "https://api.gigantic-server.com/v1", + "description": "Production server" + } + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security":[ + { + "exampleSecurity": [] + } + ], + "components": { + "exampleSecurity": { + "type": "https" + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +--- +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +servers: + - url: https://development.gigantic-server.com/v1 + description: Development server + - url: https://staging.gigantic-server.com/v1 + description: Staging server + - url: https://api.gigantic-server.com/v1 + description: Production server +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] +components: + exampleSecurity: + type: https +# trigger validation + +``` diff --git a/docs/queries/openapi-queries/2da46be4-4317-4650-9285-56d7103c4f93.md b/docs/queries/openapi-queries/2da46be4-4317-4650-9285-56d7103c4f93.md new file mode 100644 index 00000000000..7d4d3050613 --- /dev/null +++ b/docs/queries/openapi-queries/2da46be4-4317-4650-9285-56d7103c4f93.md @@ -0,0 +1,180 @@ +--- +title: Global Security Using Password Flow +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2da46be4-4317-4650-9285-56d7103c4f93 +- **Query name:** Global Security Using Password Flow +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/global_security_using_password_flow) + +### Description +Security should not use 'password' Flow in OAuth2 authentication
+[Documentation](https://swagger.io/specification/v2/#securityRequirementObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="33" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "password", + "tokenUrl": "https://api.my.company.com/oauth/token" + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "write", + "read" + ] + } + ] +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="22" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: password + tokenUrl: https://api.my.company.com/oauth/token +security: + - oAuth2AuthCodeNeg2: + - write + - read + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "accessCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "write", + "read" + ] + } + ] +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: accessCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis +security: + - oAuth2AuthCodeNeg2: + - write + - read + +``` diff --git a/docs/queries/openapi-queries/2e275f16-b627-4d3f-ae73-a6153a23ae8f.md b/docs/queries/openapi-queries/2e275f16-b627-4d3f-ae73-a6153a23ae8f.md new file mode 100644 index 00000000000..310161566e1 --- /dev/null +++ b/docs/queries/openapi-queries/2e275f16-b627-4d3f-ae73-a6153a23ae8f.md 
@@ -0,0 +1,167 @@ +--- +title: Parameter JSON Reference Does Not Exists (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2e275f16-b627-4d3f-ae73-a6153a23ae8f +- **Query name:** Parameter JSON Reference Does Not Exists (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/json_reference_does_not_exists_parameter) + +### Description +Parameter reference should exists on components field
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="19" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + }, + "parameters": [ + { + "$ref": "#/components/parameters/wrongParameter" + } + ] + } + } + }, + "components": { + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/Success" + parameters: + - "$ref": "#/components/parameters/wrongParameter" +components: + parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + }, + "parameters": [ + { + "$ref": "#/components/parameters/limitParam" + } + ] + } + } + }, + "components": { + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/Success" + parameters: + - "$ref": "#/components/parameters/limitParam" +components: + parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + +``` diff --git a/docs/queries/openapi-queries/2e44e632-d617-43cb-b294-6bfe72a08938.md b/docs/queries/openapi-queries/2e44e632-d617-43cb-b294-6bfe72a08938.md new file mode 100644 index 00000000000..61e10fa9168 --- /dev/null +++ b/docs/queries/openapi-queries/2e44e632-d617-43cb-b294-6bfe72a08938.md @@ -0,0 +1,180 @@ +--- +title: Operation Using Password Flow +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2e44e632-d617-43cb-b294-6bfe72a08938 +- **Query name:** Operation Using Password Flow +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/operation_using_password_flow) + +### Description +Operation Object should not use 'password' Flow in OAuth2 authentication
+[Documentation](https://swagger.io/specification/v2/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="22" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "write", + "read" + ] + } + ] + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "password", + "tokenUrl": "https://api.my.company.com/oauth/token" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + security: + - oAuth2AuthCodeNeg2: + - write + - read +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: password + tokenUrl: https://api.my.company.com/oauth/token + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "write", + "read" + ] + } + ] + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "accessCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + security: + - oAuth2AuthCodeNeg2: + - write + - read +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: accessCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` diff --git a/docs/queries/openapi-queries/2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md b/docs/queries/openapi-queries/2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md new file mode 100644 index 00000000000..661a85bf79f --- /dev/null +++ b/docs/queries/openapi-queries/2e9b6612-8f69-42e0-a5b8-ed17739c2f3a.md 
@@ -0,0 +1,801 @@ +--- +title: Object Using Enum With Keyword (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2e9b6612-8f69-42e0-a5b8-ed17739c2f3a +- **Query name:** Object Using Enum With Keyword (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/object_using_enum_with_keyword) + +### Description +Schema Object properties should not contain 'enum' and schema keywords
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="42" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": {}, + "components": { + "schemas": { + "Pet": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "name": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "name", + "petType" + ] + }, + "Cat": { + "description": "A representation of a cat. Note that `Cat` will be used as the discriminator value.", + "allOf": [ + { + "$ref": "#/components/schemas/Pet" + }, + { + "type": "object", + "properties": { + "huntingSkill": { + "type": "string", + "description": "The measured skill for hunting", + "default": "lazy", + "enum": [ + "clueless", + "lazy", + "adventurous", + "aggressive" + ], + "minLength": 4 + } + }, + "required": [ + "huntingSkill" + ] + } + ] + }, + "Dog": { + "description": "A representation of a dog. Note that `Dog` will be used as the discriminator value.", + "allOf": [ + { + "$ref": "#/components/schemas/Pet" + }, + { + "type": "object", + "properties": { + "packSize": { + "type": "integer", + "format": "int32", + "description": "the size of the pack the dog is from", + "default": 0, + "minimum": 0 + } + }, + "required": [ + "packSize" + ] + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: {} +components: + schemas: + Pet: + type: object + discriminator: + propertyName: petType + properties: + name: + type: string + petType: + type: string + required: + - name + - petType + Cat: + description: + A representation of a cat. Note that `Cat` will be used as the + discriminator value. + allOf: + - "$ref": "#/components/schemas/Pet" + - type: object + properties: + huntingSkill: + type: string + description: The measured skill for hunting + default: lazy + enum: + - clueless + - lazy + - adventurous + - aggressive + minLength: 4 + required: + - huntingSkill + Dog: + description: + A representation of a dog. Note that `Dog` will be used as the + discriminator value. + allOf: + - "$ref": "#/components/schemas/Pet" + - type: object + properties: + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 + required: + - packSize + +``` +```json title="Postitive test num. 3 - json file" hl_lines="39" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": {}, + "definitions": { + "Pet": { + "type": "object", + "discriminator": "petType", + "properties": { + "name": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "name", + "petType" + ] + }, + "Cat": { + "description": "A representation of a cat. 
Note that `Cat` will be used as the discriminator value.", + "allOf": [ + { + "$ref": "#/definitions/Pet" + }, + { + "type": "object", + "properties": { + "huntingSkill": { + "type": "string", + "description": "The measured skill for hunting", + "default": "lazy", + "enum": [ + "clueless", + "lazy", + "adventurous", + "aggressive" + ], + "minLength": 4 + } + }, + "required": [ + "huntingSkill" + ] + } + ] + }, + "Dog": { + "description": "A representation of a dog. Note that `Dog` will be used as the discriminator value.", + "allOf": [ + { + "$ref": "#/definitions/Pet" + }, + { + "properties": { + "packSize": { + "type": "integer", + "format": "int32", + "description": "the size of the pack the dog is from", + "default": 0, + "minimum": 0 + } + }, + "required": [ + "packSize" + ], + "type": "object" + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="29" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: {} +definitions: + Pet: + type: object + discriminator: petType + properties: + name: + type: string + petType: + type: string + required: + - name + - petType + Cat: + description: A representation of a cat. Note that `Cat` will be used as the + discriminator value. + allOf: + - "$ref": "#/definitions/Pet" + - type: object + properties: + huntingSkill: + type: string + description: The measured skill for hunting + default: lazy + enum: + - clueless + - lazy + - adventurous + - aggressive + minLength: 4 + required: + - huntingSkill + Dog: + description: A representation of a dog. Note that `Dog` will be used as the + discriminator value. + allOf: + - "$ref": "#/definitions/Pet" + - type: object + properties: + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 + required: + - packSize + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="21" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "in": "body", + "name": "offset", + "schema": { + "properties": { + "huntingSkill": { + "default": "lazy", + "enum": [ + "clueless", + "lazy", + "adventurous", + "aggressive" + ], + "minLength": 4, + "type": "string", + "description": "The measured skill for hunting" + } + }, + "type": "object" + } + } + ], + "operationId": "op_id3", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="22" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: op_id3 + responses: + "200": + description: 200 response + parameters: + - in: body + name: offset + schema: + type: object + properties: + huntingSkill: + type: string + description: The measured skill for hunting + default: lazy + enum: + - clueless + - lazy + - adventurous + - aggressive + minLength: 4 + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": {}, + "components": { + "schemas": { + "Pet": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "name": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "name", + "petType" + ] + }, + "Cat": { + "description": "A representation of a cat. Note that `Cat` will be used as the discriminator value.", + "allOf": [ + { + "$ref": "#/components/schemas/Pet" + }, + { + "type": "object", + "properties": { + "huntingSkill": { + "type": "string", + "description": "The measured skill for hunting", + "default": "lazy", + "enum": [ + "clueless", + "lazy", + "adventurous", + "aggressive" + ] + } + }, + "required": [ + "huntingSkill" + ] + } + ] + }, + "Dog": { + "description": "A representation of a dog. Note that `Dog` will be used as the discriminator value.", + "allOf": [ + { + "$ref": "#/components/schemas/Pet" + }, + { + "type": "object", + "properties": { + "packSize": { + "type": "integer", + "format": "int32", + "description": "the size of the pack the dog is from", + "default": 0, + "minimum": 0 + } + }, + "required": [ + "packSize" + ] + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: {} +components: + schemas: + Pet: + type: object + discriminator: + propertyName: petType + properties: + name: + type: string + petType: + type: string + required: + - name + - petType + Cat: + description: + A representation of a cat. Note that `Cat` will be used as the + discriminator value. 
+ allOf: + - "$ref": "#/components/schemas/Pet" + - type: object + properties: + huntingSkill: + type: string + description: The measured skill for hunting + default: lazy + enum: + - clueless + - lazy + - adventurous + - aggressive + required: + - huntingSkill + Dog: + description: + A representation of a dog. Note that `Dog` will be used as the + discriminator value. + allOf: + - "$ref": "#/components/schemas/Pet" + - type: object + properties: + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 + required: + - packSize + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": {}, + "definitions": { + "Pet": { + "type": "object", + "discriminator": "petType", + "properties": { + "name": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "name", + "petType" + ] + }, + "Cat": { + "description": "A representation of a cat. Note that `Cat` will be used as the discriminator value.", + "allOf": [ + { + "$ref": "#/definitions/Pet" + }, + { + "type": "object", + "properties": { + "huntingSkill": { + "type": "string", + "description": "The measured skill for hunting", + "default": "lazy", + "enum": [ + "clueless", + "lazy", + "adventurous", + "aggressive" + ] + } + }, + "required": [ + "huntingSkill" + ] + } + ] + }, + "Dog": { + "description": "A representation of a dog. Note that `Dog` will be used as the discriminator value.", + "allOf": [ + { + "$ref": "#/definitions/Pet" + }, + { + "type": "object", + "properties": { + "packSize": { + "type": "integer", + "format": "int32", + "description": "the size of the pack the dog is from", + "default": 0, + "minimum": 0 + } + }, + "required": [ + "packSize" + ] + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: {} +definitions: + Pet: + type: object + discriminator: petType + properties: + name: + type: string + petType: + type: string + required: + - name + - petType + Cat: + description: A representation of a cat. Note that `Cat` will be used as the + discriminator value. + allOf: + - "$ref": "#/definitions/Pet" + - type: object + properties: + huntingSkill: + type: string + description: The measured skill for hunting + default: lazy + enum: + - clueless + - lazy + - adventurous + - aggressive + required: + - huntingSkill + Dog: + description: A representation of a dog. Note that `Dog` will be used as the + discriminator value. + allOf: + - "$ref": "#/definitions/Pet" + - type: object + properties: + packSize: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 0 + minimum: 0 + required: + - packSize + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "in": "body", + "name": "offset", + "schema": { + "properties": { + "huntingSkill": { + "type": "string", + "description": "The measured skill for hunting", + "default": "lazy", + "enum": [ + "clueless", + "lazy", + "adventurous", + "aggressive" + ] + } + }, + "type": "object" + } + } + ], + "operationId": "op_id3", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: op_id3 + responses: + "200": + description: 200 response + parameters: + - in: body + name: offset + schema: + type: object + properties: + huntingSkill: + type: string + description: The measured skill for hunting + default: lazy + enum: + - clueless + - lazy + - adventurous + - aggressive + +``` +
diff --git a/docs/queries/openapi-queries/2ea04bef-c769-409e-9179-ee3a50b5c0ac.md b/docs/queries/openapi-queries/2ea04bef-c769-409e-9179-ee3a50b5c0ac.md new file mode 100644 index 00000000000..8b14caa3af8 --- /dev/null +++ b/docs/queries/openapi-queries/2ea04bef-c769-409e-9179-ee3a50b5c0ac.md @@ -0,0 +1,681 @@ +--- +title: Numeric Schema Without Maximum (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2ea04bef-c769-409e-9179-ee3a50b5c0ac +- **Query name:** Numeric Schema Without Maximum (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/numeric_schema_without_maximum) + +### Description +Numeric schema (type set to 'integer' or 'number') should have 'maximum' defined.
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="27" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0 + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="34" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 0 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 0 + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="23" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0 + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="20" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + responses: + "200": + description: 200 response + schema: + discriminator: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 0 + required: + - petType + type: object + operationId: listVersionsv2 + summary: List API versions + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0, + "maximum": 50 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0, + "maximum": 50 + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 0 + maximum: 50 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 0 + maximum: 50 + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0, + "maximum": 50 + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + responses: + "200": + description: 200 response + schema: + discriminator: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 0 + maximum: 50 + required: + - petType + type: object + operationId: listVersionsv2 + summary: List API versions + +``` +
diff --git a/docs/queries/openapi-queries/31dd6fc0-f274-493b-9614-e063086c19fc.md b/docs/queries/openapi-queries/31dd6fc0-f274-493b-9614-e063086c19fc.md new file mode 100644 index 00000000000..2b005f128b0 --- /dev/null +++ b/docs/queries/openapi-queries/31dd6fc0-f274-493b-9614-e063086c19fc.md @@ -0,0 +1,564 @@ +--- +title: Parameter Object With Schema And Content +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 31dd6fc0-f274-493b-9614-e063086c19fc +- **Query name:** Parameter Object With Schema And Content +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/parameter_object_schema_content) + +### Description +A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="73 43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + }, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + }, + "content": { + "application/json": { + "schema": { + "type": "integer" + } + } + } + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="26 45" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + content: + application/json: + schema: + type: integer + +``` +```json title="Postitive test num. 3 - json file" hl_lines="20" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "parameters": { + "skipParam": { + "name": "skip", + "in": "query", + "description": "number of items to skip", + "required": true, + "schema": { + "type": "integer", + "format": "int32" + } + }, + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer", + "format": "int32" + }, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + 
"rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "$ref": "#/components/parameters/limitParam" + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="16" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + parameters: + skipParam: + name: skip + in: query + description: number of items to skip + required: true + schema: + type: integer + format: int32 + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + format: int32 + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - $ref: "#components/parameters/limitParam" + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/332cf2ad-380d-4b90-b436-46f8e635cf38.md b/docs/queries/openapi-queries/332cf2ad-380d-4b90-b436-46f8e635cf38.md new file mode 100644 index 00000000000..bd00345e710 --- /dev/null +++ b/docs/queries/openapi-queries/332cf2ad-380d-4b90-b436-46f8e635cf38.md @@ -0,0 +1,297 @@ +--- +title: Invalid Contact URL (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 332cf2ad-380d-4b90-b436-46f8e635cf38 +- **Query name:** Invalid Contact URL (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/invalid_contact_url) + +### Description +Contact Object URL should be a valid URL
+[Documentation](https://swagger.io/specification/#contact-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="8" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + url: "/" + email: "user@gmail.com" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Postitive test num. 3 - json file" hl_lines="8" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="7" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + url: "/" + email: "user@gmail.com" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + url: "https://www.google.com/" + email: "user@gmail.com" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + url: "https://www.google.com/" + email: "user@gmail.com" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
diff --git a/docs/queries/openapi-queries/33d96c65-977d-4c33-943f-440baca49185.md b/docs/queries/openapi-queries/33d96c65-977d-4c33-943f-440baca49185.md new file mode 100644 index 00000000000..6823c374499 --- /dev/null +++ b/docs/queries/openapi-queries/33d96c65-977d-4c33-943f-440baca49185.md @@ -0,0 +1,179 @@ +--- +title: Invalid OAuth2 Authorization URL (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 33d96c65-977d-4c33-943f-440baca49185 +- **Query name:** Invalid OAuth2 Authorization URL (v2) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/invalid_oauth_authorization_url) + +### Description +The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL
+[Documentation](https://swagger.io/specification/v2/#securitySchemeObject) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="19 23" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + license: + name: "Apache 2.0" + url: "https://www.apache.org/licenses/LICENSE-2.0.html" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + api_key: + type: oauth2 + authorizationUrl: https://api.invalid.comp@#any.com/oauth/authorize + flow: accessCode + petstore_auth: + type: oauth2 + authorizationUrl: https://api.invalid.comp@#any.com/oauth/authorize + flow: implicit + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` +```json title="Postitive test num. 2 - json file" hl_lines="32 27" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "license": { + "name": "Apache 2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0.html" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "api_key": { + "type": "oauth2", + "authorizationUrl": "https://api.invalid.comp@#any.com/oauth/authorize", + "flow": "accessCode" + }, + "petstore_auth": { + "type": "oauth2", + "authorizationUrl": "https://api.invalid.comp@#any.com/oauth/authorize", + "flow": "implicit", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + license: + name: "Apache 2.0" + url: "https://www.apache.org/licenses/LICENSE-2.0.html" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + api_key: + type: oauth2 + authorizationUrl: http://swagger.io/api/oauth/apikey + flow: accessCode + petstore_auth: + type: oauth2 + authorizationUrl: http://swagger.io/api/oauth/dialog + flow: implicit + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` +```json title="Negative test num. 2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "license": { + "name": "Apache 2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0.html" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "api_key": { + "type": "oauth2", + "authorizationUrl": "http://swagger.io/api/oauth/apikey", + "flow": "accessCode" + }, + "petstore_auth": { + "type": "oauth2", + "authorizationUrl": "http://swagger.io/api/oauth/dialog", + "flow": "implicit", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } +} + +``` diff --git a/docs/queries/openapi-queries/37140f7f-724a-4c87-a536-e9cee1d61533.md b/docs/queries/openapi-queries/37140f7f-724a-4c87-a536-e9cee1d61533.md new file mode 100644 index 00000000000..bed066a7367 --- /dev/null +++ b/docs/queries/openapi-queries/37140f7f-724a-4c87-a536-e9cee1d61533.md 
@@ -0,0 +1,395 @@ +--- +title: Security Requirement Object With Wrong Scopes +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 37140f7f-724a-4c87-a536-e9cee1d61533 +- **Query name:** Security Requirement Object With Wrong Scopes +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/security_requirement_object_with_wrong_scopes) + +### Description +Security Requirement Object should only have scopes defined for security schemes of type 'oauth2' and 'openIdConnect'
+[Documentation](https://swagger.io/specification/#security-requirement-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="9" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "security": [ + { + "api_key": [ + "write:api", + "read:api" + ] + }, + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "paths": {}, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "implicit": { + "authorizationUrl": "http://example.org/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +security: + - api_key: + - write:pets + - read:pets + - petstore_auth: + - write:pets + - read:pets +paths: {} +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="28" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/pets": { + "get": { + "description": "Returns all pets from the system that the user has access to", + "responses": { + "200": { + "description": "A list of pets.", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/pet" + } + } + } + } + } + }, + "security": [ + { + "api_key": [ + "write:pets", + "read:pets" + ] + }, + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ] + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "implicit": { + "authorizationUrl": "http://example.org/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/pets": + get: + description: Returns all pets from the system that the user has access to + responses: + "200": + description: A list of pets. + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/pet" + security: + - api_key: + - write:pets + - read:pets + - petstore_auth: + - write:pets + - read:pets +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "security": [ + { + "api_key": [] + }, + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "paths": {}, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "implicit": { + "authorizationUrl": "http://example.org/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +security: + - api_key: [] + - petstore_auth: + - write:pets + - read:pets +paths: {} +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/pets": { + "get": { + "description": "Returns all pets from the system that the user has access to", + "responses": { + "200": { + "description": "A list of pets.", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/pet" + } + } + } + } + } + }, + "security": [ + { + "api_key": [] + }, + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ] + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "implicit": { + "authorizationUrl": "http://example.org/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/pets": + get: + description: Returns all pets from the system that the user has access to + responses: + "200": + description: A list of pets. + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/pet" + security: + - api_key: [] + - petstore_auth: + - write:pets + - read:pets +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` +
diff --git a/docs/queries/openapi-queries/376c9390-7e9e-4cb8-a067-fd31c05451fd.md b/docs/queries/openapi-queries/376c9390-7e9e-4cb8-a067-fd31c05451fd.md new file mode 100644 index 00000000000..b271de42327 --- /dev/null +++ b/docs/queries/openapi-queries/376c9390-7e9e-4cb8-a067-fd31c05451fd.md @@ -0,0 +1,232 @@ +--- +title: Header JSON Reference Does Not Exists +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 376c9390-7e9e-4cb8-a067-fd31c05451fd +- **Query name:** Header JSON Reference Does Not Exists +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/json_reference_does_not_exists_header) + +### Description +Header reference should exists on components field
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="25" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/MyObject" + } + }, + "headers": { + "X-Pages": { + "$ref": "#/components/headers/wPages" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "headers": { + "xPages": { + "schema": { + "type": "integer", + "description": "number of pages" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/MyObject" + headers: + X-Pages: + "$ref": "#/components/headers/wPages" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + headers: + xPages: + schema: + type: integer + description: number of pages + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/MyObject" + } + }, + "headers": { + "X-Pages": { + "$ref": "#/components/headers/xPages" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "headers": { + "xPages": { + "schema": { + "type": "integer", + "description": "number of pages" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +--- +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/MyObject" + headers: + X-Pages: + "$ref": "#/components/headers/xPages" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + headers: + xPages: + schema: + type: integer + description: number of pages + +``` diff --git a/docs/queries/openapi-queries/3847280c-9193-40bc-8009-76168e822ce2.md b/docs/queries/openapi-queries/3847280c-9193-40bc-8009-76168e822ce2.md new file mode 100644 index 00000000000..adf1a8d735e --- /dev/null +++ b/docs/queries/openapi-queries/3847280c-9193-40bc-8009-76168e822ce2.md 
@@ -0,0 +1,173 @@ +--- +title: Undefined Scope 'securityDefinition' On 'security' Field On Operations +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3847280c-9193-40bc-8009-76168e822ce2 +- **Query name:** Undefined Scope 'securityDefinition' On 'security' Field On Operations +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/undefined_security_scope_security_operations) + +### Description +Using an scope on security of operations that is undefined on 'securityDefinitions' can be defined by an attacker
+[Documentation](https://swagger.io/specification/v2/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + /: + get: + operationId: listVersionsv2 + summary: List API versions + security: + - oAuth2AuthCodeNeg2: + - read:api + - error:api + responses: + "200": + description: Success +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: authorizationCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + +``` +```json title="Postitive test num. 2 - json file" hl_lines="14" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "read:api", + "error:api" + ] + } + ], + "responses": { + "200": { + "description": "Success" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "authorizationCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + /: + get: + operationId: listVersionsv2 + summary: List API versions + security: + - oAuth2AuthCodeNeg2: + - read:api + responses: + "200": + description: Success +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: authorizationCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + +``` +```json title="Negative test num. 2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "read:api" + ] + } + ], + "responses": { + "200": { + "description": "Success" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "authorizationCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis" + } + } + } +} + +``` diff --git a/docs/queries/openapi-queries/3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md b/docs/queries/openapi-queries/3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md new file mode 100644 index 00000000000..887e15c0e23 --- /dev/null +++ b/docs/queries/openapi-queries/3979b0a4-532c-4ea7-86e4-34c090eaa4f2.md 
@@ -0,0 +1,261 @@
+---
+title: OAuth2 With Password Flow
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3979b0a4-532c-4ea7-86e4-34c090eaa4f2
+- **Query name:** OAuth2 With Password Flow
+- **Platform:** OpenAPI
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/oauth2_with_password_flow)
+
+### Description
+OAuth2 password flow insecurely exposes the credentials of the resource owner to the client
+[Documentation](https://swagger.io/specification/#oauth-flows-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "password": { + "tokenUrl": "https://example.com/api/oauth/token", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="34" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + password: + tokenUrl: https://example.com/api/oauth/token + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "tokenUrl": "https://example.com/api/oauth/token", + "authorizationUrl": "http://example.org/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + authorizationCode: + tokenUrl: https://example.com/api/oauth/token + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` diff --git a/docs/queries/openapi-queries/39cb32f2-3a42-4af0-8037-82a7a9654b6c.md b/docs/queries/openapi-queries/39cb32f2-3a42-4af0-8037-82a7a9654b6c.md new file mode 100644 index 00000000000..fe6c54f3e35 --- /dev/null +++ b/docs/queries/openapi-queries/39cb32f2-3a42-4af0-8037-82a7a9654b6c.md @@ -0,0 +1,261 @@ +--- +title: OAuth2 With Implicit Flow +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 39cb32f2-3a42-4af0-8037-82a7a9654b6c +- **Query name:** OAuth2 With Implicit Flow +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/oauth2_with_implicit_flow) + +### Description +OAuth2 implicit flow is vulnerable to access token leakage and access token replay
+[Documentation](https://swagger.io/specification/#oauth-flows-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "implicit": { + "authorizationUrl": "http://example.org/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="34" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "tokenUrl": "https://example.com/api/oauth/token", + "authorizationUrl": "http://example.org/api/oauth/dialog", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + authorizationCode: + tokenUrl: https://example.com/api/oauth/token + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` diff --git a/docs/queries/openapi-queries/3a01790c-ebee-4da6-8fd3-e78657383b75.md b/docs/queries/openapi-queries/3a01790c-ebee-4da6-8fd3-e78657383b75.md new file mode 100644 index 00000000000..5bc0b3aec77 --- /dev/null +++ b/docs/queries/openapi-queries/3a01790c-ebee-4da6-8fd3-e78657383b75.md @@ -0,0 +1,395 @@ +--- +title: Schema with 'additionalProperties' set as Boolean +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3a01790c-ebee-4da6-8fd3-e78657383b75 +- **Query name:** Schema with 'additionalProperties' set as Boolean +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/schema_with_additional_properties_set_as_boolean) + +### Description +The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it
+[Documentation](https://swagger.io/specification/v2/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="28" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "name" + ], + "additionalProperties": false + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="22" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + name: + type: string + tag: + type: string + required: + - name + additionalProperties: false +definitions: + User: + type: object + properties: + name: + type: string + tag: + type: string + required: + - name + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="51" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "name" + ], + "additionalProperties": { + "$ref": "#/definitions/User" + } + } + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "name" + ], + "additionalProperties": false + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="34" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + name: + type: string + tag: + type: string + required: + - name + additionalProperties: + $ref: "#/definitions/User" +definitions: + User: + type: object + properties: + name: + type: string + tag: + type: string + required: + - name + additionalProperties: false + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "name" + ], + "additionalProperties": { + "$ref": "#/definitions/User" + } + } + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "name" + ] + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + name: + type: string + tag: + type: string + required: + - name + additionalProperties: + $ref: "#/definitions/User" +definitions: + User: + type: object + properties: + name: + type: string + tag: + type: string + required: + - name + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "name" + ], + "additionalProperties": { + "$ref": "#/definitions/User" + } + } + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "required": [ + "name" + ], + "additionalProperties": { + "type": "string" + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + name: + type: string + tag: + type: string + required: + - name + additionalProperties: + $ref: "#/definitions/User" +definitions: + User: + type: object + properties: + name: + type: string + tag: + type: string + required: + - name + additionalProperties: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/3b066059-f411-4554-ac8d-96f32bff90da.md b/docs/queries/openapi-queries/3b066059-f411-4554-ac8d-96f32bff90da.md
new file mode 100644
index 00000000000..a012dfa4986
--- /dev/null
+++ b/docs/queries/openapi-queries/3b066059-f411-4554-ac8d-96f32bff90da.md
@@ -0,0 +1,231 @@
+---
+title: Success Response Code Undefined for Head Operation (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3b066059-f411-4554-ac8d-96f32bff90da
+- **Query name:** Success Response Code Undefined for Head Operation (v3)
+- **Platform:** OpenAPI
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/success_response_code_undefined_head_operation)
+
+### Description
+Head should define at least one success response (200 or 202)
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "head": { + "operationId": "headItem", + "summary": "Head item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + head: + operationId: headItem + summary: Head item + responses: + default: + description: Error + +``` +```json title="Postitive test num. 3 - json file" hl_lines="12" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "head": { + "operationId": "headItem", + "summary": "Head item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="10" +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + head: + operationId: headItem + summary: Head item + responses: + default: + description: Error + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "head": { + "operationId": "headItem", + "summary": "Head item", + "responses": { + "200": { + "description": "success" + }, + "default": { + "description": "Success" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + head: + operationId: headItem + summary: Head item + responses: + "200": + description: success + default: + description: Success + patch: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "head": { + "operationId": "headItem", + "summary": "Head item", + "responses": { + "200": { + "description": "success" + }, + "default": { + "description": "Success" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + head: + operationId: headItem + summary: Head item + responses: + "200": + description: success + default: + description: Success + patch: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +
diff --git a/docs/queries/openapi-queries/3b497874-ae59-46dd-8d72-1868a3b8f150.md b/docs/queries/openapi-queries/3b497874-ae59-46dd-8d72-1868a3b8f150.md
new file mode 100644
index 00000000000..c8d22c6d79e
--- /dev/null
+++ b/docs/queries/openapi-queries/3b497874-ae59-46dd-8d72-1868a3b8f150.md
@@ -0,0 +1,315 @@
+---
+title: Success Response Code Undefined for Delete Operation (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3b497874-ae59-46dd-8d72-1868a3b8f150
+- **Query name:** Success Response Code Undefined for Delete Operation (v3)
+- **Platform:** OpenAPI
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/success_response_code_undefined_delete_operation)
+
+### Description
+Delete should define at least one success response (200, 201, 202 or 204)
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "204": { + "description": "Item updated successfully" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + default: + description: Error + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + "204": + description: Item updated successfully + default: + description: Error + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="12" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "204": { + "description": "Item updated successfully" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="10" +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + "204": + description: Item updated successfully + default: + description: Error + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +
diff --git a/docs/queries/openapi-queries/3b615f00-c443-4ba9-acc4-7c308716917d.md b/docs/queries/openapi-queries/3b615f00-c443-4ba9-acc4-7c308716917d.md
new file mode 100644
index 00000000000..181e8bb6573
--- /dev/null
+++ b/docs/queries/openapi-queries/3b615f00-c443-4ba9-acc4-7c308716917d.md
@@ -0,0 +1,447 @@
+---
+title: Unknown Prefix (v2)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3b615f00-c443-4ba9-acc4-7c308716917d
+- **Query name:** Unknown Prefix (v2)
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/unknown_prefix)
+
+### Description
+The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'
+[Documentation](https://swagger.io/specification/v2/#swagger-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "produces": [ + "aplication/json" + ], + "responses": { + "200": { + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="38" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "produces": [ + "aplication/json" + ], + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="10" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + produces: + - aplication/json + responses: + '200': + schema: + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="24" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer +produces: +- aplication/json +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "produces": [ + "application/json" + ], + "responses": { + "200": { + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "produces": [ + "application/json" + ], + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + produces: + - application/json + responses: + '200': + schema: + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer +produces: +- application/json +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/3ba0cca1-b815-47bf-ac62-1e584eb64a05.md b/docs/queries/openapi-queries/3ba0cca1-b815-47bf-ac62-1e584eb64a05.md
new file mode 100644
index 00000000000..730ecaee1a6
--- /dev/null
+++ b/docs/queries/openapi-queries/3ba0cca1-b815-47bf-ac62-1e584eb64a05.md
@@ -0,0 +1,345 @@
+---
+title: Invalid OAuth2 Token URL (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3ba0cca1-b815-47bf-ac62-1e584eb64a05
+- **Query name:** Invalid OAuth2 Token URL (v3)
+- **Platform:** OpenAPI
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/invalid_oauth2_token_url)
+
+### Description
+OAuth2 security scheme flow requires a valid URL in the tokenUrl field
+[Documentation](https://swagger.io/specification/#oauth-flow-object) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="23" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCodePos1: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: http://example.com#@evil.com/ + scopes: + read:api: read your apis + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + securitySchemes: + oAuth2AuthCodePos2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + password: + tokenUrl: inval`id + scopes: + read:api: read your apis +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="22" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCodePos3: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + clientCredentials: + tokenUrl: httxps//|api + scopes: + read:api: read your apis + +``` +
Postitive test num. 4 - json file + +```json hl_lines="31" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodePos1": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "http://example.com#@evil.com/", + "scopes": { + "read:api": "read your apis" + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="14" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodePos2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "password": { + "tokenUrl": "inval`id", + "scopes": { + "read:api": "read your apis" + } + } + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="30" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodePos3": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "clientCredentials": { + "tokenUrl": "httxps//|api", + "scopes": { + "read:api": "read your apis" + } + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCodeNeg1: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: http://localhost.com:8080 + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCodeNeg3: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + +``` 
diff --git a/docs/queries/openapi-queries/3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md b/docs/queries/openapi-queries/3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md new file mode 100644 index 00000000000..02cc806306c --- /dev/null +++ b/docs/queries/openapi-queries/3d7d7b6c-fb0a-475e-8a28-c125e30d15f0.md @@ -0,0 +1,268 @@ +--- +title: Host With Invalid Pattern +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3d7d7b6c-fb0a-475e-8a28-c125e30d15f0 +- **Query name:** Host With Invalid Pattern +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/host_with_invalid_pattern) + +### Description +Host field should be an IP or a valid host name
+[Documentation](https://swagger.io/specification/v2/#swagger-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="7" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "host": "kics.io/test", + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +--- +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +host: kics.io/test +paths: + "/": + get: + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: integer + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "host": "127.0.0.1:8080", + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "host": "kics.io", + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +host: 127.0.0.1 +paths: + "/": + get: + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: integer + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +host: kics.io +paths: + "/": + get: + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: integer + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer + +``` +
diff --git a/docs/queries/openapi-queries/3fb03214-25d4-4bd4-867c-c2d8d708a483.md b/docs/queries/openapi-queries/3fb03214-25d4-4bd4-867c-c2d8d708a483.md new file mode 100644 index 00000000000..bce71cc4612 --- /dev/null +++ b/docs/queries/openapi-queries/3fb03214-25d4-4bd4-867c-c2d8d708a483.md @@ -0,0 +1,684 @@ +--- +title: Properties Missing Required Property (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3fb03214-25d4-4bd4-867c-c2d8d708a483 +- **Query name:** Properties Missing Required Property (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/properties_missing_required_property) + +### Description +Schema Object should have all required properties defined
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="56" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "age": { + "type": "integer" + } + } + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="38" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - links: + - href: http://127.0.0.1:8774/v2/ + rel: self + status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + code: + type: object + required: + - name + properties: + age: + type: integer + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + +``` +```json title="Postitive test num. 3 - json file" hl_lines="54" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "query", + "description": "ID of the API the version", + "required": true, + "allowReserved": true, + "schema": { + "type": "object", + "properties": { + "code": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "age": { + "type": "integer" + } + } + } + } + } + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="37" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + description: ID of the API the version + required: true + allowReserved: true + schema: + type: object + properties: + code: + type: object + required: + - name + properties: + age: + type: integer + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="27" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "MyObject": { + "type": "object", + "properties": { + "code": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "age": { + "type": "integer" + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="20" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + MyObject: + type: object + properties: + code: + type: object + required: + - name + properties: + age: + type: integer + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "age": { + "type": "integer" + } + } + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - links: + - href: http://127.0.0.1:8774/v2/ + rel: self + status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + code: + type: object + required: + - name + properties: + name: + type: string + age: + type: integer + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + +``` +```json title="Negative test num. 3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "query", + "description": "ID of the API the version", + "required": true, + "allowReserved": true, + "schema": { + "type": "object", + "properties": { + "code": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "age": { + "type": "integer" + } + } + } + } + } + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + description: ID of the API the version + required: true + allowReserved: true + schema: + type: object + properties: + code: + type: object + required: + - name + properties: + name: + type: string + age: + type: integer + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "MyObject": { + "type": "object", + "properties": { + "code": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + }, + "age": { + "type": "integer" + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + MyObject: + type: object + properties: + code: + type: object + required: + - name + properties: + name: + type: string + age: + type: integer + +``` +
diff --git a/docs/queries/openapi-queries/40d3df21-c170-4dbe-9c02-4289b51f994f.md b/docs/queries/openapi-queries/40d3df21-c170-4dbe-9c02-4289b51f994f.md new file mode 100644 index 00000000000..2e076a1ec38 --- /dev/null +++ b/docs/queries/openapi-queries/40d3df21-c170-4dbe-9c02-4289b51f994f.md @@ -0,0 +1,715 @@ +--- +title: Schema Discriminator Mismatch Defined Properties (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 40d3df21-c170-4dbe-9c02-4289b51f994f +- **Query name:** Schema Discriminator Mismatch Defined Properties (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/schema_discriminator_mismatch_defined_properties) + +### Description +Schema discriminator values should match defined properties.
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="53" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="25" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="28" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "GeneralError": { + "type": "object", + "discriminator": "petType", + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="16" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + GeneralError: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="25" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "required": [ + "petType" + ], + "type": "object", + "discriminator": "petType", + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + } + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="15" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "petType" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: string + required: + - petType + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: string + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] + +``` +
+
Negative test num. 5 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + GeneralError: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + petType: + type: string + required: + - petType + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + petType: + type: string + required: + - petType + +``` +
diff --git a/docs/queries/openapi-queries/40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md b/docs/queries/openapi-queries/40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md new file mode 100644 index 00000000000..d19f1b19353 --- /dev/null +++ b/docs/queries/openapi-queries/40e1d1bf-11a9-4f63-a3a2-a8b84c602839.md @@ -0,0 +1,251 @@ +--- +title: API Key Exposed In Global Security Scheme +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 40e1d1bf-11a9-4f63-a3a2-a8b84c602839 +- **Query name:** API Key Exposed In Global Security Scheme +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/api_key_exposed_in_global_security_scheme) + +### Description +API Keys should not be transported over network
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="57 52 62" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "apiKey2": [], + "apiKey3": [], + "apiKey1": [] + } + ], + "components": { + "securitySchemes": { + "apiKey1": { + "type": "apiKey", + "name": "X-API-Key", + "in": "header" + }, + "apiKey2": { + "type": "apiKey", + "name": "X-API-Key", + "in": "cookie" + }, + "apiKey3": { + "name": "X-API-Key", + "in": "query", + "type": "apiKey" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="35 39 31" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - apiKey1: [] + apiKey2: [] + apiKey3: [] +components: + securitySchemes: + apiKey1: + type: apiKey + name: X-API-Key + in: header + apiKey2: + type: apiKey + name: X-API-Key + in: cookie + apiKey3: + type: apiKey + name: X-API-Key + in: query + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ], + "components": { + "securitySchemes": { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + OAuth2: + type: oauth2 + flows: + authorizationCode: + scopes: + write: modify objects in your account + read: read objects in your account + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token +security: + - OAuth2: + - write + - read + +``` diff --git a/docs/queries/openapi-queries/4190dda7-af03-4cf0-a128-70ac1661ca09.md b/docs/queries/openapi-queries/4190dda7-af03-4cf0-a128-70ac1661ca09.md new file mode 100644 index 00000000000..def4c33d12a --- /dev/null +++ b/docs/queries/openapi-queries/4190dda7-af03-4cf0-a128-70ac1661ca09.md 
@@ -0,0 +1,515 @@ +--- +title: Property 'allowReserved' of Encoding Object Ignored +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4190dda7-af03-4cf0-a128-70ac1661ca09 +- **Query name:** Property 'allowReserved' of Encoding Object Ignored +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/property_allow_reserved_encoding_object_ignored) + +### Description +Property 'allowReserved' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.
+[Documentation](https://swagger.io/specification/#encoding-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="49" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/data": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "multipart/form-data": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="30" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + multipart/form-data: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + +``` +
diff --git a/docs/queries/openapi-queries/429b2106-ba37-43ba-9727-7f699cc611e1.md b/docs/queries/openapi-queries/429b2106-ba37-43ba-9727-7f699cc611e1.md new file mode 100644 index 00000000000..96ae81f1196 --- /dev/null +++ b/docs/queries/openapi-queries/429b2106-ba37-43ba-9727-7f699cc611e1.md @@ -0,0 +1,331 @@ +--- +title: Unknown Property (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 429b2106-ba37-43ba-9727-7f699cc611e1 +- **Query name:** Unknown Property (v2) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/unknown_property) + +### Description +All properties defined in OpenAPI objects should be known
+[Documentation](https://swagger.io/specification/v2/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="40 20" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "responses": { + "200": { + "description": "OK" + } + }, + "operationId": "listVersionsv2" + }, + "parameters": [ + { + "descripption": "ID of pet to use", + "required": true, + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "name": "id", + "in": "path" + } + ] + } + }, + "definitions": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "propppperties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="25 7" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "nameee": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "taggs": [ + { + "name": "pets" + } + ] +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="16 28" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: OK + parameters: + - name: id + in: path + descripption: ID of pet to use + required: true + type: array + items: + type: string + collectionFormat: csv +definitions: + ErrorModel: + type: object + required: + - message + - code + propppperties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="17 6" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + nameee: "contact" + url: "https://www.google.com/" + email: "user@gmail.com" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +taggs: + - name: pets + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "responses": { + "200": { + "description": "OK" + } + }, + "operationId": "listVersionsv2" + }, + "parameters": [ + { + "description": "ID of pet to use", + "required": true, + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "name": "id", + "in": "path" + } + ] + } + }, + "definitions": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "tags": [ + { + "name": "pets" + } + ] +} + +``` +```yaml title="Negative test num. 3 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: OK + parameters: + - name: id + in: path + description: ID of pet to use + required: true + type: array + items: + type: string + collectionFormat: csv +definitions: + ErrorModel: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + url: "https://www.google.com/" + email: "user@gmail.com" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +tags: + - name: pets + +``` +
diff --git a/docs/queries/openapi-queries/462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md b/docs/queries/openapi-queries/462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md new file mode 100644 index 00000000000..d8d3c8e217f --- /dev/null +++ b/docs/queries/openapi-queries/462d6a1d-fed9-4d75-bb9e-3de902f35e6e.md @@ -0,0 +1,403 @@ +--- +title: Undefined Scope 'securityScheme' On 'security' Field On Operations +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 462d6a1d-fed9-4d75-bb9e-3de902f35e6e +- **Query name:** Undefined Scope 'securityScheme' On 'security' Field On Operations +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/undefined_security_scope_security_operations) + +### Description +Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker
+[Documentation](https://swagger.io/specification/#oauth-flow-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="13" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": { + "oAuth2AuthCodeNeg2": [ + "read:api", + "error:api" + ] + }, + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis", + "admin:api": "admin scope" + } + }, + "password": { + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "write your apis" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="14" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "error:api", + "write:api" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis", + "admin:api": "admin scope" + } + }, + "password": { + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "write your apis" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="11" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + oAuth2AuthCodeNeg2: + - read:api + - error:api + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + admin:api: admin scope + password: + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: write your apis + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="11" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - oAuth2AuthCodeNeg2: + - error:api + - write:api + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + admin:api: admin scope + password: + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: write your apis + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "read:api", + "write:api" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis", + "admin:api": "admin scope" + } + }, + "password": { + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "write your apis" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": { + "oAuth2AuthCodeNeg2": [ + "read:api", + "write:api" + ] + }, + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis", + "admin:api": "admin scope" + } + }, + "password": { + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "write your apis" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - oAuth2AuthCodeNeg2: + - read:api + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - oAuth2AuthCodeNeg2: + - read:api + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis + +``` +
diff --git a/docs/queries/openapi-queries/46facedc-f243-4108-ab33-583b807d50b0.md b/docs/queries/openapi-queries/46facedc-f243-4108-ab33-583b807d50b0.md new file mode 100644 index 00000000000..67e5d1f6dd6 --- /dev/null +++ b/docs/queries/openapi-queries/46facedc-f243-4108-ab33-583b807d50b0.md @@ -0,0 +1,480 @@ +--- +title: Parameter Object With Undefined Type +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 46facedc-f243-4108-ab33-583b807d50b0 +- **Query name:** Parameter Object With Undefined Type +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/parameter_object_undefined_type) + +### Description +A Parameter Object must contain either a 'schema' property, or a 'content' property
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="43 55" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID" + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="40 26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + - name: name + in: path + description: Name of the API version + required: true + schema: + type: string + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + description: The user ID + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="10" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "$ref": "#components/parameters/idParam" + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="8" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: true + nameParam: + in: path + description: Name of the API version + required: true + schema: + type: string +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - $ref: "#components/parameters/idParam" + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md b/docs/queries/openapi-queries/48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md new file mode 100644 index 00000000000..9409e30ce4c --- /dev/null +++ b/docs/queries/openapi-queries/48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd.md @@ -0,0 +1,261 @@ +--- +title: Operation Without Successful HTTP Status Code (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48e9e1fe-cf79-45b5-93e6-8b55ae5dadfd +- **Query name:** Operation Without Successful HTTP Status Code (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/operation_without_successful_http_status_code) + +### Description +Operation Object should have at least one successful HTTP status code defined
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "300": { + "description": "300 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "300": + description: 300 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Postitive test num. 3 - json file" hl_lines="12" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "300": { + "description": "300 response" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="10" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "300": + description: 300 response + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
diff --git a/docs/queries/openapi-queries/4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md b/docs/queries/openapi-queries/4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md new file mode 100644 index 00000000000..b7a8d4bdfb1 --- /dev/null +++ b/docs/queries/openapi-queries/4a1f3d75-ab73-41b2-83e7-06a93dc3a75a.md @@ -0,0 +1,396 @@ +--- +title: Implicit Flow in OAuth2 (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4a1f3d75-ab73-41b2-83e7-06a93dc3a75a +- **Query name:** Implicit Flow in OAuth2 (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/implicit_flow_oauth2) + +### Description +There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated
+[Documentation](https://swagger.io/specification/#oauth-flow-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="29" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCode": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "implicit": { + "authorizationUrl": "https://api.invalid.company.com/oauth/authorize", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="37" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCode": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + }, + "implicit": { + "authorizationUrl": "https://api.invalid.company.com/oauth/authorize", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": null + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCode": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } + }, + "oAuth2AuthCode2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "implicit": { + "authorizationUrl": "https://api.invalid.company.com/oauth/authorize", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="21" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCode: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + implicit: + authorizationUrl: https://api.invalid.company.com/oauth/authorize + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="27" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCode: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + implicit: + authorizationUrl: https://api.invalid.company.com/oauth/authorize + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: +components: + securitySchemes: + oAuth2AuthCode: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + oAuth2AuthCode2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + implicit: + authorizationUrl: https://api.invalid.company.com/oauth/authorize + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` 
diff --git a/docs/queries/openapi-queries/4bcbcd52-3028-469f-bc14-02c7dbba2df2.md b/docs/queries/openapi-queries/4bcbcd52-3028-469f-bc14-02c7dbba2df2.md new file mode 100644 index 00000000000..0b9adfd8791 --- /dev/null +++ b/docs/queries/openapi-queries/4bcbcd52-3028-469f-bc14-02c7dbba2df2.md @@ -0,0 +1,639 @@ +--- +title: Property 'allowEmptyValue' Improperly Defined (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4bcbcd52-3028-469f-bc14-02c7dbba2df2 +- **Query name:** Property 'allowEmptyValue' Improperly Defined (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/property_allow_empty_value_improperly_defined) + +### Description +Property 'allowEmptyValue' should be only defined for query parameters and formData parameters
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="43 59" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "allowEmptyValue": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "allowEmptyValue": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="26 37" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + allowEmptyValue: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + allowEmptyValue: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Postitive test num. 3 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "allowEmptyValue": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + allowEmptyValue: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="20" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "name": "metadata", + "in": "path", + "required": true, + "type": "boolean", + "allowEmptyValue": true + } + ] + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="15" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - in: path + name: metadata + required: true + type: boolean + allowEmptyValue: true + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "query", + "description": "ID of the API the version", + "required": true, + "allowEmptyValue": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "query", + "name": "id", + "required": true, + "allowEmptyValue": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + description: ID of the API version + required: true + allowEmptyValue: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: query + name: id + required: true + allowEmptyValue: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Negative test num. 3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "query", + "description": "ID of the API the version", + "required": true, + "allowEmptyValue": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + description: ID of the API version + required: true + allowEmptyValue: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "name": "metadata", + "in": "query", + "required": true, + "type": "boolean", + "allowEmptyValue": true + } + ] + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - in: query + name: metadata + required: true + type: boolean + allowEmptyValue: true + +``` +
diff --git a/docs/queries/openapi-queries/4cac7ace-b0fb-477d-830d-65395d9109d9.md b/docs/queries/openapi-queries/4cac7ace-b0fb-477d-830d-65395d9109d9.md new file mode 100644 index 00000000000..071bb20ef8f --- /dev/null +++ b/docs/queries/openapi-queries/4cac7ace-b0fb-477d-830d-65395d9109d9.md @@ -0,0 +1,558 @@ +--- +title: Schema Object Incorrect Ref (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4cac7ace-b0fb-477d-830d-65395d9109d9 +- **Query name:** Schema Object Incorrect Ref (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/schema_object_incorrect_ref) + +### Description +Schema Object reference must always point to '#/components/schemas'
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="76" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemads/GeneralError" + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="16" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemads/GeneralError" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="46" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemads/GeneralError" + examples: + tshirt: + $ref: "#/components/examples/tshirt" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="16" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + $ref: "#/components/schemads/GeneralError" + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + examples: + tshirt: + $ref: "#/components/examples/tshirt" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + $ref: "#/components/schemas/GeneralError" + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
diff --git a/docs/queries/openapi-queries/4cd8de87-b595-48b6-ab3c-1904567135ab.md b/docs/queries/openapi-queries/4cd8de87-b595-48b6-ab3c-1904567135ab.md new file mode 100644 index 00000000000..16462bc7cc2 --- /dev/null +++ b/docs/queries/openapi-queries/4cd8de87-b595-48b6-ab3c-1904567135ab.md @@ -0,0 +1,471 @@ +--- +title: Encoding Header 'Content-Type' Improperly Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4cd8de87-b595-48b6-ab3c-1904567135ab +- **Query name:** Encoding Header 'Content-Type' Improperly Defined +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/encoding_header_content_type_improperly_defined) + +### Description +Encoding Map Key should not define a 'Content-Type' in the 'headers' field. If so, it will be ignored.
+[Documentation](https://swagger.io/specification/#media-type-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="70" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "profileImage": { + "headers": { + "Content-Type": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="36" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + } + }, + "encoding": { + "profileImage": { + "headers": { + "Content-Type": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="42" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + profileImage: + headers: + Content-Type: + contentType: image/png, image/jpeg + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + profileImage: + headers: + Content-Type: + contentType: image/png, image/jpeg + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + +``` +
diff --git a/docs/queries/openapi-queries/500ce696-d501-41dd-86eb-eceb011a386f.md b/docs/queries/openapi-queries/500ce696-d501-41dd-86eb-eceb011a386f.md new file mode 100644 index 00000000000..5e33d0ee7ef --- /dev/null +++ b/docs/queries/openapi-queries/500ce696-d501-41dd-86eb-eceb011a386f.md @@ -0,0 +1,677 @@ +--- +title: Schema Object is Empty (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 500ce696-d501-41dd-86eb-eceb011a386f +- **Query name:** Schema Object is Empty (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/schema_object_empty) + +### Description +The Schema Object should not be empty to avoid accepting any JSON values
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="50" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": {} + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": {}, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="27" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: {} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: {} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="20" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": {} + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="13" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: {} + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="26" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "GeneralError": {} + } +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + GeneralError: {} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "discriminator": "petType", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
+
Negative test num. 7 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "GeneralError": { + "type": "object", + "discriminator": "petType", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } +} + +``` +
+
Negative test num. 8 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + GeneralError: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
diff --git a/docs/queries/openapi-queries/50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md b/docs/queries/openapi-queries/50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md new file mode 100644 index 00000000000..28ae7b7bf80 --- /dev/null +++ b/docs/queries/openapi-queries/50de3b5b-6465-4e06-a9b0-b4c2ba34326b.md @@ -0,0 +1,559 @@ +--- +title: Header Object Without Schema +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 50de3b5b-6465-4e06-a9b0-b4c2ba34326b +- **Query name:** Header Object Without Schema +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/header_object_without_schema) + +### Description +The header object should have schema defined
+[Documentation](https://swagger.io/specification/#header-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="72" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "code": { + "headers": { + "X-Rate-Limit-Limit": { + "description": "The number of allowed requests in the current period" + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="42" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "50": { + "description": "500 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "6xx": { + "description": "[600-699] response", + "headers": { + "X-Rate-Limit-Limit": { + "description": "The number of allowed requests in the current period" + } + }, + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="44" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="28" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "50": + description: Server error response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "6xx": + description: "[600-699] response" + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "code": { + "headers": { + "X-Rate-Limit-Limit": { + "description": "The number of allowed requests in the current period", + "schema": { + "type": "integer" + } + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "50": { + "description": "500 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "6xx": { + "description": "[600-699] response", + "headers": { + "X-Rate-Limit-Limit": { + "description": "The number of allowed requests in the current period", + "schema": { + "type": "integer" + } + } + }, + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "50": + description: Server error response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "6xx": + description: "[600-699] response" + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + schema: + type: integer + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
diff --git a/docs/queries/openapi-queries/52c0d841-60d6-4a81-88dd-c35fef36d315.md b/docs/queries/openapi-queries/52c0d841-60d6-4a81-88dd-c35fef36d315.md new file mode 100644 index 00000000000..b8c9fb4fdbb --- /dev/null +++ b/docs/queries/openapi-queries/52c0d841-60d6-4a81-88dd-c35fef36d315.md @@ -0,0 +1,344 @@ +--- +title: Invalid OAuth2 Authorization URL (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 52c0d841-60d6-4a81-88dd-c35fef36d315 +- **Query name:** Invalid OAuth2 Authorization URL (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/invalid_oauth_authorization_url) + +### Description +The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL
+[Documentation](https://swagger.io/specification/#oauth-flow-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="50" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.invalid.company.com#@evil.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="50" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "implicit": { + "authorizationUrl": "https://api.invalid.company.com#@evil.com/oauth/authorize", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.invalid.comp@#any.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + implicit: + authorizationUrl: https://api.invalid.comp@#any.com/oauth/authorize + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +--- +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flows: + authorizationCode: + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` 
diff --git a/docs/queries/openapi-queries/543e38f4-1eee-479e-8eb0-15257013aa0a.md b/docs/queries/openapi-queries/543e38f4-1eee-479e-8eb0-15257013aa0a.md new file mode 100644 index 00000000000..1cefa69dfb1 --- /dev/null +++ b/docs/queries/openapi-queries/543e38f4-1eee-479e-8eb0-15257013aa0a.md @@ -0,0 +1,817 @@ +--- +title: Global security field has an empty object (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 543e38f4-1eee-479e-8eb0-15257013aa0a +- **Query name:** Global security field has an empty object (v3) +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/security_empty_object_definition) + +### Description +Global security definition must not have empty objects
+[Documentation](https://swagger.io/specification/#security-requirement-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + {} + ] +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + {}, + { + "exampleSecurity": [] + } + ], + "components": { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + }, + {} + ], + "components": { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": {} +} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- {} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- {} +- exampleSecurity: [] +components: + exampleSecurity: + type: http + scheme: basic + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- exampleSecurity: [] +- {} +components: + exampleSecurity: + type: http + scheme: basic + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: {} + +``` +
+
Postitive test num. 9 - yaml file + +```yaml hl_lines="38" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] + - {} + +``` +
+
Postitive test num. 10 - json file + +```json hl_lines="60" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + }, + {} + ] +} + +``` +
+
Postitive test num. 11 - yaml file + +```yaml hl_lines="38" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: {} + +``` +
+
Postitive test num. 12 - json file + +```json hl_lines="60" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "security": {} +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security":[ + { + "exampleSecurity": [] + } + ], + "components": { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- exampleSecurity: [] +components: + exampleSecurity: + type: http + scheme: basic + +``` +```yaml title="Negative test num. 
3 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] + +``` +
Negative test num. 4 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ] +} + +``` +
diff --git a/docs/queries/openapi-queries/561710b1-b845-4562-95ce-2397a05ccef4.md b/docs/queries/openapi-queries/561710b1-b845-4562-95ce-2397a05ccef4.md new file mode 100644 index 00000000000..d606d741f2e --- /dev/null +++ b/docs/queries/openapi-queries/561710b1-b845-4562-95ce-2397a05ccef4.md @@ -0,0 +1,700 @@ +--- +title: Template Path With No Corresponding Path Parameter (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 561710b1-b845-4562-95ce-2397a05ccef4 +- **Query name:** Template Path With No Corresponding Path Parameter (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/template_path_parameter_with_no_corresponding_path_parameter) + +### Description +The template path must have a corresponding path parameter for a given operation
+[Documentation](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#pathTemplating) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + /users/{test-id}: + get: + parameters: + - in: header + name: test-id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + schema: + type: integer + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="58" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{blabla}": { + "get": { + "parameters": [ + { + "in": "header", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="40 34" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + schema: + type: integer + /people/{id}: + get: + parameters: {} + responses: + "200": + description: 200 response + /users/{id}: + get: + parameters: {} + responses: + "200": + description: 200 response + +``` +
Postitive test num. 4 - json file + +```json hl_lines="65 55" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "required": true, + "schema": { + "type": "integer" + }, + "name": "Authorization", + "in": "header", + "description": "ID of the API version" + } + ] + }, + "/people/{id}": { + "get": { + "parameters": {}, + "responses": { + "200": { + "description": "200 response" + } + } + } + }, + "/users/{id}": { + "get": { + "parameters": {}, + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + /users/{test-id}: + get: + parameters: + - in: header + name: test-id + required: true + description: The user ID + type: string + responses: + "200": + description: 200 response + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + type: string + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="38" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "required": true, + "type": "string" + } + ] + }, + "/users/{blabla}": { + "get": { + "parameters": [ + { + "in": "header", + "name": "id", + "required": true, + "description": "The user ID", + "type": "string" + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="25 31" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + type: string + /people/{id}: + get: + parameters: {} + responses: + "200": + description: 200 response + /users/{id}: + get: + parameters: {} + responses: + "200": + description: 200 response + +``` +
+
Postitive test num. 8 - json file + +```json hl_lines="35 45" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "required": true, + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "type": "string" + } + ] + }, + "/people/{id}": { + "get": { + "parameters": {}, + "responses": { + "200": { + "description": "200 response" + } + } + } + }, + "/users/{id}": { + "get": { + "parameters": {}, + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + type: string + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + description: The user ID + type: string + responses: + "200": + description: 200 response + +``` +
Negative test num. 4 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "required": true, + "type": "string" + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "type": "string" + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/58f06434-a88c-4f74-826c-db7e10cc7def.md b/docs/queries/openapi-queries/58f06434-a88c-4f74-826c-db7e10cc7def.md new file mode 100644 index 00000000000..25f8424d18b --- /dev/null +++ b/docs/queries/openapi-queries/58f06434-a88c-4f74-826c-db7e10cc7def.md @@ -0,0 +1,507 @@ +--- +title: Request Body Object With Incorrect Media Type +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 58f06434-a88c-4f74-826c-db7e10cc7def +- **Query name:** Request Body Object With Incorrect Media Type +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/request_body_object_with_incorrect_media_type) + +### Description +The field 'content' of the request body object should be set to 'multipart' or 'application/x-www-form-urlencoded' when field 'encoding' is set.
+[Documentation](https://swagger.io/specification/#media-type-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="64" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "application/octet-stream": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="41" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + application/json: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="30" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + application/octet-stream: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/data": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "multipart/form-data": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + multipart/form-data: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + +``` +
diff --git a/docs/queries/openapi-queries/5915c20f-dffa-4cee-b5d4-f457ddc0151a.md b/docs/queries/openapi-queries/5915c20f-dffa-4cee-b5d4-f457ddc0151a.md new file mode 100644 index 00000000000..7b9fc559934 --- /dev/null +++ b/docs/queries/openapi-queries/5915c20f-dffa-4cee-b5d4-f457ddc0151a.md @@ -0,0 +1,208 @@ +--- +title: Empty Array +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5915c20f-dffa-4cee-b5d4-f457ddc0151a +- **Query name:** Empty Array +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/empty_array) + +### Description +All array fields should not be empty
+[Documentation](https://swagger.io/specification/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [] +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: [] + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "scope1", + "scope2" + ] + } + ], + "components": { + "securitySchemes": [ + { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } + ] + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - OAuth2: + - scope1 + - scope2 +components: + securitySchemes: + - exampleSecurity: + type: http + scheme: basic + +``` diff --git a/docs/queries/openapi-queries/59c2f769-7cc2-49c8-a3de-4e211135cfab.md b/docs/queries/openapi-queries/59c2f769-7cc2-49c8-a3de-4e211135cfab.md new file mode 100644 index 00000000000..c742b9d1797 --- /dev/null +++ b/docs/queries/openapi-queries/59c2f769-7cc2-49c8-a3de-4e211135cfab.md 
@@ -0,0 +1,624 @@ +--- +title: Property 'allowEmptyValue' Ignored +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 59c2f769-7cc2-49c8-a3de-4e211135cfab +- **Query name:** Property 'allowEmptyValue' Ignored +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/property_allow_empty_value_ignored) + +### Description +Property 'allowEmptyValue' is ignored in the following cases: {"sytle": "simple", "explode": false}, {"sytle": "simple", "explode": true}, {"sytle": "spaceDelimited", "explode": false}, {"sytle": "pipeDelimited", "explode": false}, and {"sytle": "deepObject", "explode": true}
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="47" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "allowEmptyValue": true, + "schema": { + "type": "integer" + } + } + ] + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + allowEmptyValue: true + schema: + type: integer + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "required": true, + "allowEmptyValue": true, + "schema": { + "type": "integer" + }, + "name": "id", + "in": "query", + "style": "deepObject", + "explode": true, + "description": "ID of the API version" + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + style: deepObject + explode: true + description: ID of the API version + required: true + allowEmptyValue: true + schema: + type: integer + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="16" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "name": "id", + "in": "query", + "style": "spaceDelimited", + "description": "ID of the API version", + "required": true, + "allowEmptyValue": true, + "schema": { + "type": "integer" + } + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + style: spaceDelimited + description: ID of the API version + required: true + allowEmptyValue: true + schema: + type: integer + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "in": "path", + "style": "label", + "description": "ID of the API version", + "required": true, + "allowEmptyValue": true, + "schema": { + "type": "integer" + } + } + ] + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + style: label + description: ID of the API version + required: true + allowEmptyValue: true + schema: + type: integer + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "required": true, + "allowEmptyValue": true, + "schema": { + "type": "integer" + }, + "name": "id", + "in": "query", + "style": "deepObject", + "explode": false, + "description": "ID of the API version" + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + style: deepObject + explode: false + description: ID of the API version + required: true + allowEmptyValue: true + schema: + type: integer + +``` +
+
Negative test num. 5 - json file + +```json +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "name": "id", + "in": "query", + "style": "spaceDelimited", + "explode": false, + "description": "ID of the API version", + "required": true, + "allowEmptyValue": false, + "schema": { + "type": "integer" + } + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + style: spaceDelimited + explode: false + description: ID of the API version + required: true + allowEmptyValue: false + schema: + type: integer + +``` +
diff --git a/docs/queries/openapi-queries/5aea1d7e-b834-4749-b143-2c7ec3bd5922.md b/docs/queries/openapi-queries/5aea1d7e-b834-4749-b143-2c7ec3bd5922.md new file mode 100644 index 00000000000..ab0444ad571 --- /dev/null +++ b/docs/queries/openapi-queries/5aea1d7e-b834-4749-b143-2c7ec3bd5922.md @@ -0,0 +1,358 @@ +--- +title: Invalid Tag External Documentation URL (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5aea1d7e-b834-4749-b143-2c7ec3bd5922 +- **Query name:** Invalid Tag External Documentation URL (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/invalid_tag_external_documentation_url) + +### Description +Tag External Documentation URL should be a valid URL
+[Documentation](https://swagger.io/specification/#external-documentation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="57 53" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "tags": [ + { + "externalDocs": { + "url": "/" + }, + "name": "pets", + "description": "Everything about your Pets" + }, + { + "name": "store", + "description": "Access to Petstore orders", + "externalDocs": { + "url": "/" + } + } + ] +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 30" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +tags: + - name: pets + description: Everything about your Pets + externalDocs: + url: / + - name: store + description: Access to Petstore orders + externalDocs: + url: / + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="34 30" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "tags": [ + { + "externalDocs": { + "url": "/" + }, + "name": "pets", + "description": "Everything about your Pets" + }, + { + "name": "store", + "description": "Access to Petstore orders", + "externalDocs": { + "url": "/" + } + } + ] +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="18 22" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +tags: + - name: pets + description: Everything about your Pets + externalDocs: + url: / + - name: store + description: Access to Petstore orders + externalDocs: + url: / + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "tags": [ + { + "externalDocs": { + "url": "http://docs.my-api.com/pet-operations.htm" + }, + "name": "pets", + "description": "Everything about your Pets" + }, + { + "name": "store", + "description": "Access to Petstore orders", + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } + } + ] +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +tags: + - name: pets + description: Everything about your Pets + externalDocs: + url: http://docs.my-api.com/pet-operations.htm + - name: store + description: Access to Petstore orders + externalDocs: + url: http://docs.my-api.com/store-orders.htm + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "tags": [ + { + "externalDocs": { + "url": "http://docs.my-api.com/pet-operations.htm" + }, + "name": "pets", + "description": "Everything about your Pets" + }, + { + "name": "store", + "description": "Access to Petstore orders", + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } + } + ] +} + +``` diff --git a/docs/queries/openapi-queries/5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md b/docs/queries/openapi-queries/5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md new file mode 100644 index 00000000000..158580dbbd8 --- /dev/null +++ b/docs/queries/openapi-queries/5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275.md @@ -0,0 +1,137 @@ +--- +title: Object Without Required Property (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275 +- **Query name:** Object Without Required Property (v2) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/object_without_required_property) + +### Description +OpenAPI Object should contain all of its required fields
+[Documentation](https://swagger.io/specification/v2/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="3 20" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="2 13" +swagger: "2.0" +info: + title: Simple API Overview +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "type": "string" + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + type: string + +``` 
diff --git a/docs/queries/openapi-queries/5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md b/docs/queries/openapi-queries/5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md new file mode 100644 index 00000000000..1944e1d4556 --- /dev/null +++ b/docs/queries/openapi-queries/5ea61624-3733-4a3a-8ca4-b96fec9c5aeb.md @@ -0,0 +1,315 @@ +--- +title: Invalid Operation External Documentation URL (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5ea61624-3733-4a3a-8ca4-b96fec9c5aeb +- **Query name:** Invalid Operation External Documentation URL (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/invalid_operation_external_documentation_url) + +### Description +Operation External Documentation URL should be a valid URL
+[Documentation](https://swagger.io/specification/#external-documentation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="18" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "externalDocs": { + "url": "/" + }, + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + externalDocs: + url: / + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] +components: + exampleSecurity: + type: http + scheme: basic + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="18" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "externalDocs": { + "url": "/" + }, + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="15" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + externalDocs: + url: / + responses: + "200": + description: 200 response + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + }, + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + externalDocs: + url: http://docs.my-api.com/store-orders.htm + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + }, + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + externalDocs: + url: http://docs.my-api.com/store-orders.htm + responses: + "200": + description: 200 response + +``` +
diff --git a/docs/queries/openapi-queries/60b5f56b-66ff-4e1c-9b62-5753e16825bc.md b/docs/queries/openapi-queries/60b5f56b-66ff-4e1c-9b62-5753e16825bc.md new file mode 100644 index 00000000000..258ccaf052d --- /dev/null +++ b/docs/queries/openapi-queries/60b5f56b-66ff-4e1c-9b62-5753e16825bc.md @@ -0,0 +1,325 @@ +--- +title: Success Response Code Undefined for Put Operation (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 60b5f56b-66ff-4e1c-9b62-5753e16825bc +- **Query name:** Success Response Code Undefined for Put Operation (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/success_response_code_undefined_put_operation) + +### Description +Put should define at least one success response (200, 201, 202 or 204)
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "put": { + "operationId": "updateItem", + "summary": "Updated item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "put": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + put: + operationId: updateItem + summary: Updated item + responses: + default: + description: Error + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + put: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="24" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "put": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="18" +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + put: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "default": { + "description": "Error" + } + } + }, + "put": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "201": { + "description": "Item created successfully" + }, + "204": { + "description": "Item updated successfully" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + default: + description: Error + put: + operationId: updateItem + summary: Update item + responses: + "201": + description: Item created successfully + "204": + description: Item updated successfully + default: + description: Error + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "default": { + "description": "Error" + } + } + }, + "put": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "201": { + "description": "Item created successfully" + }, + "204": { + "description": "Item updated successfully" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + default: + description: Error + put: + operationId: updateItem + summary: Update item + responses: + "201": + description: Item created successfully + "204": + description: Item updated successfully + default: + description: Error + +``` +
diff --git a/docs/queries/openapi-queries/60fb6621-9f02-473b-9424-ba9a825747d3.md b/docs/queries/openapi-queries/60fb6621-9f02-473b-9424-ba9a825747d3.md new file mode 100644 index 00000000000..7885dcab25b --- /dev/null +++ b/docs/queries/openapi-queries/60fb6621-9f02-473b-9424-ba9a825747d3.md @@ -0,0 +1,807 @@ +--- +title: Link Object With Both 'operationId' And 'operationRef' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 60fb6621-9f02-473b-9424-ba9a825747d3 +- **Query name:** Link Object With Both 'operationId' And 'operationRef' +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/link_object_with_both_operation_id_and_operation_ref) + +### Description +Link object 'OperationId' should not have both 'operationId' and 'operationRef' defined since they are mutually exclusive.
+[Documentation](https://swagger.io/specification/#link-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="70" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + }, + "components": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "operationId": "getUserAddress", + "operationRef": "/", + "parameters": { + "userId": "$request.path.id" + } + } + } + } + }, + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="27" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "format": "uuid", + "type": "string" + } + } + } + } + }, + "links": { + "address": { + "operationId": "getUserAddress", + "operationRef": "/", + "parameters": { + "userId": "$request.path.id" + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="67" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + }, + "components": { + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + }, + "responses": { + "GenericError": { + "$ref": "../template-api.yaml#/components/responses/GenericError" + } + }, + "links": { + 
"address": { + "operationId": "getUserAddress", + "operationRef": "/", + "parameters": { + "userId": "$request.path.id" + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="50" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + address: + operationId: getUserAddress + operationRef: / + parameters: + userId: $request.path.id + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="20" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + address: + operationId: getUserAddress + operationRef: / + parameters: + userId: $request.path.id + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="42" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + GenericError: + $ref: "../template-api.yaml#/components/responses/GenericError" + links: + address: + operationId: getUserAddress + operationRef: / + parameters: + userId: $request.path.id + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + }, + "components": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "operationId": "getUserAddress", + "parameters": { + "userId": "$request.path.id" + } + } + } + } + }, + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "format": "uuid", + "type": "string" + } + } + } + } + }, + "links": { + "address": { + "operationId": "getUserAddress", + "parameters": { + "userId": "$request.path.id" + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + } +} + +``` +```json title="Negative test num. 3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + }, + "components": { + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + }, + "responses": { + "GenericError": { + "$ref": "../template-api.yaml#/components/responses/GenericError" + } + }, + "links": { + "address": { + "operationId": "getUserAddress", + 
"parameters": { + "userId": "$request.path.id" + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + address: + operationId: getUserAddress + parameters: + userId: $request.path.id + +``` +
+
Negative test num. 5 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + address: + operationId: getUserAddress + parameters: + userId: $request.path.id + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address + +``` +
+
Negative test num. 6 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + GenericError: + $ref: "../template-api.yaml#/components/responses/GenericError" + links: + address: + operationId: getUserAddress + parameters: + userId: $request.path.id + +``` +
diff --git a/docs/queries/openapi-queries/663c442d-f918-4f62-b096-0bf5dcbeb655.md b/docs/queries/openapi-queries/663c442d-f918-4f62-b096-0bf5dcbeb655.md new file mode 100644 index 00000000000..40a9ac4c8c4 --- /dev/null +++ b/docs/queries/openapi-queries/663c442d-f918-4f62-b096-0bf5dcbeb655.md @@ -0,0 +1,763 @@ +--- +title: Security Field On Operations Has An Empty Array (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 663c442d-f918-4f62-b096-0bf5dcbeb655 +- **Query name:** Security Field On Operations Has An Empty Array (v3) +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/security_operations_empty_array) + +### Description +Security object for operations, if defined, must define a security scheme, otherwise it should be considered an error
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="51" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "OAuth2": [ + "admin" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "patch": { + "operationId": "validateVersionsPathv2", + "summary": "Validate operation", + "security": [], + "responses": { + "204": { + "description": "204 response" + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="51" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "OAuth2": [ + "admin" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "patch": { + "operationId": "validateVersionsPathv2", + "summary": "Validate operation", + "security": [], + "responses": { + "204": { + "description": "204 response" + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="53" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "OAuth2": [ + "admin" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + }, + "/apis": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: [] + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- OAuth2: + - read + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - OAuth2: + - admin + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + patch: + operationId: validateVersionsPathv2 + summary: Validate operation + security: [] + responses: + '204': + description: 204 response +security: +- OAuth2: + - read + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - OAuth2: + - admin + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + patch: + operationId: validateVersionsPathv2 + summary: Validate operation + security: [] + responses: + '204': + description: 204 response +security: +- OAuth2: + - read + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - OAuth2: + - admin + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "/apis": + get: + operationId: listVersionsv2 + summary: List API versions + security: [] + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- OAuth2: + - read + +``` +
+
Postitive test num. 9 - yaml file + +```yaml hl_lines="14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: [] + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + +``` +
+
Postitive test num. 10 - json file + +```json hl_lines="17" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [], + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "OAuth2": [ + "write" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - OAuth2: + - write + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - OAuth2: + - read + +``` +```yaml title="Negative test num. 3 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - OAuth2: + - write + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + +``` +
Negative test num. 4 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "OAuth2": [ + "write" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } + } + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/68e5fcac-390c-4939-a373-6074b7be7c71.md b/docs/queries/openapi-queries/68e5fcac-390c-4939-a373-6074b7be7c71.md new file mode 100644 index 00000000000..7b79b5228c7 --- /dev/null +++ b/docs/queries/openapi-queries/68e5fcac-390c-4939-a373-6074b7be7c71.md @@ -0,0 +1,248 @@ +--- +title: Security Scheme Using HTTP Basic +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 68e5fcac-390c-4939-a373-6074b7be7c71 +- **Query name:** Security Scheme Using HTTP Basic +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/security_scheme_using_http_basic) + +### Description +Security Scheme HTTP should not be using basic authentication
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="57" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "http", + "scheme": "basic" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: http + scheme: basic + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://example.com/api/oauth/dialog", + "tokenUrl": "https://example.com/api/oauth/token", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + authorizationCode: + authorizationUrl: https://example.com/api/oauth/dialog + tokenUrl: https://example.com/api/oauth/token + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` 
diff --git a/docs/queries/openapi-queries/6952a7e0-6e48-4285-bbc1-27c64e60f888.md b/docs/queries/openapi-queries/6952a7e0-6e48-4285-bbc1-27c64e60f888.md new file mode 100644 index 00000000000..61b3af73302 --- /dev/null +++ b/docs/queries/openapi-queries/6952a7e0-6e48-4285-bbc1-27c64e60f888.md @@ -0,0 +1,689 @@ +--- +title: Invalid Schema External Documentation URL (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6952a7e0-6e48-4285-bbc1-27c64e60f888 +- **Query name:** Invalid Schema External Documentation URL (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/invalid_schema_external_documentation_url) + +### Description +Schema External Documentation URL should be a valid URL
+[Documentation](https://swagger.io/specification/#external-documentation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="61" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "User": { + "type": "object", + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "externalDocs": { + "url": "/" + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "externalDocs": { + "url": "/" + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="35" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + User: + type: object + properties: + id: + type: integer + name: + type: string + externalDocs: + url: / + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="17" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + externalDocs: + url: / + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="22" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "externalDocs": { + "url": "/" + } + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="15" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + externalDocs: + url: / + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="37" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "externalDocs": { + "url": "/" + } + } + } +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="22" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + User: + type: object + properties: + id: + type: integer + name: + type: string + externalDocs: + url: / + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "User": { + "type": "object", + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + User: + type: object + properties: + id: + type: integer + name: + type: string + externalDocs: + url: http://docs.my-api.com/store-orders.htm + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + externalDocs: + url: http://docs.my-api.com/store-orders.htm + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + externalDocs: + url: http://docs.my-api.com/store-orders.htm + +``` +
+
Negative test num. 7 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } + } + } +} + +``` +
+
Negative test num. 8 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + User: + type: object + properties: + id: + type: integer + name: + type: string + externalDocs: + url: http://docs.my-api.com/store-orders.htm + +``` +
diff --git a/docs/queries/openapi-queries/698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md b/docs/queries/openapi-queries/698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md new file mode 100644 index 00000000000..2e0784c3e70 --- /dev/null +++ b/docs/queries/openapi-queries/698a464e-bb3e-4ba8-ab5e-e6599b7644a0.md @@ -0,0 +1,160 @@ +--- +title: Components Parameter Definition Is Unused +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 698a464e-bb3e-4ba8-ab5e-e6599b7644a0 +- **Query name:** Components Parameter Definition Is Unused +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/components_parameter_definition_unused) + +### Description +Components parameters definitions should be referenced or removed from Open API definition
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + } + } + } + }, + "components": { + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/Success" +components: + parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + }, + "parameters": [ + { + "$ref": "#/components/parameters/limitParam" + } + ] + } + } + }, + "components": { + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/Success" + parameters: + - "$ref": "#/components/parameters/limitParam" +components: + parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + +``` diff --git a/docs/queries/openapi-queries/6998389e-66b2-473d-8d05-c8d71ac4d04d.md b/docs/queries/openapi-queries/6998389e-66b2-473d-8d05-c8d71ac4d04d.md new file mode 100644 index 00000000000..7437d50e2f1 --- /dev/null +++ b/docs/queries/openapi-queries/6998389e-66b2-473d-8d05-c8d71ac4d04d.md @@ -0,0 +1,631 @@ +--- +title: Array Without Maximum Number of Items (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6998389e-66b2-473d-8d05-c8d71ac4d04d +- **Query name:** Array Without Maximum Number of Items (v3) +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/array_without_maximum_number_items) + +### Description +Array schema should have the field 'maxItems' set
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="56" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="28" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + properties: + code: + type: string + format: int32 + message: + type: array + items: + type: string + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="20" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + properties: + code: + type: string + format: int32 + message: + type: array + items: + type: string + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="31" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "schema": { + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "name": "id", + "in": "body", + "description": "ID of pet to use", + "required": true + } + ] + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="23" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: id + in: body + description: ID of pet to use + required: true + schema: + properties: + code: + type: string + format: int32 + message: + type: array + items: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "array", + "maxItems": 5, + "items": { + "type": "string" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "array", + "maxItems": 5, + "items": { + "type": "string" + } + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + properties: + code: + type: string + format: int32 + message: + type: array + maxItems: 5 + items: + type: string + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + properties: + code: + type: string + format: int32 + message: + type: array + maxItems: 5 + items: + type: string + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "schema": { + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "array", + "maxItems": 5, + "items": { + "type": "string" + } + } + } + }, + "name": "id", + "in": "body", + "description": "ID of pet to use", + "required": true + } + ] + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: id + in: body + description: ID of pet to use + required: true + schema: + properties: + code: + type: string + format: int32 + message: + type: array + maxItems: 5 + items: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/69d7aefd-149d-47b8-8d89-1c2181a8067b.md b/docs/queries/openapi-queries/69d7aefd-149d-47b8-8d89-1c2181a8067b.md new file mode 100644 index 00000000000..5e98c3defba --- /dev/null +++ b/docs/queries/openapi-queries/69d7aefd-149d-47b8-8d89-1c2181a8067b.md @@ -0,0 +1,495 @@ +--- +title: Path Parameter With No Corresponding Template Path (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 69d7aefd-149d-47b8-8d89-1c2181a8067b +- **Query name:** Path Parameter With No Corresponding Template Path (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/path_parameter_with_no_corresponding_template_path) + +### Description +The path parameter must have a corresponding template path for a given operation
+[Documentation](https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#pathTemplating) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + /users/: + get: + parameters: + - in: header + name: test-id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + "/yada/foo": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + +``` +```json title="Postitive test num. 2 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/users/": { + "get": { + "parameters": [ + { + "in": "header", + "name": "test-id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + }, + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="29" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.c +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + /people/foo: + get: + parameters: + - name: id + in: path + description: ID of pet to use + required: true + type: array + items: + type: string + collectionFormat: csv + +``` +
Postitive test num. 4 - json file + +```json hl_lines="47" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + }, + "/people/foo": { + "get": { + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to use", + "required": true, + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv" + } + ] + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.c +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + /people/{id}: + get: + parameters: + - name: id + in: path + description: ID of pet to use + required: true + type: array + items: + type: string + collectionFormat: csv + +``` +
Negative test num. 4 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + }, + "/people/{id}": { + "get": { + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to use", + "required": true, + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv" + } + ] + } + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/6a2c219f-da5e-4745-941e-5ea8cde23356.md b/docs/queries/openapi-queries/6a2c219f-da5e-4745-941e-5ea8cde23356.md new file mode 100644 index 00000000000..5f78c1d58f3 --- /dev/null +++ b/docs/queries/openapi-queries/6a2c219f-da5e-4745-941e-5ea8cde23356.md @@ -0,0 +1,225 @@ +--- +title: Example JSON Reference Does Not Exists +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6a2c219f-da5e-4745-941e-5ea8cde23356 +- **Query name:** Example JSON Reference Does Not Exists +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/json_reference_does_not_exists_example) + +### Description +Example reference should exists on components field
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + }, + "examples": { + "objectExample": { + "$ref": "#/components/examples/wrongExample" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "examples": { + "objectExample": { + "value": { + "id": "1", + "name": "new object" + }, + "summary": "A sample object" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: Success + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + examples: + objectExample: + "$ref": "#/components/examples/wrongExample" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + examples: + objectExample: + value: + id: '1' + name: new object + summary: A sample object + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + }, + "examples": { + "objectExample": { + "$ref": "#/components/examples/objectExample" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "examples": { + "objectExample": { + "value": { + "id": "1", + "name": "new object" + }, + "summary": "A sample object" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: Success + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + examples: + objectExample: + "$ref": "#/components/examples/objectExample" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + examples: + objectExample: + value: + id: '1' + name: new object + summary: A sample object + +``` diff --git a/docs/queries/openapi-queries/6b76f589-9713-44ab-97f5-59a3dba1a285.md b/docs/queries/openapi-queries/6b76f589-9713-44ab-97f5-59a3dba1a285.md new file mode 100644 index 00000000000..6f220c7660c --- /dev/null +++ b/docs/queries/openapi-queries/6b76f589-9713-44ab-97f5-59a3dba1a285.md 
@@ -0,0 +1,200 @@ +--- +title: Components Request Body Definition Is Unused +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6b76f589-9713-44ab-97f5-59a3dba1a285 +- **Query name:** Components Request Body Definition Is Unused +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/components_request_body_definition_unused) + +### Description +Components request bodies definitions should be referenced or removed from Open API definition
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="35" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "requestBodies": { + "MyObjectBody": { + "description": "A JSON object containing my object information", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="23" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + requestBodies: + MyObjectBody: + description: A JSON object containing my object information + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + }, + "requestBody": { + "$ref": "#/components/requestBodies/MyObjectBody" + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "requestBodies": { + "MyObjectBody": { + "description": "A JSON object containing my object information", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" + requestBody: + "$ref": "#/components/requestBodies/MyObjectBody" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + requestBodies: + MyObjectBody: + description: A JSON object containing my object information + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + +``` diff --git a/docs/queries/openapi-queries/6c35d2c6-09f2-4e5c-a094-e0e91327071d.md b/docs/queries/openapi-queries/6c35d2c6-09f2-4e5c-a094-e0e91327071d.md new file mode 100644 index 00000000000..08d3272df02 --- /dev/null +++ b/docs/queries/openapi-queries/6c35d2c6-09f2-4e5c-a094-e0e91327071d.md 
@@ -0,0 +1,617 @@ +--- +title: Response Code Missing (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6c35d2c6-09f2-4e5c-a094-e0e91327071d +- **Query name:** Response Code Missing (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/response_code_missing) + +### Description +500, 429 and 400 responses should be defined for all operations, except head operation. 415 response should be defined for the post, put, and patch operations. 404 response should be defined for the get, put, head, delete operations. 200 response should be defined for options operation. 401 and 403 response should be defined for all operations when the security field is defined.
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12 21" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "put": { + "operationId": "putItem", + "summary": "Put item", + "responses": { + "default": { + "description": "Error" + } + } + }, + "options": { + "operationId": "optionsItem", + "summary": "Options item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "put": { + "operationId": "putItem", + "summary": "Put item", + "responses": { + "500": { + "description": "500 response" + }, + "429": { + "description": "429 response" + }, + "400": { + "description": "400 response" + }, + "404": { + "description": "404 response" + }, + "415": { + "description": "415 response" + } + } + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="16 10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + put: + operationId: putItem + summary: Put item + responses: + default: + description: Error + options: + operationId: optionsItem + summary: Options item + responses: + default: + description: Error +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + put: + operationId: putItem + summary: Put item + responses: + "500": + description: 500 response + "429": + description: 429 response + "400": + description: 400 response + "404": + description: 404 response + "415": + description: 415 response +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message +security: + - petstore_auth: + - write:pets + - read:pets + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="12" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "put": { + "operationId": "putItem", + "summary": "Put item", + "responses": { + "500": { + "description": "500 response" + }, + "429": { + "description": "429 response" + }, + "400": { + "description": "400 response" + }, + "404": { + "description": "404 response" + }, + "415": { + "description": "415 response" + } + } + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ] +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="10" +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + put: + operationId: putItem + summary: Put item + responses: + "500": + description: 500 response + "429": + description: 429 response + "400": + description: 400 response + "404": + description: 404 response + "415": + description: 415 response +security: + - petstore_auth: + - write:pets + - read:pets + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "put": { + "operationId": "putItem", + "summary": "Put item", + "responses": { + "500": { + "description": "500 response" + }, + "429": { + "description": "429 response" + }, + "400": { + "description": "400 response" + }, + "404": { + "description": "404 response" + }, + "415": { + "description": "415 response" + } + } + }, + "options": { + "operationId": "optionsItem", + "summary": "Options item", + "responses": { + "200": { + "description": "200 response" + }, + "500": { + "description": "500 response" + }, + "429": { + "description": "429 response" + }, + "400": { + "description": "400 response" + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "put": { + "operationId": "putItem", + "summary": "Put item", + "responses": { + "500": { + "description": "500 response" + }, + "429": { + "description": "429 response" + }, + "400": { + "description": "400 response" + }, + "404": { + "description": "404 response" + }, + "415": { + "description": "415 response" + }, + "401": { + "description": "401 response" + }, + "403": { + "description": "403 response" + } + } + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + put: + operationId: putItem + summary: Put item + responses: + "500": + description: 500 response + "429": + description: 429 response + "400": + description: 400 response + "404": + description: 404 response + "415": + description: 415 response + options: + operationId: optionsItem + summary: Options item + responses: + "200": + description: 200 response + "500": + description: 500 response + "429": + description: 429 response + "400": + description: 400 response + +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + put: + operationId: putItem + summary: Put item + responses: + "500": + description: 500 response + "429": + description: 429 response + "400": + description: 400 response + "404": + description: 404 response + "415": + description: 415 response + "401": + description: 401 response + "403": + description: 403 response +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message +security: + - petstore_auth: + - write:pets + - read:pets + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "put": { + "operationId": "putItem", + "summary": "Put item", + "responses": { + "500": { + "description": "500 response" + }, + "429": { + "description": "429 response" + }, + "400": { + "description": "400 response" + }, + "404": { + "description": "404 response" + }, + "415": { + "description": "415 response" + }, + "401": { + "description": "401 response" + }, + "403": { + "description": "403 response" + } + } + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ] +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + put: + operationId: putItem + summary: Put item + responses: + "500": + description: 500 response + "429": + description: 429 response + "400": + description: 400 response + "404": + description: 404 response + "415": + description: 415 response + "401": + description: 401 response + "403": + description: 403 response +security: + - petstore_auth: + - write:pets + - read:pets + +``` +
diff --git a/docs/queries/openapi-queries/6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md b/docs/queries/openapi-queries/6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md new file mode 100644 index 00000000000..1c34cbb31d5 --- /dev/null +++ b/docs/queries/openapi-queries/6d2e0790-cc3d-4c74-b973-d4e8b09f4455.md @@ -0,0 +1,211 @@ +--- +title: Global Schema Definition Not Being Used +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6d2e0790-cc3d-4c74-b973-d4e8b09f4455 +- **Query name:** Global Schema Definition Not Being Used +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/unused_schema_definition) + +### Description +All global schemas definitions should be in use
+[Documentation](https://swagger.io/specification/v2/#definitionsObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="44" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "category", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "$ref": "#/definitions/Category" + } + } + ] + } + } + }, + "definitions": { + "Category": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + }, + "Tag": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="29" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: category + in: body + description: max records to return + required: true + schema: + $ref: "#/definitions/Category" +definitions: + Category: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + Tag: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "category", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "$ref": "#/definitions/Category" + } + } + ] + } + } + }, + "definitions": { + "Category": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: category + in: body + description: max records to return + required: true + schema: + $ref: "#/definitions/Category" +definitions: + Category: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/72d259ca-9741-48dd-9f62-eb11f2936b37.md b/docs/queries/openapi-queries/72d259ca-9741-48dd-9f62-eb11f2936b37.md new file mode 100644 index 00000000000..485ec29c68c --- /dev/null +++ b/docs/queries/openapi-queries/72d259ca-9741-48dd-9f62-eb11f2936b37.md 
@@ -0,0 +1,663 @@ +--- +title: Header Parameter Named as 'Content-Type' (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 72d259ca-9741-48dd-9f62-eb11f2936b37 +- **Query name:** Header Parameter Named as 'Content-Type' (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/header_parameter_named_as_content_type) + +### Description +The header Parameter should not be named as 'Content-Type'. If so, it will be ignored.
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58 43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Content-Type", + "in": "header", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "header", + "name": "Content-Type", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 36" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Content-Type + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: header + name: Content-Type + required: true + description: The user ID + schema: + type: integer + minimum: 1 + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Content-Type", + "in": "header", + "description": "ID of the API the version", + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Content-Type + in: header + description: ID of the API version + required: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="11 38" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "name": "Content-Type", + "in": "header", + "description": "ID of the API version", + "required": true, + "type": "array", + "items": { + "type": "string" + } + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "type": "array", + "items": { + "type": "string" + }, + "name": "Content-Type", + "in": "header", + "description": "ID of the API version", + "required": true + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="14 23" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: Content-Type + in: header + description: ID of the API version + required: true + type: array + items: + type: string +parameters: + limitParam: + name: Content-Type + in: header + description: ID of the API version + required: true + type: array + items: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "query", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "header", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: header + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "header", + "description": "ID of the API the version", + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: header + description: ID of the API version + required: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "name": "id", + "in": "header", + "description": "ID of the API version", + "required": true, + "type": "array", + "items": { + "type": "string" + } + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "type": "array", + "items": { + "type": "string" + }, + "name": "id2", + "in": "header", + "description": "ID of the API version", + "required": true + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: id + in: header + description: ID of the API version + required: true + type: array + items: + type: string +parameters: + limitParam: + name: id2 + in: header + description: ID of the API version + required: true + type: array + items: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md b/docs/queries/openapi-queries/73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md new file mode 100644 index 00000000000..438a0802ecd --- /dev/null +++ b/docs/queries/openapi-queries/73c3bc54-3cc6-4c0a-b30a-e19f2abfc951.md @@ -0,0 +1,173 @@ +--- +title: Non Body Parameter Without Schema +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 73c3bc54-3cc6-4c0a-b30a-e19f2abfc951 +- **Query name:** Non Body Parameter Without Schema +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/non_body_parameter_with_schema) + +### Description +The Body Parameter Object should have the attribute 'schema' defined
+[Documentation](https://swagger.io/specification/v2/#parameterObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="16 37" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsV2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "path", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 13" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit2 + in: query + description: max records to return + required: true + schema: + type: integer + operationId: listVersionsV2 + summary: List API versions + responses: + '200': + description: 200 response +parameters: + limitParam: + name: limit + in: path + description: max records to return + required: true + schema: + type: integer + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "query", + "description": "max records to return", + "required": true + } + ], + "operationId": "listVersionsV2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "path", + "description": "max records to return", + "required": true + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit2 + in: query + description: max records to return + required: true + operationId: listVersionsV2 + summary: List API versions + responses: + '200': + description: 200 response +parameters: + limitParam: + name: limit + in: path + description: max records to return + required: true + +``` diff --git a/docs/queries/openapi-queries/750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md b/docs/queries/openapi-queries/750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md new file mode 100644 index 00000000000..15a3894bf0e --- /dev/null +++ b/docs/queries/openapi-queries/750b40be-4bac-4f59-bdc4-1ca0e6c3450e.md @@ -0,0 +1,267 @@ +--- +title: Property Not Unique +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 750b40be-4bac-4f59-bdc4-1ca0e6c3450e +- **Query name:** Property Not Unique +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/property_not_unique) + +### Description +Every defined property must be unique throughout the whole API
+[Documentation](https://swagger.io/specification/v2/#schemaObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="33 54 57 27 60 30" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "basePath": "/api", + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "address": { + "$ref": "#/definitions/Address" + }, + "age": { + "type": "integer", + "format": "int32" + } + } + } + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + }, + "properties": { + "name": { + "type": "string" + }, + "address": { + "$ref": "#/definitions/Address" + }, + "age": { + "type": "integer", + "format": "int32" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="38 40 42 22 24 26" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +basePath: "/api" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object + properties: + name: + type: string + address: + $ref: "#/definitions/Address" + age: + type: integer + format: int32 +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: object + properties: + name: + type: string + address: + $ref: "#/definitions/Address" + age: + type: integer + format: int32 + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "basePath": "/api", + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "address": { + "$ref": "#/definitions/Address" + }, + "age": { + "type": "integer", + "format": "int32" + } + } + } + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + }, + "properties": { + "name_2": { + "type": "string" + }, + "address_2": { + "$ref": "#/definitions/Address" + }, + "age_2": { + "type": "integer", + "format": "int32" + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +basePath: "/api" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object + properties: + name: + type: string + address: + $ref: "#/definitions/Address" + age: + type: integer + format: int32 +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: object + properties: + name_2: + type: string + address_2: + $ref: "#/definitions/Address" + age_2: + type: integer + format: int32 + +``` diff --git a/docs/queries/openapi-queries/750f6448-27c0-49f8-a153-b81735c1e19c.md b/docs/queries/openapi-queries/750f6448-27c0-49f8-a153-b81735c1e19c.md new file mode 100644 index 00000000000..d375fda4842 --- /dev/null +++ b/docs/queries/openapi-queries/750f6448-27c0-49f8-a153-b81735c1e19c.md @@ -0,0 +1,207 @@ +--- +title: Multi 'collectionformat' Not Valid For 'in' Parameter +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 750f6448-27c0-49f8-a153-b81735c1e19c +- **Query name:** Multi 'collectionformat' Not Valid For 'in' Parameter +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/multi_collectionformat_not_valid_in_parameter) + +### Description +When 'collectionformat' is defined as 'multi', 'in' field must be 'query' or 'formData'
+[Documentation](https://swagger.io/specification/v2/#parameterObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="37 13" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "path", + "description": "max records to return", + "required": true, + "type": "array", + "items": { + "type": "integer", + "format": "int64" + }, + "collectionFormat": "multi" + } + ], + "operationId": "listVersionsV2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "path", + "description": "max records to return", + "required": true, + "type": "array", + "items": { + "type": "integer", + "format": "int64" + }, + "collectionFormat": "multi" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10 26" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit2 + in: path + description: max records to return + required: true + type: array + items: + type: integer + format: int64 + collectionFormat: multi + operationId: listVersionsV2 + summary: List API versions + responses: + '200': + description: 200 response +parameters: + limitParam: + name: limit + in: path + description: max records to return + required: true + type: array + items: + type: integer + format: int64 + collectionFormat: multi + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "query", + "description": "max records to return", + "required": true, + "type": "array", + "items": { + "type": "integer", + "format": "int64" + }, + "collectionFormat": "multi" + } + ], + "operationId": "listVersionsV2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "path", + "description": "max records to return", + "required": true, + "type": "array", + "items": { + "type": "integer", + "format": "int64" + }, + "collectionFormat": "csv" + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit2 + in: query + description: max records to return + required: true + type: array + items: + type: integer + format: int64 + collectionFormat: multi + operationId: listVersionsV2 + summary: List API versions + responses: + '200': + description: 200 response +parameters: + limitParam: + name: limit + in: path + description: max records to return + required: true + type: array + items: + type: integer + format: int64 + collectionFormat: csv + +``` diff --git a/docs/queries/openapi-queries/77276d82-4f45-4cf1-8e2b-4d345b936228.md b/docs/queries/openapi-queries/77276d82-4f45-4cf1-8e2b-4d345b936228.md new file mode 100644 index 00000000000..bee05bbc5cd --- /dev/null +++ b/docs/queries/openapi-queries/77276d82-4f45-4cf1-8e2b-4d345b936228.md 
@@ -0,0 +1,250 @@ +--- +title: Global Security Scheme Using Basic Authentication +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 77276d82-4f45-4cf1-8e2b-4d345b936228 +- **Query name:** Global Security Scheme Using Basic Authentication +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/global_security_scheme_using_basic_authentication) + +### Description +A security scheme is allowing basic authentication credentials to be transported over network
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="51" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple KICS API", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "servers": [ + { + "url": "http://kicsapi.server.com/", + "description": "API server" + } + ], + "components": { + "securitySchemes": { + "regularSecurity": { + "type": "http", + "scheme": "basic" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="30" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersions + summary: List versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +servers: + - url: http://kicsapi.server.com/ + description: API server +components: + securitySchemes: + regularSecurity: + type: http + scheme: basic + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple KICS API", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "servers": [ + { + "url": "https://kicsapi.server.com/", + "description": "API server" + } + ], + "components": { + "securitySchemes": { + "OAuth2": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "scopes": { + "write": "modify objects", + "read": "read objects" + }, + "authorizationUrl": "https://kicsapi.com/oauth/authorize", + "tokenUrl": "https://kicsapi.com/oauth/token" + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ] +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple KICS API + version: 1.0.0 +paths: + "/": + get: + operationId: listVersions + summary: List versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +servers: + - url: https://kicsapi.server.com/ + description: API server +components: + securitySchemes: + OAuth2: + type: oauth2 + flows: + authorizationCode: + scopes: + write: modify objects in your account + read: read objects in your account + authorizationUrl: https://kicsauthenticator.com/oauth/authorize + tokenUrl: https://kicsauthenticator.com/oauth/token +security: + - OAuth2: + - write + - read + +``` 
diff --git a/docs/queries/openapi-queries/773116aa-2e6d-416f-bd85-f0301cc05d76.md b/docs/queries/openapi-queries/773116aa-2e6d-416f-bd85-f0301cc05d76.md new file mode 100644 index 00000000000..7c807243c93 --- /dev/null +++ b/docs/queries/openapi-queries/773116aa-2e6d-416f-bd85-f0301cc05d76.md @@ -0,0 +1,156 @@ +--- +title: Security Definitions Allows Password Flow +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 773116aa-2e6d-416f-bd85-f0301cc05d76 +- **Query name:** Security Definitions Allows Password Flow +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/security_definitions_allows_password_flow) + +### Description +Security Definition Object should not allow 'password' Flow in OAuth2 authentication
+[Documentation](https://swagger.io/specification/v2/#securitySchemeObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="27" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "password", + "tokenUrl": "https://api.my.company.com/oauth/token" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: password + tokenUrl: https://api.my.company.com/oauth/token + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "accessCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: accessCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` diff --git a/docs/queries/openapi-queries/7a01dfbd-da62-4165-aed7-71349ad42ab4.md b/docs/queries/openapi-queries/7a01dfbd-da62-4165-aed7-71349ad42ab4.md new file mode 100644 index 00000000000..6e8e5b5ebe5 --- /dev/null +++ b/docs/queries/openapi-queries/7a01dfbd-da62-4165-aed7-71349ad42ab4.md 
@@ -0,0 +1,209 @@ +--- +title: Response JSON Reference Does Not Exists (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7a01dfbd-da62-4165-aed7-71349ad42ab4 +- **Query name:** Response JSON Reference Does Not Exists (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/json_reference_does_not_exists_response) + +### Description +Response reference should exists on components field
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "404": { + "$ref": "#/components/responses/NotRight" + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + }, + "required": [ + "code", + "message" + ] + } + } + }, + "responses": { + "NotFound": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Error" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '404': + "$ref": "#/components/responses/NotRight" +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + responses: + NotFound: + description: Resource not found + content: + application/json: + schema: + "$ref": "#/components/schemas/Error" + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "404": { + "$ref": "#/components/responses/NotFound" + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + }, + "required": [ + "code", + "message" + ] + } + } + }, + "responses": { + "NotFound": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Error" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '404': + "$ref": "#/components/responses/NotFound" +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + responses: + NotFound: + description: Resource not found + content: + application/json: + schema: + "$ref": "#/components/schemas/Error" + +``` diff --git a/docs/queries/openapi-queries/7f203940-39c4-4ea7-91ee-7aba16bca9e2.md b/docs/queries/openapi-queries/7f203940-39c4-4ea7-91ee-7aba16bca9e2.md new file mode 100644 index 00000000000..ddb4f7327ac --- /dev/null +++ b/docs/queries/openapi-queries/7f203940-39c4-4ea7-91ee-7aba16bca9e2.md 
@@ -0,0 +1,505 @@ +--- +title: Property 'allowReserved' Improperly Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7f203940-39c4-4ea7-91ee-7aba16bca9e2 +- **Query name:** Property 'allowReserved' Improperly Defined +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/property_allow_reserved_improperly_defined) + +### Description +Property 'allowReserved' should be only defined for query parameters
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="43 59" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "allowReserved": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "allowReserved": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="26 37" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + allowReserved: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + allowReserved: true + description: The user ID + schema: + type: integer + minimum: 1 + +``` +```json title="Postitive test num. 3 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "allowReserved": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of the API version + required: true + allowReserved: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "query", + "description": "ID of the API the version", + "required": true, + "allowReserved": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "query", + "name": "id", + "required": true, + "allowReserved": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + description: ID of the API version + required: true + allowReserved: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: query + name: id + required: true + allowReserved: true + description: The user ID + schema: + type: integer + minimum: 1 + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "query", + "description": "ID of the API the version", + "required": true, + "allowReserved": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: query + description: ID of the API version + required: true + allowReserved: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md b/docs/queries/openapi-queries/7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md new file mode 100644 index 00000000000..3a0f825ad61 --- /dev/null +++ b/docs/queries/openapi-queries/7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a.md @@ -0,0 +1,201 @@ +--- +title: File Parameter With Wrong Consumes Property +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7f91992f-b4c8-43bf-9bf9-fae9ecdb6e3a +- **Query name:** File Parameter With Wrong Consumes Property +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/file_parameter_with_wrong_consumes_property) + +### Description +Operations file parameters consumes must be 'multipart/form-data', 'application/x-www-form-urlencoded' or both
+[Documentation](https://swagger.io/specification/v2/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "parameters": [ + { + "name": "File", + "type": "file", + "in": "formData" + } + ], + "consumes": [ + "application/json" + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + parameters: + - name: File + type: file + in: formData + consumes: + - application/json + responses: + '200': + description: 200 response +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "parameters": [ + { + "name": "File", + "type": "file", + "in": "formData" + } + ], + "consumes": [ + "multipart/form-data" + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + parameters: + - name: File + type: file + in: formData + consumes: + - multipart/form-data + responses: + '200': + description: 200 response +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/801f0c6a-a834-4467-89c6-ddecffb46b5a.md b/docs/queries/openapi-queries/801f0c6a-a834-4467-89c6-ddecffb46b5a.md new file mode 100644 index 00000000000..0f9e7b26f6b --- /dev/null +++ b/docs/queries/openapi-queries/801f0c6a-a834-4467-89c6-ddecffb46b5a.md @@ -0,0 +1,215 @@ +--- +title: Link JSON Reference Does Not Exists +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 801f0c6a-a834-4467-89c6-ddecffb46b5a +- **Query name:** Link JSON Reference Does Not Exists +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/json_reference_does_not_exists_link) + +### Description +Link reference should exists on components field
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="26" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/MyObject" + } + } + } + }, + "links": { + "$ref": "#/components/links/APIWrongRepository" + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "links": { + "APIRepository": { + "operationId": "listVersionsv2" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="20" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/MyObject" + links: + "$ref": "#/components/links/APIWrongRepository" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + links: + APIRepository: + operationId: listVersionsv2 + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/MyObject" + } + } + } + }, + "links": { + "$ref": "#/components/links/APIRepository" + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "links": { + "APIRepository": { + "operationId": "listVersionsv2" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/MyObject" + links: + "$ref": "#/components/links/APIRepository" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + links: + APIRepository: + operationId: listVersionsv2 + +``` diff --git a/docs/queries/openapi-queries/815021c8-a50c-46d9-b192-24f71072c400.md b/docs/queries/openapi-queries/815021c8-a50c-46d9-b192-24f71072c400.md new file mode 100644 index 00000000000..6729889534f --- /dev/null +++ b/docs/queries/openapi-queries/815021c8-a50c-46d9-b192-24f71072c400.md 
@@ -0,0 +1,188 @@ +--- +title: Paths Object is Empty (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 815021c8-a50c-46d9-b192-24f71072c400 +- **Query name:** Paths Object is Empty (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/paths_object_empty) + +### Description +Paths object may be empty due to ACL constraints, meaning they are not exposed
+[Documentation](https://swagger.io/specification/#paths-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="7" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": {} +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="7" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": {} +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="5" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: {} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="5" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: {} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
diff --git a/docs/queries/openapi-queries/84c826c9-1893-4b34-8cdd-db97645b4bf3.md b/docs/queries/openapi-queries/84c826c9-1893-4b34-8cdd-db97645b4bf3.md new file mode 100644 index 00000000000..f875fe53354 --- /dev/null +++ b/docs/queries/openapi-queries/84c826c9-1893-4b34-8cdd-db97645b4bf3.md @@ -0,0 +1,215 @@ +--- +title: Path Without Operation (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 84c826c9-1893-4b34-8cdd-db97645b4bf3 +- **Query name:** Path Without Operation (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/path_without_operation) + +### Description +Path object should have at least one operation object defined
+[Documentation](https://swagger.io/specification/#path-item-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="8" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": {} + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": {} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="8" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": {} + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="6" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": {} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "servers": [ + { + "url": "https://development.gigantic-server.com/v1", + "description": "Development server" + }, + { + "url": "https://staging.gigantic-server.com/v1", + "description": "Staging server" + }, + { + "url": "https://api.gigantic-server.com/v1", + "description": "Production server" + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + servers: + - url: https://development.gigantic-server.com/v1 + description: Development server + - url: https://staging.gigantic-server.com/v1 + description: Staging server + - url: https://api.gigantic-server.com/v1 + description: Production server + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
diff --git a/docs/queries/openapi-queries/86b1fa30-9790-4980-994d-a27e0f6f27c1.md b/docs/queries/openapi-queries/86b1fa30-9790-4980-994d-a27e0f6f27c1.md new file mode 100644 index 00000000000..457744f3ba4 --- /dev/null +++ b/docs/queries/openapi-queries/86b1fa30-9790-4980-994d-a27e0f6f27c1.md @@ -0,0 +1,257 @@ +--- +title: Cleartext Credentials With Basic Authentication For Operation +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 86b1fa30-9790-4980-994d-a27e0f6f27c1 +- **Query name:** Cleartext Credentials With Basic Authentication For Operation +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/cleartext_credentials_with_basic_auth_for_operation) + +### Description +Cleartext credentials over unencrypted channel should not be accepted for the operation
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="28" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "securitySchemes": { + "regularSecurity": { + "type": "http", + "scheme": "basic" + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "servers": [ + { + "url": "http://myapi.com/", + "description": "server URL" + } + ], + "security": [ + { + "regularSecurity": [] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + securitySchemes: + regularSecurity: + type: http + scheme: basic +paths: + "/": + get: + operationId: listVersions + summary: List versions + servers: + - url: http://myapi.com/ + description: server URL + security: + - regularSecurity: [] + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "securitySchemes": { + "OAuth2": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "scopes": { + "write": "modify objects", + "read": "read objects" + }, + "authorizationUrl": "https://myapi.com/oauth/authorize", + "tokenUrl": "https://myapi.com/oauth/token" + } + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "servers": [ + { + "url": "http://myapi.com/", + "description": "server URL" + } + ], + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + securitySchemes: + OAuth2: + type: oauth2 + flows: + authorizationCode: + scopes: + write: modify objects + read: read objects + authorizationUrl: https://myapi.com/oauth/authorize + tokenUrl: https://myapi.com/oauth/token +paths: + "/": + get: + operationId: listVersions + summary: List versions + servers: + - url: http://myapi.com/ + description: server URL + security: + - OAuth2: + - write + - read + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` 
diff --git a/docs/queries/openapi-queries/86e3702f-c868-44b2-b61d-ea5316c18110.md b/docs/queries/openapi-queries/86e3702f-c868-44b2-b61d-ea5316c18110.md new file mode 100644 index 00000000000..4ad8128b6a7 --- /dev/null +++ b/docs/queries/openapi-queries/86e3702f-c868-44b2-b61d-ea5316c18110.md @@ -0,0 +1,377 @@ +--- +title: Default Response Undefined On Operations (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 86e3702f-c868-44b2-b61d-ea5316c18110 +- **Query name:** Default Response Undefined On Operations (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/default_response_undefined_operations) + +### Description +Operations responses should have a default response defined
+[Documentation](https://swagger.io/specification/#responses-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "patch": { + "operationId": "updateItem", + "summary": "Updated item", + "responses": { + "204": { + "description": "Item deleted successfully" + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="12 21" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "204": { + "description": "Item updated successfully" + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + patch: + operationId: updateItem + summary: Updated item + responses: + '204': + description: Item deleted successfully +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="16 10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + '204': + description: Item deleted successfully + patch: + operationId: updateItem + summary: Update item + responses: + '204': + description: Item updated successfully +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="12 21" +{ + "swagger": "20", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "204": { + "description": "Item updated successfully" + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="16 10" +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + patch: + operationId: updateItem + summary: Update item + responses: + "204": + description: Item updated successfully + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "204": { + "description": "Item updated successfully" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + "204": + description: Item updated successfully + default: + description: Error + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "204": { + "description": "Item updated successfully" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + patch: + operationId: updateItem + summary: Update item + responses: + "204": + description: Item updated successfully + default: + description: Error + +``` +
diff --git a/docs/queries/openapi-queries/881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md b/docs/queries/openapi-queries/881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md new file mode 100644 index 00000000000..c6fcc27dd79 --- /dev/null +++ b/docs/queries/openapi-queries/881a6e71-c2a7-4fe2-b9c3-dfcf08895331.md @@ -0,0 +1,1026 @@ +--- +title: Example Not Compliant With Schema Type (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 881a6e71-c2a7-4fe2-b9c3-dfcf08895331 +- **Query name:** Example Not Compliant With Schema Type (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/example_not_compliant_with_schema_type) + +### Description +Examples values and fields should be compliant with the schema type
+[Documentation](https://swagger.io/specification/#example-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="21" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + }, + "examples": { + "object": { + "$ref": "#/components/examples/objectExample" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "examples": { + "objectExample": { + "value": { + "id": 1, + "name": "new object" + }, + "summary": "A sample object" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: Success + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + examples: + object: + "$ref": "#/components/examples/objectExample" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + examples: + objectExample: + value: + id: 1 + name: new object + summary: A sample object + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/my_schema" + }, + "examples": { + "foo": { + "value": "this is a string" + }, + "foo_2": { + "value": true + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "my_schema": { + "type": "string" + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ] +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="20" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + $ref: "#/components/schemas/my_schema" + examples: + foo: + value: "this is a string" + foo_2: + value: true +components: + schemas: + my_schema: + type: string +security: + - exampleSecurity: [] + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="34 20" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/my_schema" + }, + "example": true + } + } + }, + "400": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "type": "integer" + } + }, + "example": [ + 1, + 2, + "3", + 4 + ] + } + } + } + } + } + } + }, + "components": { + "schemas": { + "my_schema": { + "type": "string" + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ] +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="17 26" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + "$ref": "#/components/schemas/my_schema" + example: true + "400": + description: 200 response + content: + application/json: + schema: + type: array + items: + type: integer + example: + - 1 + - 2 + - "3" + - 4 +components: + schemas: + my_schema: + type: string +security: + - exampleSecurity: [] + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "type": "string" + } + }, + "examples": { + "foo": { + "value": [ + true, + "test2", + "test3" + ] + } + } + } + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ] +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="20" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: array + items: + type: string + examples: + foo: + value: + - true + - "test2" + - "test3" +security: + - exampleSecurity: [] + +``` +
+
Postitive test num. 9 - json file + +```json hl_lines="25" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "string", + "example": 132 + } + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "string" + } + } + } +} + +``` +
+
Postitive test num. 10 - yaml file + +```yaml hl_lines="20" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: string + example: 132 + +``` +
+
Postitive test num. 11 - json file + +```json hl_lines="44" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "number", + "example": 132 + } + } + ] + } + } + }, + "definitions": { + "Tag": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + }, + "example": { + "name": "Puma", + "id": "1" + } + } + } +} + +``` +
+
Postitive test num. 12 - yaml file + +```yaml hl_lines="30" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: number + example: 132 +definitions: + Tag: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + example: + name: "Puma" + id: "1" + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + }, + "examples": { + "object": { + "$ref": "#/components/examples/objectExample" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "examples": { + "objectExample": { + "value": { + "id": "1", + "name": "new object" + }, + "summary": "A sample object" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: Success + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + examples: + object: + "$ref": "#/components/examples/objectExample" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + examples: + objectExample: + value: + id: "1" + name: new object + summary: A sample object + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/my_schema" + }, + "examples": { + "foo": { + "value": "this is a string" + }, + "foo_2": { + "value": "true" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "my_schema": { + "type": "string" + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ] +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + $ref: "#/components/schemas/my_schema" + examples: + foo: + value: "this is a string" + foo_2: + value: "true" +components: + schemas: + my_schema: + type: string +security: + - exampleSecurity: [] + +``` +
+
Negative test num. 5 - json file + +```json +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/my_schema" + }, + "example": "true" + } + } + } + } + } + } + }, + "components": { + "schemas": { + "my_schema": { + "type": "string" + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ] +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + $ref: "#/components/schemas/my_schema" + example: "true" +components: + schemas: + my_schema: + type: string +security: + - exampleSecurity: [] + +``` +
+
Negative test num. 7 - json file + +```json +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "type": "string" + } + }, + "examples": { + "foo": { + "value": [ + "true", + "test2", + "test3" + ] + } + } + } + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ] +} + +``` +
+
Negative test num. 8 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: array + items: + type: string + examples: + foo: + value: + - "true" + - "test2" + - "test3" +security: + - exampleSecurity: [] + +``` +
+
Negative test num. 9 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: number + example: 132 + +``` +
+
Negative test num. 10 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "number", + "example": 132 + } + } + ] + } + } + }, + "definitions": { + "Tag": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + }, + "example": { + "name": "Puma", + "id": 1 + } + } + } +} + +``` +
+
Negative test num. 11 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: number + example: 132 +definitions: + Tag: + type: object + properties: + id: + type: integer + format: int64 + name: + type: string + example: + name: "Puma" + id: 1 + +``` +
diff --git a/docs/queries/openapi-queries/8aee4754-970d-4c5f-8142-a49dfe388b1a.md b/docs/queries/openapi-queries/8aee4754-970d-4c5f-8142-a49dfe388b1a.md new file mode 100644 index 00000000000..feb5a893bff --- /dev/null +++ b/docs/queries/openapi-queries/8aee4754-970d-4c5f-8142-a49dfe388b1a.md @@ -0,0 +1,367 @@ +--- +title: Server Object Variable Not Used +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8aee4754-970d-4c5f-8142-a49dfe388b1a +- **Query name:** Server Object Variable Not Used +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/server_object_variable_not_used) + +### Description +Every defined Server Variable Object should be used in a Service URL.
+[Documentation](https://swagger.io/specification/#server-variable-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="38" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "server": { + "url": "https://development.{server}.com/{base}", + "variables": { + "base": { + "default": "v2" + }, + "server": { + "default": "gigant-server" + }, + "another": { + "default": "another" + } + } + } + } + } + } + }, + "operationId": "listVersionsv2" + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="35" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + }, + "type": "object" + } + } + } + } + }, + "servers": [ + { + "url": "https://development.gigant-server.com/v2", + "description": "Development server", + "variables": { + "base": { + "default": "v2" + } + } + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="30" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + server: + url: https://development.{server}.com/{base} + variables: + base: + default: v2 + server: + default: gigant-server + another: + default: another + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + servers: + - url: https://development.gigant-server.com/v2 + description: Development server + variables: + base: + default: v2 + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "server": { + "url": "https://development.{server}.com/{base}", + "variables": { + "base": { + "default": "v2" + }, + "server": { + "default": "gigant-server" + } + } + } + } + } + } + }, + "operationId": "listVersionsv2" + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + }, + "type": "object" + } + } + } + } + }, + "servers": [ + { + "url": "https://development.{server}.com/{base}", + "description": "Development server", + "variables": { + "base": { + "default": "v2" + }, + "server": { + "default": "gigant-server" + } + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + server: + url: https://development.{server}.com/{base} + variables: + base: + default: v2 + server: + default: gigant-server + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + servers: + - url: https://development.{server}.com/{base} + description: Development server + variables: + base: + default: v2 + server: + default: gigant-server + +``` +
diff --git a/docs/queries/openapi-queries/8af270ce-298b-4405-9922-82a10aee7a4f.md b/docs/queries/openapi-queries/8af270ce-298b-4405-9922-82a10aee7a4f.md new file mode 100644 index 00000000000..fe951817c03 --- /dev/null +++ b/docs/queries/openapi-queries/8af270ce-298b-4405-9922-82a10aee7a4f.md @@ -0,0 +1,285 @@ +--- +title: Global Security Field Is Undefined (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8af270ce-298b-4405-9922-82a10aee7a4f +- **Query name:** Global Security Field Is Undefined (v3) +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/global_security_field_undefined) + +### Description +Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes
+[Documentation](https://swagger.io/specification/#security-requirement-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="2" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="1" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Postitive test num. 3 - json file" hl_lines="2" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="1" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ] +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - petstore_auth: + - write:pets + - read:pets + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ] +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +security: + - petstore_auth: + - write:pets + - read:pets + +``` +
diff --git a/docs/queries/openapi-queries/8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md b/docs/queries/openapi-queries/8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md new file mode 100644 index 00000000000..3b0533e569a --- /dev/null +++ b/docs/queries/openapi-queries/8bfed1c6-2d59-4924-bc7f-9b9d793ed0df.md @@ -0,0 +1,633 @@ +--- +title: Parameter Object Content With Multiple Entries +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8bfed1c6-2d59-4924-bc7f-9b9d793ed0df +- **Query name:** Parameter Object Content With Multiple Entries +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/parameter_object_content_with_multiple_entries) + +### Description +The map content property of the parameter object should only contain one entry
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="11 78" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "parameters": [ + { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + }, + "application/xml": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example in XML", + "externalValue": "http://foo.bar/examples/user-example.xml" + } + } + } + }, + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "rel": "self", + "href": "http://127.0.0.1:8774/v2/" + } + ], + "status": "CURRENT" + } + ] + } + } + } + } + }, + "description": "200 response" + } + }, + "operationId": "listVersionsv2" + } + }, + "/user/{id}": { + "parameters": [ + { + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + }, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + }, + "application/xml": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example in XML", + "externalValue": "http://foo.bar/examples/user-example.xml" + } + } + } + }, + "name": "id", + "in": 
"path" + } + ] + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="44" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "int" + }, + "content": { + "application/xml": { + "examples": { + "user": { + "externalValue": "http://foo.bar/examples/user-example.xml", + "summary": "User Example in XML" + } + }, + "schema": { + "$ref": "#/components/schemas/User" + } + }, + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "externalValue": "http://foo.bar/examples/user-example.json", + "summary": "User Example" + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="48 10" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + "application/xml": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example in XML + externalValue: "http://foo.bar/examples/user-example.xml" + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + /user/{id}: + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + "application/xml": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example in XML + externalValue: "http://foo.bar/examples/user-example.xml" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: true + schema: + type: int + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + "application/xml": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example in XML + externalValue: "http://foo.bar/examples/user-example.xml" + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "parameters": [ + { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + } + }, + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "rel": "self", + "href": "http://127.0.0.1:8774/v2/" + } + ], + "status": "CURRENT" + } + ] + } + } + } + } + }, + "description": "200 response" + } + }, + "operationId": "listVersionsv2" + } + }, + "/user/{id}": { + "parameters": [ + { + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + }, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + } + }, + "name": "id", + "in": "path" + } + ] + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "int" + }, + "content": { + "application/xml": { + "examples": { + "user": { + "externalValue": "http://foo.bar/examples/user-example.xml", + "summary": "User Example in XML" + } + }, + "schema": { + "$ref": "#/components/schemas/User" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + /user/{id}: + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: true + schema: + type: int + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + +``` +
diff --git a/docs/queries/openapi-queries/8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md b/docs/queries/openapi-queries/8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md new file mode 100644 index 00000000000..c93649c85cb --- /dev/null +++ b/docs/queries/openapi-queries/8c81d6c0-716b-49ec-afa5-2d62da4e3f3c.md @@ -0,0 +1,803 @@ +--- +title: String Schema with Broad Pattern (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8c81d6c0-716b-49ec-afa5-2d62da4e3f3c +- **Query name:** String Schema with Broad Pattern (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/string_schema_with_broad_pattern) + +### Description +String schema should restrict the pattern
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="61" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": "15", + "format": "int32", + "pattern": ".*" + }, + "message": { + "type": "string", + "maxLength": "15", + "pattern": "^[0-9a-z]{15}$" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="30" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": "15", + "format": "int32", + "pattern": ".*" + }, + "message": { + "type": "string", + "maxLength": "15", + "pattern": "^[0-9a-z]{15}$" + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="37" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + pattern: .* + message: + type: string + maxLength: 15 + pattern: ^[0-9a-z]{15}$ + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + examples: + tshirt: + $ref: "#/components/examples/tshirt" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + pattern: .* + message: + type: string + maxLength: 15 + pattern: ^[0-9a-z]{15}$ + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="26" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + maxLength: 15 + pattern: .* + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="30" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string", + "maxLength": 15, + "pattern": ".*" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": "15", + "format": "int32", + "pattern": "^[0-9a-z]{15}$" + }, + "message": { + "type": "string", + "maxLength": "15", + "pattern": "^[0-9a-z]{15}$" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": "15", + "format": "int32", + "pattern": "^[0-9a-z]{15}$" + }, + "message": { + "type": "string", + "maxLength": "15", + "pattern": "^[0-9a-z]{15}$" + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + pattern: ^[0-9a-z]{15}$ + message: + type: string + maxLength: 15 + pattern: ^[0-9a-z]{15}$ + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + examples: + tshirt: + $ref: "#/components/examples/tshirt" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + pattern: ^[0-9a-z]{15}$ + message: + type: string + maxLength: 15 + pattern: ^[0-9a-z]{15}$ + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + maxLength: 15 + pattern: ^[0-9a-z]{15}$ + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 6 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string", + "maxLength": 15, + "pattern": "^[0-9a-z]{15}$" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md b/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md new file mode 100644 index 00000000000..e65409ad820 --- /dev/null +++ b/docs/queries/openapi-queries/8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85.md @@ -0,0 +1,712 @@ +--- +title: Maximum Length Undefined (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85 +- **Query name:** Maximum Length Undefined (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/maximum_length_undefined) + +### Description +String schema should have 'maxLength' defined.
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58 62" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="27 31" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="34 37" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="25 22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="27 23" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="19 22" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "maxLength": 15, + "format": "int32" + }, + "message": { + "type": "string", + "maxLength": 15 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32", + "maxLength": 15 + }, + "message": { + "type": "string", + "maxLength": 15 + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + maxLength: 15 + format: int32 + message: + type: string + maxLength: 15 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + maxLength: 15 + message: + type: string + maxLength: 15 + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + maxLength: 15 + message: + type: string + maxLength: 15 + required: + - petType + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32", + "maxLength": 15 + }, + "message": { + "type": "string", + "maxLength": 15 + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + maxLength: 15 + message: + type: string + maxLength: 15 + required: + - petType + +``` +
diff --git a/docs/queries/openapi-queries/8c84f75e-5048-4926-a4cb-33e7b3431300.md b/docs/queries/openapi-queries/8c84f75e-5048-4926-a4cb-33e7b3431300.md new file mode 100644 index 00000000000..7b10d27193b --- /dev/null +++ b/docs/queries/openapi-queries/8c84f75e-5048-4926-a4cb-33e7b3431300.md @@ -0,0 +1,679 @@ +--- +title: Header Parameter Named as 'Authorization' (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8c84f75e-5048-4926-a4cb-33e7b3431300 +- **Query name:** Header Parameter Named as 'Authorization' (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/header_parameter_named_as_authorization) + +### Description +The header Parameter should not be named as 'Authorization'. If so, it will be ignored.
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58 43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "header", + "name": "Authorization", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="26 36" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: header + name: Authorization + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Postitive test num. 3 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API the version", + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="11 38" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "required": true, + "type": "array", + "items": { + "type": "string" + } + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "type": "array", + "items": { + "type": "string" + }, + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "required": true + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="14 23" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + type: array + items: + type: string +parameters: + limitParam: + name: Authorization + in: header + description: ID of the API version + required: true + type: array + items: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "query", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "header", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: header + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "header", + "description": "ID of the API the version", + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: header + description: ID of the API version + required: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "name": "id", + "in": "header", + "description": "ID of the API version", + "required": true, + "type": "array", + "items": { + "type": "string" + } + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "type": "array", + "items": { + "type": "string" + }, + "name": "id2", + "in": "header", + "description": "ID of the API version", + "required": true + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: id + in: header + description: ID of the API version + required: true + type: array + items: + type: string +parameters: + limitParam: + name: id2 + in: header + description: ID of the API version + required: true + type: array + items: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/8d0921d6-4131-461f-a253-99e873f8f77e.md b/docs/queries/openapi-queries/8d0921d6-4131-461f-a253-99e873f8f77e.md new file mode 100644 index 00000000000..78892a4a6be --- /dev/null +++ b/docs/queries/openapi-queries/8d0921d6-4131-461f-a253-99e873f8f77e.md @@ -0,0 +1,349 @@ +--- +title: Server URL Uses Undefined Variables +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8d0921d6-4131-461f-a253-99e873f8f77e +- **Query name:** Server URL Uses Undefined Variables +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/server_url_uses_undefined_variables) + +### Description +Any variable used in the Service URL should be defined in the Service Object through 'variables'.
+[Documentation](https://swagger.io/specification/#server-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="30" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "server": { + "url": "https://development.{server}.com/{base}" + } + } + } + } + }, + "operationId": "listVersionsv2" + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="32" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + }, + "type": "object" + } + } + } + } + }, + "servers": [ + { + "url": "https://development.{server}.com/{base}", + "description": "Development server", + "variables": { + "base": { + "default": "v2" + } + } + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="24" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + server: + url: https://development.{server}.com/{base} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + servers: + - url: https://development.{server}.com/{base} + description: Development server + variables: + base: + default: v2 + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "server": { + "url": "https://development.{server}.com/{base}", + "variables": { + "base": { + "default": "v2" + }, + "server": { + "default": "gigant-server" + } + } + } + } + } + } + }, + "operationId": "listVersionsv2" + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + }, + "type": "object" + } + } + } + } + }, + "servers": [ + { + "url": "https://development.{server}.com/{base}", + "description": "Development server", + "variables": { + "base": { + "default": "v2" + }, + "server": { + "default": "gigant-server" + } + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + server: + url: https://development.{server}.com/{base} + variables: + base: + default: v2 + server: + default: gigant-server + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + servers: + - url: https://development.{server}.com/{base} + description: Development server + variables: + base: + default: v2 + server: + default: gigant-server + +``` +
diff --git a/docs/queries/openapi-queries/8db5544e-4874-4baa-9322-e9f75a2d219e.md b/docs/queries/openapi-queries/8db5544e-4874-4baa-9322-e9f75a2d219e.md new file mode 100644 index 00000000000..8aa0a2bc067 --- /dev/null +++ b/docs/queries/openapi-queries/8db5544e-4874-4baa-9322-e9f75a2d219e.md @@ -0,0 +1,361 @@ +--- +title: Field 'securityScheme' On Components Is Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8db5544e-4874-4baa-9322-e9f75a2d219e +- **Query name:** Field 'securityScheme' On Components Is Undefined +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/security_scheme_undefined) + +### Description +Components' securityScheme field must have a valid scheme
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="2" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": {} +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="44" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": {} + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="1" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: {} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: {} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ], + "components": { + "securitySchemes": { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- exampleSecurity: [] +components: + securitySchemes: + exampleSecurity: + type: http + scheme: basic + +``` diff --git a/docs/queries/openapi-queries/8fe1846f-52cc-4413-ace9-1933d7d23672.md b/docs/queries/openapi-queries/8fe1846f-52cc-4413-ace9-1933d7d23672.md new file mode 100644 index 00000000000..9e8d7d67cb3 --- /dev/null +++ b/docs/queries/openapi-queries/8fe1846f-52cc-4413-ace9-1933d7d23672.md 
@@ -0,0 +1,771 @@ +--- +title: Parameter Object Without Schema +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8fe1846f-52cc-4413-ace9-1933d7d23672 +- **Query name:** Parameter Object Without Schema +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/parameter_object_without_schema) + +### Description +The Parameter Object should have the attribute 'schema' defined
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="64 11" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "parameters": [ + { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + } + }, + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "rel": "self", + "href": "http://127.0.0.1:8774/v2/" + } + ], + "status": "CURRENT" + } + ] + } + } + } + } + }, + "description": "200 response" + } + }, + "operationId": "listVersionsv2" + } + }, + "/user/": { + "parameters": [ + { + "description": "ID of the API version", + "required": true, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + } + }, + "name": "id", + "in": "path" + } + ] + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="44" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "content": { + "application/xml": { + "examples": { + "user": { + "externalValue": "http://foo.bar/examples/user-example.xml", + "summary": "User Example in XML" + } + }, + "schema": { + "$ref": "#/components/schemas/User" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="10 39" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + parameters: + - name: id + in: path + description: ID of the API version + required: true + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + /user/: + parameters: + - name: id + in: path + description: ID of the API version + required: true + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: true + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "parameters": [ + { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + } + }, + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "rel": "self", + "href": "http://127.0.0.1:8774/v2/" + } + ], + "status": "CURRENT" + } + ] + } + } + } + } + }, + "description": "200 response" + } + }, + "operationId": "listVersionsv2" + } + }, + "/user/{id}": { + "parameters": [ + { + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + }, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + } + }, + "name": "id", + "in": "path" + } + ] + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "int" + }, + "content": { + "application/xml": { + "examples": { + "user": { + "externalValue": "http://foo.bar/examples/user-example.xml", + "summary": "User Example in XML" + } + }, + "schema": { + "$ref": "#/components/schemas/User" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "parameters": [ + { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + } + }, + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + } + }, + { + "$ref": "#/components/parameters/idParam" + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "rel": "self", + "href": "http://127.0.0.1:8774/v2/" + } + ], + "status": "CURRENT" + } + ] + } + } + } + } + }, + "description": "200 response" + } + }, + "operationId": "listVersionsv2" + } + }, + "/user/{id}": { + "parameters": [ + { + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + }, + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/User" + }, + "examples": { + "user": { + "summary": "User Example", + "externalValue": "http://foo.bar/examples/user-example.json" + } + } + } + }, + "name": "id", + "in": "path" + } + ] + } + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "int" + }, + "content": { + "application/xml": { + "examples": { + "user": { + "externalValue": "http://foo.bar/examples/user-example.xml", + "summary": "User Example in XML" + } + }, + "schema": { + "$ref": "#/components/schemas/User" + } + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + /user/{id}: + parameters: + - name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + +``` +
+
Negative test num. 5 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: true + schema: + type: int + content: + "application/json": + schema: + $ref: "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: "http://foo.bar/examples/user-example.json" + +``` +
+
Negative test num. 6 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + summary: List API versions + parameters: + - content: + application/json: + schema: + "$ref": "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: http://foo.bar/examples/user-example.json + name: id + in: path + description: ID of the API version + required: true + schema: + type: integer + - "$ref": "#/components/parameters/idParam" + responses: + '200': + content: + application/json: + examples: + foo: + value: + versions: + - updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - rel: self + href: http://127.0.0.1:8774/v2/ + status: CURRENT + description: 200 response + operationId: listVersionsv2 + "/user/{id}": + parameters: + - description: ID of the API version + required: true + schema: + type: integer + content: + application/json: + schema: + "$ref": "#/components/schemas/User" + examples: + user: + summary: User Example + externalValue: http://foo.bar/examples/user-example.json + name: id + in: path +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: true + schema: + type: int + content: + application/xml: + examples: + user: + externalValue: http://foo.bar/examples/user-example.xml + summary: User Example in XML + schema: + "$ref": "#/components/schemas/User" + +``` +
diff --git a/docs/queries/openapi-queries/9239c289-9e4c-4d92-8be1-9d506057c971.md b/docs/queries/openapi-queries/9239c289-9e4c-4d92-8be1-9d506057c971.md new file mode 100644 index 00000000000..b5920fd9e39 --- /dev/null +++ b/docs/queries/openapi-queries/9239c289-9e4c-4d92-8be1-9d506057c971.md @@ -0,0 +1,289 @@ +--- +title: Invalid License URL (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9239c289-9e4c-4d92-8be1-9d506057c971 +- **Query name:** Invalid License URL (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/invalid_license_url) + +### Description +License Object URL should be a valid URL
+[Documentation](https://swagger.io/specification/#license-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="8" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "license": { + "name": "Apache 2.0", + "url": "https://www.apache.org/licenses/ LICENSE-2.0.html" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + license: + name: "Apache 2.0" + url: "https://www.apache.org/licenses/ LICENSE-2.0.html" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Postitive test num. 3 - json file" hl_lines="8" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "license": { + "name": "Apache 2.0", + "url": "https://www.apache.org/licenses/ LICENSE-2.0.html" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="7" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + license: + name: "Apache 2.0" + url: "https://www.apache.org/licenses/ LICENSE-2.0.html" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "license": { + "name": "Apache 2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0.html" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + license: + name: "Apache 2.0" + url: "https://www.apache.org/licenses/LICENSE-2.0.html" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "license": { + "name": "Apache 2.0", + "url": "https://www.apache.org/licenses/LICENSE-2.0.html" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + license: + name: "Apache 2.0" + url: "https://www.apache.org/licenses/LICENSE-2.0.html" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
diff --git a/docs/queries/openapi-queries/962fa01e-b791-4dcc-b04a-4a3e7389be5e.md b/docs/queries/openapi-queries/962fa01e-b791-4dcc-b04a-4a3e7389be5e.md new file mode 100644 index 00000000000..31f2d33c53d --- /dev/null +++ b/docs/queries/openapi-queries/962fa01e-b791-4dcc-b04a-4a3e7389be5e.md @@ -0,0 +1,175 @@ +--- +title: Components Schema Definition Is Unused +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 962fa01e-b791-4dcc-b04a-4a3e7389be5e +- **Query name:** Components Schema Definition Is Unused +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/components_schema_definition_unused) + +### Description +Components schemas definitions should be referenced or removed from Open API definition
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="33" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "MyObject2": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + MyObject2: + type: object + properties: + id: + type: string + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/9670f240-7b4d-4955-bd93-edaa9fa38b58.md b/docs/queries/openapi-queries/9670f240-7b4d-4955-bd93-edaa9fa38b58.md new file mode 100644 index 00000000000..894d2ac016b --- /dev/null +++ b/docs/queries/openapi-queries/9670f240-7b4d-4955-bd93-edaa9fa38b58.md @@ -0,0 +1,221 @@ +--- +title: Path Server Object Uses HTTP (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9670f240-7b4d-4955-bd93-edaa9fa38b58 +- **Query name:** Path Server Object Uses HTTP (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/path_server_uses_http) + +### Description +The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection
+[Documentation](https://swagger.io/specification/#server-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="18" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "servers": [ + { + "url": "https://development.gigantic-server.com/v1", + "description": "Development server" + }, + { + "url": "http://staging.gigantic-server.com/v1", + "description": "Staging server" + }, + { + "url": "https://api.gigantic-server.com/v1", + "description": "Production server" + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + servers: + - url: https://development.gigantic-server.com/v1 + description: Development server + - url: https://staging.gigantic-server.com/v1 + description: Staging server + - url: http://api.gigantic-server.com/v1 + description: Production server + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "servers": [ + { + "url": "https://development.gigantic-server.com/v1", + "description": "Development server" + }, + { + "url": "https://staging.gigantic-server.com/v1", + "description": "Staging server" + }, + { + "url": "https://api.gigantic-server.com/v1", + "description": "Production server" + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + servers: + - url: https://development.gigantic-server.com/v1 + description: Development server + - url: https://staging.gigantic-server.com/v1 + description: Staging server + - url: https://api.gigantic-server.com/v1 + description: Production server + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` diff --git a/docs/queries/openapi-queries/96729c6b-7400-4d9e-9807-17f00cdde4d2.md b/docs/queries/openapi-queries/96729c6b-7400-4d9e-9807-17f00cdde4d2.md new file mode 100644 index 00000000000..f5078518d37 --- /dev/null +++ b/docs/queries/openapi-queries/96729c6b-7400-4d9e-9807-17f00cdde4d2.md 
@@ -0,0 +1,558 @@ +--- +title: No Global And Operation Security Defined (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 96729c6b-7400-4d9e-9807-17f00cdde4d2 +- **Query name:** No Global And Operation Security Defined (v3) +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/no_global_and_operation_security_defined) + +### Description +All paths should have security scheme, if it is omitted, global security field should be defined
+[Documentation](https://swagger.io/specification/#security-requirement-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="9" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="46" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "exampleSecurity": [] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "patch": { + "operationId": "validateVersionsPathv2", + "summary": "Validate operation", + "responses": { + "204": { + "description": "204 response" + } + } + } + } + }, + "components": { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="7" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="27" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - exampleSecurity: [] + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + patch: + operationId: validateVersionsPathv2 + summary: Validate operation + responses: + '204': + description: 204 response +components: + exampleSecurity: + type: http + scheme: basic + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="7" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + $ref: "#/definitions/User" + +``` +
+
Postitive test num. 6 - json file + +```json hl_lines="9" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "$ref": "#/definitions/User" + } + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security":[ + { + "exampleSecurity": [] + } + ], + "components": { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "exampleSecurity": [] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- exampleSecurity: [] +components: + exampleSecurity: + type: http + scheme: basic + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - exampleSecurity: [] + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + exampleSecurity: + type: http + scheme: basic + +``` +
+
Negative test num. 5 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + $ref: "#/definitions/User" +security: + - exampleSecurity: [] + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - exampleSecurity: [] + responses: + "200": + description: 200 response + schema: + $ref: "#/definitions/User" + +``` +
+
Negative test num. 7 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "$ref": "#/definitions/User" + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ] +} + +``` +
+
Negative test num. 8 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "exampleSecurity": [] + } + ], + "responses": { + "200": { + "description": "200 response", + "schema": { + "$ref": "#/definitions/User" + } + } + } + } + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/96beb800-566f-49a9-a0ea-dbdf4bc80429.md b/docs/queries/openapi-queries/96beb800-566f-49a9-a0ea-dbdf4bc80429.md new file mode 100644 index 00000000000..a35501133f1 --- /dev/null +++ b/docs/queries/openapi-queries/96beb800-566f-49a9-a0ea-dbdf4bc80429.md @@ -0,0 +1,327 @@ +--- +title: JSON '$ref' alongside other properties (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 96beb800-566f-49a9-a0ea-dbdf4bc80429 +- **Query name:** JSON '$ref' alongside other properties (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/json_ref_alongside_properties) + +### Description +Each field on Open API specification which accepts '$ref', infers that field is using a reference object, which has only '$ref' key
+[Documentation](https://swagger.io/specification/#reference-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="17" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "integer", + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: integer + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + +``` +```json title="Postitive test num. 3 - json file" hl_lines="13" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "$ref": "#/definitions/User", + "description": "schema" + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + }, + "definitions": { + "User": { + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "required": [ + "id", + "name" + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="13" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + $ref: "#/definitions/User" + description: schema +definitions: + User: + properties: + id: + type: integer + name: + type: string + required: + - id + - name + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + }, + "definitions": { + "User": { + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string" + } + }, + "required": [ + "id", + "name" + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + $ref: "#/definitions/User" +definitions: + User: + properties: + id: + type: integer + name: + type: string + required: + - id + - name + +``` +
diff --git a/docs/queries/openapi-queries/98295b32-ec09-4b5b-89a9-39853197f914.md b/docs/queries/openapi-queries/98295b32-ec09-4b5b-89a9-39853197f914.md new file mode 100644 index 00000000000..67b722ce9b5 --- /dev/null +++ b/docs/queries/openapi-queries/98295b32-ec09-4b5b-89a9-39853197f914.md @@ -0,0 +1,228 @@ +--- +title: Schema JSON Reference Does Not Exists (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 98295b32-ec09-4b5b-89a9-39853197f914 +- **Query name:** Schema JSON Reference Does Not Exists (v2) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/json_reference_does_not_exists_schema) + +### Description +Schema reference should exists on definitions field
+[Documentation](https://swagger.io/specification/v2/#definitionsObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="15" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "$ref": "#/definitions/Use" + } + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +--- +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + "$ref": "#/definitions/Use" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/990eaf09-d6f1-4c3c-b174-a517b1de8917.md b/docs/queries/openapi-queries/990eaf09-d6f1-4c3c-b174-a517b1de8917.md new file mode 100644 index 00000000000..1199bb13dcf --- /dev/null +++ b/docs/queries/openapi-queries/990eaf09-d6f1-4c3c-b174-a517b1de8917.md 
@@ -0,0 +1,372 @@ +--- +title: Responses Object Is Empty (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 990eaf09-d6f1-4c3c-b174-a517b1de8917 +- **Query name:** Responses Object Is Empty (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/responses_object_is_empty) + +### Description +Responses Object should not be empty
+[Documentation](https://swagger.io/specification/#responses-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": {} + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="21" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "components": { + "responses": {} + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="14" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +components: + responses: + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="12" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": {} + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="10" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "3xx": { + "description": "[300-399] response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "components": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "3xx": + description: "[300-399] response" + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
diff --git a/docs/queries/openapi-queries/9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md b/docs/queries/openapi-queries/9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md new file mode 100644 index 00000000000..ec1f182d80b --- /dev/null +++ b/docs/queries/openapi-queries/9aa6e95c-d964-4239-a3a8-9f37a3c5a31f.md @@ -0,0 +1,169 @@ +--- +title: Undefined Scope 'securityDefinition' On Global 'security' Field +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9aa6e95c-d964-4239-a3a8-9f37a3c5a31f +- **Query name:** Undefined Scope 'securityDefinition' On Global 'security' Field +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/undefined_security_scope_global_security) + +### Description +Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker
+[Documentation](https://swagger.io/specification/v2/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="23" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + /: + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: Success +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: authorizationCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis +security: + oAuth2AuthCodeNeg2: + - read:api + - error:api + +``` +```json title="Postitive test num. 2 - json file" hl_lines="33" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "authorizationCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis" + } + } + }, + "security": { + "oAuth2AuthCodeNeg2": [ + "read:api", + "error:api" + ] + } +} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 
1 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + /: + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: Success +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: authorizationCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + read:api: read your apis +security: + oAuth2AuthCodeNeg2: + - read:api + +``` +```json title="Negative test num. 2 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "authorizationCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "read:api": "read your apis" + } + } + }, + "security": { + "oAuth2AuthCodeNeg2": [ + "read:api" + ] + } +} + +``` diff --git a/docs/queries/openapi-queries/9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md b/docs/queries/openapi-queries/9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md new file mode 100644 index 00000000000..faea2be0683 --- /dev/null +++ b/docs/queries/openapi-queries/9c238c97-1991-4c0b-9c7d-6c7912e1dc7c.md 
@@ -0,0 +1,408 @@ +--- +title: Cleartext API Key In Global Security (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9c238c97-1991-4c0b-9c7d-6c7912e1dc7c +- **Query name:** Cleartext API Key In Global Security (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/cleartext_api_key_in_global_security) + +### Description +API Keys should not be sent as cleartext over an unencrypted channel
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="45 46 47" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "apiKey2": [], + "apiKey3": [], + "apiKey1": [] + } + ], + "components": { + "securitySchemes": { + "apiKey1": { + "type": "apiKey", + "name": "X-API-Key", + "in": "header" + }, + "apiKey2": { + "type": "apiKey", + "name": "X-API-Key", + "in": "cookie" + }, + "apiKey3": { + "name": "X-API-Key", + "in": "query", + "type": "apiKey" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 27 28" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - apiKey1: [] + apiKey2: [] + apiKey3: [] +components: + securitySchemes: + apiKey1: + type: apiKey + name: X-API-Key + in: header + apiKey2: + type: apiKey + name: X-API-Key + in: cookie + apiKey3: + type: apiKey + name: X-API-Key + in: query + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="22 23" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "security": [ + { + "apiKey3": [], + "apiKey1": [] + } + ], + "securityDefinitions": { + "apiKey1": { + "type": "apiKey", + "name": "X-API-Key", + "in": "header" + }, + "apiKey3": { + "type": "apiKey", + "name": "X-API-Key", + "in": "query" + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="14 15" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +security: + - apiKey1: [] + apiKey3: [] +securityDefinitions: + apiKey1: + type: apiKey + name: X-API-Key + in: header + apiKey3: + type: apiKey + name: X-API-Key + in: query + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "OAuth2": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://example.com/oauth/authorize", + "tokenUrl": "https://example.com/oauth/token", + "scopes": { + "write": "modify objects in your account", + "read": "read objects in your account" + } + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ] +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + OAuth2: + type: oauth2 + flows: + authorizationCode: + scopes: + write: modify objects in your account + read: read objects in your account + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token +security: + - OAuth2: + - write + - read + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "securityDefinitions": { + "OAuth2": { + "type": "oauth2", + "flow": "accessCode", + "authorizationUrl": "https://example.com/oauth/authorize", + "tokenUrl": "https://example.com/oauth/token", + "scopes": { + "read": "Grants read access", + "write": "Grants write access" + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + OAuth2: + type: oauth2 + flow: accessCode + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token + scopes: + read: Grants read access + write: Grants write access +security: + - OAuth2: + - write + - read + +``` +
diff --git a/docs/queries/openapi-queries/9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md b/docs/queries/openapi-queries/9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md new file mode 100644 index 00000000000..1349b56abaf --- /dev/null +++ b/docs/queries/openapi-queries/9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae.md @@ -0,0 +1,227 @@ +--- +title: Components Response Definition Is Unused +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9c3ea128-7e9a-4b4c-8a32-75ad17a2d3ae +- **Query name:** Components Response Definition Is Unused +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/components_response_definition_unused) + +### Description +Components responses definitions should be referenced or removed from Open API definition
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="50" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + }, + "required": [ + "code", + "message" + ] + } + }, + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "responses": { + "NotFound": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Error" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + MyObject: + type: object + properties: + id: + type: string + name: + type: string + responses: + NotFound: + description: Resource not found + content: + application/json: + schema: + "$ref": "#/components/schemas/Error" + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "404": { + "$ref": "#/components/responses/NotFound" + } + } + } + } + }, + "components": { + "schemas": { + "Error": { + "type": "object", + "properties": { + "code": { + "type": "string" + }, + "message": { + "type": "string" + }, + "required": [ + "code", + "message" + ] + } + } + }, + "responses": { + "NotFound": { + "description": "Resource not found", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Error" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '404': + "$ref": "#/components/responses/NotFound" +components: + schemas: + Error: + type: object + properties: + code: + type: string + message: + type: string + required: + - code + - message + responses: + NotFound: + description: Resource not found + content: + application/json: + schema: + "$ref": "#/components/schemas/Error" + +``` diff --git a/docs/queries/openapi-queries/9d967a2b-9d64-41a6-abea-dfc4960299bd.md b/docs/queries/openapi-queries/9d967a2b-9d64-41a6-abea-dfc4960299bd.md new file mode 100644 index 00000000000..ea26ddc78c2 --- /dev/null +++ b/docs/queries/openapi-queries/9d967a2b-9d64-41a6-abea-dfc4960299bd.md 
@@ -0,0 +1,659 @@ +--- +title: JSON Object Schema Without Properties (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9d967a2b-9d64-41a6-abea-dfc4960299bd +- **Query name:** JSON Object Schema Without Properties (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/json_object_schema_without_properties) + +### Description +Schema of the JSON object should have properties defined and 'additionalProperties' set to false.
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="67" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="16" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "discriminator": { + "propertyName": "petType" + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="40" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="16" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + $ref: "#/components/schemas/GeneralError" + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + required: + - petType + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="16" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "$ref": "#/definitions/GeneralError" + } + } + } + } + } + }, + "definitions": { + "GeneralError": { + "type": "object", + "discriminator": "petType", + "required": [ + "petType" + ] + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + $ref: "#/definitions/GeneralError" +definitions: + GeneralError: + type: object + discriminator: petType + required: + - petType + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + $ref: "#/components/schemas/GeneralError" + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "$ref": "#/definitions/GeneralError" + } + } + } + } + } + }, + "definitions": { + "GeneralError": { + "type": "object", + "discriminator": "petType", + "required": [ + "petType" + ], + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + $ref: "#/definitions/GeneralError" +definitions: + GeneralError: + type: object + discriminator: petType + required: + - petType + properties: + code: + type: string + format: int32 + message: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/9f88c88d-824d-4d9a-b985-e22977046042.md b/docs/queries/openapi-queries/9f88c88d-824d-4d9a-b985-e22977046042.md new file mode 100644 index 00000000000..f04c1fdf5d0 --- /dev/null +++ b/docs/queries/openapi-queries/9f88c88d-824d-4d9a-b985-e22977046042.md @@ -0,0 +1,412 @@ +--- +title: Additional Properties Too Permissive +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9f88c88d-824d-4d9a-b985-e22977046042 +- **Query name:** Additional Properties Too Permissive +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/additional_properties_too_permissive) + +### Description +Objects should not accept 'additionalProperties' if it is possible
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "true" + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "oneOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "true" + }, + { + "type": "string", + "additionalProperties": "false" + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'true' +components: + schemas: + MyObject: + oneOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'true' + - type: string + additionalProperties: 'false' + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="34" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "false" + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "oneOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "true" + }, + { + "type": "string", + "additionalProperties": "true" + } + ] + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="23" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'false' +components: + schemas: + MyObject: + oneOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'true' + - type: string + additionalProperties: 'true' + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="14" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "oneOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "true" + }, + { + "type": "string", + "additionalProperties": "false" + } + ] + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="12" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + type: object + properties: + id: + type: string + name: + type: string +components: + schemas: + MyObject: + oneOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'true' + - type: string + additionalProperties: 'false' + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "false" + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "oneOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "true" + }, + { + "type": "string", + "additionalProperties": "false" + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'false' +components: + schemas: + MyObject: + oneOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'true' + - type: string + additionalProperties: 'false' + +``` diff --git a/docs/queries/openapi-queries/a0bf7382-5d5a-4224-924c-3db8466026c9.md b/docs/queries/openapi-queries/a0bf7382-5d5a-4224-924c-3db8466026c9.md new file mode 100644 index 00000000000..fa08bec2246 --- /dev/null +++ b/docs/queries/openapi-queries/a0bf7382-5d5a-4224-924c-3db8466026c9.md 
@@ -0,0 +1,315 @@ +--- +title: Server URL Not Absolute +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a0bf7382-5d5a-4224-924c-3db8466026c9 +- **Query name:** Server URL Not Absolute +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/server_url_not_absolute) + +### Description +The Server URL should be an absolute URL
+[Documentation](https://swagger.io/specification/#server-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="30" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "server": { + "url": "/development.gigantic-server.com/v1" + } + } + } + } + }, + "operationId": "listVersionsv2" + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="32" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + }, + "type": "object" + } + } + } + } + }, + "servers": [ + { + "url": "/development.gigantic-server.com/v1", + "description": "Development server" + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="24" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + server: + url: /development.gigantic-server.com/v1 + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + servers: + - url: /development.gigantic-server.com/v1 + description: Development server + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "server": { + "url": "https://development.gigantic-server.com/v1" + } + } + } + } + }, + "operationId": "listVersionsv2" + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + }, + "type": "object" + } + } + } + } + }, + "servers": [ + { + "url": "https://development.gigantic-server.com/v1", + "description": "Development server" + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + links: + address: + server: + url: https://development.gigantic-server.com/v1 + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: # the unique user id + type: string + format: uuid + servers: + - url: https://development.gigantic-server.com/v1 + description: Development server + +``` +
diff --git a/docs/queries/openapi-queries/a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md b/docs/queries/openapi-queries/a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md new file mode 100644 index 00000000000..beda970c309 --- /dev/null +++ b/docs/queries/openapi-queries/a19c3bbd-c056-40d7-9e1c-eeb0634e320d.md @@ -0,0 +1,342 @@ +--- +title: Additional Properties Too Restrictive +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a19c3bbd-c056-40d7-9e1c-eeb0634e320d +- **Query name:** Additional Properties Too Restrictive +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/additional_properties_too_restrective) + +### Description +Objects should accept 'additionalProperties' if it is allOf or an object with anyOf or oneOf
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="41" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "allOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "true" + }, + { + "type": "string" + } + ] + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "oneOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "false" + }, + { + "type": "string", + "additionalProperties": "false" + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + allOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'true' + - type: string +components: + schemas: + MyObject: + oneOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'false' + - type: string + additionalProperties: 'false' + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="15" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "allOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "false" + }, + { + "type": "string" + } + ] + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "oneOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "true" + }, + { + "type": "string", + "additionalProperties": "false" + } + ] + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="13" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + allOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'false' + - type: string +components: + schemas: + MyObject: + oneOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'true' + - type: string + additionalProperties: 'false' + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "schema": { + "allOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "true" + }, + { + "type": "string" + } + ] + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "oneOf": [ + { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "additionalProperties": "true" + }, + { + "type": "string", + "additionalProperties": "false" + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + schema: + allOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'true' + - type: string +components: + schemas: + MyObject: + oneOf: + - type: object + properties: + id: + type: string + name: + type: string + additionalProperties: 'true' + - type: string + additionalProperties: 'false' + +``` diff --git a/docs/queries/openapi-queries/a4247b11-890b-45df-bf42-350a7a3af9be.md b/docs/queries/openapi-queries/a4247b11-890b-45df-bf42-350a7a3af9be.md new file mode 100644 index 00000000000..87e20b490dc --- /dev/null +++ b/docs/queries/openapi-queries/a4247b11-890b-45df-bf42-350a7a3af9be.md 
@@ -0,0 +1,248 @@ +--- +title: Security Scheme Using HTTP Digest +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a4247b11-890b-45df-bf42-350a7a3af9be +- **Query name:** Security Scheme Using HTTP Digest +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/security_scheme_using_http_digest) + +### Description +Security Scheme HTTP should not be using digest authentication
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="57" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "http", + "scheme": "digest" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: http + scheme: digest + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://example.com/api/oauth/dialog", + "tokenUrl": "https://example.com/api/oauth/token", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + authorizationCode: + authorizationUrl: https://example.com/api/oauth/dialog + tokenUrl: https://example.com/api/oauth/token + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` 
diff --git a/docs/queries/openapi-queries/a46928f1-43d7-4671-94e0-2dd99746f389.md b/docs/queries/openapi-queries/a46928f1-43d7-4671-94e0-2dd99746f389.md
new file mode 100644
index 00000000000..19f94355050
--- /dev/null
+++ b/docs/queries/openapi-queries/a46928f1-43d7-4671-94e0-2dd99746f389.md
@@ -0,0 +1,119 @@
+---
+title: Schemes Uses HTTP
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a46928f1-43d7-4671-94e0-2dd99746f389
+- **Query name:** Schemes Uses HTTP
+- **Platform:** OpenAPI
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/schemes_uses_http copy)
+
+### Description
+Schemes should use 'https' protocol instead of 'http'. Scheme using 'http' allows for clear text credentials
+[Documentation](https://swagger.io/specification/v2/#swaggerObject)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```json title="Postitive test num. 1 - json file" hl_lines="13"
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Simple API overview",
+ "version": "1.0.0"
+ },
+ "paths": {
+ "/": {
+ "get": {
+ "operationId": "listVersionsv2",
+ "summary": "List API versions",
+ "schemes": [
+ "http"
+ ],
+ "responses": {
+ "200": {
+ "description": "200 response"
+ }
+ }
+ }
+ }
+ }
+}
+
+```
+```yaml title="Postitive test num. 2 - yaml file" hl_lines="11"
+swagger: "2.0"
+info:
+ title: Simple API overview
+ version: 1.0.0
+paths:
+ "/":
+ get:
+ operationId: listVersionsv2
+ summary: List API versions
+ schemes:
+ - http
+ responses:
+ "200":
+ description: 200 response
+
+```
+
+
+#### Code samples without security vulnerabilities
+```json title="Negative test num. 1 - json file"
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Simple API overview",
+ "version": "1.0.0"
+ },
+ "paths": {
+ "/": {
+ "get": {
+ "operationId": "listVersionsv2",
+ "summary": "List API versions",
+ "schemes": [
+ "https"
+ ],
+ "responses": {
+ "200": {
+ "description": "200 response"
+ }
+ }
+ }
+ }
+ }
+}
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+swagger: "2.0"
+info:
+ title: Simple API overview
+ version: 1.0.0
+paths:
+ "/":
+ get:
+ operationId: listVersionsv2
+ summary: List API versions
+ schemes:
+ - https
+ responses:
+ "200":
+ description: 200 response
+
+```
diff --git a/docs/queries/openapi-queries/a4dd69b8-49fa-45d2-a060-c76655405b05.md b/docs/queries/openapi-queries/a4dd69b8-49fa-45d2-a060-c76655405b05.md
new file mode 100644
index 00000000000..6399f012b39
--- /dev/null
+++ b/docs/queries/openapi-queries/a4dd69b8-49fa-45d2-a060-c76655405b05.md
@@ -0,0 +1,515 @@ +--- +title: Property 'explode' of Encoding Object Ignored +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a4dd69b8-49fa-45d2-a060-c76655405b05 +- **Query name:** Property 'explode' of Encoding Object Ignored +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/property_explode_encoding_object_ignored) + +### Description +Property 'explode' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.
+[Documentation](https://swagger.io/specification/#encoding-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="49" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/data": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "explode": true + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "multipart/form-data": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "explode": true + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + explode: true + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="30" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + multipart/form-data: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + explode: true + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "explode": true + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "explode": true + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + explode: true + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + explode: true + +``` +
diff --git a/docs/queries/openapi-queries/a5375be3-521c-43bb-9eab-e2432e368ee4.md b/docs/queries/openapi-queries/a5375be3-521c-43bb-9eab-e2432e368ee4.md new file mode 100644 index 00000000000..58a1b5d8c55 --- /dev/null +++ b/docs/queries/openapi-queries/a5375be3-521c-43bb-9eab-e2432e368ee4.md @@ -0,0 +1,459 @@ +--- +title: Unknown Prefix (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a5375be3-521c-43bb-9eab-e2432e368ee4 +- **Query name:** Unknown Prefix (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/unknown_prefix) + +### Description +The media type prefix should be set as 'application', 'audio', 'font', 'example', 'image', 'message', 'model', 'multipart', 'text' or 'video'
+[Documentation](https://swagger.io/specification/#media-type-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="53" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "applicasdsadtion/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "profileImage": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="19" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "ddddd/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + } + }, + "encoding": { + "profileImage": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="30" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + sssssss/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + profileImage: + contentType: image/png, image/jpeg + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="14" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + applicatisdsdsdon/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + profileImage: + contentType: image/png, image/jpeg + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + +``` +
diff --git a/docs/queries/openapi-queries/a599b0d1-ff89-4cb8-9ece-9951854c06f6.md b/docs/queries/openapi-queries/a599b0d1-ff89-4cb8-9ece-9951854c06f6.md new file mode 100644 index 00000000000..8116c8ee657 --- /dev/null +++ b/docs/queries/openapi-queries/a599b0d1-ff89-4cb8-9ece-9951854c06f6.md @@ -0,0 +1,391 @@ +--- +title: Security Requirement Not Defined In Security Definition +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a599b0d1-ff89-4cb8-9ece-9951854c06f6 +- **Query name:** Security Requirement Not Defined In Security Definition +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/security_requirement_not_defined_in_security_definition) + +### Description +All security requirement objects must be defined in 'securityDefinitions'
+[Documentation](https://swagger.io/specification/v2/#securityRequirementObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="33" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + ] + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object +security: + - petstore_auth: + - write:pets + - read:pets +securityDefinitions: + api_key: + type: apiKey + name: api_key + in: header + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="30" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + ], + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ] + } + } + }, + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="21" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object + security: + - petstore_auth: + - write:pets + - read:pets +securityDefinitions: + api_key: + type: apiKey + name: api_key + in: header + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + ] + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "authorizationUrl": "http://swagger.io/api/oauth/dialog", + "flow": "implicit", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object +security: + - petstore_auth: + - write:pets + - read:pets +securityDefinitions: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + authorizationUrl: http://swagger.io/api/oauth/dialog + flow: implicit + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + ], + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ] + } + } + }, + "securityDefinitions": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "authorizationUrl": "http://swagger.io/api/oauth/dialog", + "flow": "implicit", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object + security: + - petstore_auth: + - write:pets + - read:pets +securityDefinitions: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + authorizationUrl: http://swagger.io/api/oauth/dialog + flow: implicit + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` +
diff --git a/docs/queries/openapi-queries/a6847dc6-f4ea-45ac-a81f-93291ae6c573.md b/docs/queries/openapi-queries/a6847dc6-f4ea-45ac-a81f-93291ae6c573.md new file mode 100644 index 00000000000..4ec124d3481 --- /dev/null +++ b/docs/queries/openapi-queries/a6847dc6-f4ea-45ac-a81f-93291ae6c573.md @@ -0,0 +1,119 @@ +--- +title: Path Scheme Accepts HTTP (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a6847dc6-f4ea-45ac-a81f-93291ae6c573 +- **Query name:** Path Scheme Accepts HTTP (v2) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/path_scheme_accepts_http) + +### Description +The Scheme list of Operation Object should only allow 'HTTPS' protocol to ensure an encrypted connection
+[Documentation](https://swagger.io/specification/v2/#operationObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="13" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "schemes": [ + "http" + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="11" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + schemes: + - http + responses: + "200": + description: 200 response + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "schemes": [ + "https" + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + schemes: + - https + responses: + "200": + description: 200 response + +``` diff --git a/docs/queries/openapi-queries/a68da022-e95a-4bc2-97d3-481e0bd6d446.md b/docs/queries/openapi-queries/a68da022-e95a-4bc2-97d3-481e0bd6d446.md new file mode 100644 index 00000000000..f99723a02f0 --- /dev/null +++ b/docs/queries/openapi-queries/a68da022-e95a-4bc2-97d3-481e0bd6d446.md 
@@ -0,0 +1,223 @@ +--- +title: Components Header Definition Is Unused +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a68da022-e95a-4bc2-97d3-481e0bd6d446 +- **Query name:** Components Header Definition Is Unused +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/components_header_definition_unused) + +### Description +Components headers definitions should be referenced or removed from Open API definition
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="45" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "headers": { + "xPages": { + "schema": { + "type": "integer", + "description": "number of pages" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="29" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + headers: + xPages: + schema: + type: integer + description: number of pages + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/MyObject" + } + }, + "headers": { + "X-Pages": { + "$ref": "#/components/headers/xPages" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "headers": { + "xPages": { + "schema": { + "type": "integer", + "description": "number of pages" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/MyObject" + headers: + X-Pages: + "$ref": "#/components/headers/xPages" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + headers: + xPages: + schema: + type: integer + description: number of pages + +``` diff --git a/docs/queries/openapi-queries/a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md b/docs/queries/openapi-queries/a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md new file mode 100644 index 00000000000..73a4eb818f7 --- /dev/null +++ b/docs/queries/openapi-queries/a8e859da-4a43-4e7f-94b8-25d6e3bf8e90.md 
@@ -0,0 +1,640 @@ +--- +title: Items Undefined (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a8e859da-4a43-4e7f-94b8-25d6e3bf8e90 +- **Query name:** Items Undefined (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/items_undefined) + +### Description +Schema/Parameter items should be defined when the schema/parameter is set to an array.
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="50" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "array", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "name" + ] + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "array", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="27" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: array + properties: + code: + type: string + format: int32 + message: + type: string + required: + - name + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: array + properties: + code: + type: string + format: int32 + message: + type: string + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="19" + { + "swagger": "2.0", + "info": { + "version": "1.0", + "title": "Example", + "description": "A sample API specification" + }, + "paths": { + "/users": { + "get": { + "description": "Returns all users from database", + "operationId": "findUsers", + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "users response", + "schema": { + "type": "array" + } + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } + } + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="16" +swagger: '2.0' +info: + version: '1.0' + title: Example + description: A sample API specification +paths: + "/users": + get: + description: Returns all users from database + operationId: findUsers + produces: + - application/json + responses: + '200': + description: users response + schema: + type: array +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "array", + "items": { + "type": "string" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "name" + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "type": "string" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: array + items: + type: string + properties: + code: + type: string + format: int32 + message: + type: string + required: + - name + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: array + items: + type: string + properties: + code: + type: string + format: int32 + message: + type: string + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json + { + "swagger": "2.0", + "info": { + "version": "1.0", + "title": "Example", + "description": "A sample API specification" + }, + "paths": { + "/users": { + "get": { + "description": "Returns all users from database", + "operationId": "findUsers", + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "users response", + "schema": { + "type": "array", + "items": { + "$ref": "#/definitions/User" + } + } + } + } + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } + } + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: '2.0' +info: + version: '1.0' + title: Example + description: A sample API specification +paths: + "/users": + get: + description: Returns all users from database + operationId: findUsers + produces: + - application/json + responses: + '200': + description: users response + schema: + type: array + items: + "$ref": "#/definitions/User" +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/a9228976-10cf-4b5f-b902-9e962aad037a.md b/docs/queries/openapi-queries/a9228976-10cf-4b5f-b902-9e962aad037a.md new file mode 100644 index 00000000000..d82db942e75 --- /dev/null +++ b/docs/queries/openapi-queries/a9228976-10cf-4b5f-b902-9e962aad037a.md @@ -0,0 +1,860 @@ +--- +title: Type Has Invalid Keyword (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a9228976-10cf-4b5f-b902-9e962aad037a +- **Query name:** Type Has Invalid Keyword (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/type_has_invalid_keyword) + +### Description +Schema Object define type should not use a keyword of another type
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="52" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + }, + "examples": { + "objectExample": { + "$ref": "#/components/examples/objectExample" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer", + "minimum": 1 + }, + "name": { + "type": "string", + "minLength": 3 + }, + "phones": { + "type": "array", + "items": { + "type": "number", + "pattern": "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + }, + "minItems": 1 + } + } + } + }, + "examples": { + "objectExample": { + "value": { + "id": "1", + "name": "new object" + }, + "summary": "A sample object" + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="42" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + }, + "examples": { + "objectExample": { + "$ref": "#/components/examples/objectExample" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer", + "minLength": 1 + }, + "name": { + "type": "string", + "minLength": 3 + }, + "phones": { + "type": "array", + "items": { + "type": "string", + "pattern": "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + }, + "minItems": 1 + } + } + } + }, + "examples": { + "objectExample": { + "value": { + "id": "1", + "name": "new object" + }, + "summary": "A sample object" + } + } + } +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="46" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + }, + "examples": { + "objectExample": { + "$ref": "#/components/examples/objectExample" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer" + }, + "name": { + "type": "string", + "minLength": 3, + "required": true + }, + "phones": { + "type": "array", + "items": { + "type": "string", + "pattern": "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + }, + "minItems": 1 + } + } + } + }, + "examples": { + "objectExample": { + "value": { + "id": "1", + "name": "new object" + }, + "summary": "A sample object" + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="37" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: Success + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + examples: + objectExample: + "$ref": "#/components/examples/objectExample" +components: + schemas: + MyObject: + type: object + required: + - id + properties: + id: + type: integer + minimum: 1 + name: + type: string + minLength: 3 + phones: + type: array + items: + type: number + pattern: "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + minItems: 1 + examples: + objectExample: + value: + id: '1' + name: new object + summary: A sample object + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="29" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: Success + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + examples: + objectExample: + "$ref": "#/components/examples/objectExample" +components: + schemas: + MyObject: + type: object + required: + - id + properties: + id: + type: integer + minLength: 1 + name: + type: string + minLength: 3 + phones: + type: array + items: + type: string + pattern: "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + minItems: 1 + examples: + objectExample: + value: + id: '1' + name: new object + summary: A sample object + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="37" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + /: + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: Success + content: + application/json: + schema: + $ref: "#/components/schemas/MyObject" + examples: + objectExample: + $ref: "#/components/examples/objectExample" +components: + schemas: + MyObject: + type: object + required: + - id + properties: + id: + type: integer + minimum: 1 + name: + type: string + minLength: 3 + phones: + type: array + items: + type: number + pattern: '\(\d{3}\) ?\d{3}-\d{4}' + minItems: 1 + examples: + objectExample: + value: + id: "1" + name: new object + summary: A sample object + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="41 55" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "Success" + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + }, + "parameters": [ + { + "name": "id", + "in": "body", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer", + "minimum": 1 + }, + "name": { + "type": "string", + "minLength": 3 + }, + "phones": { + "items": { + "type": "number", + "pattern": "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + }, + "minItems": 1, + "type": "array" + } + } + } + }, + { + "name": "start_date", + "in": "query", + "type": "string", + "format": "date", + "description": "The start date for the report. Must be used together with `end_date`. This parameter is incompatible with `rdate`.\n", + "maximum": 8, + "minLength": 6 + } + ] + } + } +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="33 42" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + /: + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: Success + parameters: + - name: id + in: body + description: ID of pet to use + required: true + schema: + type: object + required: + - id + properties: + id: + type: integer + minimum: 1 + name: + type: string + minLength: 3 + phones: + type: array + items: + type: number + pattern: '\(\d{3}\) ?\d{3}-\d{4}' + minItems: 1 + - name: start_date + in: query + type: string + format: date + description: > + The start date for the report. Must be used together with `end_date`. + This parameter is incompatible with `rdate`. + maximum: 8 + minLength: 6 + +``` +
+
Postitive test num. 9 - json file + +```json hl_lines="19" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "headers": { + "X-Rate-Limit-Limit": { + "description": "The number of allowed requests in the current period", + "type": "integer", + "minLength": 3 + } + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 10 - yaml file + +```yaml hl_lines="17" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + /: + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: Success + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + type: integer + minLength: 3 + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + }, + "examples": { + "objectExample": { + "$ref": "#/components/examples/objectExample" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer", + "minimum": 1 + }, + "name": { + "type": "string", + "minLength": 3 + }, + "phones": { + "type": "array", + "items": { + "type": "string", + "pattern": "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + }, + "minItems": 1 + } + } + } + }, + "examples": { + "objectExample": { + "value": { + "id": "1", + "name": "new object" + }, + "summary": "A sample object" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +--- +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: Success + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + examples: + objectExample: + "$ref": "#/components/examples/objectExample" +components: + schemas: + MyObject: + type: object + required: + - id + properties: + id: + type: integer + minimum: 1 + name: + type: string + minLength: 3 + phones: + type: array + items: + type: string + pattern: "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + minItems: 1 + examples: + objectExample: + value: + id: '1' + name: new object + summary: A sample object + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "Success" + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + }, + "parameters": [ + { + "name": "id", + "in": "body", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "object", + "required": [ + "id" + ], + "properties": { + "id": { + "type": "integer", + "minimum": 1 + }, + "name": { + "type": "string", + "minLength": 3 + }, + "phones": { + "type": "array", + "items": { + "type": "string", + "pattern": "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + }, + "minItems": 1 + } + } + } + }, + { + "name": "start_date", + "in": "query", + "type": "string", + "format": "date", + "description": "The start date for the report. Must be used together with `end_date`. This parameter is incompatible with `rdate`.\n", + "maxLength": 8, + "minLength": 6 + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + /: + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: Success + parameters: + - name: id + in: body + description: ID of pet to use + required: true + schema: + type: object + required: + - id + properties: + id: + type: integer + minimum: 1 + name: + type: string + minLength: 3 + phones: + type: array + items: + type: string + pattern: "\\(\\d{3}\\) ?\\d{3}-\\d{4}" + minItems: 1 + - name: start_date + in: query + type: string + format: date + description: > + The start date for the report. Must be used together with `end_date`. + This parameter is incompatible with `rdate`. + maxLength: 8 + minLength: 6 + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "headers": { + "X-Rate-Limit-Limit": { + "description": "The number of allowed requests in the current period", + "type": "integer", + "minimum": 3 + } + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + /: + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: Success + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + type: integer + minimum: 3 + +``` +
diff --git a/docs/queries/openapi-queries/a92be1d5-d762-484a-86d6-8cd0907ba100.md b/docs/queries/openapi-queries/a92be1d5-d762-484a-86d6-8cd0907ba100.md new file mode 100644 index 00000000000..5fd66ccc739 --- /dev/null +++ b/docs/queries/openapi-queries/a92be1d5-d762-484a-86d6-8cd0907ba100.md @@ -0,0 +1,719 @@ +--- +title: Response on operations that should have a body has undefined schema (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a92be1d5-d762-484a-86d6-8cd0907ba100 +- **Query name:** Response on operations that should have a body has undefined schema (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/response_operations_body_schema_undefined) + +### Description +If a response is not head or its code is not 204 or 304, it should have a schema defined
+[Documentation](https://swagger.io/docs/specification/describing-responses/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="18" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "no content" + } + } + } + } + }, + "components": { + "schemas": { + "ApiVersion": { + "type": "object", + "discriminator": { + "propertyName": "ApiVersion" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "version": { + "type": "string" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="21" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": {} + } + } + } + }, + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "no content" + } + } + } + } + }, + "components": { + "schemas": { + "ApiVersion": { + "type": "object", + "discriminator": { + "propertyName": "ApiVersion" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "version": { + "type": "string" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="21 22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/pdf": {}, + "application/json": {} + } + } + } + }, + "post": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ApiVersion" + } + } + } + } + } + }, + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "no content" + } + } + } + } + }, + "components": { + "schemas": { + "ApiVersion": { + "type": "object", + "discriminator": { + "propertyName": "ApiVersion" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "version": { + "type": "string" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="20" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": {} + } + } + }, + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "no content" + } + } + } + } + }, + "components": { + "schemas": { + "ApiVersion": { + "type": "object", + "discriminator": { + "propertyName": "ApiVersion" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "version": { + "type": "string" + } + } + } + } + } +} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: no content +components: + schemas: + ApiVersion: + type: object + discriminator: + propertyName: ApiVersion + properties: + code: + type: integer + format: int32 + version: + type: string + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: {} + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: no content +components: + schemas: + ApiVersion: + type: object + discriminator: + propertyName: ApiVersion + properties: + code: + type: integer + format: int32 + version: + type: string + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="18 19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/pdf: {} + application/json: {} + post: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + "$ref": "#/components/schemas/ApiVersion" + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: no content +components: + schemas: + ApiVersion: + type: object + discriminator: + propertyName: ApiVersion + properties: + code: + type: integer + format: int32 + version: + type: string + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="17" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: {} + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: no content +components: + schemas: + ApiVersion: + type: object + discriminator: + propertyName: ApiVersion + properties: + code: + type: integer + format: int32 + version: + type: string + +``` +
+
Postitive test num. 9 - json file + +```json hl_lines="18" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "no content" + } + } + } + } + } +} + +``` +
+
Postitive test num. 10 - yaml file + +```yaml hl_lines="15" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: no content + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ApiVersion" + } + } + } + } + } + }, + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "no content" + } + } + } + } + }, + "components": { + "schemas": { + "ApiVersion": { + "type": "object", + "discriminator": { + "propertyName": "ApiVersion" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "version": { + "type": "string" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + "$ref": "#/components/schemas/ApiVersion" + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: no content +components: + schemas: + ApiVersion: + type: object + discriminator: + propertyName: ApiVersion + properties: + code: + type: integer + format: int32 + version: + type: string + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "discriminator": "ApiVersion", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "version": { + "type": "string" + } + } + } + } + } + }, + "delete": { + "operationId": "deleteVersion", + "summary": "Deletes API versions", + "responses": { + "204": { + "description": "no content" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: ApiVersion + properties: + code: + type: integer + format: int32 + version: + type: string + delete: + operationId: deleteVersion + summary: Deletes API versions + responses: + "204": + description: no content + +``` +
diff --git a/docs/queries/openapi-queries/a96bbc06-8cde-4295-ad3c-ee343a7f658e.md b/docs/queries/openapi-queries/a96bbc06-8cde-4295-ad3c-ee343a7f658e.md new file mode 100644 index 00000000000..2dea582ed0e --- /dev/null +++ b/docs/queries/openapi-queries/a96bbc06-8cde-4295-ad3c-ee343a7f658e.md @@ -0,0 +1,684 @@ +--- +title: Default Invalid (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a96bbc06-8cde-4295-ad3c-ee343a7f658e +- **Query name:** Default Invalid (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/default_invalid) + +### Description +The field 'default' of Schema Object should be consistent with the schema's type
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="21" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "integer", + "format": "int32", + "description": "the size of the pack the dog is from", + "default": "a", + "minimum": 0 + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "number", + "minimum": 0, + "exclusiveMinimum": true, + "maximum": 50, + "default": "a" + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="18" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "default": [ + { + "message": "hello", + "code": 200 + } + ], + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + } + } + } + } + } + } + } + } +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="18" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "default": { + "a": "b" + }, + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: integer + format: int32 + description: the size of the pack the dog is from + default: "a" + minimum: 0 + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="20" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: number + minimum: 0 + exclusiveMinimum: true + maximum: 50 + default: "a" + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="27" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + default: + - { "message": "hello", "code": 200 } + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: array + items: + type: string + default: { "a": "b" } + +``` +
+
Postitive test num. 9 - json file + +```json hl_lines="16" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "default": { + "a": "b" + }, + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 10 - yaml file + +```yaml hl_lines="17" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: array + items: + type: string + default: { "a": "b" } + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "integer", + "format": "int32", + "description": "the size of the pack the dog is from", + "default": 1, + "minimum": 0 + } + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "number", + "minimum": 0, + "exclusiveMinimum": true, + "maximum": 50, + "default": 5 + } + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + }, + "default": { + "message": "hello", + "code": 200 + } + } + } + } + } + } + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "type": "string" + }, + "default": [ + "a" + ] + } + } + } + } + } + } + } + } +} + +``` +
+
Negative test num. 5 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: integer + format: int32 + description: the size of the pack the dog is from + default: 1 + minimum: 0 + +``` +
+
Negative test num. 6 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: number + minimum: 0 + exclusiveMinimum: true + maximum: 50 + default: 5 + +``` +
+
Negative test num. 7 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + required: + - message + - code + properties: + message: + type: string + code: + type: integer + minimum: 100 + maximum: 600 + default: { "message": "hello", "code": 200 } + +``` +
+
Negative test num. 8 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: array + items: + type: string + default: + - a + +``` +
+
Negative test num. 9 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "array", + "items": { + "type": "string" + }, + "default": [ + "a" + ] + } + } + } + } + } + } +} + +``` +
+
Negative test num. 10 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: array + items: + type: string + default: + - a + +``` +
diff --git a/docs/queries/openapi-queries/ab1263c2-81df-46f0-9f2c-0b62fdb68419.md b/docs/queries/openapi-queries/ab1263c2-81df-46f0-9f2c-0b62fdb68419.md new file mode 100644 index 00000000000..a9f5b90ed31 --- /dev/null +++ b/docs/queries/openapi-queries/ab1263c2-81df-46f0-9f2c-0b62fdb68419.md @@ -0,0 +1,337 @@ +--- +title: Security Field Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ab1263c2-81df-46f0-9f2c-0b62fdb68419 +- **Query name:** Security Field Undefined +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/security_field_undefined) + +### Description +Security field should be defined in '#/components/securitySchemes'
+[Documentation](https://swagger.io/specification/#security-requirement-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="45" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ] +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="45" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "components": { + "securitySchemes": { + "regularSecurity": { + "type": "http", + "scheme": "basic" + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - petstore_auth: + - write:pets + - read:pets + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - petstore_auth: + - write:pets + - read:pets +components: + securitySchemes: + regularSecurity: + type: http + scheme: basic + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "components": { + "securitySchemes": { + "regularSecurity": { + "type": "http", + "scheme": "basic" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "implicit": { + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + }, + "authorizationUrl": "http://example.org/api/oauth/dialog" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - petstore_auth: + - write:pets + - read:pets +components: + securitySchemes: + regularSecurity: + type: http + scheme: basic + petstore_auth: + type: oauth2 + flows: + implicit: + authorizationUrl: http://example.org/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` 
diff --git a/docs/queries/openapi-queries/ab2af219-cd08-4233-b5a1-a788aac88b51.md b/docs/queries/openapi-queries/ab2af219-cd08-4233-b5a1-a788aac88b51.md
new file mode 100644
index 00000000000..c5780fe6603
--- /dev/null
+++ b/docs/queries/openapi-queries/ab2af219-cd08-4233-b5a1-a788aac88b51.md
@@ -0,0 +1,909 @@
+---
+title: Property Defining Minimum Greater Than Maximum (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ab2af219-cd08-4233-b5a1-a788aac88b51
+- **Query name:** Property Defining Minimum Greater Than Maximum (v3)
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Structure and Semantics
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/property_defining_maximum_not_greater_than_minimum)
+
+### Description
+Property defining minimum has greater value than maximum defined
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="52" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 3, + "maximum": 1 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 10, + "maximum": 2 + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="33" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 3 + maximum: 1 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="21" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 10 + maximum: 2 + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="33" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + minLength: 20 + maxLength: 15 + format: int32 + message: + type: string + maxLength: 15 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + properties: + code: + type: string + format: int32 + message: + type: array + minItems: 10 + maxItems: 5 + items: + type: string + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="25" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "GeneralError": { + "type": "object", + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 10, + "maximum": 5 + } + }, + "required": [ + "petType" + ] + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0, + "maximum": 50 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 1, + "maximum": 10 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 1 + maximum: 3 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 1 + maximum: 10 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
+
Negative test num. 5 - json file + +```json +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 1, + "maximum": 10 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + minLength: 1 + maxLength: 15 + format: int32 + message: + type: string + maxLength: 15 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
+
Negative test num. 7 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + properties: + code: + type: string + format: int32 + message: + type: array + minItems: 10 + maxItems: 300 + items: + type: string + +``` +
+
Negative test num. 8 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "GeneralError": { + "type": "object", + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0, + "maximum": 50 + } + }, + "required": [ + "petType" + ] + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/ae13a37d-943b-47a7-a970-83c8598bcca3.md b/docs/queries/openapi-queries/ae13a37d-943b-47a7-a970-83c8598bcca3.md
new file mode 100644
index 00000000000..1e0aa80b656
--- /dev/null
+++ b/docs/queries/openapi-queries/ae13a37d-943b-47a7-a970-83c8598bcca3.md
@@ -0,0 +1,447 @@
+---
+title: Path Template is Empty (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ae13a37d-943b-47a7-a970-83c8598bcca3
+- **Query name:** Path Template is Empty (v3)
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Structure and Semantics
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/path_template_empty)
+
+### Description
+All path templates should not be empty
+[Documentation](https://swagger.io/specification/#paths-object) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{}: + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Postitive test num. 2 - json file" hl_lines="53" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } 
+}
+
+```
+```yaml title="Postitive test num. 3 - yaml file" hl_lines="10"
+swagger: "2.0"
+info:
+ title: Simple API Overview
+ version: 1.0.0
+ contact:
+ name: contact
+ url: https://www.google.com/
+ email: user@gmail.com
+paths:
+ "/users/{}":
+ get:
+ operationId: listVersionsv2
+ summary: List API versions
+ responses:
+ "200":
+ description: 200 response
+definitions:
+ ErrorModel:
+ type: object
+ required:
+ - message
+ - code
+ properties:
+ message:
+ type: string
+ code:
+ type: integer
+ minimum: 100
+ maximum: 600
+
+```
+
Postitive test num. 4 - json file + +```json hl_lines="13" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/users/{}": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Authorization + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: path + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Authorization", + "in": "header", + "description": "ID of the API version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "path", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
3 - yaml file"
+swagger: "2.0"
+info:
+ title: Simple API Overview
+ version: 1.0.0
+ contact:
+ name: contact
+ url: https://www.google.com/
+ email: user@gmail.com
+paths:
+ "/users/{id}":
+ get:
+ operationId: listVersionsv2
+ summary: List API versions
+ responses:
+ "200":
+ description: 200 response
+definitions:
+ ErrorModel:
+ type: object
+ required:
+ - message
+ - code
+ properties:
+ message:
+ type: string
+ code:
+ type: integer
+ minimum: 100
+ maximum: 600
+
+```
+
Negative test num. 4 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/users/{id}": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "ErrorModel": { + "type": "object", + "required": [ + "message", + "code" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "integer", + "minimum": 100, + "maximum": 600 + } + } + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/aecee30b-8ea1-4776-a99c-d6d600f0862f.md b/docs/queries/openapi-queries/aecee30b-8ea1-4776-a99c-d6d600f0862f.md
new file mode 100644
index 00000000000..2e2f214e8a9
--- /dev/null
+++ b/docs/queries/openapi-queries/aecee30b-8ea1-4776-a99c-d6d600f0862f.md
@@ -0,0 +1,408 @@
+---
+title: API Key Exposed In Global Security (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** aecee30b-8ea1-4776-a99c-d6d600f0862f
+- **Query name:** API Key Exposed In Global Security (v3)
+- **Platform:** OpenAPI
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/api_key_exposed_in_global_security)
+
+### Description
+API Keys should not be transported over network
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="45 46 47" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "apiKey2": [], + "apiKey3": [], + "apiKey1": [] + } + ], + "components": { + "securitySchemes": { + "apiKey1": { + "type": "apiKey", + "name": "X-API-Key", + "in": "header" + }, + "apiKey2": { + "type": "apiKey", + "name": "X-API-Key", + "in": "cookie" + }, + "apiKey3": { + "name": "X-API-Key", + "in": "query", + "type": "apiKey" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="26 27 28" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - apiKey1: [] + apiKey2: [] + apiKey3: [] +components: + securitySchemes: + apiKey1: + type: apiKey + name: X-API-Key + in: header + apiKey2: + type: apiKey + name: X-API-Key + in: cookie + apiKey3: + type: apiKey + name: X-API-Key + in: query + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="22 23" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "security": [ + { + "apiKey3": [], + "apiKey1": [] + } + ], + "securityDefinitions": { + "apiKey1": { + "type": "apiKey", + "name": "X-API-Key", + "in": "header" + }, + "apiKey3": { + "in": "query", + "type": "apiKey", + "name": "X-API-Key" + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="14 15" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +security: + - apiKey1: [] + apiKey3: [] +securityDefinitions: + apiKey1: + type: apiKey + name: X-API-Key + in: header + apiKey3: + type: apiKey + name: X-API-Key + in: query + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "components": { + "securitySchemes": { + "OAuth2": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "scopes": { + "read": "read objects in your account", + "write": "modify objects in your account" + }, + "authorizationUrl": "https://example.com/oauth/authorize", + "tokenUrl": "https://example.com/oauth/token" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + OAuth2: + type: oauth2 + flows: + authorizationCode: + scopes: + write: modify objects in your account + read: read objects in your account + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token +security: + - OAuth2: + - write + - read + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "OAuth2": { + "type": "oauth2", + "flow": "accessCode", + "authorizationUrl": "https://example.com/oauth/authorize", + "tokenUrl": "https://example.com/oauth/token", + "scopes": { + "read": "Grants read access", + "write": "Grants write access" + } + } + }, + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ] +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + OAuth2: + type: oauth2 + flow: accessCode + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token + scopes: + read: Grants read access + write: Grants write access +security: + - OAuth2: + - write + - read + +``` +
diff --git a/docs/queries/openapi-queries/b05bb927-2df5-43cc-8d7b-6825c0e71625.md b/docs/queries/openapi-queries/b05bb927-2df5-43cc-8d7b-6825c0e71625.md
new file mode 100644
index 00000000000..db02bb76f12
--- /dev/null
+++ b/docs/queries/openapi-queries/b05bb927-2df5-43cc-8d7b-6825c0e71625.md
@@ -0,0 +1,217 @@
+---
+title: Components Example Definition Is Unused
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b05bb927-2df5-43cc-8d7b-6825c0e71625
+- **Query name:** Components Example Definition Is Unused
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/components_example_definition_unused)
+
+### Description
+Components examples definitions should be referenced or removed from Open API definition
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="42" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "Success", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "examples": { + "objectExample": { + "value": { + "id": "1", + "name": "new object" + }, + "summary": "A sample object" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: Success + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + examples: + objectExample: + value: + id: '1' + name: new object + summary: A sample object + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file"
+{
+ "openapi": "3.0.0",
+ "info": {
+ "title": "Simple API Overview",
+ "version": "1.0.0"
+ },
+ "paths": {
+ "/": {
+ "get": {
+ "operationId": "listVersionsv2",
+ "summary": "List API versions",
+ "responses": {
+ "200": {
+ "description": "Success",
+ "content": {
+ "application/json": {
+ "schema": {
+ "$ref": "#/components/schemas/MyObject"
+ },
+ "examples": {
+ "objectExample": {
+ "$ref": "#/components/examples/objectExample"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "components": {
+ "schemas": {
+ "MyObject": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "examples": {
+ "objectExample": {
+ "value": {
+ "id": "1",
+ "name": "new object"
+ },
+ "summary": "A sample object"
+ }
+ }
+ }
+}
+
+```
+```yaml title="Negative test num. 2 - yaml file"
+openapi: 3.0.0
+info:
+ title: Simple API Overview
+ version: 1.0.0
+paths:
+ "/":
+ get:
+ operationId: listVersionsv2
+ summary: List API versions
+ responses:
+ '200':
+ description: Success
+ content:
+ application/json:
+ schema:
+ "$ref": "#/components/schemas/MyObject"
+ examples:
+ objectExample:
+ "$ref": "#/components/examples/objectExample"
+components:
+ schemas:
+ MyObject:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ examples:
+ objectExample:
+ value:
+ id: '1'
+ name: new object
+ summary: A sample object
+
+```
diff --git a/docs/queries/openapi-queries/b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md b/docs/queries/openapi-queries/b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md
new file mode 100644
index 00000000000..f4b3548cc05
--- /dev/null
+++ b/docs/queries/openapi-queries/b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7.md
@@ -0,0 +1,297 @@ +--- +title: Invalid Contact Email (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7 +- **Query name:** Invalid Contact Email (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/invalid_contact_email) + +### Description +Contact Object Email should be a valid email
+[Documentation](https://swagger.io/specification/#contact-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="9" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + url: "https://www.google.com/" + email: "user@gmail.c" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Postitive test num. 3 - json file" hl_lines="9" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="8" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + url: "https://www.google.com/" + email: "user@gmail.c" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + url: "https://www.google.com/" + email: "user@gmail.com" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: "contact" + url: "https://www.google.com/" + email: "user@gmail.com" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
diff --git a/docs/queries/openapi-queries/b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md b/docs/queries/openapi-queries/b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md new file mode 100644 index 00000000000..7db7cf141a8 --- /dev/null +++ b/docs/queries/openapi-queries/b2d9dbf6-539c-4374-a1fd-210ddf5563a8.md @@ -0,0 +1,301 @@ +--- +title: Invalid Global External Documentation URL (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b2d9dbf6-539c-4374-a1fd-210ddf5563a8 +- **Query name:** Invalid Global External Documentation URL (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/invalid_global_external_documentation_url) + +### Description +Global External Documentation URL should be a valid URL
+[Documentation](https://swagger.io/specification/#external-documentation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="49" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "externalDocs": { + "url": "/" + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +externalDocs: + url: / + +``` +```json title="Postitive test num. 3 - json file" hl_lines="26" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "externalDocs": { + "url": "/" + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +externalDocs: + url: / + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +externalDocs: + url: http://docs.my-api.com/store-orders.htm + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +externalDocs: + url: http://docs.my-api.com/store-orders.htm + +``` +
diff --git a/docs/queries/openapi-queries/b2f275be-7d64-4064-b418-be6b431363a7.md b/docs/queries/openapi-queries/b2f275be-7d64-4064-b418-be6b431363a7.md new file mode 100644 index 00000000000..92d83b2f4dc --- /dev/null +++ b/docs/queries/openapi-queries/b2f275be-7d64-4064-b418-be6b431363a7.md @@ -0,0 +1,231 @@ +--- +title: Success Response Code Undefined for Get Operation (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b2f275be-7d64-4064-b418-be6b431363a7 +- **Query name:** Success Response Code Undefined for Get Operation (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/success_response_code_undefined_get_operation) + +### Description +Get should define at least one success response (200 or 202)
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "get": { + "operationId": "getItem", + "summary": "Get item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10" +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + get: + operationId: getItem + summary: Get item + responses: + default: + description: Error + +``` +```json title="Postitive test num. 3 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "get": { + "operationId": "getItem", + "summary": "Get item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + get: + operationId: getItem + summary: Get item + responses: + default: + description: Error + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "get": { + "operationId": "getItem", + "summary": "Get item", + "responses": { + "200": { + "description": "success" + }, + "default": { + "description": "Success" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + get: + operationId: getItem + summary: Get item + responses: + "200": + description: success + default: + description: Success + patch: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +```json title="Negative test num. 3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "get": { + "operationId": "getItem", + "summary": "Get item", + "responses": { + "200": { + "description": "success" + }, + "default": { + "description": "Success" + } + } + }, + "patch": { + "operationId": "updateItem", + "summary": "Update item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + get: + operationId: getItem + summary: Get item + responses: + "200": + description: success + default: + description: Success + patch: + operationId: updateItem + summary: Update item + responses: + default: + description: Error + +``` +
diff --git a/docs/queries/openapi-queries/b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md b/docs/queries/openapi-queries/b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md new file mode 100644 index 00000000000..a0ff7d3ef0b --- /dev/null +++ b/docs/queries/openapi-queries/b30981fa-a12e-49c7-a5bb-eeafb61d0f0f.md @@ -0,0 +1,161 @@ +--- +title: Global Parameter Definition Not Being Used +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b30981fa-a12e-49c7-a5bb-eeafb61d0f0f +- **Query name:** Global Parameter Definition Not Being Used +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/unused_parameter_definition) + +### Description +All global parameters definitions should be in use
+[Documentation](https://swagger.io/specification/v2/#parametersDefinitionsObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="26" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParame" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "string" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - "$ref": "#/parameters/limitParame" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "string" + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: string + +``` diff --git a/docs/queries/openapi-queries/b3871dd8-9333-4d6c-bd52-67eb898b71ab.md b/docs/queries/openapi-queries/b3871dd8-9333-4d6c-bd52-67eb898b71ab.md new file mode 100644 index 00000000000..785e2636f5f --- /dev/null +++ b/docs/queries/openapi-queries/b3871dd8-9333-4d6c-bd52-67eb898b71ab.md @@ -0,0 +1,200 @@ +--- +title: Response Object With Incorrect Ref (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b3871dd8-9333-4d6c-bd52-67eb898b71ab +- **Query name:** Response Object With Incorrect Ref (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/response_object_incorrect_ref) + +### Description +Response Object reference must always point to '#/components/responses'
+[Documentation](https://swagger.io/specification/#responses-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="44" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "components": { + "responses": { + "Success": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="27" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + Success: + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + $ref: "#/components/schemas/Success" + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "components": { + "responses": { + "Success": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/responses/Success" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + responses: + Success: + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + $ref: "#/components/responses/Success" + +``` diff --git a/docs/queries/openapi-queries/b4803607-ed72-4d60-99e2-3fa6edf471c6.md b/docs/queries/openapi-queries/b4803607-ed72-4d60-99e2-3fa6edf471c6.md new file mode 100644 index 00000000000..acec6e18cee --- /dev/null +++ b/docs/queries/openapi-queries/b4803607-ed72-4d60-99e2-3fa6edf471c6.md 
@@ -0,0 +1,187 @@ +--- +title: BasePath With Wrong Format +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b4803607-ed72-4d60-99e2-3fa6edf471c6 +- **Query name:** BasePath With Wrong Format +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/basepath_with_wrong_format) + +### Description +The 'basePath' value format must match the pattern '^/'
+[Documentation](https://swagger.io/specification/v2/#schema) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="7" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "basePath": "api/incorrect", + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="5" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +basePath: "api/incorrect" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: object + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "basePath": "/api", + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +basePath: "/api" +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: object + +``` diff --git a/docs/queries/openapi-queries/b481d46c-9c61-480f-86d9-af07146dc4a4.md b/docs/queries/openapi-queries/b481d46c-9c61-480f-86d9-af07146dc4a4.md new file mode 100644 index 00000000000..a1a1376e310 --- /dev/null +++ b/docs/queries/openapi-queries/b481d46c-9c61-480f-86d9-af07146dc4a4.md 
@@ -0,0 +1,769 @@
+---
+title: Schema Discriminator Not Required (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b481d46c-9c61-480f-86d9-af07146dc4a4
+- **Query name:** Schema Discriminator Not Required (v3)
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Structure and Semantics
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/schema_discriminator_not_required)
+
+### Description
+The discriminator property in the Schema Object should be a required property
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="53" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "name" + ] + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="25" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "petType": { + "type": "string" + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + petType: + type: string + required: + - name + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + petType: + type: string + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="35" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "GeneralError": { + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "discriminator": "petType" + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="16" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + GeneralError: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + petType: + type: string + required: + - name + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="16" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "properties": { + "code": { + "format": "int32", + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "type": "object" + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="15" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + petType: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "petType" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + petType: + type: string + required: + - petType + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + petType: + type: string + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "GeneralError": { + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "petType" + ], + "type": "object", + "discriminator": "petType" + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + GeneralError: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + petType: + type: string + required: + - petType + +``` +
+
Negative test num. 7 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "properties": { + "code": { + "format": "int32", + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "type": "object", + "required": [ + "petType" + ] + } + } + } + } + } + } +} + +``` +
+
Negative test num. 8 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + required: + - petType + +``` +
diff --git a/docs/queries/openapi-queries/b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md b/docs/queries/openapi-queries/b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md
new file mode 100644
index 00000000000..85eeea7e2be
--- /dev/null
+++ b/docs/queries/openapi-queries/b90033cf-ad9f-4fb9-acd1-1b9d6d278c87.md
@@ -0,0 +1,175 @@
+---
+title: Multiple Body Parameters In The Same Operation
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b90033cf-ad9f-4fb9-acd1-1b9d6d278c87
+- **Query name:** Multiple Body Parameters In The Same Operation
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Structure and Semantics
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/multi_body_parameters_same_operation)
+
+### Description
+Only one body parameter is allowed on operation's parameters type field
+[Documentation](https://swagger.io/specification/v2/#parameterObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="10" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + }, + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "string" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit + in: body + description: max records to return + required: true + schema: + type: integer + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: string + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + }, + { + "name": "pageCount", + "in": "query", + "description": "records per page", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit + in: body + description: max records to return + required: true + schema: + type: integer + - name: pageCount + in: query + description: records per page + required: true + schema: + type: integer + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + +``` diff --git a/docs/queries/openapi-queries/b9db8a10-020c-49ca-88c6-780e5fdb4328.md b/docs/queries/openapi-queries/b9db8a10-020c-49ca-88c6-780e5fdb4328.md new file mode 100644 index 00000000000..4fb7feafba5 --- /dev/null +++ b/docs/queries/openapi-queries/b9db8a10-020c-49ca-88c6-780e5fdb4328.md @@ -0,0 +1,461 @@ +--- +title: Link Object Incorrect Ref +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b9db8a10-020c-49ca-88c6-780e5fdb4328 +- **Query name:** Link Object Incorrect Ref +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/link_object_incorrect_ref) + +### Description +Link object reference must always point to '#/components/links'
+[Documentation](https://swagger.io/specification/#link-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="52" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + }, + "responses": { + "NotFound": { + "description": "The specified resource was not found", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Error" + } + } + }, + "links": { + "l": { + "$ref": "#components/linfks/address" + } + } + } + }, + "links": { + "address": { + "operationId": "getUssssserAddress", + "parameters": { + "userId": "$request.path.id" + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="27" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "l": { + "$ref": "#components/linfks/address" + } + }, + "description": "the user being returned" + } + } + } + } + }, + "components": { + "responses": { + "GenericError": { + "$ref": "../template-api.yaml#/components/responses/GenericError" + } + }, + "links": { + "address": { + "operationId": "getUssssserAddress", + "parameters": { + "userId": "$request.path.id" + } + } + }, + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="34" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + NotFound: + description: The specified resource was not found + content: + application/json: + schema: + $ref: "#/components/schemas/Error" + links: + l: + $ref: "#components/linfks/address" + links: + address: + operationId: getUssssserAddress + parameters: + userId: $request.path.id + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="21" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + l: + $ref: "#components/linfks/address" +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + GenericError: + $ref: "../template-api.yaml#/components/responses/GenericError" + links: + address: + operationId: getUssssserAddress + parameters: + userId: $request.path.id + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + }, + "responses": { + "NotFound": { + "description": "The specified resource was not found", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Error" + } + } + }, + "links": { + "l": { + "$ref": "#/components/links/address" + } + } + } + }, + "links": { + "address": { + "operationId": "getUssssserAddress", + "parameters": { + "userId": "$request.path.id" + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "l": { + "$ref": "#/components/links/address" + } + }, + "description": "the user being returned" + } + } + } + } + }, + "components": { + "responses": { + "GenericError": { + "$ref": "../template-api.yaml#/components/responses/GenericError" + } + }, + "links": { + "address": { + "operationId": "getUssssserAddress", + "parameters": { + "userId": "$request.path.id" + } + } + }, + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + NotFound: + description: The specified resource was not found + content: + application/json: + schema: + $ref: "#/components/schemas/Error" + links: + l: + $ref: "#/components/links/address" + links: + address: + operationId: getUssssserAddress + parameters: + userId: $request.path.id + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + l: + $ref: "#/components/links/address" +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + GenericError: + $ref: "../template-api.yaml#/components/responses/GenericError" + links: + address: + operationId: getUssssserAddress + parameters: + userId: $request.path.id + +``` +
diff --git a/docs/queries/openapi-queries/ba066cda-e808-450d-92b6-f29109754d45.md b/docs/queries/openapi-queries/ba066cda-e808-450d-92b6-f29109754d45.md
new file mode 100644
index 00000000000..ed832b44ebd
--- /dev/null
+++ b/docs/queries/openapi-queries/ba066cda-e808-450d-92b6-f29109754d45.md
@@ -0,0 +1,181 @@
+---
+title: Callback Object With Incorrect Ref
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ba066cda-e808-450d-92b6-f29109754d45
+- **Query name:** Callback Object With Incorrect Ref
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Structure and Semantics
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/callback_object_incorrect_ref)
+
+### Description
+Callback Object reference must always point to '#/components/callbacks'
+[Documentation](https://swagger.io/specification/#callback-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="19" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + }, + "callbacks": { + "myEvent": { + "$ref": "#/components/callbaccgcks/inProgress" + } + } + } + } + }, + "components": { + "callbacks": { + "inProgress": { + "{$request.body#/inProgressUrl}": { + "post": { + "requestBody": { + "$ref": "#/components/requestBodies/callbackMessage1" + }, + "responses": { + "200": { + "description": "OK" + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + $ref: "#/components/schemas/Success" + callbacks: + myEvent: + $ref: "#/components/callbaccgcks/inProgress" +components: + callbacks: + inProgress: + "{$request.body#/inProgressUrl}": + post: + requestBody: + $ref: "#/components/requestBodies/callbackMessage1" + responses: + "200": + description: OK + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + }, + "callbacks": { + "myEvent": { + "$ref": "#/components/callbacks/inProgress" + } + } + } + } + }, + "components": { + "callbacks": { + "inProgress": { + "{$request.body#/inProgressUrl}": { + "post": { + "requestBody": { + "$ref": "#/components/requestBodies/callbackMessage1" + }, + "responses": { + "200": { + "description": "OK" + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + $ref: "#/components/schemas/Success" + callbacks: + myEvent: + $ref: "#/components/callbacks/inProgress" +components: + callbacks: + inProgress: + "{$request.body#/inProgressUrl}": + post: + requestBody: + $ref: "#/components/requestBodies/callbackMessage1" + responses: + "200": + description: OK + +``` diff --git a/docs/queries/openapi-queries/ba239cb9-f342-4c20-812d-7b5a2aa6969e.md b/docs/queries/openapi-queries/ba239cb9-f342-4c20-812d-7b5a2aa6969e.md new file mode 100644 index 00000000000..17fecdde9cb --- /dev/null +++ b/docs/queries/openapi-queries/ba239cb9-f342-4c20-812d-7b5a2aa6969e.md 
@@ -0,0 +1,180 @@ +--- +title: Non OAuth2 Security Requirement Defining OAuth2 Scopes +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ba239cb9-f342-4c20-812d-7b5a2aa6969e +- **Query name:** Non OAuth2 Security Requirement Defining OAuth2 Scopes +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/non_oauth2_security_requirement_defining_oauth2_scopes) + +### Description +If the security scheme is not of type 'oauth2', the array value must be empty
+[Documentation](https://swagger.io/specification/v2/#securityRequirementObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="33" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + ] + } + } + }, + "security": [ + { + "petstore_auth": [ + "write:pets", + "read:pets" + ] + } + ], + "securityDefinitions": { + "petstore_auth": { + "type": "basic" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="21" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object +security: + - petstore_auth: + - write:pets + - read:pets +securityDefinitions: + petstore_auth: + type: basic + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + } + ] + } + } + }, + "security": [ + { + "petstore_auth": [] + } + ], + "securityDefinitions": { + "petstore_auth": { + "type": "basic" + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object +security: + - petstore_auth: [] +securityDefinitions: + petstore_auth: + type: basic + +``` diff --git a/docs/queries/openapi-queries/baade968-7467-41e4-bf22-83ca222f5800.md b/docs/queries/openapi-queries/baade968-7467-41e4-bf22-83ca222f5800.md new file mode 100644 index 00000000000..c8017565ac0 --- /dev/null +++ b/docs/queries/openapi-queries/baade968-7467-41e4-bf22-83ca222f5800.md @@ -0,0 +1,766 @@ +--- +title: Security Field On Operations Has An Empty Object Definition (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** baade968-7467-41e4-bf22-83ca222f5800 +- **Query name:** Security Field On Operations Has An Empty Object Definition (v3) +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/security_operations_empty_object_definition) + +### Description +Security object for operations should not be empty object or has any empty object definition
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": {}, + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="51" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "OAuth2": [ + "admin" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "patch": { + "operationId": "validateVersionsPathv2", + "summary": "Validate operation", + "security": [ + {} + ], + "responses": { + "204": { + "description": "204 response" + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="44" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "patch": { + "operationId": "validateVersionsPathv2", + "summary": "Validate operation", + "security": [ + { + "OAuth2": [ + "admin" + ] + }, + {} + ], + "responses": { + "204": { + "description": "204 response" + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +
Postitive test num. 4 - json file + +```json hl_lines="53" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "OAuth2": [ + "admin" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + }, + "/apis": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": {}, + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: {} + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- OAuth2: + - read + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - OAuth2: + - admin + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + patch: + operationId: validateVersionsPathv2 + summary: Validate operation + security: + - {} + responses: + '204': + description: 204 response +security: +- OAuth2: + - read + +``` +
+
Postitive test num. 7 - yaml file + +```yaml hl_lines="28" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + patch: + operationId: validateVersionsPathv2 + summary: Validate operation + security: + - OAuth2: + - admin + - {} + responses: + '204': + description: 204 response +security: +- OAuth2: + - read + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - OAuth2: + - admin + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "/apis": + get: + operationId: listVersionsv2 + summary: List API versions + security: {} + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- OAuth2: + - read + +``` +
+
Postitive test num. 9 - yaml file + +```yaml hl_lines="14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: {} + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + +``` +
+
Postitive test num. 10 - json file + +```json hl_lines="17" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": {}, + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "OAuth2": [ + "write" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "OAuth2": [ + "read" + ] + } + ] +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - OAuth2: + - write + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- OAuth2: + - read + +``` +```yaml title="Negative test num. 3 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + security: + - OAuth2: + - write + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + +``` +
Negative test num. 4 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "security": [ + { + "OAuth2": [ + "write" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + } + } + } + } + } + } +} + +``` +
diff --git a/docs/queries/openapi-queries/bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md b/docs/queries/openapi-queries/bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md new file mode 100644 index 00000000000..b1681e55373 --- /dev/null +++ b/docs/queries/openapi-queries/bac56e3c-1f71-4a74-8ae6-2fba07efcddb.md @@ -0,0 +1,331 @@ +--- +title: Example JSON Reference Outside Components Examples +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bac56e3c-1f71-4a74-8ae6-2fba07efcddb +- **Query name:** Example JSON Reference Outside Components Examples +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/example_json_reference_outside_components_examples) + +### Description +Reference to examples should point to #/components/examples
+[Documentation](https://swagger.io/specification/#reference-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="77" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "securitySchemes": { + "regularSecurity": { + "type": "http", + "scheme": "basic" + } + }, + "schemas": { + "ErrorModel": { + "type": "object", + "properties": { + "code": { + "type": "string" + } + } + }, + "Address": { + "type": "object", + "properties": { + "street": { + "type": "string" + } + }, + "required": [ + "street" + ] + } + } + }, + "paths": { + "/": { + "post": { + "operationId": "updateAddress", + "summary": "updateAddress", + "servers": [ + { + "url": "http://kicsapi.com/", + "description": "server URL" + } + ], + "responses": { + "200": { + "description": "a pet to be returned", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Address" + } + } + } + }, + "default": { + "description": "Unexpected error", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorModel" + } + } + } + } + }, + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Address" + }, + "examples": { + "Address": { + "$ref": "#/components/schemas/Address" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="51" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + securitySchemes: + regularSecurity: + type: http + scheme: basic + schemas: + ErrorModel: + type: object + properties: + code: + type: string + Address: + type: object + properties: + street: + type: string + required: + - street +paths: + "/": + post: + operationId: updateAddress + summary: updateAddress + servers: + - url: http://kicsapi.com/ + description: server URL + responses: + '200': + description: a pet to be returned + content: + application/json: + schema: + $ref: '#/components/schemas/Address' + default: + description: Unexpected error + content: + application/json: + schema: + $ref: '#/components/schemas/ErrorModel' + requestBody: + content: + 'application/json': + schema: + $ref: '#/components/schemas/Address' + examples: + Address: + $ref: '#/components/schemas/Address' + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "securitySchemes": { + "regularSecurity": { + "type": "http", + "scheme": "basic" + } + }, + "schemas": { + "ErrorModel": { + "type": "object", + "properties": { + "code": { + "type": "string" + } + } + }, + "Address": { + "type": "object", + "properties": { + "street": { + "type": "string" + } + }, + "required": [ + "street" + ] + } + }, + "examples": { + "Address": { + "summary": "user address", + "value": { + "street": "my street" + } + } + } + }, + "paths": { + "/": { + "post": { + "operationId": "updateAddress", + "summary": "updateAddress", + "servers": [ + { + "url": "http://kicsapi.com/", + "description": "server URL" + } + ], + "responses": { + "200": { + "description": "a pet to be returned", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Address" + } + } + } + }, + "default": { + "description": "Unexpected error", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/ErrorModel" + } + } + } + } + }, + "requestBody": { + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Address" + }, + "examples": { + "Address": { + "$ref": "#/components/examples/Address" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + securitySchemes: + regularSecurity: + type: http + scheme: basic + schemas: + ErrorModel: + type: object + properties: + code: + type: string + Address: + type: object + properties: + street: + type: string + required: + - street + examples: + Address: + summary: user address + value: { "street": "my street" } +paths: + "/": + post: + operationId: updateAddress + summary: updateAddress + servers: + - url: http://kicsapi.com/ + description: server URL + responses: + '200': + description: a pet to be returned + content: + application/json: + schema: + $ref: '#/components/schemas/Address' + default: + description: Unexpected error + content: + application/json: + schema: + $ref: '#/components/schemas/ErrorModel' + requestBody: + content: + 'application/json': + schema: + $ref: '#/components/schemas/Address' + examples: + Address: + $ref: '#/components/examples/Address' + +``` diff --git a/docs/queries/openapi-queries/bccfa089-89e4-47e0-a0e5-185fe6902220.md b/docs/queries/openapi-queries/bccfa089-89e4-47e0-a0e5-185fe6902220.md new file mode 100644 index 00000000000..1db9fb8bdc5 --- /dev/null +++ b/docs/queries/openapi-queries/bccfa089-89e4-47e0-a0e5-185fe6902220.md @@ -0,0 +1,247 @@ +--- +title: Response Object With Incorrect Ref (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bccfa089-89e4-47e0-a0e5-185fe6902220 +- **Query name:** Response Object With Incorrect Ref (v2) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/response_object_incorrect_ref) + +### Description +Response Object reference must always point to '#/responses'
+[Documentation](https://swagger.io/specification/v2/#responses-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/definitions/User" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "responses": { + "Success": { + "description": "An array with users", + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +responses: + Success: + description: An array with users + schema: + "$ref": "#/definitions/User" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/responses/Success" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "responses": { + "Success": { + "description": "An array with users", + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/responses/Success" + parameters: + - "$ref": "#/parameters/limitParam" +responses: + Success: + description: An array with users + schema: + "$ref": "#/definitions/User" +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md b/docs/queries/openapi-queries/be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md new file mode 100644 index 00000000000..eaf4491ecc8 --- /dev/null +++ b/docs/queries/openapi-queries/be0e0df7-f3d9-42a1-9b6f-d425f94872c4.md 
@@ -0,0 +1,638 @@ +--- +title: Array Items Has No Type (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** be0e0df7-f3d9-42a1-9b6f-d425f94872c4 +- **Query name:** Array Items Has No Type (v3) +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/array_items_has_no_type) + +### Description +Schema array items type should be defined
+[Documentation](https://swagger.io/docs/specification/data-models/data-types/#string) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="65" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + }, + "201": { + "description": "201 response", + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/components/schemas/MyObject" + }, + { + "type": "integer" + } + ] + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "quantity": { + "type": "integer", + "format": "int32" + }, + "percentage": { + "type": "number", + "format": "float" + }, + "result": { + "type": "number", + "format": "double" + } + } + }, + "MyIntArray": { + "type": "array", + "items": {} + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + }, + "201": { + "description": "201 response", + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "array", + "items": { + "oneOf": [] + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "quantity": { + "type": "integer", + "format": "int32" + }, + "percentage": { + "type": "number", + "format": "float" + }, + "result": { + "type": "number", + "format": "double" + } + } + }, + "MyIntArray": { + "type": "array", + "items": { + "type": "integer" + } + } + } + } +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="21" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + }, + "201": { + "description": "201 response", + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "items": { + "oneOf": [ + { + "type": "integer" + }, + { + "format": "int32" + } + ] + }, + "type": "array" + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "quantity": { + "type": "integer", + "format": "int32" + }, + "percentage": { + "type": "number", + "format": "float" + }, + "result": { + "type": "number", + "format": "double" + } + } + }, + "MyIntArray": { + "type": "array", + "items": { + "type": "integer" + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="42" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + "$ref": "#/components/schemas/MyObject" + "201": + description: 201 response + content: + "application/x-www-form-urlencoded": + schema: + type: array + items: + oneOf: + - "$ref": "#/components/schemas/MyObject" + - type: integer +components: + schemas: + MyObject: + type: object + properties: + id: + type: integer + format: int64 + quantity: + type: integer + format: int32 + percentage: + type: number + format: float + result: + type: number + format: double + MyIntArray: + type: array + items: {} + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + "$ref": "#/components/schemas/MyObject" + "201": + description: 201 response + content: + "application/x-www-form-urlencoded": + schema: + type: array + items: + oneOf: [] +components: + schemas: + MyObject: + type: object + properties: + id: + type: integer + format: int64 + quantity: + type: integer + format: int32 + percentage: + type: number + format: float + result: + type: number + format: double + MyIntArray: + type: array + items: + type: integer + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="19" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + "$ref": "#/components/schemas/MyObject" + "201": + description: 201 response + content: + "application/x-www-form-urlencoded": + schema: + type: array + items: + oneOf: + - type: integer + - format: int32 +components: + schemas: + MyObject: + type: object + properties: + id: + type: integer + format: int64 + quantity: + type: integer + format: int32 + percentage: + type: number + format: float + result: + type: number + format: double + MyIntArray: + type: array + items: + type: integer + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="25" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "201": { + "description": "201 response" + } + }, + "parameters": [ + { + "name": "id", + "in": "body", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": {} + } + } + ] + } + } + } +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="20" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "201": + description: 201 response + parameters: + - name: id + in: body + description: ID of pet to use + required: true + schema: + type: array + items: {} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + }, + "201": { + "description": "201 response", + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "array", + "items": { + "oneOf": [ + { + "$ref": "#/components/schemas/MyObject" + }, + { + "type": "integer" + } + ] + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "quantity": { + "type": "integer", + "format": "int32" + }, + "percentage": { + "type": "number", + "format": "float" + }, + "result": { + "type": "number", + "format": "double" + } + } + }, + "MyIntArray": { + "type": "array", + "items": { + "type": "integer" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + "$ref": "#/components/schemas/MyObject" + "201": + description: 201 response + content: + "application/x-www-form-urlencoded": + schema: + type: array + items: + oneOf: + - "$ref": "#/components/schemas/MyObject" + - type: integer +components: + schemas: + MyObject: + type: object + properties: + id: + type: integer + format: int64 + quantity: + type: integer + format: int32 + percentage: + type: number + format: float + result: + type: number + format: double + MyIntArray: + type: array + items: + type: integer + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "201": { + "description": "201 response" + } + }, + "parameters": [ + { + "name": "id", + "in": "body", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + } + ] + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "201": + description: 201 response + parameters: + - name: id + in: body + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/be1d8733-3731-40c7-a845-734741c6871d.md b/docs/queries/openapi-queries/be1d8733-3731-40c7-a845-734741c6871d.md
new file mode 100644
index 00000000000..b3c9ff2d743
--- /dev/null
+++ b/docs/queries/openapi-queries/be1d8733-3731-40c7-a845-734741c6871d.md
@@ -0,0 +1,224 @@
+---
+title: Constraining Enum Property
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** be1d8733-3731-40c7-a845-734741c6871d
+- **Query name:** Constraining Enum Property
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/constraining_enum_property)
+
+### Description
+There is a constraining keyword in a property which is already restricted by enum values
+[Documentation](https://swagger.io/specification/v2/#schemaObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="49 38" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "category", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "$ref": "#/definitions/Category" + } + } + ] + } + } + }, + "definitions": { + "Category": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64", + "minimum": 1, + "enum": [ + 2, + 3, + 4, + 5, + 6 + ] + }, + "name": { + "type": "string", + "maxLength": 10, + "enum": [ + "Foo", + "Bar" + ] + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="27 36" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + parameters: + - name: category + in: body + description: max records to return + required: true + schema: + "$ref": "#/definitions/Category" +definitions: + Category: + type: object + properties: + id: + type: integer + format: int64 + minimum: 1 + enum: + - 2 + - 3 + - 4 + - 5 + - 6 + name: + type: string + maxLength: 10 + enum: + - Foo + - Bar + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "category", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "$ref": "#/definitions/Category" + } + } + ] + } + } + }, + "definitions": { + "Category": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64", + "minimum": 1 + }, + "name": { + "type": "string", + "enum": [ + "Foo", + "Bar" + ] + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + parameters: + - name: category + in: body + description: max records to return + required: true + schema: + "$ref": "#/definitions/Category" +definitions: + Category: + type: object + properties: + id: + type: integer + format: int64 + minimum: 1 + name: + type: string + enum: + - Foo + - Bar + +``` diff --git a/docs/queries/openapi-queries/be3e170e-1572-461e-a8b6-d963def581ec.md b/docs/queries/openapi-queries/be3e170e-1572-461e-a8b6-d963def581ec.md new file mode 100644 index 00000000000..b57b2f5a4dc --- /dev/null +++ b/docs/queries/openapi-queries/be3e170e-1572-461e-a8b6-d963def581ec.md 
@@ -0,0 +1,226 @@
+---
+title: Operation Object Without 'produces'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** be3e170e-1572-461e-a8b6-d963def581ec
+- **Query name:** Operation Object Without 'produces'
+- **Platform:** OpenAPI
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/operation_object_without_produces)
+
+### Description
+Operation Object should have 'produces' feild defined for 'GET'operation
+[Documentation](https://swagger.io/specification/v2/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="9" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/definitions/User" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="7" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "produces": [ + "application/json" + ], + "responses": { + "200": { + "$ref": "#/definitions/User" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + produces: + - application/json + responses: + "200": + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/c19779a9-5774-4d2f-a3a1-a99831730375.md b/docs/queries/openapi-queries/c19779a9-5774-4d2f-a3a1-a99831730375.md new file mode 100644 index 00000000000..a3e2d9c3785 --- /dev/null +++ b/docs/queries/openapi-queries/c19779a9-5774-4d2f-a3a1-a99831730375.md 
@@ -0,0 +1,210 @@
+---
+title: Components Link Definition Is Unused
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c19779a9-5774-4d2f-a3a1-a99831730375
+- **Query name:** Components Link Definition Is Unused
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/components_link_definition_unused)
+
+### Description
+Components links definitions should be referenced or removed from Open API definition
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="45" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "links": { + "APIRepository": { + "operationId": "listVersionsv2" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="29" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/MyObject" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + links: + APIRepository: + operationId: listVersionsv2 + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "success", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "$ref": "#/components/schemas/MyObject" + } + } + } + }, + "links": { + "$ref": "#/components/links/APIRepository" + } + } + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "links": { + "APIRepository": { + "operationId": "listVersionsv2" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: success + content: + application/json: + schema: + type: array + items: + "$ref": "#/components/schemas/MyObject" + links: + "$ref": "#/components/links/APIRepository" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + links: + APIRepository: + operationId: listVersionsv2 + +``` diff --git a/docs/queries/openapi-queries/c254adc4-ef25-46e1-8270-b7944adb4198.md b/docs/queries/openapi-queries/c254adc4-ef25-46e1-8270-b7944adb4198.md new file mode 100644 index 00000000000..84c7e317173 --- /dev/null +++ b/docs/queries/openapi-queries/c254adc4-ef25-46e1-8270-b7944adb4198.md 
@@ -0,0 +1,325 @@
+---
+title: OperationId Not Unique (v3)
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c254adc4-ef25-46e1-8270-b7944adb4198
+- **Query name:** OperationId Not Unique (v3)
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Structure and Semantics
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/operation_id_not_unique)
+
+### Description
+OperationId should be unique when defined
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="46 15" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://google.com", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "operation_id", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "post": { + "operationId": "operation_id", + "responses": { + "201": { + "description": "Created" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="8 25" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: op_id + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + post: + operationId: op_id + responses: + "201": + description: Created + +``` +```json title="Postitive test num. 3 - json file" hl_lines="23 15" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://google.com", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "operation_id", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "post": { + "operationId": "operation_id", + "responses": { + "201": { + "description": "Created" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="8 13" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: op_id + responses: + "200": + description: 200 response + post: + operationId: op_id + responses: + "201": + description: Created + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://google.com", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "op_id1", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "post": { + "operationId": "op_id2", + "responses": { + "201": { + "description": "Created" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: op_id3 + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + post: + operationId: op_id4 + responses: + "201": + description: Created + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://google.com", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "op_id1", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "post": { + "operationId": "op_id2", + "responses": { + "201": { + "description": "Created" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: op_id3 + responses: + "200": + description: 200 response + post: + operationId: op_id4 + responses: + "201": + description: Created + +``` +
diff --git a/docs/queries/openapi-queries/c38d630d-a415-4e3e-bac2-65475979ba88.md b/docs/queries/openapi-queries/c38d630d-a415-4e3e-bac2-65475979ba88.md
new file mode 100644
index 00000000000..672725fae43
--- /dev/null
+++ b/docs/queries/openapi-queries/c38d630d-a415-4e3e-bac2-65475979ba88.md
@@ -0,0 +1,193 @@
+---
+title: Body Parameter With Wrong Property
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c38d630d-a415-4e3e-bac2-65475979ba88
+- **Query name:** Body Parameter With Wrong Property
+- **Platform:** OpenAPI
+- **Severity:** Info
+- **Category:** Structure and Semantics
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/body_parameter_with_wrong_property)
+
+### Description
+The Body Parameter Object should only have the following properties defined - 'name', 'in', 'description', 'required', and 'schema'
+[Documentation](https://swagger.io/specification/v2/#parameterObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="43 19" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "string" + }, + "desc": { + "type": "string" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "string" + }, + "desc": { + "type": "string" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="20 30" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: string + desc: + type: string +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: string + desc: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: object + +``` diff --git a/docs/queries/openapi-queries/c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md b/docs/queries/openapi-queries/c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md new file mode 100644 index 00000000000..187f9938ebf --- /dev/null +++ b/docs/queries/openapi-queries/c3cab8c4-6c52-47a9-942b-c27f26fbd7d2.md @@ -0,0 +1,172 @@ +--- +title: Parameter File Type Not In 'formData' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c3cab8c4-6c52-47a9-942b-c27f26fbd7d2 +- **Query name:** Parameter File Type Not In 'formData' +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/parameter_file_type_not_in_formdata) + +### Description +The In field of Parameter Object must be 'formData' when type is 'file'
+[Documentation](https://swagger.io/specification/v2/#parameterObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12 31" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "query", + "description": "return a file with limit info", + "required": true, + "type": "file" + } + ], + "operationId": "listVersionsV2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "return a file with limit info", + "required": true, + "type": "file" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="10 22" +--- +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit2 + in: query + description: return a file with limit info + required: true + type: file + operationId: listVersionsV2 + summary: List API versions + responses: + '200': + description: 200 response +parameters: + limitParam: + name: limit + in: query + description: return a file with limit info + required: true + type: file + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "formData", + "description": "return a file with limit info", + "required": true, + "type": "file" + } + ], + "operationId": "listVersionsV2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "formData", + "description": "return a file with limit info", + "required": true, + "type": "file" + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + parameters: + - name: limit2 + in: formData + description: return a file with limit info + required: true + type: file + operationId: listVersionsV2 + summary: List API versions + responses: + '200': + description: 200 response +parameters: + limitParam: + name: limit + in: formData + description: return a file with limit info + required: true + type: file + +``` diff --git a/docs/queries/openapi-queries/c5bb7461-aa57-470b-a714-3bc3d74f4669.md b/docs/queries/openapi-queries/c5bb7461-aa57-470b-a714-3bc3d74f4669.md new file mode 100644 index 00000000000..8315646143f --- /dev/null +++ b/docs/queries/openapi-queries/c5bb7461-aa57-470b-a714-3bc3d74f4669.md 
@@ -0,0 +1,801 @@ +--- +title: Link Object OperationId Does Not Target Operation Object +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c5bb7461-aa57-470b-a714-3bc3d74f4669 +- **Query name:** Link Object OperationId Does Not Target Operation Object +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/link_object_operation_id_does_not_target_an_operation_object) + +### Description +Link object 'OperationId' should target an existing operation object in the OpenAPI definition
+[Documentation](https://swagger.io/specification/#link-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="71" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + }, + "components": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "operationId": "getUser2Address", + "parameters": { + "userId": "$request.path.id" + } + } + } + } + }, + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="28" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/test": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "format": "uuid", + "type": "string" + } + } + } + } + }, + "links": { + "address": { + "operationId": "getUserAddress", + "parameters": { + "userId": "$request.path.id" + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserwAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="68" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + }, + "components": { + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + }, + "responses": { + "GenericError": { + "$ref": "../template-api.yaml#/components/responses/GenericError" + } + }, + "links": { + "address": { + 
"operationId": "getUsewerAddress", + "parameters": { + "userId": "$request.path.id" + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="51" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + address: + operationId: getUserAsddress + parameters: + userId: $request.path.id + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="21" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/test": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + address: + operationId: getUserAddress + parameters: + userId: $request.path.id + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAdsssdress + responses: + "200": + description: the user's address + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="43" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + GenericError: + $ref: "../template-api.yaml#/components/responses/GenericError" + links: + address: + operationId: getUssssserAddress + parameters: + userId: $request.path.id + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + }, + "components": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + }, + "links": { + "address": { + "operationId": "getUserAddress", + "parameters": { + "userId": "$request.path.id" + } + } + } + } + }, + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "format": "uuid", + "type": "string" + } + } + } + } + }, + "links": { + "address": { + "operationId": "getUserAddress", + "parameters": { + "userId": "$request.path.id" + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + } +} + +``` +```json title="Negative test num. 3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "the user being returned", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "uuid": { + "type": "string", + "format": "uuid" + } + } + } + } + } + } + } + } + }, + "/users/{userid}/address": { + "parameters": [ + { + "name": "userid", + "in": "path", + "required": true, + "description": "the user identifier, as userId", + "schema": { + "type": "string" + } + } + ], + "get": { + "operationId": "getUserAddress", + "responses": { + "200": { + "description": "the user's address" + } + } + } + } + }, + "components": { + "schemas": { + "Pet": { + "$ref": "../models/pet.yaml" + }, + "User": { + "$ref": "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + } + }, + "responses": { + "GenericError": { + "$ref": "../template-api.yaml#/components/responses/GenericError" + } + }, + "links": { + "address": { + "operationId": "getUserAddress", + 
"parameters": { + "userId": "$request.path.id" + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + address: + operationId: getUserAddress + parameters: + userId: $request.path.id + +``` +
+
Negative test num. 5 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + links: + address: + operationId: getUserAddress + parameters: + userId: $request.path.id + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address + +``` +
+
Negative test num. 6 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + responses: + "200": + description: the user being returned + content: + application/json: + schema: + type: object + properties: + uuid: + type: string + format: uuid + "/users/{userid}/address": + parameters: + - name: userid + in: path + required: true + description: the user identifier, as userId + schema: + type: string + get: + operationId: getUserAddress + responses: + "200": + description: the user's address +components: + schemas: + Pet: + $ref: "../models/pet.yaml" + User: + $ref: "https://api.example.com/v2/openapi.yaml#/components/schemas/User" + responses: + GenericError: + $ref: "../template-api.yaml#/components/responses/GenericError" + links: + address: + operationId: getUserAddress + parameters: + userId: $request.path.id + +``` +
diff --git a/docs/queries/openapi-queries/c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md b/docs/queries/openapi-queries/c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md new file mode 100644 index 00000000000..2b01455d016 --- /dev/null +++ b/docs/queries/openapi-queries/c66ebeaa-676c-40dc-a3ff-3e49395dcd5e.md @@ -0,0 +1,266 @@ +--- +title: Servers Array Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c66ebeaa-676c-40dc-a3ff-3e49395dcd5e +- **Query name:** Servers Array Undefined +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/servers_undefined) + +### Description +The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.
+[Documentation](https://swagger.io/specification/#server-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="2" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "servers": [] +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="1" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +servers: [] + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "servers": [ + { + "url": "https://my.api.server.com/", + "description": "My API Server" + } + ] +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +servers: + url: https://my.api.server.com/ + description: My API server + +``` diff --git a/docs/queries/openapi-queries/ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md b/docs/queries/openapi-queries/ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md new file mode 100644 index 00000000000..40441c95394 --- /dev/null +++ b/docs/queries/openapi-queries/ca02f4e8-d3ae-4832-b7db-bb037516d9e7.md 
@@ -0,0 +1,205 @@ +--- +title: Request Body JSON Reference Does Not Exists +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ca02f4e8-d3ae-4832-b7db-bb037516d9e7 +- **Query name:** Request Body JSON Reference Does Not Exists +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/json_reference_does_not_exists_request_body) + +### Description +Request Body reference should exists on components field
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="18" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + }, + "requestBody": { + "$ref": "#/components/requestBodies/MyWrongObjectBody" + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "requestBodies": { + "MyObjectBody": { + "description": "A JSON object containing my object information", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" + requestBody: + "$ref": "#/components/requestBodies/MyWrongObjectBody" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + requestBodies: + MyObjectBody: + description: A JSON object containing my object information + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + } + }, + "requestBody": { + "$ref": "#/components/requestBodies/MyObjectBody" + } + } + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + } + } + } + }, + "requestBodies": { + "MyObjectBody": { + "description": "A JSON object containing my object information", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/MyObject" + requestBody: + "$ref": "#/components/requestBodies/MyObjectBody" +components: + schemas: + MyObject: + type: object + properties: + id: + type: string + name: + type: string + requestBodies: + MyObjectBody: + description: A JSON object containing my object information + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + +``` diff --git a/docs/queries/openapi-queries/cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md b/docs/queries/openapi-queries/cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md new file mode 100644 index 00000000000..52807280102 --- /dev/null +++ b/docs/queries/openapi-queries/cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b.md 
@@ -0,0 +1,459 @@ +--- +title: Encoding Map Key Mismatch Schema Defined Properties +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cd7a52cf-8d7f-4cfe-bbeb-6306d23f576b +- **Query name:** Encoding Map Key Mismatch Schema Defined Properties +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/encoding_map_key_mismatch_schema_defined_properties) + +### Description +Encoding Map Key should be set in schema defined properties
+[Documentation](https://swagger.io/specification/#media-type-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="70" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "profileImage": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="36" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + } + }, + "encoding": { + "profileImage": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="42" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + profileImage: + contentType: image/png, image/jpeg + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + profileImage: + contentType: image/png, image/jpeg + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "responses": { + "ResponseExample": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object" + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + responses: + ResponseExample: + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + +``` +
diff --git a/docs/queries/openapi-queries/ceefb058-8065-418f-9c4c-584a78c7e104.md b/docs/queries/openapi-queries/ceefb058-8065-418f-9c4c-584a78c7e104.md new file mode 100644 index 00000000000..f677cf1812f --- /dev/null +++ b/docs/queries/openapi-queries/ceefb058-8065-418f-9c4c-584a78c7e104.md @@ -0,0 +1,171 @@ +--- +title: Operation Using Basic Auth +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ceefb058-8065-418f-9c4c-584a78c7e104 +- **Query name:** Operation Using Basic Auth +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/operation_using_basic_auth) + +### Description +Operation Object should not use basic authentication
+[Documentation](https://swagger.io/specification/v2/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="22" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [] + } + ] + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "basic", + "description": "For more information, see https://api.my.company.com/docs/oauth" + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + security: + - oAuth2AuthCodeNeg2: [] +securityDefinitions: + oAuth2AuthCodeNeg2: + type: basic + description: For more information, see https://api.my.company.com/docs/oauth + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "write", + "read" + ] + } + ] + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "accessCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + security: + - oAuth2AuthCodeNeg2: + - write + - read +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: accessCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` diff --git a/docs/queries/openapi-queries/cf4a5f45-a27b-49df-843a-9911dbfe71d4.md b/docs/queries/openapi-queries/cf4a5f45-a27b-49df-843a-9911dbfe71d4.md new file mode 100644 index 00000000000..1ceba7590cc --- /dev/null +++ b/docs/queries/openapi-queries/cf4a5f45-a27b-49df-843a-9911dbfe71d4.md 
@@ -0,0 +1,213 @@ +--- +title: Invalid Media Type Value (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cf4a5f45-a27b-49df-843a-9911dbfe71d4 +- **Query name:** Invalid Media Type Value (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/invalid_media_type_value) + +### Description +The Media Type value should match the following format: /[+suffix][;parameters]
+[Documentation](https://swagger.io/specification/#media-type-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="28" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + }, + "requestBody": { + "content": { + "multipart/form- data": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="20" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + multipart/form- data: + encoding: + code: + contentType: image/png, image/jpeg + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "multipart/form-data": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + multipart/form-data: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + +``` diff --git a/docs/queries/openapi-queries/d15db953-a553-4b8a-9a14-a3d62ea3d79d.md b/docs/queries/openapi-queries/d15db953-a553-4b8a-9a14-a3d62ea3d79d.md new file mode 100644 index 00000000000..70b8f9dc479 --- /dev/null +++ b/docs/queries/openapi-queries/d15db953-a553-4b8a-9a14-a3d62ea3d79d.md 
@@ -0,0 +1,173 @@ +--- +title: Components Callback Definition Is Unused +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d15db953-a553-4b8a-9a14-a3d62ea3d79d +- **Query name:** Components Callback Definition Is Unused +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/components_callback_definition_unused) + +### Description +Components callbacks definitions should be referenced or removed from Open API definition
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + } + } + } + }, + "components": { + "callbacks": { + "inProgress": { + "{$request.body#/inProgressUrl}": { + "post": { + "requestBody": { + "$ref": "#/components/requestBodies/callbackMessage1" + }, + "responses": { + "200": { + "description": "OK" + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/Success" +components: + callbacks: + inProgress: + "{$request.body#/inProgressUrl}": + post: + requestBody: + "$ref": "#/components/requestBodies/callbackMessage1" + responses: + '200': + description: OK + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + }, + "callbacks": { + "myEvent": { + "$ref": "#/components/callbacks/inProgress" + } + } + } + } + }, + "components": { + "callbacks": { + "inProgress": { + "{$request.body#/inProgressUrl}": { + "post": { + "requestBody": { + "$ref": "#/components/requestBodies/callbackMessage1" + }, + "responses": { + "200": { + "description": "OK" + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + $ref: "#/components/schemas/Success" + callbacks: + myEvent: + $ref: "#/components/callbacks/inProgress" +components: + callbacks: + inProgress: + "{$request.body#/inProgressUrl}": + post: + requestBody: + $ref: "#/components/requestBodies/callbackMessage1" + responses: + "200": + description: OK + +``` diff --git a/docs/queries/openapi-queries/d172a060-8569-4412-8045-3560ebd477e8.md b/docs/queries/openapi-queries/d172a060-8569-4412-8045-3560ebd477e8.md new file mode 100644 index 00000000000..cdb5613bf64 --- /dev/null +++ b/docs/queries/openapi-queries/d172a060-8569-4412-8045-3560ebd477e8.md 
@@ -0,0 +1,813 @@ +--- +title: Object Without Required Property (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d172a060-8569-4412-8045-3560ebd477e8 +- **Query name:** Object Without Required Property (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/object_without_required_property) + +### Description +OpenAPI Object should contain all of its required fields
+[Documentation](https://swagger.io/specification/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="3" +{ + "openapi": "3.0.0", + "info": { + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "/", + "email": "user@gmail.com" + } + }, + "paths": {} +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="2" +openapi: 3.0.0 +info: + title: Simple API Overview + contact: + name: contact + url: "/" + email: user@gmail.com +paths: {} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="9 12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "servers": [ + { + "description": "server URL" + } + ], + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ] + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="10 7" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersions + summary: List versions + servers: + - description: server URL + security: + - OAuth2: + - write + - read + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="62 65 54" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "servers": [ + { + "url": "http://myapi.com/", + "description": "server URL" + } + ], + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "requestBody": { + "description": "A JSON object containing my object information" + } + } + } + }, + "components": { + "requestBodies": { + "MyObjectBody": { + "description": "A JSON object containing my object information" + }, + "MyObjectBody_2": { + "description": "A JSON object containing my object information" + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="32 36 38" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersions + summary: List versions + servers: + - url: http://myapi.com/ + description: server URL + security: + - OAuth2: + - write + - read + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + requestBody: + description: A JSON object containing my object information +components: + requestBodies: + MyObjectBody: + description: A JSON object containing my object information + MyObjectBody_2: + description: A JSON object containing my object information + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="72 27 53" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "servers": [ + { + "url": "http://myapi.com/", + "description": "server URL" + } + ], + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "responses": { + "200": { + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "parameters": [ + { + "in": "path", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "string" + } + }, + "style": "simple" + } + ] + } + } + }, + "components": { + "parameters": { + "IdParam": { + "name": "id", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "string" + } + }, + "style": "simple" + } + } + } +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="18 42 31" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersions + summary: List versions + servers: + - url: http://myapi.com/ + description: server URL + security: + - OAuth2: + - write + - read + responses: + "200": + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple +components: + parameters: + IdParam: + name: id + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "/", + "email": "user@gmail.com" + } + }, + "paths": {} +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: "/" + email: user@gmail.com +paths: {} + +``` +```json title="Negative test num. 3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "servers": [ + { + "url": "http://myapi.com/", + "description": "server URL" + } + ], + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersions + summary: List versions + servers: + - url: http://myapi.com/ + description: server URL + security: + - OAuth2: + - write + - read + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "servers": [ + { + "url": "http://myapi.com/", + "description": "server URL" + } + ], + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "requestBody": { + "description": "A JSON object containing my object information", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "MyObjectBody": { + "description": "A JSON object containing my object information", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + } + } + } + }, + "MyObjectBody_2": { + "description": "A JSON object containing my object information", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/MyObject" + } + } + } + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersions + summary: List versions + servers: + - url: http://myapi.com/ + description: server URL + security: + - OAuth2: + - write + - read + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + requestBody: + description: A JSON object containing my object information + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" +components: + requestBodies: + MyObjectBody: + description: A JSON object containing my object information + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + MyObjectBody_2: + description: A JSON object containing my object information + content: + application/json: + schema: + "$ref": "#/components/schemas/MyObject" + +``` +
+
Negative test num. 7 - json file + +```json +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersions", + "summary": "List versions", + "servers": [ + { + "url": "http://myapi.com/", + "description": "server URL" + } + ], + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ], + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "string" + } + }, + "style": "simple" + } + ] + } + } + }, + "components": { + "parameters": { + "IdParam": { + "name": "id", + "in": "path", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "string" + } + }, + "style": "simple" + } + } + } +} + +``` +
+
Negative test num. 8 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersions + summary: List versions + servers: + - url: http://myapi.com/ + description: server URL + security: + - OAuth2: + - write + - read + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple +components: + parameters: + IdParam: + name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: string + style: simple + +``` +
diff --git a/docs/queries/openapi-queries/d2361d58-361c-49f0-9e50-b957fd608b29.md b/docs/queries/openapi-queries/d2361d58-361c-49f0-9e50-b957fd608b29.md new file mode 100644 index 00000000000..ebbeef8a447 --- /dev/null +++ b/docs/queries/openapi-queries/d2361d58-361c-49f0-9e50-b957fd608b29.md @@ -0,0 +1,505 @@ +--- +title: Schema With Both ReadOnly And WriteOnly +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d2361d58-361c-49f0-9e50-b957fd608b29 +- **Query name:** Schema With Both ReadOnly And WriteOnly +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/schema_with_both_read_only_and_write_only) + +### Description +Schema should not have both 'writeOnly' and 'readOnly' set to true
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="50" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "array", + "items": { + "type": "string" + }, + "properties": { + "id": { + "type": "integer", + "writeOnly": "true", + "readOnly": "true" + }, + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "name" + ] + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="22" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "type": "string" + }, + "properties": { + "id": { + "type": "integer", + "writeOnly": "true", + "readOnly": "true" + }, + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="27" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: array + items: + type: string + properties: + id: + type: integer + readOnly: true + writeOnly: true + code: + type: string + format: int32 + message: + type: string + required: + - name + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: array + items: + type: string + properties: + id: + type: integer + readOnly: true + writeOnly: true + code: + type: string + format: int32 + message: + type: string + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "array", + "items": { + "type": "string" + }, + "properties": { + "id": { + "type": "integer", + "readOnly": "true" + }, + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "name" + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "array", + "items": { + "type": "string" + }, + "properties": { + "id": { + "type": "integer", + "readOnly": "true" + }, + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: array + items: + type: string + properties: + id: + type: integer + readOnly: true + code: + type: string + format: int32 + message: + type: string + required: + - name + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: array + items: + type: string + properties: + id: + type: integer + readOnly: true + code: + type: string + format: int32 + message: + type: string + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
diff --git a/docs/queries/openapi-queries/d3ea644a-9a5c-4fee-941f-f8a6786c0470.md b/docs/queries/openapi-queries/d3ea644a-9a5c-4fee-941f-f8a6786c0470.md new file mode 100644 index 00000000000..2407b9df411 --- /dev/null +++ b/docs/queries/openapi-queries/d3ea644a-9a5c-4fee-941f-f8a6786c0470.md @@ -0,0 +1,523 @@ +--- +title: Property 'style' of Encoding Object Ignored +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d3ea644a-9a5c-4fee-941f-f8a6786c0470 +- **Query name:** Property 'style' of Encoding Object Ignored +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/property_type_encoding_object_ignored) + +### Description +Property 'style' of the encoding object should be defined when the media type of the request body is 'application/x-www-form-urlencoded'. If not, it will be ignored.
+[Documentation](https://swagger.io/specification/#encoding-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="49" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/data": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true, + "style": "simple" + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "multipart/data": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true, + "style": "simple" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="31" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/data: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + style: simple + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="30" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + multipart/data: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + style: simple + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true, + "style": "simple" + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "application/x-www-form-urlencoded": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg", + "allowReserved": true, + "style": "simple" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + application/x-www-form-urlencoded: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + style: simple + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + application/x-www-form-urlencoded: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + allowReserved: true + style: simple + +``` +
diff --git a/docs/queries/openapi-queries/d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md b/docs/queries/openapi-queries/d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md new file mode 100644 index 00000000000..064f7b8b0f0 --- /dev/null +++ b/docs/queries/openapi-queries/d40f27e6-15fb-4b56-90f8-fc0ff0291c51.md @@ -0,0 +1,266 @@ +--- +title: Parameter Object With Incorrect Ref (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d40f27e6-15fb-4b56-90f8-fc0ff0291c51 +- **Query name:** Parameter Object With Incorrect Ref (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/parameter_object_incorrect_ref) + +### Description +Parameter Object reference must always point to '#/components/parameters'
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="56 67 59" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "int" + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "$ref": "#path/parameters/idParam" + }, + { + "$ref": "#components/schemas/idParam" + } + ] + }, + "/user/id": { + "get": { + "parameters": [ + { + "$ref": "#path/parameters/idParam" + } + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="41 42 46" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: true + schema: + type: int + nameParam: + in: path + description: Name of the API version + required: true + schema: + type: string +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - $ref: "#path/parameters/idParam" + - $ref: "#components/schemas/idParam" + /user/id: + get: + parameters: + - $ref: "#path/parameters/idParam" + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "components": { + "parameters": { + "idParam": { + "name": "id", + "in": "path", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "int" + } + } + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "$ref": "#/components/parameters/idParam" + } + ] + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +components: + parameters: + idParam: + name: id + in: path + description: ID of the API version + required: true + schema: + type: int + nameParam: + in: path + description: Name of the API version + required: true + schema: + type: string +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - $ref: "#/components/parameters/idParam" + +``` diff --git a/docs/queries/openapi-queries/d47940ca-5970-45cc-bdd1-4d81398cee1f.md b/docs/queries/openapi-queries/d47940ca-5970-45cc-bdd1-4d81398cee1f.md new file mode 100644 index 00000000000..4cf2ecd4ea8 --- /dev/null +++ b/docs/queries/openapi-queries/d47940ca-5970-45cc-bdd1-4d81398cee1f.md @@ -0,0 +1,114 @@ +--- +title: Operation Summary Too Long +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d47940ca-5970-45cc-bdd1-4d81398cee1f +- **Query name:** Operation Summary Too Long +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/operation_summary_too_long) + +### Description +Operation summary should be short (less than 120 characters)
+[Documentation](https://swagger.io/specification/v2/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="11" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versionssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="9" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versionssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss + responses: + "200": + description: "200 response" + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "produces": [ + "application/json" + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + produces: + - application/json + responses: + "200": + description: 200 response + +``` diff --git a/docs/queries/openapi-queries/d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md b/docs/queries/openapi-queries/d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md new file mode 100644 index 00000000000..d834e43593d --- /dev/null 
+++ b/docs/queries/openapi-queries/d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd.md @@ -0,0 +1,527 @@ +--- +title: Header Response Name Is Invalid (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d4e43db5-54d8-4dda-b3c2-0dc6f31a46bd +- **Query name:** Header Response Name Is Invalid (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/header_response_name_is_invalid) + +### Description +The Header Response should not be named as 'Content-Type', 'Authorization' or 'Accept'. If so, it will be ignored.
+[Documentation](https://swagger.io/specification/#response-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="42" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "50": { + "description": "500 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "6xx": { + "description": "[600-699] response", + "headers": { + "Content-Type": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Pet" + } + } + } + }, + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="28" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "50": + description: Server error response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "6xx": + description: "[600-699] response" + headers: + Content-Type: + application/json: + schema: + $ref: "#/components/schemas/Pet" + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Postitive test num. 3 - json file" hl_lines="32" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/responses/Success" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "responses": { + "Success": { + "description": "An array with users", + "schema": { + "$ref": "#/definitions/User" + }, + "headers": { + "Accept": { + "description": "When it is accepted", + "type": "string" + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="21" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/responses/Success" + parameters: + - "$ref": "#/parameters/limitParam" +responses: + Success: + description: An array with users + schema: + "$ref": "#/definitions/User" + headers: + Accept: + description: When it is accepted + type: string +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "50": { + "description": "500 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "6xx": { + "description": "[600-699] response", + "headers": { + "Pet": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/Pet" + } + } + } + }, + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "50": + description: Server error response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "6xx": + description: "[600-699] response" + headers: + Pet: + application/json: + schema: + $ref: "#/components/schemas/Pet" + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/responses/Success" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "responses": { + "Success": { + "description": "An array with users", + "schema": { + "$ref": "#/definitions/User" + }, + "headers": { + "X-Rate-Limit-Limit": { + "description": "The number of allowed requests in the current period", + "type": "integer" + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/responses/Success" + parameters: + - "$ref": "#/parameters/limitParam" +responses: + Success: + description: An array with users + schema: + "$ref": "#/definitions/User" + headers: + X-Rate-Limit-Limit: + description: The number of allowed requests in the current period + type: integer +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/d674aea4-ba8b-454b-bb97-88a772ea33f0.md b/docs/queries/openapi-queries/d674aea4-ba8b-454b-bb97-88a772ea33f0.md new file mode 100644 index 00000000000..adfd2df8df0 --- /dev/null +++ b/docs/queries/openapi-queries/d674aea4-ba8b-454b-bb97-88a772ea33f0.md @@ -0,0 +1,424 @@ +--- +title: Global Security Field Has An Empty Array (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d674aea4-ba8b-454b-bb97-88a772ea33f0 +- **Query name:** Global Security Field Has An Empty Array (v3) +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/security_empty_array) + +### Description +Security object need to have defined rules in its array and rules should be defined on securityScheme
+[Documentation](https://swagger.io/specification/#security-requirement-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [] +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="25" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: [] + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="38" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: [] + +``` +
Postitive test num. 4 - json file + +```json hl_lines="60" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "security": [] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ], + "components": { + "securitySchemes": [ + { + "exampleSecurity": { + "type": "http", + "scheme": "basic" + } + } + ] + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: '2011-01-21T11:33:21Z' + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: +- exampleSecurity: [] +components: + securitySchemes: + - exampleSecurity: + type: http + scheme: basic + +``` +```yaml title="Negative test num. 
3 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + properties: + code: + type: integer + format: int32 + message: + type: string + required: + - code + - message + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] + +``` +
Negative test num. 4 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "code", + "message" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ] +} + +``` +
diff --git a/docs/queries/openapi-queries/d86655c0-92f6-4ffc-b4d5-5b5775804c27.md b/docs/queries/openapi-queries/d86655c0-92f6-4ffc-b4d5-5b5775804c27.md new file mode 100644 index 00000000000..a188494a1c1 --- /dev/null +++ b/docs/queries/openapi-queries/d86655c0-92f6-4ffc-b4d5-5b5775804c27.md @@ -0,0 +1,428 @@ +--- +title: Responses With Wrong HTTP Status Code (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d86655c0-92f6-4ffc-b4d5-5b5775804c27 +- **Query name:** Responses With Wrong HTTP Status Code (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/responses_wrong_http_status_code) + +### Description +HTTP Responses status code should be in range of [200-599]
+[Documentation](https://swagger.io/specification/#responses-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="13 39" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "50": { + "description": "500 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "6xx": { + "description": "[600-699] response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="25 11" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "50": + description: Server error response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "6xx": + description: "[600-699] response" + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="13 39" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "50": { + "description": "500 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "6xx": { + "description": "[600-699] response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="25 11" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "50": + description: Server error response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + 6xx: + description: "[600-699] response" + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + }, + "310": { + "description": "[300-399] response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + "310": + description: "[300-399] response" + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + # Definition of all error statuses + default: + description: Unexpected error + content: + application/json: + schema: + $ref: '#/components/schemas/Error' + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + }, + "310": { + "description": "[300-399] response" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + "310": + description: "[300-399] response" + +``` +
diff --git a/docs/queries/openapi-queries/d90d4e40-44c1-4125-87a0-e072c3e195b5.md b/docs/queries/openapi-queries/d90d4e40-44c1-4125-87a0-e072c3e195b5.md new file mode 100644 index 00000000000..49b5ce68596 --- /dev/null +++ b/docs/queries/openapi-queries/d90d4e40-44c1-4125-87a0-e072c3e195b5.md @@ -0,0 +1,338 @@ +--- +title: Cleartext API Key In Operation Security (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d90d4e40-44c1-4125-87a0-e072c3e195b5 +- **Query name:** Cleartext API Key In Operation Security (v3) +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/cleartext_api_key_in_operation_security) + +### Description +API Keys should not be sent as cleartext over an unencrypted channel
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="19 20 21" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/pets": { + "post": { + "description": "Creates a new pet in the store", + "responses": { + "200": { + "description": "200 response" + } + }, + "operationId": "addPet", + "security": [ + { + "apiKey1": [], + "apiKey2": [], + "apiKey3": [] + } + ] + } + } + }, + "components": { + "securitySchemes": { + "apiKey1": { + "type": "apiKey", + "name": "X-API-Key", + "in": "header" + }, + "apiKey2": { + "type": "apiKey", + "name": "X-API-Key", + "in": "cookie" + }, + "apiKey3": { + "type": "apiKey", + "name": "X-API-Key", + "in": "query" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="16 14 15" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + /pets: + post: + description: Creates a new pet in the store + responses: + "200": + description: 200 response + operationId: addPet + security: + - apiKey1: [] + apiKey2: [] + apiKey3: [] +components: + securitySchemes: + apiKey1: + type: apiKey + name: X-API-Key + in: header + apiKey2: + type: apiKey + name: X-API-Key + in: cookie + apiKey3: + type: apiKey + name: X-API-Key + in: query + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="19 20" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/pets": { + "post": { + "description": "Creates a new pet in the store", + "responses": { + "200": { + "description": "200 response" + } + }, + "operationId": "addPet", + "security": [ + { + "apiKey1": [], + "apiKey3": [] + } + ] + } + } + }, + "securityDefinitions": { + "apiKey1": { + "type": "apiKey", + "name": "X-API-Key", + "in": "header" + }, + "apiKey3": { + "type": "apiKey", + "name": "X-API-Key", + "in": "query" + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="14 15" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + /pets: + post: + description: Creates a new pet in the store + responses: + "200": + description: 200 response + operationId: addPet + security: + - apiKey1: [] + apiKey3: [] +securityDefinitions: + apiKey1: + type: apiKey + name: X-API-Key + in: header + apiKey3: + type: apiKey + name: X-API-Key + in: query + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "version": "1.0.0", + "title": "Simple API overview" + }, + "paths": { + "/pets": { + "post": { + "description": "Creates a new pet in the store", + "responses": { + "200": { + "description": "200 response" + } + }, + "operationId": "addPet", + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ] + } + } + }, + "components": { + "securitySchemes": { + "OAuth2": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "scopes": { + "write": "modify objects in your account", + "read": "read objects in your account" + }, + "authorizationUrl": "https://example.com/oauth/authorize", + "tokenUrl": "https://example.com/oauth/token" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + /pets: + post: + description: Creates a new pet in the store + responses: + "200": + description: 200 response + operationId: addPet + security: + - OAuth2: + - write + - read +components: + securitySchemes: + OAuth2: + type: oauth2 + flows: + authorizationCode: + scopes: + write: modify objects in your account + read: read objects in your account + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "version": "1.0.0", + "title": "Simple API overview" + }, + "paths": { + "/pets": { + "post": { + "description": "Creates a new pet in the store", + "responses": { + "200": { + "description": "200 response" + } + }, + "operationId": "addPet", + "security": [ + { + "OAuth2": [ + "write", + "read" + ] + } + ] + } + } + }, + "securityDefinitions": { + "OAuth2": { + "type": "oauth2", + "flow": "accessCode", + "authorizationUrl": "https://example.com/oauth/authorize", + "tokenUrl": "https://example.com/oauth/token", + "scopes": { + "read": "Grants read access", + "write": "Grants write access" + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + /pets: + post: + description: Creates a new pet in the store + responses: + "200": + description: 200 response + operationId: addPet + security: + - OAuth2: + - write + - read +securityDefinitions: + OAuth2: + type: oauth2 + flow: accessCode + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token + scopes: + read: Grants read access + write: Grants write access + +``` +
diff --git a/docs/queries/openapi-queries/d929c031-078f-4241-b802-e224656ad890.md b/docs/queries/openapi-queries/d929c031-078f-4241-b802-e224656ad890.md new file mode 100644 index 00000000000..306572c4fb1 --- /dev/null +++ b/docs/queries/openapi-queries/d929c031-078f-4241-b802-e224656ad890.md @@ -0,0 +1,507 @@ +--- +title: Invalid Format (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d929c031-078f-4241-b802-e224656ad890 +- **Query name:** Invalid Format (v3) +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/invalid_format) + +### Description +The format should be valid for the type defined. For integer type must be int32 or int64 and number type must be float or double
+[Documentation](https://swagger.io/docs/specification/data-models/data-types/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="61 53 37" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/MyObject" + }, + "201": { + "description": "201 response" + } + } + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "myObject": { + "$ref": "#/components/schemas/MyObject" + }, + "length": { + "type": "integer", + "format": "float" + } + } + } + } + } + ] + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "double" + }, + "quantity": { + "type": "integer", + "format": "int32" + }, + "percentage": { + "type": "number", + "format": "int32" + }, + "result": { + "type": "number", + "format": "double" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="43 37 29" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + "$ref": "#/components/schemas/MyObject" + "201": + description: 201 response + parameters: + - name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: object + properties: + myObject: + "$ref": "#/components/schemas/MyObject" + length: + type: integer + format: float +components: + schemas: + MyObject: + type: object + properties: + id: + type: integer + format: double + quantity: + type: integer + format: int32 + percentage: + type: number + format: int32 + result: + type: number + format: double + +``` +```json title="Postitive test num. 3 - json file" hl_lines="42" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + }, + "201": { + "description": "201 response" + } + } + }, + "parameters": [ + { + "name": "id", + "in": "body", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "format": "double" + }, + "quantity": { + "type": "integer", + "format": "int32" + }, + "percentage": { + "type": "number", + "format": "int32" + }, + "result": { + "type": "number", + "format": "double" + } + } + } + } + }, + { + "name": "start_date", + "in": "query", + "type": "string", + "format": "int64", + "description": "The start date for the report. Must be used together with `end_date`. This parameter is incompatible with `rdate`.\n" + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="33" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 202 response + "201": + description: 201 response + parameters: + - name: id + in: body + description: ID of pet to use + required: true + schema: + type: array + items: + type: object + properties: + id: + type: string + format: double + quantity: + type: integer + format: int32 + percentage: + type: number + format: int32 + result: + type: number + format: double + - name: start_date + in: query + type: string + format: int64 + description: > + The start date for the report. Must be used together with `end_date`. + This parameter is incompatible with `rdate`. + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "summary": "List API versions", + "responses": { + "201": { + "description": "201 response" + }, + "200": { + "$ref": "#/components/schemas/MyObject" + } + }, + "operationId": "listVersionsv2" + }, + "parameters": [ + { + "name": "id", + "in": "path", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "myObject": { + "$ref": "#/components/schemas/MyObject" + }, + "length": { + "type": "integer", + "format": "int32" + } + } + } + } + } + ] + } + }, + "components": { + "schemas": { + "MyObject": { + "type": "object", + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "quantity": { + "type": "integer", + "format": "int32" + }, + "percentage": { + "type": "number", + "format": "float" + }, + "result": { + "type": "number", + "format": "double" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + "$ref": "#/components/schemas/MyObject" + "201": + description: 201 response + parameters: + - name: id + in: path + description: ID of pet to use + required: true + schema: + type: array + items: + type: object + properties: + myObject: + "$ref": "#/components/schemas/MyObject" + length: + type: integer + format: int32 +components: + schemas: + MyObject: + type: object + properties: + id: + type: integer + format: int64 + quantity: + type: integer + format: int32 + percentage: + type: number + format: float + result: + type: number + format: double + +``` +```json title="Negative test num. 
3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + }, + "201": { + "description": "201 response" + } + } + }, + "parameters": [ + { + "name": "id", + "in": "body", + "description": "ID of pet to use", + "required": true, + "schema": { + "type": "array", + "items": { + "type": "object", + "properties": { + "id": { + "type": "string", + "format": "byte" + }, + "quantity": { + "type": "integer", + "format": "int32" + }, + "percentage": { + "type": "number", + "format": "float" + }, + "result": { + "type": "number", + "format": "double" + } + } + } + } + }, + { + "name": "start_date", + "in": "query", + "type": "string", + "format": "date", + "description": "The start date for the report. Must be used together with `end_date`. This parameter is incompatible with `rdate`.\n" + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 202 response + "201": + description: 201 response + parameters: + - name: id + in: body + description: ID of pet to use + required: true + schema: + type: array + items: + type: object + properties: + id: + type: string + format: byte + quantity: + type: integer + format: int32 + percentage: + type: number + format: float + result: + type: number + format: double + - name: start_date + in: query + type: string + format: date + description: > + The start date for the report. Must be used together with `end_date`. + This parameter is incompatible with `rdate`. + +``` +
diff --git a/docs/queries/openapi-queries/dadc2f36-1f5a-46c0-8289-75e626583123.md b/docs/queries/openapi-queries/dadc2f36-1f5a-46c0-8289-75e626583123.md new file mode 100644 index 00000000000..29971531f4c --- /dev/null +++ b/docs/queries/openapi-queries/dadc2f36-1f5a-46c0-8289-75e626583123.md @@ -0,0 +1,841 @@ +--- +title: Schema Discriminator Property Not String (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dadc2f36-1f5a-46c0-8289-75e626583123 +- **Query name:** Schema Discriminator Property Not String (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/schema_discriminator_property_not_string) + +### Description +Schema discriminator property should be a string
+[Documentation](https://swagger.io/specification/#discriminator-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="53" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "integer" + } + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="25" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "integer" + } + }, + "required": [ + "petType" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="32" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: integer + required: + - petType + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: integer + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="28" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "GeneralError": { + "type": "object", + "discriminator": "petType", + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "integer" + } + }, + "required": [ + "petType" + ] + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="16" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + GeneralError: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: integer + required: + - petType + +``` +
+
Postitive test num. 7 - json file + +```json hl_lines="22" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "discriminator": "petType", + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "integer" + } + }, + "required": [ + "petType" + ] + } + } + } + } + } + } +} + +``` +
+
Postitive test num. 8 - yaml file + +```yaml hl_lines="15" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: integer + required: + - petType + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "integer", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "petType" + ] + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: string + required: + - petType + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: string + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +security: + - exampleSecurity: [] + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "definitions": { + "GeneralError": { + "type": "object", + "discriminator": "petType", + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +definitions: + GeneralError: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: string + required: + - petType + +``` +
+
Negative test num. 7 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "type": "object", + "discriminator": "petType", + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + }, + "petType": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + } + } + } + } + } +} + +``` +
+
Negative test num. 8 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + type: object + discriminator: petType + properties: + code: + type: string + format: int32 + message: + type: string + petType: + type: string + required: + - petType + +``` +
diff --git a/docs/queries/openapi-queries/e2ffa504-d22a-4c94-b6c5-f661849d2db7.md b/docs/queries/openapi-queries/e2ffa504-d22a-4c94-b6c5-f661849d2db7.md new file mode 100644 index 00000000000..839485c2e92 --- /dev/null +++ b/docs/queries/openapi-queries/e2ffa504-d22a-4c94-b6c5-f661849d2db7.md @@ -0,0 +1,701 @@ +--- +title: JSON Object Schema Without Type (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e2ffa504-d22a-4c94-b6c5-f661849d2db7 +- **Query name:** JSON Object Schema Without Type (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/json_object_schema_without_type) + +### Description +Schema of the JSON object should have 'type' defined.
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="75" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="16" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "discriminator": { + "propertyName": "petType" + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="45" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + discriminator: + propertyName: petType + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="16" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + $ref: "#/components/schemas/GeneralError" + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + discriminator: + propertyName: petType + required: + - petType + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="16" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "schema": { + "$ref": "#/definitions/GeneralError" + } + } + } + } + } + }, + "definitions": { + "GeneralError": { + "discriminator": "petType", + "required": [ + "petType" + ], + "properties": { + "message": { + "type": "string" + }, + "code": { + "type": "string", + "format": "int32" + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + $ref: "#/definitions/GeneralError" +definitions: + GeneralError: + discriminator: petType + required: + - petType + properties: + code: + type: string + format: int32 + message: + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "string", + "format": "int32" + }, + "message": { + "type": "string" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + $ref: "#/components/schemas/GeneralError" + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: string + format: int32 + message: + type: string + required: + - petType + +``` +
+
Negative test num. 5 - json file + +```json +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "required": [ + "petType" + ] + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + schema: + $ref: "#/definitions/GeneralError" +definitions: + GeneralError: + type: object + discriminator: petType + required: + - petType + properties: + code: + type: string + format: int32 + message: + type: string + +``` +
diff --git a/docs/queries/openapi-queries/e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md b/docs/queries/openapi-queries/e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md new file mode 100644 index 00000000000..5b1cd05f1b2 --- /dev/null +++ b/docs/queries/openapi-queries/e3f026e8-fdb4-4d5a-bcfd-bd94452073fe.md @@ -0,0 +1,189 @@ +--- +title: Security Definitions Undefined or Empty +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e3f026e8-fdb4-4d5a-bcfd-bd94452073fe +- **Query name:** Security Definitions Undefined or Empty +- **Platform:** OpenAPI +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/security_definitions_undefined_or_empty) + +### Description +Security Definitions Object should be set and not empty
+[Documentation](https://swagger.io/specification/v2/#securityDefinitionsObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="2" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": {} +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="1" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: {} + +``` +```json title="Postitive test num. 3 - json file" hl_lines="2" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="1" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "BasicAuth": { + "type": "basic" + }, + "ApiKeyAuth": { + "type": "apiKey", + "in": "header", + "name": "X-API-Key" + }, + "OAuth2": { + "type": "oauth2", + "flow": "accessCode", + "authorizationUrl": "https://example.com/oauth/authorize", + "tokenUrl": "https://example.com/oauth/token", + "scopes": { + "read": "Grants read access", + "write": "Grants write access", + "admin": "Grants read and write access to administrative information" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + BasicAuth: + type: basic + ApiKeyAuth: + type: apiKey + in: header + name: X-API-Key + OAuth2: + type: oauth2 + flow: accessCode + authorizationUrl: https://example.com/oauth/authorize + tokenUrl: https://example.com/oauth/token + scopes: + read: Grants read access + write: Grants write access + admin: Grants read and write access to administrative information + +``` diff --git a/docs/queries/openapi-queries/e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md b/docs/queries/openapi-queries/e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md new file mode 100644 index 00000000000..29dfd5a6eb5 --- /dev/null +++ b/docs/queries/openapi-queries/e9817ad8-a8c9-4038-8a2f-db0e6e7b284b.md 
@@ -0,0 +1,163 @@ +--- +title: Implicit Flow in OAuth2 (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e9817ad8-a8c9-4038-8a2f-db0e6e7b284b +- **Query name:** Implicit Flow in OAuth2 (v2) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/implicit_flow_oauth2) + +### Description +There is a 'securityDefinition' using implicit flow on OAuth2, which is deprecated
+[Documentation](https://swagger.io/specification/v2/#securitySchemeObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="27" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "implicit", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="19" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: implicit + authorizationUrl: https://api.my.company.com/oauth/authorize + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "accessCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: accessCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` diff --git a/docs/queries/openapi-queries/e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md b/docs/queries/openapi-queries/e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md new file mode 100644 index 00000000000..3febea30f06 --- /dev/null +++ b/docs/queries/openapi-queries/e9db5fb4-6a84-4abb-b4af-3b94fbdace6d.md 
@@ -0,0 +1,195 @@ +--- +title: Responses JSON Reference Does Not Exists (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e9db5fb4-6a84-4abb-b4af-3b94fbdace6d +- **Query name:** Responses JSON Reference Does Not Exists (v2) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/json_reference_does_not_exists_response) + +### Description +Responses reference should exist on responses definition field
+[Documentation](https://swagger.io/specification/v2/#responsesDefinitionsObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="14" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/responses/Succes" + } + } + } + } + }, + "responses": { + "Success": { + "description": "An array with users", + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="12" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/responses/Succes" +responses: + Success: + description: An array with users + schema: + "$ref": "#/definitions/User" +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/responses/Success" + } + } + } + } + }, + "responses": { + "Success": { + "description": "An array with users", + "schema": { + "$ref": "#/definitions/User" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/responses/Success" +responses: + Success: + description: An array with users + schema: + "$ref": "#/definitions/User" +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/eb3f9744-d24e-4614-b1ff-2a9514eca21c.md b/docs/queries/openapi-queries/eb3f9744-d24e-4614-b1ff-2a9514eca21c.md new file mode 100644 index 00000000000..e59d54f0246 --- /dev/null +++ b/docs/queries/openapi-queries/eb3f9744-d24e-4614-b1ff-2a9514eca21c.md 
@@ -0,0 +1,198 @@ +--- +title: Operation Object Parameters With 'body' And 'formatData' locations +hide: + toc: true + navigation: true +--- + + + +- **Query id:** eb3f9744-d24e-4614-b1ff-2a9514eca21c +- **Query name:** Operation Object Parameters With 'body' And 'formatData' locations +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/operation_object_parameters_with_body_and_formatdata) + +### Description +Operation object parameters should not have both 'body' and 'formatData' locations
+[Documentation](https://swagger.io/specification/v2/#parameterObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="17" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + }, + { + "name": "minlimit", + "in": "formatData", + "description": "min records to return", + "required": true + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "formatData", + "description": "max records to return", + "required": true + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="13" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object + - name: minlimit + in: formatData + description: min records to return + required: true +parameters: + limitParam: + name: limit + in: formatData + description: max records to return + required: true + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "object" + } + }, + { + "name": "minlimit", + "in": "body", + "description": "min records to return", + "required": true, + "schema": { + "type": "object" + } + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "formatData", + "description": "max records to return", + "required": true + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object + - name: minlimit + in: body + description: min records to return + required: true + schema: + type: object +parameters: + limitParam: + name: limit + in: formatData + description: max records to return + required: true + +``` diff --git a/docs/queries/openapi-queries/ed48229d-d43e-4da7-b453-5f98d964a57a.md b/docs/queries/openapi-queries/ed48229d-d43e-4da7-b453-5f98d964a57a.md new file mode 100644 index 00000000000..78d8031d971 --- /dev/null +++ b/docs/queries/openapi-queries/ed48229d-d43e-4da7-b453-5f98d964a57a.md 
@@ -0,0 +1,173 @@ +--- +title: Body Parameter Without Schema +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ed48229d-d43e-4da7-b453-5f98d964a57a +- **Query name:** Body Parameter Without Schema +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/body_parameter_without_schema) + +### Description +The Body Parameter Object should have the attribute 'schema' defined
+[Documentation](https://swagger.io/specification/v2/#parameterObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12 30" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="20 14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "parameters": [ + { + "name": "limit2", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "body", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit2 + in: body + description: max records to return + required: true + schema: + type: object +parameters: + limitParam: + name: limit + in: body + description: max records to return + required: true + schema: + type: object + +``` diff --git a/docs/queries/openapi-queries/f2702af5-6016-46cb-bbc8-84c766032095.md b/docs/queries/openapi-queries/f2702af5-6016-46cb-bbc8-84c766032095.md new file mode 100644 index 00000000000..ba1c703da6d --- /dev/null +++ b/docs/queries/openapi-queries/f2702af5-6016-46cb-bbc8-84c766032095.md @@ -0,0 +1,665 @@ +--- +title: Header Parameter Named as 'Accept' (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f2702af5-6016-46cb-bbc8-84c766032095 +- **Query name:** Header Parameter Named as 'Accept' (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/header_parameter_named_as_accept) + +### Description +The header Parameter should not be named as 'Accept'. If so, it will be ignored.
+[Documentation](https://swagger.io/specification/#parameter-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58 43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Accept", + "in": "header", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "parameters": [ + { + "in": "header", + "name": "Accept", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ], + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
2 - yaml file" hl_lines="26 36" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Accept + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: header + name: Accept + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Postitive test num. 3 - json file" hl_lines="43" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "Accept", + "in": "header", + "description": "ID of the API the version", + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="26" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: Accept + in: header + description: ID of the API version + required: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="11 38" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "parameters": [ + { + "name": "Accept", + "in": "header", + "description": "ID of the API version", + "required": true, + "type": "array", + "items": { + "type": "string" + } + } + ], + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "parameters": { + "limitParam": { + "type": "array", + "items": { + "type": "string" + }, + "name": "Accept", + "in": "header", + "description": "ID of the API version", + "required": true + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="21 14" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: Accept + in: header + description: ID of the API version + required: true + type: string +parameters: + limitParam: + name: Accept + in: header + description: ID of the API version + required: true + type: string + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "query", + "description": "ID of the API the version", + "required": true, + "schema": { + "type": "integer" + } + } + ] + }, + "/users/{id}": { + "get": { + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "in": "header", + "name": "id", + "required": true, + "description": "The user ID", + "schema": { + "type": "integer", + "minimum": 1 + } + } + ] + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: header + description: ID of the API version + required: true + schema: + type: integer + /users/{id}: + get: + parameters: + - in: header + name: id + required: true + description: The user ID + schema: + type: integer + minimum: 1 + responses: + "200": + description: 200 response + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + }, + "parameters": [ + { + "name": "id", + "in": "header", + "description": "ID of the API the version", + "required": true, + "content": { + "application/json": { + "schema": { + "type": "object", + "required": [ + "name" + ], + "properties": { + "name": { + "type": "string" + } + } + } + } + } + } + ] + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + parameters: + - name: id + in: header + description: ID of the API version + required: true + content: + application/json: + schema: + type: object + required: + - name + properties: + name: + type: string + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + }, + "parameters": [ + { + "name": "id", + "in": "header", + "description": "ID of the API the version", + "required": true, + "type": "string" + } + ] + } + }, + "parameters": { + "limitParam": { + "in": "header", + "description": "ID of the API version", + "required": true, + "type": "string", + "name": "id2" + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: id + in: header + description: ID of the API version + required: true + type: string +parameters: + limitParam: + name: id2 + in: header + description: ID of the API version + required: true + type: string + +``` +
diff --git a/docs/queries/openapi-queries/f29904c8-6041-4bca-b043-dfa0546b8079.md b/docs/queries/openapi-queries/f29904c8-6041-4bca-b043-dfa0546b8079.md new file mode 100644 index 00000000000..458ff698ea5 --- /dev/null +++ b/docs/queries/openapi-queries/f29904c8-6041-4bca-b043-dfa0546b8079.md @@ -0,0 +1,171 @@ +--- +title: Callback JSON Reference Does Not Exists +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f29904c8-6041-4bca-b043-dfa0546b8079 +- **Query name:** Callback JSON Reference Does Not Exists +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/json_reference_does_not_exists_callback) + +### Description +Callback reference should exists on components field
+[Documentation](https://swagger.io/specification/#components-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="19" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + }, + "callbacks": { + "myEvent": { + "$ref": "#/components/callbacks/inProgress" + } + } + } + } + }, + "components": { + "callbacks": { + "onProgress": { + "{$request.body#/onProgressUrl}": { + "delete": { + "responses": { + "204": { + "description": "Deleted" + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="15" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/Success" + callbacks: + myEvent: + "$ref": "#/components/callbacks/inProgress" +components: + callbacks: + onProgress: + "{$request.body#/onProgressUrl}": + delete: + responses: + '204': + description: Deleted + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/components/schemas/Success" + } + }, + "callbacks": { + "myEvent": { + "$ref": "#/components/callbacks/inProgress" + } + } + } + } + }, + "components": { + "callbacks": { + "inProgress": { + "{$request.body#/inProgressUrl}": { + "delete": { + "responses": { + "204": { + "description": "Deleted" + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 
2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/components/schemas/Success" + callbacks: + myEvent: + "$ref": "#/components/callbacks/inProgress" +components: + callbacks: + inProgress: + "{$request.body#/inProgressUrl}": + delete: + responses: + '204': + description: Deleted + +``` diff --git a/docs/queries/openapi-queries/f30ee711-0082-4480-85ab-31d922d9a2b2.md b/docs/queries/openapi-queries/f30ee711-0082-4480-85ab-31d922d9a2b2.md new file mode 100644 index 00000000000..07618e25137 --- /dev/null +++ b/docs/queries/openapi-queries/f30ee711-0082-4480-85ab-31d922d9a2b2.md @@ -0,0 +1,119 @@ +--- +title: Global Schemes Uses HTTP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f30ee711-0082-4480-85ab-31d922d9a2b2 +- **Query name:** Global Schemes Uses HTTP +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/global_schemes_uses_http) + +### Description +Global Schemes should use 'https' protocol instead of 'http'
+[Documentation](https://swagger.io/specification/v2/#swaggerObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="8" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "http" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="6" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - http +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + +``` diff --git a/docs/queries/openapi-queries/f368dd2d-9344-4146-a05b-7c6faa1269ad.md b/docs/queries/openapi-queries/f368dd2d-9344-4146-a05b-7c6faa1269ad.md new file mode 100644 index 00000000000..bea5120723f --- /dev/null +++ b/docs/queries/openapi-queries/f368dd2d-9344-4146-a05b-7c6faa1269ad.md 
@@ -0,0 +1,315 @@ +--- +title: Success Response Code Undefined for Post Operation (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f368dd2d-9344-4146-a05b-7c6faa1269ad +- **Query name:** Success Response Code Undefined for Post Operation (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/success_response_code_undefined_post_operation) + +### Description +Post should define at least one success response (200, 201, 202 or 204)
+[Documentation](https://swagger.io/specification/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="12" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "post": { + "operationId": "createItem", + "summary": "Create item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="24" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "post": { + "operationId": "createItem", + "summary": "Create item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="10" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + post: + operationId: createItem + summary: Create item + responses: + default: + description: Error + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="18" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + post: + operationId: createItem + summary: Create item + responses: + default: + description: Error + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="24" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "204": { + "description": "Item deleted successfully" + }, + "default": { + "description": "Error" + } + } + }, + "post": { + "operationId": "createItem", + "summary": "Create item", + "responses": { + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="18" +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + "204": + description: Item deleted successfully + default: + description: Error + post: + operationId: createItem + summary: Create item + responses: + default: + description: Error + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "default": { + "description": "Error" + } + } + }, + "post": { + "operationId": "updateItem", + "summary": "Create item", + "responses": { + "200": { + "description": "OK" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + default: + description: Error + post: + operationId: updateItem + summary: Create item + responses: + "200": + description: OK + default: + description: Error + +``` +```json title="Negative test num. 3 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API", + "version": "1.0.0" + }, + "paths": { + "/item": { + "delete": { + "operationId": "deleteItem", + "summary": "Delete item", + "responses": { + "default": { + "description": "Error" + } + } + }, + "post": { + "operationId": "updateItem", + "summary": "Create item", + "responses": { + "200": { + "description": "OK" + }, + "default": { + "description": "Error" + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API + version: 1.0.0 +paths: + "/item": + delete: + operationId: deleteItem + summary: Delete item + responses: + default: + description: Error + post: + operationId: updateItem + summary: Create item + responses: + "200": + description: OK + default: + description: Error + +``` +
diff --git a/docs/queries/openapi-queries/f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md b/docs/queries/openapi-queries/f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md new file mode 100644 index 00000000000..fe762636983 --- /dev/null +++ b/docs/queries/openapi-queries/f42dfe7e-787d-4478-a75e-a5f3d8a2269e.md @@ -0,0 +1,182 @@ +--- +title: Operation Using Implicit Flow +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f42dfe7e-787d-4478-a75e-a5f3d8a2269e +- **Query name:** Operation Using Implicit Flow +- **Platform:** OpenAPI +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/operation_using_implicit_flow) + +### Description +Operation Object should not use implicit flow
+[Documentation](https://swagger.io/specification/v2/#operation-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="22" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [] + } + ] + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "implicit", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="16" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + security: + - oAuth2AuthCodeNeg2: [] +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: implicit + authorizationUrl: https://api.my.company.com/oauth/authorize + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API overview", + "version": "1.0.0" + }, + "schemes": [ + "https" + ], + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "security": [ + { + "oAuth2AuthCodeNeg2": [ + "write", + "read" + ] + } + ] + } + } + }, + "securityDefinitions": { + "oAuth2AuthCodeNeg2": { + "type": "oauth2", + "description": "For more information, see https://api.my.company.com/docs/oauth", + "flow": "accessCode", + "authorizationUrl": "https://api.my.company.com/oauth/authorize", + "tokenUrl": "https://api.my.company.com/oauth/token", + "scopes": { + "write:api": "modify apis in your account", + "read:api": "read your apis" + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API overview + version: 1.0.0 +schemes: + - https +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + security: + - oAuth2AuthCodeNeg2: + - write + - read +securityDefinitions: + oAuth2AuthCodeNeg2: + type: oauth2 + description: For more information, see https://api.my.company.com/docs/oauth + flow: accessCode + authorizationUrl: https://api.my.company.com/oauth/authorize + tokenUrl: https://api.my.company.com/oauth/token + scopes: + write:api: modify apis in your account + read:api: read your apis + +``` diff --git a/docs/queries/openapi-queries/f525cc92-9050-4c41-a75c-890dc6f64449.md b/docs/queries/openapi-queries/f525cc92-9050-4c41-a75c-890dc6f64449.md new file mode 100644 index 00000000000..20c72320e22 --- /dev/null +++ b/docs/queries/openapi-queries/f525cc92-9050-4c41-a75c-890dc6f64449.md 
@@ -0,0 +1,248 @@ +--- +title: Security Scheme Using HTTP Negotiate +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f525cc92-9050-4c41-a75c-890dc6f64449 +- **Query name:** Security Scheme Using HTTP Negotiate +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/security_scheme_using_http_negotiate) + +### Description +Security Scheme HTTP should not be using negotiate authentication
+[Documentation](https://swagger.io/specification/#security-scheme-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="57" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "http", + "scheme": "negotiate" + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="33" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: http + scheme: negotiate + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.c" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "securitySchemes": { + "api_key": { + "type": "apiKey", + "name": "api_key", + "in": "header" + }, + "petstore_auth": { + "type": "oauth2", + "flows": { + "authorizationCode": { + "authorizationUrl": "https://example.com/api/oauth/dialog", + "tokenUrl": "https://example.com/api/oauth/token", + "scopes": { + "write:pets": "modify pets in your account", + "read:pets": "read your pets" + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + securitySchemes: + api_key: + type: apiKey + name: api_key + in: header + petstore_auth: + type: oauth2 + flows: + authorizationCode: + authorizationUrl: https://example.com/api/oauth/dialog + tokenUrl: https://example.com/api/oauth/token + scopes: + write:pets: modify pets in your account + read:pets: read your pets + +``` 
diff --git a/docs/queries/openapi-queries/f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md b/docs/queries/openapi-queries/f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md new file mode 100644 index 00000000000..eb793d50f40 --- /dev/null +++ b/docs/queries/openapi-queries/f5b2e6af-76f5-496d-8482-8f898c5fdb4a.md @@ -0,0 +1,281 @@ +--- +title: Parameters Name In Combination Not Unique (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f5b2e6af-76f5-496d-8482-8f898c5fdb4a +- **Query name:** Parameters Name In Combination Not Unique (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/parameters_name_in_not_unique) + +### Description +Parameters properties 'name' and 'in' should have unique combinations
+[Documentation](https://swagger.io/specification/#parameters-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="28 37" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "$ref": "#/components/parameters/limitJSONParam" + } + ] + } + } + }, + "components": { + "parameters": { + "limitJSONParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + }, + "otherJSONParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="25 18" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - "$ref": "#/components/parameters/limitParam" +components: + parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + otherParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="21" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "name": "limit", + "in": "path", + "description": "ID of pet to use", + "required": true, + "type": "array" + }, + { + "required": true, + "type": "array", + "items": { + "type": "string" + }, + "collectionFormat": "csv", + "name": "limit", + "in": "path", + "description": "ID of pet to use" + } + ], + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - name: limit + in: path + description: ID of pet to use + required: true + type: array + items: + type: string + collectionFormat: csv + - name: limit + in: path + description: ID of pet to use + required: true + type: array + items: + type: string + collectionFormat: csv + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + }, + "parameters": [ + { + "$ref": "#/components/parameters/negativeLimitParam" + } + ] + } + } + }, + "components": { + "parameters": { + "negativeLimitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + }, + "negativeOtherParam": { + "name": "other", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + parameters: + - "$ref": "#/components/parameters/negativeLimitParam" +components: + parameters: + negativeLimitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer + negativeOtherParam: + name: other + in: header + description: max records to return + required: true + schema: + type: integer + +``` diff --git a/docs/queries/openapi-queries/f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md b/docs/queries/openapi-queries/f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md new file mode 100644 index 00000000000..2d9a296c757 --- /dev/null +++ b/docs/queries/openapi-queries/f79b9d26-e945-44e7-98a1-b93f0f7a68a0.md 
@@ -0,0 +1,465 @@ +--- +title: Media Type Object Without Schema +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f79b9d26-e945-44e7-98a1-b93f0f7a68a0 +- **Query name:** Media Type Object Without Schema +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/media_type_object_without_schema) + +### Description +The Media Type Object should have the attribute 'schema' defined
+[Documentation](https://swagger.io/specification/#media-type-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="48 15" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/data": { + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="27 15" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + }, + "requestBody": { + "content": { + "multipart/form-data": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 
3 - yaml file" hl_lines="13 30" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="19 13" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + multipart/form-data: + encoding: + code: + contentType: image/png, image/jpeg + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ], + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0" + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/data": { + "schema": { + "type": "object", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "examples": { + "tshirt": { + "$ref": "#/components/examples/tshirt" + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + }, + "schema": { + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + }, + "type": "object", + "discriminator": { + "propertyName": "petType" + } + } + } + } + } + }, + "requestBody": { + "content": { + "multipart/form-data": { + "schema": { + "type": "string", + "format": "binary", + "properties": { + "code": { + "type": "string", + "format": "binary" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + type: object + properties: + code: + type: string + format: binary + examples: + tshirt: + $ref: "#/components/examples/tshirt" + encoding: + code: + contentType: image/png, image/jpeg + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + requestBody: + content: + multipart/form-data: + schema: + type: string + format: binary + properties: + code: + type: string + format: binary + encoding: + code: + contentType: image/png, image/jpeg + +``` +
diff --git a/docs/queries/openapi-queries/f985a7d2-d404-4a7f-9814-f645f791e46e.md b/docs/queries/openapi-queries/f985a7d2-d404-4a7f-9814-f645f791e46e.md new file mode 100644 index 00000000000..6eaf6e076b8 --- /dev/null +++ b/docs/queries/openapi-queries/f985a7d2-d404-4a7f-9814-f645f791e46e.md @@ -0,0 +1,137 @@ +--- +title: Invalid Media Type Value (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f985a7d2-d404-4a7f-9814-f645f791e46e +- **Query name:** Invalid Media Type Value (v2) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/invalid_media_type_value) + +### Description +The Media Type value should match the following format: /[+suffix][;parameters]
+[Documentation](https://swagger.io/specification/#media-type-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="16 11" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "produces": [ + "image/ png", + "image/gif", + "image/jpeg" + ], + "consumes": [ + "application/ x-www-form-urlencoded" + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="18 14" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + produces: + - image/ png + - image/gif + - image/jpeg + consumes: + - application/ x-www-form-urlencoded + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "produces": [ + "image/png", + "image/gif", + "image/jpeg" + ], + "consumes": [ + "application/x-www-form-urlencoded" + ], + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + produces: + - image/png + - image/gif + - image/jpeg + consumes: + - application/x-www-form-urlencoded + +``` 
diff --git a/docs/queries/openapi-queries/fb7d81e7-4150-48c4-b914-92fc05da6a2f.md b/docs/queries/openapi-queries/fb7d81e7-4150-48c4-b914-92fc05da6a2f.md new file mode 100644 index 00000000000..e9089c35748 --- /dev/null +++ b/docs/queries/openapi-queries/fb7d81e7-4150-48c4-b914-92fc05da6a2f.md @@ -0,0 +1,478 @@ +--- +title: Unknown Property (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fb7d81e7-4150-48c4-b914-92fc05da6a2f +- **Query name:** Unknown Property (v3) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/3.0/unknown_property) + +### Description +All properties defined in OpenAPI objects should be known
+[Documentation](https://swagger.io/specification/) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="28 14" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "descrinnption": "200 response" + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ], + "tags": [ + { + "name": "pets", + "desdddcription": "Everything about your Pets", + "externalDocs": { + "url": "http://docs.my-api.com/pet-operations.htm" + } + }, + { + "name": "store", + "description": "Access to Petstore orders", + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } + } + ] +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="3 20" +{ + "openapi": "3.0.0", + "infjnjnjno": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "tybhbhbpe:": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```json title="Postitive test num. 
3 - json file" hl_lines="20" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "OK" + } + }, + "callbacks": { + "inProgress": { + "{$request.body#/inProgressUrl}": { + "pbhbhbost": { + "requestBody": { + "$ref": "#/components/requestBodies/callbackMessage1" + }, + "responses": { + "200": { + "description": "OK" + } + } + } + } + } + } + } + } + } +} + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="17 12" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + descrinnption: 200 response +security: + - exampleSecurity: [] +tags: + - name: pets + desdddcription: Everything about your Pets + externalDocs: + url: http://docs.my-api.com/pet-operations.htm + - name: store + description: Access to Petstore orders + externalDocs: + url: http://docs.my-api.com/store-orders.htm + +``` +
+
Postitive test num. 5 - yaml file + +```yaml hl_lines="2 19" +openapi: 3.0.0 +infjnjnjno: + title: Simple API Overview + version: 1.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + tybhbhbpe: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="16" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: OK + callbacks: + inProgress: + "{$request.body#/inProgressUrl}": + pbhbhbost: + requestBody: + $ref: "#/components/requestBodies/callbackMessage1" + responses: + "200": + description: OK + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response" + } + } + } + } + }, + "security": [ + { + "exampleSecurity": [] + } + ], + "tags": [ + { + "name": "pets", + "description": "Everything about your Pets", + "externalDocs": { + "url": "http://docs.my-api.com/pet-operations.htm" + } + }, + { + "name": "store", + "description": "Access to Petstore orders", + "externalDocs": { + "url": "http://docs.my-api.com/store-orders.htm" + } + } + ] +} + +``` +```json title="Negative test num. 2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "properties": { + "code": { + "type": "string", + "format": "binary" + }, + "message": { + "type": "string" + } + } + }, + "encoding": { + "code": { + "contentType": "image/png, image/jpeg" + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "OK" + } + }, + "callbacks": { + "inProgress": { + "{$request.body#/inProgressUrl}": { + "post": { + "requestBody": { + "$ref": "#/components/requestBodies/callbackMessage1" + }, + "responses": { + "200": { + "description": "OK" + } + } + } + } + } + } + } + } + } +} + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response +security: + - exampleSecurity: [] +tags: + - name: pets + description: Everything about your Pets + externalDocs: + url: http://docs.my-api.com/pet-operations.htm + - name: store + description: Access to Petstore orders + externalDocs: + url: http://docs.my-api.com/store-orders.htm + +``` +
+
Negative test num. 5 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + properties: + code: + type: string + format: binary + message: + type: string + encoding: + code: + contentType: image/png, image/jpeg + +``` +
+
Negative test num. 6 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: OK + callbacks: + inProgress: + "{$request.body#/inProgressUrl}": + post: + requestBody: + $ref: "#/components/requestBodies/callbackMessage1" + responses: + "200": + description: OK + +``` +
diff --git a/docs/queries/openapi-queries/fb889ae9-2d16-40b5-b41f-9da716c5abc1.md b/docs/queries/openapi-queries/fb889ae9-2d16-40b5-b41f-9da716c5abc1.md new file mode 100644 index 00000000000..009e3334293 --- /dev/null +++ b/docs/queries/openapi-queries/fb889ae9-2d16-40b5-b41f-9da716c5abc1.md @@ -0,0 +1,225 @@ +--- +title: Parameter JSON Reference Does Not Exists (v2) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fb889ae9-2d16-40b5-b41f-9da716c5abc1 +- **Query name:** Parameter JSON Reference Does Not Exists (v2) +- **Platform:** OpenAPI +- **Severity:** Info +- **Category:** Structure and Semantics +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/2.0/json_reference_does_not_exists_parameter) + +### Description +Parameter reference should exist on parameters definition field
+[Documentation](https://swagger.io/specification/v2/#parameterObject) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="19" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/definitions/User" + } + }, + "parameters": [ + { + "$ref": "#/parameters/maxParam" + }, + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Postitive test num. 2 - yaml file" hl_lines="14" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/maxParam" + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` + + +#### Code samples without security vulnerabilities +```json title="Negative test num. 
1 - json file" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0" + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "$ref": "#/definitions/User" + } + }, + "parameters": [ + { + "$ref": "#/parameters/limitParam" + } + ] + } + } + }, + "parameters": { + "limitParam": { + "name": "limit", + "in": "query", + "description": "max records to return", + "required": true, + "schema": { + "type": "integer" + } + } + }, + "definitions": { + "User": { + "type": "object", + "required": [ + "id", + "name" + ], + "properties": { + "id": { + "type": "integer", + "format": "int64" + }, + "name": { + "type": "string" + } + } + } + } +} + +``` +```yaml title="Negative test num. 2 - yaml file" +swagger: '2.0' +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + '200': + "$ref": "#/definitions/User" + parameters: + - "$ref": "#/parameters/limitParam" +parameters: + limitParam: + name: limit + in: query + description: max records to return + required: true + schema: + type: integer +definitions: + User: + type: object + required: + - id + - name + properties: + id: + type: integer + format: int64 + name: + type: string + +``` diff --git a/docs/queries/openapi-queries/fbf699b5-ef74-4542-9cf1-f6eeac379373.md b/docs/queries/openapi-queries/fbf699b5-ef74-4542-9cf1-f6eeac379373.md new file mode 100644 index 00000000000..c73a63b94e5 --- /dev/null +++ b/docs/queries/openapi-queries/fbf699b5-ef74-4542-9cf1-f6eeac379373.md 
@@ -0,0 +1,685 @@ +--- +title: Numeric Schema Without Format (v3) +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fbf699b5-ef74-4542-9cf1-f6eeac379373 +- **Query name:** Numeric Schema Without Format (v3) +- **Platform:** OpenAPI +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/openAPI/general/numeric_schema_without_format) + +### Description +Numeric schema (type set to 'integer' or 'number') should have 'format' defined.
+[Documentation](https://swagger.io/specification/#schema-object) + +### Code samples +#### Code samples with security vulnerabilities +```json title="Postitive test num. 1 - json file" hl_lines="58" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "minimum": 0, + "maximum": 50 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Postitive test num. 
2 - json file" hl_lines="27" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "minimum": 0, + "maximum": 50 + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Postitive test num. 3 - yaml file" hl_lines="34" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + minimum: 0 + maximum: 50 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Postitive test num. 4 - yaml file + +```yaml hl_lines="22" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + minimum: 0 + maximum: 50 + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="23" +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "minimum": 0, + "maximum": 50 + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +
+
Postitive test num. 6 - yaml file + +```yaml hl_lines="20" +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + responses: + "200": + description: 200 response + schema: + discriminator: petType + additionalProperties: false + properties: + code: + type: integer + minimum: 0 + maximum: 50 + required: + - petType + type: object + operationId: listVersionsv2 + summary: List API versions + +``` +
+ + +#### Code samples without security vulnerabilities +```json title="Negative test num. 1 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "operationId": "listVersionsv2", + "summary": "List API versions", + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "GeneralError": { + "type": "object", + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "format": "int32", + "minimum": 0, + "maximum": 50 + } + }, + "required": [ + "petType" + ] + } + }, + "requestBodies": { + "NewItem": { + "description": "A JSON object containing item data", + "required": true, + "content": { + "multipart/form-data": { + "schema": { + "$ref": "#/components/schemas/GeneralError" + } + } + } + } + } + } +} + +``` +```json title="Negative test num. 
2 - json file" +{ + "openapi": "3.0.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "content": { + "application/json": { + "schema": { + "discriminator": { + "propertyName": "petType" + }, + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "minimum": 0, + "maximum": 50, + "format": "int32" + } + }, + "required": [ + "petType" + ], + "type": "object" + }, + "examples": { + "foo": { + "value": { + "versions": [ + { + "status": "CURRENT", + "updated": "2011-01-21T11:33:21Z", + "id": "v2.0", + "links": [ + { + "href": "http://127.0.0.1:8774/v2/", + "rel": "self" + } + ] + } + ] + } + } + } + } + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +```yaml title="Negative test num. 3 - yaml file" +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self +components: + schemas: + GeneralError: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + format: int32 + minimum: 0 + maximum: 50 + required: + - petType + requestBodies: + NewItem: + description: A JSON object containing item data + required: true + content: + multipart/form-data: + schema: + $ref: "#/components/schemas/GeneralError" + +``` +
Negative test num. 4 - yaml file + +```yaml +openapi: 3.0.0 +info: + title: Simple API Overview + version: 1.0.0 +paths: + "/": + get: + operationId: listVersionsv2 + summary: List API versions + responses: + "200": + description: 200 response + content: + application/json: + schema: + type: object + discriminator: + propertyName: petType + additionalProperties: false + properties: + code: + type: integer + minimum: 0 + maximum: 50 + format: int32 + required: + - petType + examples: + foo: + value: + versions: + - status: CURRENT + updated: "2011-01-21T11:33:21Z" + id: v2.0 + links: + - href: http://127.0.0.1:8774/v2/ + rel: self + +``` +
+
Negative test num. 5 - json file + +```json +{ + "swagger": "2.0", + "info": { + "title": "Simple API Overview", + "version": "1.0.0", + "contact": { + "name": "contact", + "url": "https://www.google.com/", + "email": "user@gmail.com" + } + }, + "paths": { + "/": { + "get": { + "responses": { + "200": { + "description": "200 response", + "schema": { + "discriminator": "petType", + "additionalProperties": false, + "properties": { + "code": { + "type": "integer", + "minimum": 0, + "maximum": 50, + "format": "int32" + } + }, + "required": [ + "petType" + ], + "type": "object" + } + } + }, + "operationId": "listVersionsv2", + "summary": "List API versions" + } + } + } +} + +``` +
+
Negative test num. 6 - yaml file + +```yaml +swagger: "2.0" +info: + title: Simple API Overview + version: 1.0.0 + contact: + name: contact + url: https://www.google.com/ + email: user@gmail.com +paths: + "/": + get: + responses: + "200": + description: 200 response + schema: + discriminator: petType + additionalProperties: false + properties: + code: + type: integer + minimum: 0 + maximum: 50 + format: int32 + required: + - petType + type: object + operationId: listVersionsv2 + summary: List API versions + +``` +
diff --git a/docs/queries/pulumi-queries.md b/docs/queries/pulumi-queries.md index 44c4f894c71..1b5571e314c 100644 --- a/docs/queries/pulumi-queries.md +++ b/docs/queries/pulumi-queries.md @@ -8,8 +8,8 @@ Bellow are listed queries related with Pulumi AZURE: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Redis Cache resource should not allow non-SSL connections.|Documentation
| +|Storage Account Not Forcing HTTPS
cb8e4bf0-903d-45c6-a278-9a947d82a27b|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
49e30ac8-f58e-4222-b488-3dcb90158ec1|Medium|Encryption|Redis Cache resource should not allow non-SSL connections. (read more)|Documentation
| ### AWS Bellow are listed queries related with Pulumi AWS: @@ -18,16 +18,16 @@ Bellow are listed queries related with Pulumi AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0|Documentation
| -|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled|Documentation
| -|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined|Documentation
| -|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
9b18fc19-7fb8-49b1-8452-9c757c70f926|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
e93bbe63-a631-4c0f-b6ef-700d48441ff2|Medium|Backup|ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0 (read more)|Documentation
| +|IAM Password Without Lowercase Letter
de92dd34-1b88-43e8-b825-6e02d73c4549|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Minimum Length
9850d621-7485-44f7-8bdd-b3cf426315cf|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|DynamoDB Table Not Encrypted
b6a7e0ae-aed8-4a19-a993-a95760bf8836|Medium|Encryption|AWS DynamoDB Tables should have serverSideEncryption enabled (read more)|Documentation
| +|API Gateway Without SSL Certificate
f27791a5-e2ae-4905-8910-6f995c576d09|Medium|Insecure Configurations|SSL Client Certificate should be defined (read more)|Documentation
| +|API Gateway Access Logging Disabled
bf4b48b9-fc1f-4552-984a-4becdb5bf503|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|EC2 Not EBS Optimized
d991e4ae-42ab-429b-ab43-d5e5fa9ca633|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
327b0729-4c5c-4c44-8b5c-e476cd9c7290|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
daa581ef-731c-4121-832d-cf078f67759d|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| ### GCP Bellow are listed queries related with Pulumi GCP: @@ -36,8 +36,8 @@ Bellow are listed queries related with Pulumi GCP: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
48f7e44d-d1d1-44c2-b336-9f11b65c4fb0|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
965e8830-2bec-4b9b-a7f0-24dbc200a68f|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| ### KUBERNETES Bellow are listed queries related with Pulumi KUBERNETES: @@ -46,5 +46,5 @@ Bellow are listed queries related with Pulumi KUBERNETES: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| +|PSP Set To Privileged
ee305555-6b1d-4055-94cf-e22131143c34|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Missing App Armor Config
95588189-1abd-4df1-9588-b0a5034f9e87|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| diff --git a/docs/queries/pulumi-queries/95588189-1abd-4df1-9588-b0a5034f9e87.md b/docs/queries/pulumi-queries/95588189-1abd-4df1-9588-b0a5034f9e87.md new file mode 100644 index 00000000000..d8708f36738 --- /dev/null +++ b/docs/queries/pulumi-queries/95588189-1abd-4df1-9588-b0a5034f9e87.md @@ -0,0 +1,109 @@ +--- +title: Missing App Armor Config +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 95588189-1abd-4df1-9588-b0a5034f9e87 +- **Query name:** Missing App Armor Config +- **Platform:** Pulumi +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/kubernetes/missing_app_armor_config) + +### Description +Containers should be configured with AppArmor for any application to reduce its potential attack
+[Documentation](https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/pod/#objectmeta) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8 25 42" +name: yaml-example +description: Create a Pod with auto-naming +runtime: yaml +resources: + pod: + type: kubernetes:core/v1:Pod + properties: + metadata: + annotations: + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 + type: kubernetes:core/v1:Pod +--- +name: yaml-example +description: Create a Pod with auto-naming +runtime: yaml +resources: + pod: + type: kubernetes:core/v1:Pod + properties: + metadata: + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 + type: kubernetes:core/v1:Pod +--- +name: yaml-example +description: Create a Pod with auto-naming +runtime: yaml +resources: + pod: + type: kubernetes:core/v1:Pod + properties: + metadata: + annotations: + container.notapparmor.security.beta.kubernetes.io: localhost/k8s-apparmor-example-allow-write + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 + type: kubernetes:core/v1:Pod + + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: yaml-example +description: Create a Pod with auto-naming +runtime: yaml +resources: + pod: + type: kubernetes:core/v1:Pod + properties: + metadata: + annotations: + container.apparmor.security.beta.kubernetes.io: localhost/k8s-apparmor-example-allow-write + container.apparmor.security.beta.kubernetes.io2: localhost/k8s-apparmor-example-allow-write + spec: + containers: + - image: nginx:1.14.2 + name: nginx + ports: + - containerPort: 80 + type: kubernetes:core/v1:Pod + +``` 
diff --git a/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md b/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md new file mode 100644 index 00000000000..74c16398766 --- /dev/null +++ b/docs/queries/pulumi-queries/aws/327b0729-4c5c-4c44-8b5c-e476cd9c7290.md @@ -0,0 +1,71 @@ +--- +title: DynamoDB Table Point In Time Recovery Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 327b0729-4c5c-4c44-8b5c-e476cd9c7290 +- **Query name:** DynamoDB Table Point In Time Recovery Disabled +- **Platform:** Pulumi +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/dynamodb_table_point_in_time_recovery_disabled) + +### Description +It's considered a best practice to have point in time recovery enabled for DynamoDB Table
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#pointintimerecovery_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="21 7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:dynamodb:Table + properties: + serverSideEncryption: + enabled: true +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:dynamodb:Table + properties: + serverSideEncryption: + enabled: true + pointInTimeRecovery: + enabled: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:dynamodb:Table + properties: + serverSideEncryption: + enabled: true + pointInTimeRecovery: + enabled: true + +``` diff --git a/docs/queries/pulumi-queries/aws/9850d621-7485-44f7-8bdd-b3cf426315cf.md b/docs/queries/pulumi-queries/aws/9850d621-7485-44f7-8bdd-b3cf426315cf.md new file mode 100644 index 00000000000..d24d70aa8dd --- /dev/null +++ b/docs/queries/pulumi-queries/aws/9850d621-7485-44f7-8bdd-b3cf426315cf.md @@ -0,0 +1,63 @@ +--- +title: IAM Password Without Minimum Length +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9850d621-7485-44f7-8bdd-b3cf426315cf +- **Query name:** IAM Password Without Minimum Length +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/iam_password_without_minimum_length) + +### Description +IAM password should have the required minimum length
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/iam/accountpasswordpolicy/#minimumpasswordlength_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:iam:AccountPasswordPolicy + properties: +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:iam:AccountPasswordPolicy + properties: + minimumPasswordLength: 10 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:iam:AccountPasswordPolicy + properties: + minimumPasswordLength: 14 + +``` diff --git a/docs/queries/pulumi-queries/aws/9b18fc19-7fb8-49b1-8452-9c757c70f926.md b/docs/queries/pulumi-queries/aws/9b18fc19-7fb8-49b1-8452-9c757c70f926.md new file mode 100644 index 00000000000..cbdf7661393 --- /dev/null +++ b/docs/queries/pulumi-queries/aws/9b18fc19-7fb8-49b1-8452-9c757c70f926.md @@ -0,0 +1,80 @@ +--- +title: ElastiCache Nodes Not Created Across Multi AZ +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9b18fc19-7fb8-49b1-8452-9c757c70f926 +- **Query name:** ElastiCache Nodes Not Created Across Multi AZ +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/elasticache_nodes_not_created_across_multi_az) + +### Description +ElastiCache Nodes should be created across multi az, which means 'AZMode' should be set to 'cross-az' in multi nodes cluster
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/#azmode_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 18" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:elasticache:Cluster + properties: + engine: memcached + numCacheNodes: 2 + azMode: single-az +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:elasticache:Cluster + properties: + engine: memcached + numCacheNodes: 2 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:elasticache:Cluster + properties: + engine: memcached + numCacheNodes: 2 + azMode: cross-az +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:elasticache:Cluster + properties: + engine: memcached + numCacheNodes: 1 + + +``` diff --git a/docs/queries/pulumi-queries/aws/b6a7e0ae-aed8-4a19-a993-a95760bf8836.md b/docs/queries/pulumi-queries/aws/b6a7e0ae-aed8-4a19-a993-a95760bf8836.md new file mode 100644 index 00000000000..3db2fdad0a4 --- /dev/null +++ b/docs/queries/pulumi-queries/aws/b6a7e0ae-aed8-4a19-a993-a95760bf8836.md @@ -0,0 +1,66 @@ +--- +title: DynamoDB Table Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b6a7e0ae-aed8-4a19-a993-a95760bf8836 +- **Query name:** DynamoDB Table Not Encrypted +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/dynamodb_table_not_encrypted) + +### Description +AWS DynamoDB Tables should have serverSideEncryption enabled
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/dynamodb/table/#serversideencryption_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="17 7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:dynamodb:Table + properties: +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:dynamodb:Table + properties: + serverSideEncryption: + enabled: false + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:dynamodb:Table + properties: + serverSideEncryption: + enabled: true + +``` diff --git a/docs/queries/pulumi-queries/aws/bf4b48b9-fc1f-4552-984a-4becdb5bf503.md b/docs/queries/pulumi-queries/aws/bf4b48b9-fc1f-4552-984a-4becdb5bf503.md new file mode 100644 index 00000000000..cdfaf577924 --- /dev/null +++ b/docs/queries/pulumi-queries/aws/bf4b48b9-fc1f-4552-984a-4becdb5bf503.md @@ -0,0 +1,58 @@ +--- +title: API Gateway Access Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bf4b48b9-fc1f-4552-984a-4becdb5bf503 +- **Query name:** API Gateway Access Logging Disabled +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/api_gateway_access_logging_disabled) + +### Description +API Gateway should have Access Log Settings defined
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/stage/#accesslogsettings_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:apigatewayv2:Stage + properties: + apiId: ${aws_apigatewayv2_api.example.id} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:apigatewayv2:Stage + properties: + apiId: ${aws_apigatewayv2_api.example.id} + accessLogSettings: + destinationArn: sampleArn + format: CLF + +``` diff --git a/docs/queries/pulumi-queries/aws/d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md b/docs/queries/pulumi-queries/aws/d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md new file mode 100644 index 00000000000..de125732873 --- /dev/null +++ b/docs/queries/pulumi-queries/aws/d991e4ae-42ab-429b-ab43-d5e5fa9ca633.md @@ -0,0 +1,79 @@ +--- +title: EC2 Not EBS Optimized +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d991e4ae-42ab-429b-ab43-d5e5fa9ca633 +- **Query name:** EC2 Not EBS Optimized +- **Platform:** Pulumi +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/ec2_not_ebs_optimized) + +### Description +It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#ebsoptimized_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="10 18" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:ec2:Instance + properties: + instanceType: t2.micro + monitoring: true + ebsOptimized: false +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:ec2:Instance + properties: + instanceType: t2.micro + monitoring: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:ec2:Instance + properties: + instanceType: t2.micro + monitoring: true + ebsOptimized: true +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:ec2:Instance + properties: + instanceType: t3.nano + monitoring: true + +``` diff --git a/docs/queries/pulumi-queries/aws/daa581ef-731c-4121-832d-cf078f67759d.md b/docs/queries/pulumi-queries/aws/daa581ef-731c-4121-832d-cf078f67759d.md new file mode 100644 index 00000000000..1946e5afb11 --- /dev/null +++ b/docs/queries/pulumi-queries/aws/daa581ef-731c-4121-832d-cf078f67759d.md @@ -0,0 +1,63 @@ +--- +title: EC2 Instance Monitoring Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** daa581ef-731c-4121-832d-cf078f67759d +- **Query name:** EC2 Instance Monitoring Disabled +- **Platform:** Pulumi +- **Severity:** Info +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/ec2_instance_monitoring_disabled) + +### Description +EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/ec2/instance/#monitoring_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:ec2:Instance + properties: +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:ec2:Instance + properties: + monitoring: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:ec2:Instance + properties: + monitoring: true + +``` diff --git a/docs/queries/pulumi-queries/aws/de92dd34-1b88-43e8-b825-6e02d73c4549.md b/docs/queries/pulumi-queries/aws/de92dd34-1b88-43e8-b825-6e02d73c4549.md new file mode 100644 index 00000000000..26986e49fa0 --- /dev/null +++ b/docs/queries/pulumi-queries/aws/de92dd34-1b88-43e8-b825-6e02d73c4549.md @@ -0,0 +1,63 @@ +--- +title: IAM Password Without Lowercase Letter +hide: + toc: true + navigation: true +--- + + + +- **Query id:** de92dd34-1b88-43e8-b825-6e02d73c4549 +- **Query name:** IAM Password Without Lowercase Letter +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/iam_password_without_lowercase_letter) + +### Description +IAM Password should have at least one lowercase letter
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/iam/accountpasswordpolicy/#requirelowercasecharacters_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:iam:AccountPasswordPolicy + properties: +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:iam:AccountPasswordPolicy + properties: + requireLowercaseCharacters: false + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:iam:AccountPasswordPolicy + properties: + requireLowercaseCharacters: true + +``` diff --git a/docs/queries/pulumi-queries/aws/e93bbe63-a631-4c0f-b6ef-700d48441ff2.md b/docs/queries/pulumi-queries/aws/e93bbe63-a631-4c0f-b6ef-700d48441ff2.md new file mode 100644 index 00000000000..ec3561c5b43 --- /dev/null +++ b/docs/queries/pulumi-queries/aws/e93bbe63-a631-4c0f-b6ef-700d48441ff2.md @@ -0,0 +1,75 @@ +--- +title: ElastiCache Redis Cluster Without Backup +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e93bbe63-a631-4c0f-b6ef-700d48441ff2 +- **Query name:** ElastiCache Redis Cluster Without Backup +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/elasticache_redis_cluster_without_backup) + +### Description +ElastiCache Redis cluster should have 'snapshotRetentionLimit' higher than 0
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/#snapshotretentionlimit_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9 17" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:elasticache:Cluster + properties: + engine: redis + snapshotRetentionLimit: 0 +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:elasticache:Cluster + properties: + engine: redis + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:elasticache:Cluster + properties: + engine: redis + snapshotRetentionLimit: 5 +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:elasticache:Cluster + properties: + engine: memcached + +``` diff --git a/docs/queries/pulumi-queries/aws/f27791a5-e2ae-4905-8910-6f995c576d09.md b/docs/queries/pulumi-queries/aws/f27791a5-e2ae-4905-8910-6f995c576d09.md new file mode 100644 index 00000000000..b188609c221 --- /dev/null +++ b/docs/queries/pulumi-queries/aws/f27791a5-e2ae-4905-8910-6f995c576d09.md @@ -0,0 +1,56 @@ +--- +title: API Gateway Without SSL Certificate +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f27791a5-e2ae-4905-8910-6f995c576d09 +- **Query name:** API Gateway Without SSL Certificate +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/aws/api_gateway_without_ssl_certificate) + +### Description +SSL Client Certificate should be defined
+[Documentation](https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/stage/#clientcertificateid_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:apigatewayv2:Stage + properties: + apiId: ${aws_apigatewayv2_api.example.id} + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:apigatewayv2:Stage + properties: + apiId: ${aws_apigatewayv2_api.example.id} + clientCertificateId: 12131323a + +``` diff --git a/docs/queries/pulumi-queries/azure/49e30ac8-f58e-4222-b488-3dcb90158ec1.md b/docs/queries/pulumi-queries/azure/49e30ac8-f58e-4222-b488-3dcb90158ec1.md new file mode 100644 index 00000000000..fd8139810cb --- /dev/null +++ b/docs/queries/pulumi-queries/azure/49e30ac8-f58e-4222-b488-3dcb90158ec1.md @@ -0,0 +1,87 @@ +--- +title: Redis Cache Allows Non SSL Connections +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 49e30ac8-f58e-4222-b488-3dcb90158ec1 +- **Query name:** Redis Cache Allows Non SSL Connections +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/azure/redis_cache_allows_non_ssl_connections) + +### Description +Redis Cache resource should not allow non-SSL connections.
+[Documentation](https://www.pulumi.com/registry/packages/azure-native/api-docs/cache/redis/#enablenonsslport_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="8" +name: azure-aks +runtime: yaml +description: An Aks cluster +resources: + redis: + type: azure-native:cache:Redis + properties: + enableNonSslPort: true + location: West US + minimumTlsVersion: 1.2 + name: cache1 + redisConfiguration: + maxmemoryPolicy: allkeys-lru + replicasPerMaster: 2 + resourceGroupName: rg1 + shardCount: 2 + sku: + capacity: 1 + family: P + name: Premium + staticIP: 192.168.0.5 + subnetId: /subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/network1/subnets/subnet1 + zones: + - 1 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: azure-aks +runtime: yaml +description: An Aks cluster +resources: + redis: + type: azure-native:cache:Redis + properties: + enableNonSslPort: false + location: West US + minimumTlsVersion: 1.2 + name: cache1 + redisConfiguration: + maxmemoryPolicy: allkeys-lru + replicasPerMaster: 2 + resourceGroupName: rg1 + shardCount: 2 + sku: + capacity: 1 + family: P + name: Premium + staticIP: 192.168.0.5 + subnetId: /subscriptions/subid/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/network1/subnets/subnet1 + zones: + - 1 + +``` diff --git a/docs/queries/pulumi-queries/azure/cb8e4bf0-903d-45c6-a278-9a947d82a27b.md b/docs/queries/pulumi-queries/azure/cb8e4bf0-903d-45c6-a278-9a947d82a27b.md new file mode 100644 index 00000000000..30428d11a6a --- /dev/null +++ b/docs/queries/pulumi-queries/azure/cb8e4bf0-903d-45c6-a278-9a947d82a27b.md 
@@ -0,0 +1,83 @@ +--- +title: Storage Account Not Forcing HTTPS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cb8e4bf0-903d-45c6-a278-9a947d82a27b +- **Query name:** Storage Account Not Forcing HTTPS +- **Platform:** Pulumi +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/azure/storage_account_not_forcing_https) + +### Description +Storage Accounts should enforce the use of HTTPS
+[Documentation](https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/storageaccount/#enablehttpstrafficonly_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="9" +name: azure-aks +runtime: yaml +description: An Aks cluster +resources: + storageAccount: + type: azure-native:storage:StorageAccount + properties: + accountName: sto4445 + enableHttpsTrafficOnly: false + enableNfsV3: true + isHnsEnabled: true + kind: BlockBlobStorage + location: eastus + networkRuleSet: + bypass: AzureServices + defaultAction: Allow + ipRules: [] + virtualNetworkRules: + - virtualNetworkResourceId: /subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.Network/virtualNetworks/net123/subnets/subnet12 + resourceGroupName: res9101 + sku: + name: Premium_LRS + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: azure-aks +runtime: yaml +description: An Aks cluster +resources: + storageAccount: + type: azure-native:storage:StorageAccount + properties: + accountName: sto4445 + enableHttpsTrafficOnly: true + enableNfsV3: true + isHnsEnabled: true + kind: BlockBlobStorage + location: eastus + networkRuleSet: + bypass: AzureServices + defaultAction: Allow + ipRules: [] + virtualNetworkRules: + - virtualNetworkResourceId: /subscriptions/{subscription-id}/resourceGroups/res9101/providers/Microsoft.Network/virtualNetworks/net123/subnets/subnet12 + resourceGroupName: res9101 + sku: + name: Premium_LRS + +``` diff --git a/docs/queries/pulumi-queries/ee305555-6b1d-4055-94cf-e22131143c34.md b/docs/queries/pulumi-queries/ee305555-6b1d-4055-94cf-e22131143c34.md new file mode 100644 index 00000000000..9c77c2ae08e --- /dev/null +++ b/docs/queries/pulumi-queries/ee305555-6b1d-4055-94cf-e22131143c34.md 
@@ -0,0 +1,61 @@ +--- +title: PSP Set To Privileged +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ee305555-6b1d-4055-94cf-e22131143c34 +- **Query name:** PSP Set To Privileged +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/kubernetes/psp_set_to_privileged) + +### Description +Do not allow pod to request execution as privileged.
+[Documentation](https://www.pulumi.com/registry/packages/kubernetes/api-docs/policy/v1beta1/podsecuritypolicy/#privileged_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="11" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: kubernetes:policy/v1beta1:PodSecurityPolicy + properties: + metadata: + name: example + spec: + privileged: true + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: kubernetes:policy/v1beta1:PodSecurityPolicy + properties: + metadata: + name: example + spec: + privileged: false + +``` diff --git a/docs/queries/pulumi-queries/gcp/48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md b/docs/queries/pulumi-queries/gcp/48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md new file mode 100644 index 00000000000..bf7cc3e9ff8 --- /dev/null +++ b/docs/queries/pulumi-queries/gcp/48f7e44d-d1d1-44c2-b336-9f11b65c4fb0.md @@ -0,0 +1,57 @@ +--- +title: Cloud Storage Bucket Logging Not Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48f7e44d-d1d1-44c2-b336-9f11b65c4fb0 +- **Query name:** Cloud Storage Bucket Logging Not Enabled +- **Platform:** Pulumi +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/gcp/cloud_storage_bucket_logging_not_enabled) + +### Description +Cloud storage bucket should have logging enabled
+[Documentation](https://www.pulumi.com/registry/packages/gcp/api-docs/storage/bucket/#logging_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: gcp:storage:Bucket + properties: + location: US-CENTRAL1 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: gcp:storage:Bucket + properties: + location: US-CENTRAL1 + logging: + logObjectPrefix: some_obj_prefix + +``` diff --git a/docs/queries/pulumi-queries/gcp/965e8830-2bec-4b9b-a7f0-24dbc200a68f.md b/docs/queries/pulumi-queries/gcp/965e8830-2bec-4b9b-a7f0-24dbc200a68f.md new file mode 100644 index 00000000000..dd75737670d --- /dev/null +++ b/docs/queries/pulumi-queries/gcp/965e8830-2bec-4b9b-a7f0-24dbc200a68f.md @@ -0,0 +1,63 @@ +--- +title: Google Compute SSL Policy Weak Cipher In Use +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 965e8830-2bec-4b9b-a7f0-24dbc200a68f +- **Query name:** Google Compute SSL Policy Weak Cipher In Use +- **Platform:** Pulumi +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/pulumi/gcp/google_compute_ssl_policy_weak_cipher_in_use) + +### Description +This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers
+[Documentation](https://www.pulumi.com/registry/packages/gcp/api-docs/compute/sslpolicy/#mintlsversion_yaml) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="16 7" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: gcp:compute:SSLPolicy + properties: +--- +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: gcp:compute:SSLPolicy + properties: + minTlsVersion: TLS_1_1 + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: gcp:compute:SSLPolicy + properties: + minTlsVersion: TLS_1_2 + +``` diff --git a/docs/queries/serverlessfw-queries.md b/docs/queries/serverlessfw-queries.md index 91094cd496d..4faa0e7640e 100644 --- a/docs/queries/serverlessfw-queries.md +++ b/docs/queries/serverlessfw-queries.md @@ -3,13 +3,13 @@ This page contains all queries from ServerlessFW. | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges.|Documentation
| -|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|High|Encryption|Serverless Function should encrypt environment variables|Documentation
| -|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760|Documentation
| -|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks|Documentation
| -|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags|Documentation
| -|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet|Documentation
| -|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled|Documentation
| -|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled|Documentation
| -|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter|Documentation
| -|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'|Documentation
| +|Serverless Role With Full Privileges
59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd|High|Access Control|Roles defined in Serverless files should not have policies granting full administrative privileges. (read more)|Documentation
| +|Serverless Function Environment Variables Not Encrypted
4495bc5d-4d1e-4a26-ae92-152d18195648|High|Encryption|Serverless Function should encrypt environment variables (read more)|Documentation
| +|Serverless API Without Content Encoding
d5d1fe08-89db-440c-8725-b93223387309|Medium|Encryption|Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760 (read more)|Documentation
| +|Serverless Function Without Unique IAM Role
165aae3b-a56a-48f3-b76d-d2b5083f5b8f|Medium|Insecure Configurations|Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks (read more)|Documentation
| +|Serverless Function Without Tags
f99d3482-fa8c-4f79-bad9-35212dded164|Medium|Insecure Configurations|Serverless Function should be have associated tags (read more)|Documentation
| +|Serverless API Endpoint Config Not Private
4d424558-c6d1-453c-be98-9a7f877abd9a|Medium|Networking and Firewall|Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet (read more)|Documentation
| +|Serverless API Access Logging Setting Undefined
a4d32883-aac7-42e1-b403-9415af0f3846|Medium|Observability|Serverless FW API should have HTTP Access Logging enabled (read more)|Documentation
| +|Serverless API X-Ray Tracing Disabled
434945e5-4dfd-41b1-aba1-47075ccd9265|Medium|Observability|Serverless API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Serverless Function Without Dead Letter Queue
dec7bc85-d156-4f64-9a33-96ed3d9f3fed|Low|Insecure Configurations|Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter (read more)|Documentation
| +|Serverless Function Without X-Ray Tracing
0d7ef70f-e176-44e6-bdba-add3e429788d|Low|Observability|Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active' (read more)|Documentation
| diff --git a/docs/queries/serverlessfw-queries/0d7ef70f-e176-44e6-bdba-add3e429788d.md b/docs/queries/serverlessfw-queries/0d7ef70f-e176-44e6-bdba-add3e429788d.md new file mode 100644 index 00000000000..418d8c182a2 --- /dev/null +++ b/docs/queries/serverlessfw-queries/0d7ef70f-e176-44e6-bdba-add3e429788d.md @@ -0,0 +1,33 @@ +--- +title: Serverless Function Without X-Ray Tracing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0d7ef70f-e176-44e6-bdba-add3e429788d +- **Query name:** Serverless Function Without X-Ray Tracing +- **Platform:** ServerlessFW +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_function_without_x-ray_tracing) + +### Description +Serverless Function should have Tracing enabled. For this, property 'tracing' should have the value 'Active'
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/guide/functions#aws-x-ray-tracing) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/serverlessfw-queries/165aae3b-a56a-48f3-b76d-d2b5083f5b8f.md b/docs/queries/serverlessfw-queries/165aae3b-a56a-48f3-b76d-d2b5083f5b8f.md new file mode 100644 index 00000000000..3970e73dd43 --- /dev/null +++ b/docs/queries/serverlessfw-queries/165aae3b-a56a-48f3-b76d-d2b5083f5b8f.md @@ -0,0 +1,33 @@ +--- +title: Serverless Function Without Unique IAM Role +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 165aae3b-a56a-48f3-b76d-d2b5083f5b8f +- **Query name:** Serverless Function Without Unique IAM Role +- **Platform:** ServerlessFW +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_function_without_unique_iam_role) + +### Description +Serverless Function should not share IAM Role to ensure it will have the minimum privileges needed to perform the required tasks
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#functions) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/serverlessfw-queries/434945e5-4dfd-41b1-aba1-47075ccd9265.md b/docs/queries/serverlessfw-queries/434945e5-4dfd-41b1-aba1-47075ccd9265.md new file mode 100644 index 00000000000..62b254c727b --- /dev/null +++ b/docs/queries/serverlessfw-queries/434945e5-4dfd-41b1-aba1-47075ccd9265.md @@ -0,0 +1,33 @@ +--- +title: Serverless API X-Ray Tracing Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 434945e5-4dfd-41b1-aba1-47075ccd9265 +- **Query name:** Serverless API X-Ray Tracing Disabled +- **Platform:** ServerlessFW +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_api_xray_tracing_disabled) + +### Description +Serverless API Gateway should have X-Ray Tracing enabled
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/events/apigateway#aws-x-ray-tracing) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/serverlessfw-queries/4495bc5d-4d1e-4a26-ae92-152d18195648.md b/docs/queries/serverlessfw-queries/4495bc5d-4d1e-4a26-ae92-152d18195648.md new file mode 100644 index 00000000000..968e7406526 --- /dev/null +++ b/docs/queries/serverlessfw-queries/4495bc5d-4d1e-4a26-ae92-152d18195648.md @@ -0,0 +1,33 @@ +--- +title: Serverless Function Environment Variables Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4495bc5d-4d1e-4a26-ae92-152d18195648 +- **Query name:** Serverless Function Environment Variables Not Encrypted +- **Platform:** ServerlessFW +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_function_environment_variables_not_encrypted) + +### Description +Serverless Function should encrypt environment variables
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/guide/functions#kms-keys) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/serverlessfw-queries/4d424558-c6d1-453c-be98-9a7f877abd9a.md b/docs/queries/serverlessfw-queries/4d424558-c6d1-453c-be98-9a7f877abd9a.md new file mode 100644 index 00000000000..c4a4ddee061 --- /dev/null +++ b/docs/queries/serverlessfw-queries/4d424558-c6d1-453c-be98-9a7f877abd9a.md @@ -0,0 +1,33 @@ +--- +title: Serverless API Endpoint Config Not Private +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d424558-c6d1-453c-be98-9a7f877abd9a +- **Query name:** Serverless API Endpoint Config Not Private +- **Platform:** ServerlessFW +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_api_endpoint_config_not_private) + +### Description +Serverless should have endpointType set to 'PRIVATE'. This way, it's not exposed to the public internet
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/events/apigateway#configuring-endpoint-types) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/serverlessfw-queries/59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd.md b/docs/queries/serverlessfw-queries/59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd.md new file mode 100644 index 00000000000..7e861dab779 --- /dev/null +++ b/docs/queries/serverlessfw-queries/59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd.md @@ -0,0 +1,33 @@ +--- +title: Serverless Role With Full Privileges +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 59ebb4f3-2a6c-46dc-b4f0-cc5418dcddcd +- **Query name:** Serverless Role With Full Privileges +- **Platform:** ServerlessFW +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_role_with_full_privileges) + +### Description +Roles defined in Serverless files should not have policies granting full administrative privileges.
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/guide/iam) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/serverlessfw-queries/a4d32883-aac7-42e1-b403-9415af0f3846.md b/docs/queries/serverlessfw-queries/a4d32883-aac7-42e1-b403-9415af0f3846.md new file mode 100644 index 00000000000..525682a14ab --- /dev/null +++ b/docs/queries/serverlessfw-queries/a4d32883-aac7-42e1-b403-9415af0f3846.md @@ -0,0 +1,33 @@ +--- +title: Serverless API Access Logging Setting Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a4d32883-aac7-42e1-b403-9415af0f3846 +- **Query name:** Serverless API Access Logging Setting Undefined +- **Platform:** ServerlessFW +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_api_access_logging_setting_undefined) + +### Description +Serverless FW API should have HTTP Access Logging enabled
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/guide/serverless.yml#logs) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/serverlessfw-queries/d5d1fe08-89db-440c-8725-b93223387309.md b/docs/queries/serverlessfw-queries/d5d1fe08-89db-440c-8725-b93223387309.md new file mode 100644 index 00000000000..951196c2cbf --- /dev/null +++ b/docs/queries/serverlessfw-queries/d5d1fe08-89db-440c-8725-b93223387309.md @@ -0,0 +1,33 @@ +--- +title: Serverless API Without Content Encoding +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d5d1fe08-89db-440c-8725-b93223387309 +- **Query name:** Serverless API Without Content Encoding +- **Platform:** ServerlessFW +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_api_without_content_encoding) + +### Description +Serverless should have API Gateway with Content Encoding enabled through the attribute 'minimumCompressionSize'. This value should be greater than -1 and smaller than 10485760
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/events/apigateway#compression) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/serverlessfw-queries/dec7bc85-d156-4f64-9a33-96ed3d9f3fed.md b/docs/queries/serverlessfw-queries/dec7bc85-d156-4f64-9a33-96ed3d9f3fed.md new file mode 100644 index 00000000000..65c4e5b1291 --- /dev/null +++ b/docs/queries/serverlessfw-queries/dec7bc85-d156-4f64-9a33-96ed3d9f3fed.md @@ -0,0 +1,33 @@ +--- +title: Serverless Function Without Dead Letter Queue +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dec7bc85-d156-4f64-9a33-96ed3d9f3fed +- **Query name:** Serverless Function Without Dead Letter Queue +- **Platform:** ServerlessFW +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_function_without_dead_letter_queue) + +### Description +Serverless Function should be configured for a Dead Letter Queue(DLQ). A Dead Letter Queue(DLQ) can be set up in 'onError' config parameter
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/guide/functions#dead-letter-queue-dlq) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/serverlessfw-queries/f99d3482-fa8c-4f79-bad9-35212dded164.md b/docs/queries/serverlessfw-queries/f99d3482-fa8c-4f79-bad9-35212dded164.md new file mode 100644 index 00000000000..55a213f3994 --- /dev/null +++ b/docs/queries/serverlessfw-queries/f99d3482-fa8c-4f79-bad9-35212dded164.md @@ -0,0 +1,33 @@ +--- +title: Serverless Function Without Tags +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f99d3482-fa8c-4f79-bad9-35212dded164 +- **Query name:** Serverless Function Without Tags +- **Platform:** ServerlessFW +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/serverlessFW/serverless_function_without_tags) + +### Description +Serverless Function should be have associated tags
+[Documentation](https://www.serverless.com/framework/docs/providers/aws/guide/functions#tags) + +### Code samples +#### Code samples with security vulnerabilities + + +#### Code samples without security vulnerabilities diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md index 27e2480d6e5..31f652b6429 100644 --- a/docs/queries/terraform-queries.md +++ b/docs/queries/terraform-queries.md @@ -8,100 +8,100 @@ Bellow are listed queries related with Terraform AZURE: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled|Documentation
| -|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges|Documentation
| -|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry|Documentation
| -|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage|Documentation
| -|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions|Documentation
| -|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user|Documentation
| -|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled|Documentation
| -|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication|Documentation
| -|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption|Documentation
| -|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled|Documentation
| -|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS|Documentation
| -|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption|Documentation
| -|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'|Documentation
| -|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server|Documentation
| -|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates|Documentation
| -|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine|Documentation
| -|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service.|Documentation
| -|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet|Documentation
| -|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled|Documentation
| -|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false.|Documentation
| -|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'|Documentation
| -|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled|Documentation
| -|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled|Documentation
| -|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored|Documentation
| -|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.|Documentation
| -|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources|Documentation
| -|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
| -|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet|Documentation
| -|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access|Documentation
| -|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled|Documentation
| -|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet|Documentation
| -|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet|Documentation
| -|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled'|Documentation
| -|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled|Documentation
| -|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled|Documentation
| -|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database|Documentation
| -|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set|Documentation
| -|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set|Documentation
| -|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled|Documentation
| -|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)|Documentation
| -|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).|Documentation
| -|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled|Documentation
| -|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict|Documentation
| -|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict|Documentation
| -|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined|Documentation
| -|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags.|Documentation
| -|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption|Documentation
| -|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk|Documentation
| -|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk|Documentation
| -|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty|Documentation
| -|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled|Documentation
| -|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches|Documentation
| -|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections|Documentation
| -|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected.|Documentation
| -|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required|Documentation
| -|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined|Documentation
| -|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny|Documentation
| -|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol|Documentation
| -|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.|Documentation
| -|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol|Documentation
| -|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search|Documentation
| -|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)|Documentation
| -|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled|Documentation
| -|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.|Documentation
| -|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server|Documentation
| -|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'|Documentation
| -|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days|Documentation
| -|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'|Documentation
| -|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On'|Documentation
| -|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days|Documentation
| -|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'|Documentation
| -|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact|Documentation
| -|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'|Documentation
| -|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'|Documentation
| -|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'|Documentation
| -|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days|Documentation
| -|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater|Documentation
| -|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric|Documentation
| -|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled|Documentation
| -|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On|Documentation
| -|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type|Documentation
| -|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.|Documentation
| -|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled|Documentation
| -|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled|Documentation
| -|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled|Documentation
| -|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled.|Documentation
| -|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled|Documentation
| -|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled|Documentation
| -|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled|Documentation
| +|Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|High|Access Control|Azure Function App authentication settings should be enabled (read more)|Documentation
| +|Public Storage Account
17f75827-0684-48f4-8747-61129c7e4198|High|Access Control|Storage Account should not be public to grant the principle of least privileges (read more)|Documentation
| +|Admin User Enabled For Container Registry
b897dfbf-322c-45a8-b67c-1e698beeaa51|High|Access Control|Admin user is enabled for Container Registry (read more)|Documentation
| +|Storage Container Is Publicly Accessible
dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299|High|Access Control|Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage (read more)|Documentation
| +|Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|High|Access Control|Role Assignment should limit guest user permissions (read more)|Documentation
| +|Role Assignment Of Guest Users
2bc626a8-0751-446f-975d-8139214fc790|High|Access Control|There is a role assignment for guest user (read more)|Documentation
| +|Geo Redundancy Is Disabled
8b042c30-e441-453f-b162-7696982ebc58|High|Backup|Make sure that on PostgreSQL Geo Redundant Backups is enabled (read more)|Documentation
| +|Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|High|Best Practices|Azure Instances should use SSH Key instead of basic authentication (read more)|Documentation
| +|Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|High|Encryption|Ensure Function App is using the latest version of TLS encryption (read more)|Documentation
| +|MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|High|Encryption|Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled (read more)|Documentation
| +|Storage Account Not Forcing HTTPS
12944ec4-1fa0-47be-8b17-42a034f937c2|High|Encryption|Storage Accounts should enforce the use of HTTPS (read more)|Documentation
| +|App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|High|Encryption|Ensure App Service is using the latest version of TLS encryption (read more)|Documentation
| +|SSL Enforce Disabled
0437633b-daa6-4bbc-8526-c0d2443b946e|High|Encryption|Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED' (read more)|Documentation
| +|AD Admin Not Configured For SQL Server
a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b|High|Insecure Configurations|The Active Directory Administrator is not configured for a SQL server (read more)|Documentation
| +|Function App FTPS Enforce Disabled
9dab0179-433d-4dff-af8f-0091025691df|High|Insecure Configurations|Azure Function App should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Redis Not Updated Regularly
b947809d-dd2f-4de9-b724-04d101c515aa|High|Insecure Configurations|Redis Cache is not configured to be updated regularly with security and operational updates (read more)|Documentation
| +|VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|High|Insecure Configurations|No Network Security Group is attached to the Virtual Machine (read more)|Documentation
| +|Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|High|Insecure Configurations|Web app should only accept HTTPS traffic in Azure Web App Service. (read more)|Documentation
| +|AKS Private Cluster Disabled
599318f2-6653-4569-9e21-041d06c63a89|High|Insecure Configurations|Azure Kubernetes Service (AKS) API should not be exposed to the internet (read more)|Documentation
| +|App Service FTPS Enforce Disabled
85da374f-b00f-4832-9d44-84a1ca1e89f8|High|Insecure Configurations|Azure App Service should only enforce FTPS when 'ftps_state' is enabled (read more)|Documentation
| +|Network Watcher Flow Disabled
b90842e5-6779-44d4-9760-972f4c03ba1c|High|Insecure Configurations|Check if enable field in the resource azurerm_network_watcher_flow_log is false. (read more)|Documentation
| +|Azure Container Registry With No Locks
a187ac47-8163-42ce-8a63-c115236be6fb|High|Insecure Configurations|Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry' (read more)|Documentation
| +|Azure App Service Client Certificate Disabled
a81573f9-3691-4d83-88a0-7d4af63e17a3|High|Insecure Configurations|Azure App Service client certificate should be enabled (read more)|Documentation
| +|MSSQL Server Public Network Access Enabled
ade36cf4-329f-4830-a83d-9db72c800507|High|Networking and Firewall|MSSQL Server public network access should be disabled (read more)|Documentation
| +|CosmosDB Account IP Range Filter Not Set
c2a3efb6-8a58-481c-82f2-bfddf34bb4b7|High|Networking and Firewall|The IP range filter should be defined to secure the data stored (read more)|Documentation
| +|SQLServer Ingress From Any IP
25c0ea09-f1c5-4380-b055-3b83863f2bb8|High|Networking and Firewall|Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255. (read more)|Documentation
| +|Redis Publicly Accessible
5089d055-53ff-421b-9482-a5267bdce629|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from other Azure sources (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
594c198b-4d79-41b8-9b36-fde13348b619|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|RDP Is Exposed To The Internet
efbf6449-5ec5-4cfe-8f15-acc51e0d787c|High|Networking and Firewall|Port 3389 (Remote Desktop) is exposed to the internet (read more)|Documentation
| +|Trusted Microsoft Services Not Enabled
5400f379-a347-4bdd-a032-446465fdcc6f|High|Networking and Firewall|Trusted Microsoft Services should be enabled for Storage Account access (read more)|Documentation
| +|MySQL Server Public Access Enabled
f118890b-2468-42b1-9ce9-af35146b425b|High|Networking and Firewall|MySQL Server public access should be disabled (read more)|Documentation
| +|SSH Is Exposed To The Internet
3e3c175e-aadf-4e2b-a464-3fdac5748d24|High|Networking and Firewall|Port 22 (SSH) is exposed to the internet (read more)|Documentation
| +|Redis Entirely Accessible
fd8da341-6760-4450-b26c-9f6d8850575e|High|Networking and Firewall|Firewall rule allowing unrestricted access to Redis from the Internet (read more)|Documentation
| +|Vault Auditing Disabled
38c71c00-c177-4cd7-8d36-cd1007cdb190|High|Observability|Ensure that logging for Azure KeyVault is 'Enabled' (read more)|Documentation
| +|PostgreSQL Server Threat Detection Policy Disabled
c407c3cf-c409-4b29-b590-db5f4138d332|High|Resource Management|PostgreSQL Server Threat Detection Policy should be enabled (read more)|Documentation
| +|App Service Managed Identity Disabled
b61cce4b-0cc4-472b-8096-15617a6d769b|High|Resource Management|Azure App Service should have managed identity enabled (read more)|Documentation
| +|SQL Database Audit Disabled
83a229ba-483e-47c6-8db7-dc96969bce5a|High|Resource Management|Ensure that 'Threat Detection' is enabled for Azure SQL Database (read more)|Documentation
| +|Secret Expiration Not Set
dfa20ffa-f476-428f-a490-424b41e91c7f|High|Secret Management|Make sure that for all secrets the expiration date is set (read more)|Documentation
| +|Key Expiration Not Set
4d080822-5ee2-49a4-8984-68f3d4c890fc|High|Secret Management|Make sure that for all keys the expiration date is set (read more)|Documentation
| +|AKS RBAC Disabled
86f92117-eed8-4614-9c6c-b26da20ff37f|Medium|Access Control|Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled (read more)|Documentation
| +|Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write) (read more)|Documentation
| +|Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Storage Share File Allows All ACL Permissions
48bbe0fd-57e4-4678-a4a1-119e79c90fc3|Medium|Access Control|Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). (read more)|Documentation
| +|Virtual Network with DDoS Protection Plan disabled
b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a|Medium|Availability|Virtual Network should have DDoS Protection Plan enabled (read more)|Documentation
| +|SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Medium|Best Practices|Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict (read more)|Documentation
| +|SQL Server Predictable Active Directory Account Name
bcd3fc01-5902-4f2a-b05a-227f9bbf5450|Medium|Best Practices|Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict (read more)|Documentation
| +|Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Security Contact Email should be defined (read more)|Documentation
| +|Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Medium|Build Process|Cosmos DB Account must have a mapping of tags. (read more)|Documentation
| +|Storage Account Not Using Latest TLS Encryption Version
8263f146-5e03-43e0-9cfe-db960d56d1e7|Medium|Encryption|Ensure Storage Account is using the latest version of TLS encryption (read more)|Documentation
| +|Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Ensure that the encryption is active on the disk (read more)|Documentation
| +|AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Medium|Encryption|Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk (read more)|Documentation
| +|Security Group is Not Configured
5c822443-e1ea-46b8-84eb-758ec602e844|Medium|Insecure Configurations|Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty (read more)|Documentation
| +|Function App Managed Identity Disabled
c87749b3-ff10-41f5-9df2-c421e8151759|Medium|Insecure Configurations|Azure Function App should have managed identity enabled (read more)|Documentation
| +|Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches (read more)|Documentation
| +|Redis Cache Allows Non SSL Connections
e29a75e6-aba3-4896-b42d-b87818c16b58|Medium|Insecure Configurations|Redis Cache resources should not allow non-SSL connections (read more)|Documentation
| +|Security Center Pricing Tier Is Not Standard
819d50fd-1cdf-45c3-9936-be408aaad93e|Medium|Insecure Configurations|Make sure that the 'Standard' pricing tiers were selected. (read more)|Documentation
| +|Function App Client Certificates Unrequired
9bb3c639-5edf-458c-8ee5-30c17c7d671d|Medium|Insecure Configurations|Azure Function App should have 'client_cert_mode' set to required (read more)|Documentation
| +|AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Medium|Insecure Configurations|Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined (read more)|Documentation
| +|Default Azure Storage Account Network Access Is Too Permissive
a5613650-32ec-4975-a305-31af783153ea|Medium|Insecure Defaults|Default Azure Storage Account network access should be set to Deny (read more)|Documentation
| +|Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Check if any firewall rule allows too many hosts to access Redis Cache (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e9dee01f-2505-4df2-b9bf-7804d1fd9082|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol (read more)|Documentation
| +|WAF Is Disabled For Azure Application Gateway
2e48d91c-50e4-45c8-9312-27b625868a72|Medium|Networking and Firewall|Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway. (read more)|Documentation
|
+|Network Interfaces IP Forwarding Enabled
4216ebac-d74c-4423-b437-35025cb88af5|Medium|Networking and Firewall|Network Interfaces IP Forwarding should be disabled (read more)|Documentation
|
+|Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol (read more)|Documentation
|
+|Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Public Network Access should be disabled for Azure Cognitive Search (read more)|Documentation
|
+|Network Interfaces With Public IP
c1573577-e494-4417-8854-7e119368dc8b|Medium|Networking and Firewall|Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline) (read more)|Documentation
|
+|MariaDB Server Public Network Access Enabled
7f0a8696-7159-4337-ad0d-8a3ab4a78195|Medium|Networking and Firewall|MariaDB Server Public Network Access should be disabled (read more)|Documentation
|
+|Unrestricted SQL Server Access
d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28|Medium|Networking and Firewall|Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'. (read more)|Documentation
|
+|PostgreSQL Server Without Connection Throttling
2b3c671f-1b76-4741-8789-ed1fe0785dc4|Medium|Observability|Ensure that Connection Throttling is set for the PostgreSQL server (read more)|Documentation
|
+|PostgreSQL Log Disconnections Not Set
07f7134f-9f37-476e-8664-670c218e4702|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON' (read more)|Documentation
|
+|Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Medium|Observability|Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days (read more)|Documentation
|
+|PostgreSQL Log Duration Not Set
16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON' (read more)|Documentation
|
+|SQL Server Auditing Disabled
f7e296b0-6660-4bc5-8f87-22ac4a815edf|Medium|Observability|Make sure that for SQL Servers, 'Auditing' is set to 'On' (read more)|Documentation
|
+|Small PostgreSQL DB Server Log Retention Period
261a83f8-dd72-4e8c-b5e1-ebf06e8fe606|Medium|Observability|Check if PostgreSQL Database Server retains logs for less than 3 Days (read more)|Documentation
|
+|MSSQL Server Auditing Disabled
609839ae-bd81-4375-9910-5bce72ae7b92|Medium|Observability|Make sure that for MSSQL Servers, that 'Auditing' is set to 'On' (read more)|Documentation
|
+|Email Alerts Disabled
9db38e87-f6aa-4b5e-a1ec-7266df259409|Medium|Observability|Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact (read more)|Documentation
|
+|PostgreSQL Log Checkpoints Disabled
3790d386-be81-4dcf-9850-eaa7df6c10d9|Medium|Observability|Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON' (read more)|Documentation
|
+|PostgreSQL Log Connections Not Set
c640d783-10c5-4071-b6c1-23507300d333|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON' (read more)|Documentation
|
+|Log Retention Is Not Set
ffb02aca-0d12-475e-b77c-a726f7aeff4b|Medium|Observability|Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON' (read more)|Documentation
|
+|Small MSSQL Server Audit Retention
59acb56b-2b10-4c2c-ba38-f2223c3f5cfc|Medium|Observability|Make sure for SQL Servers that Auditing Retention is greater than 90 days (read more)|Documentation
|
+|Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Medium|Observability|Ensure that Activity Log Retention is set 365 days or greater (read more)|Documentation
|
+|Azure Active Directory Authentication
a21c8da9-41bf-40cf-941d-330cf0d11fc7|Low|Access Control|Azure Active Directory must be used for authentication for Service Fabric (read more)|Documentation
|
+|MariaDB Server Geo-redundant Backup Disabled
0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1|Low|Backup|MariaDB Server Geo-redundant Backup should be enabled (read more)|Documentation
|
+|AKS Uses Azure Policies Add-On Disabled
43789711-161b-4708-b5bb-9d1c626f7492|Low|Best Practices|Azure Container Service (AKS) should use Azure Policies Add-On (read more)|Documentation
|
+|Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Low|Best Practices|Key Vault Secrets should have set Content Type (read more)|Documentation
|
+|App Service Without Latest Python Version
cc4aaa9d-1070-461a-b519-04e00f42db8a|Low|Best Practices|Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
|
+|App Service Without Latest PHP Version
96fe318e-d631-4156-99fa-9080d57280ae|Low|Best Practices|Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version. (read more)|Documentation
|
+|PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|PostgreSQL Server Infrastructure Encryption should be enabled (read more)|Documentation
|
+|App Service HTTP2 Disabled
525b53be-62ed-4244-b4df-41aecfcb4071|Low|Insecure Configurations|App Service should have 'http2_enabled' enabled (read more)|Documentation
|
+|Function App HTTP2 Disabled
ace823d1-4432-4dee-945b-cdf11a5a6bd0|Low|Insecure Configurations|Function App should have 'http2_enabled' enabled (read more)|Documentation
|
+|Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Check if the Kubernetes Dashboard is enabled. (read more)|Documentation
|
+|Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Azure Front Door WAF should be enabled (read more)|Documentation
|
+|App Service Authentication Disabled
c7fc1481-2899-4490-bbd8-544a3a61a2f3|Info|Access Control|Azure App Service authentication settings should be enabled (read more)|Documentation
|
+|SQL Server Alert Email Disabled
55975007-f6e7-4134-83c3-298f1fe4b519|Info|Best Practices|SQL Server alert email should be enabled (read more)|Documentation
| ### AWS Bellow are listed queries related with Terraform AWS:
@@ -110,339 +110,339 @@ Bellow are listed queries related with Terraform AWS: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----|
-|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources)|Documentation
|
-|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.|Documentation
|
-|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating|Documentation
|
-|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.|Documentation
|
-|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.|Documentation
|
-|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.|Documentation
|
-|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.|Documentation
|
-|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed|Documentation
|
-|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources)|Documentation
|
-|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.|Documentation
|
-|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.|Documentation
|
-|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals|Documentation
|
-|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy|Documentation
|
-|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.|Documentation
|
-|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
|
-|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role|Documentation
|
-|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user|Documentation
|
-|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible|Documentation
|
-|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access|Documentation
|
-|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users|Documentation
|
-|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible|Documentation
|
-|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded|Documentation
|
-|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled|Documentation
|
-|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted|Documentation
|
-|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled|Documentation
|
-|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted|Documentation
|
-|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled|Documentation
|
-|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled|Documentation
|
-|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily|Documentation
|
-|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted|Documentation
|
-|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS|Documentation
|
-|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled|Documentation
|
-|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume|Documentation
|
-|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true|Documentation
|
-|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled|Documentation
|
-|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.|Documentation
|
-|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront|Documentation
|
-|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys|Documentation
|
-|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version|Documentation
|
-|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest|Documentation
|
-|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup|Documentation
|
-|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key|Documentation
|
-|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.|Documentation
|
-|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS|Documentation
|
-|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted|Documentation
|
-|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'.|Documentation
|
-|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required|Documentation
|
-|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled|Documentation
|
-|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted|Documentation
|
-|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted|Documentation
|
-|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data.|Documentation
|
-|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'|Documentation
|
-|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data|Documentation
|
-|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
|
-|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements|Documentation
|
-|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)|Documentation
|
-|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted|Documentation
|
-|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.|Documentation
|
-|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled|Documentation
|
-|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted|Documentation
|
-|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA|Documentation
|
-|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions.|Documentation
|
-|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.|Documentation
|
-|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure|Documentation
|
-|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)|Documentation
|
-|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating.|Documentation
|
-|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations|Documentation
|
-|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket|Documentation
|
-|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2.|Documentation
|
-|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes|Documentation
|
-|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations|Documentation
|
-|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface|Documentation
|
-|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2|Documentation
|
-|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties|Documentation
|
-|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').|Documentation
|
-|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.|Documentation
|
-|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.|Documentation
|
-|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0|Documentation
|
-|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"|Documentation
|
-|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic.|Documentation
|
-|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL|Documentation
|
-|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol|Documentation
|
-|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR|Documentation
|
-|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group|Documentation
|
-|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address.|Documentation
|
-|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL|Documentation
|
-|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP|Documentation
|
-|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic|Documentation
|
-|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet|Documentation
|
-|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group|Documentation
|
-|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group|Documentation
|
-|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it|Documentation
|
-|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing|Documentation
|
-|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts.|Documentation
|
-|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet|Documentation
|
-|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set|Documentation
|
-|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA|Documentation
|
-|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window|Documentation
|
-|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes|Documentation
|
-|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls|Documentation
|
-|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail.|Documentation
|
-|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible|Documentation
|
-|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.|Documentation
|
-|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage|Documentation
|
-|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled|Documentation
|
-|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
|
-|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL|Documentation
|
-|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
|
-|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals|Documentation
|
-|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.|Documentation
|
-|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
|
-|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
|
-|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard|Documentation
| -|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal'|Documentation
| -|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'|Documentation
| -|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request.|Documentation
| -|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access|Documentation
| -|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console|Documentation
| -|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.|Documentation
| -|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image|Documentation
| -|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions'|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway|Documentation
| -|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue|Documentation
| -|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources|Documentation
| -|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication|Documentation
| -|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.|Documentation
| -|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed|Documentation
| -|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access|Documentation
| -|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.|Documentation
| -|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.|Documentation
| -|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster|Documentation
| -|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running|Documentation
| -|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction|Documentation
| -|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup|Documentation
| -|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0|Documentation
| -|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields|Documentation
| -|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter|Documentation
| -|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols|Documentation
| -|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users|Documentation
| -|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy|Documentation
| -|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter|Documentation
| -|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24|Documentation
| -|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length|Documentation
| -|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined|Documentation
| -|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS|Documentation
| -|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption|Documentation
| -|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source.|Documentation
| -|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests|Documentation
| -|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest|Documentation
| -|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined|Documentation
| -|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)|Documentation
| -|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled|Documentation
| -|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned|Documentation
| -|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.|Documentation
| -|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit|Documentation
| -|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted|Documentation
| -|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS.|Documentation
| -|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node|Documentation
| -|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted|Documentation
| -|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest|Documentation
| -|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'|Documentation
| -|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret|Documentation
| -|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys|Documentation
| -|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit|Documentation
| -|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy|Documentation
| -|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).|Documentation
| -|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible|Documentation
| -|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud)|Documentation
| -|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten.|Documentation
| -|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled|Documentation
| -|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials|Documentation
| -|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.|Documentation
| -|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes|Documentation
| -|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.|Documentation
| -|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false|Documentation
| -|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol|Documentation
| -|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol|Documentation
| -|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated|Documentation
| -|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.|Documentation
| -|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service|Documentation
| -|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet|Documentation
| -|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP|Documentation
| -|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled|Documentation
| -|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association|Documentation
| -|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled|Documentation
| -|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled|Documentation
| -|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.|Documentation
| -|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes|Documentation
| -|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes|Documentation
| -|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation|Documentation
| -|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch|Documentation
| -|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones|Documentation
| -|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes|Documentation
| -|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events|Documentation
| -|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation|Documentation
| -|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable|Documentation
| -|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True|Documentation
| -|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK|Documentation
| -|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined|Documentation
| -|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).|Documentation
| -|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs|Documentation
| -|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled|Documentation
| -|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled|Documentation
| -|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail|Documentation
| -|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled|Documentation
| -|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC|Documentation
| -|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster|Documentation
| -|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined|Documentation
| -|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled|Documentation
| -|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes|Documentation
| -|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs|Documentation
| -|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified|Documentation
| -|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled|Documentation
| -|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled|Documentation
| -|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures|Documentation
| -|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions|Documentation
| -|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded|Documentation
| -|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded|Documentation
| -|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'|Documentation
| -|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it|Documentation
| -|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated|Documentation
| -|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services.|Documentation
| -|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.|Documentation
| -|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s)|Documentation
| -|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services|Documentation
| -|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate|Documentation
| -|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it|Documentation
| -|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.|Documentation
| -|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions|Documentation
| -|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'|Documentation
| -|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.|Documentation
| -|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail|Documentation
| -|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation|Documentation
| -|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL|Documentation
| -|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled|Documentation
| -|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network|Documentation
| -|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks|Documentation
| -|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port|Documentation
| -|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC)|Documentation
| -|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service|Documentation
| -|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433|Documentation
| -|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211|Documentation
| -|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated.|Documentation
| -|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types|Documentation
| -|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered|Documentation
| -|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled|Documentation
| -|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes|Documentation
| -|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL|Documentation
| -|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled|Documentation
| -|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes|Documentation
| -|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights|Documentation
| -|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'|Documentation
| -|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes|Documentation
| -|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes|Documentation
| -|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled|Documentation
| -|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated.|Documentation
| -|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared|Documentation
| -|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance|Documentation
| -|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description|Documentation
| -|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'|Documentation
| -|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table|Documentation
| -|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description|Documentation
| -|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods|Documentation
| -|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger|Documentation
| -|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled|Documentation
| +|IAM Policies With Full Privileges
2f37c4a3-58b9-4afe-8a87-d7f1d2286f84|High|Access Control|IAM policies shouldn't allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows List Action From All Principals
66c6f96f-2d9e-417e-a998-9058aeeecd44|High|Access Control|S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals. (read more)|Documentation
| +|Authentication Without MFA
3ddfa124-6407-4845-a501-179f90c65097|High|Access Control|Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating (read more)|Documentation
| +|IAM Policy Grants Full Permissions
575a2155-6af1-4026-b1af-d5bc8fe2a904|High|Access Control|IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary. (read more)|Documentation
| +|S3 Bucket Allows Put Action From All Principals
d24c0755-c028-44b1-b503-8e719c898832|High|Access Control|S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals. (read more)|Documentation
| +|S3 Bucket ACL Grants WRITE_ACP Permission
64a222aa-7793-4e40-915f-4b302c76e4d4|High|Access Control|S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket. (read more)|Documentation
| +|SSO Policy with full privileges
132a8c31-9837-4203-9fd1-15ca210c7b73|High|Access Control|SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed. (read more)|Documentation
| +|SQS Queue Exposed
abb06e5f-ef9a-4a99-98c6-376d396bfcdf|High|Access Control|Checks if the SQS Queue is exposed (read more)|Documentation
| +|IAM Role With Full Privileges
b1ffa705-19a3-4b73-b9d0-0c97d0663842|High|Access Control|IAM role policy that allow full administrative privileges (for all resources) (read more)|Documentation
| +|S3 Bucket Allows Delete Action From All Principals
ffdf4b37-7703-4dfe-a682-9d2e99bc6c09|High|Access Control|S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals. (read more)|Documentation
| +|S3 Bucket Allows Get Action From All Principals
1df37f4b-7197-45ce-83f8-9994d2fcf885|High|Access Control|S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals. (read more)|Documentation
| +|S3 Bucket Access to Any Principal
7af43613-6bb9-4a0e-8c4d-1314b799425e|High|Access Control|S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals (read more)|Documentation
| +|S3 Bucket Allows Public Policy
1a4bc881-9f69-4d44-8c9a-d37d08f54c50|High|Access Control|S3 bucket allows public policy (read more)|Documentation
| +|S3 Bucket With All Permissions
a4966c4f-9141-48b8-a564-ffe9959945bc|High|Access Control|S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals. (read more)|Documentation
| +|EFS With Vulnerable Policy
fae52418-bb8b-4ac2-b287-0b9082d6a3fd|High|Access Control|EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|ECS Service Admin Role Is Present
3206240f-2e87-4e58-8d24-3e19e7c83d7c|High|Access Control|ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role (read more)|Documentation
| +|S3 Bucket ACL Allows Read to Any Authenticated User
57b9893d-33b1-4419-bcea-a717ea87e139|High|Access Control|S3 Buckets should not be readable to any authenticated user (read more)|Documentation
| +|MSK Broker Is Publicly Accessible
54378d69-dd7c-4b08-a43e-80d563396857|High|Access Control|Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible (read more)|Documentation
| +|SNS Topic is Publicly Accessible
b26d2b7e-60f6-413d-a3a1-a57db24aa2b3|High|Access Control|SNS Topic Policy should not allow any principal to access (read more)|Documentation
| +|S3 Bucket ACL Allows Read Or Write to All Users
38c5ee0d-7f22-4260-ab72-5073048df100|High|Access Control|S3 Buckets should not be readable and writable to all users (read more)|Documentation
| +|Neptune Cluster Instance is Publicly Accessible
9ba198e0-fef4-464a-8a4d-75ea55300de7|High|Access Control|Neptune Cluster Instance should not be publicly accessible (read more)|Documentation
| +|User Data Shell Script Is Encoded
9cf718ce-46f9-430e-89ec-c456f8b469ee|High|Encryption|User Data Shell Script must be encoded (read more)|Documentation
| +|Glue Security Configuration Encryption Disabled
ad5b4e97-2850-4adf-be17-1d293e0b85ee|High|Encryption|Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled (read more)|Documentation
| +|API Gateway Method Settings Cache Not Encrypted
b7c9a40c-23e4-4a2d-8d39-a3352f10f288|High|Encryption|API Gateway Method Settings Cache should be encrypted (read more)|Documentation
| +|RDS Database Cluster not Encrypted
656880aa-1388-488f-a6d4-8f73c23149b2|High|Encryption|RDS Database Cluster Encryption should be enabled (read more)|Documentation
| +|Workspaces Workspace Volume Not Encrypted
b9033580-6886-401a-8631-5f19f5bb24c7|High|Encryption|AWS Workspaces Workspace data stored in volumes should be encrypted (read more)|Documentation
| +|AMI Not Encrypted
8bbb242f-6e38-4127-86d4-d8f0b2687ae2|High|Encryption|AWS AMI Encryption is not enabled (read more)|Documentation
| +|Glue Data Catalog Encryption Disabled
01d50b14-e933-4c99-b314-6d08cd37ad35|High|Encryption|Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled (read more)|Documentation
| +|User Data Contains Encoded Private Key
443488f5-c734-460b-a36d-5b3f330174dc|High|Encryption|User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily (read more)|Documentation
| +|EFS Not Encrypted
48207659-729f-4b5c-9402-f884257d794f|High|Encryption|Elastic File System (EFS) must be encrypted (read more)|Documentation
| +|Sagemaker Notebook Instance Without KMS
f3674e0c-f6be-43fa-b71c-bf346d1aed99|High|Encryption|AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS (read more)|Documentation
| +|S3 Bucket Object Not Encrypted
5fb49a69-8d46-4495-a2f8-9c8c622b2b6e|High|Encryption|S3 Bucket Object should have server-side encryption enabled (read more)|Documentation
| +|Launch Configuration Is Not Encrypted
4de9de27-254e-424f-bd70-4c1e95790838|High|Encryption|Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume (read more)|Documentation
| +|EBS Volume Snapshot Not Encrypted
e6b4b943-6883-47a9-9739-7ada9568f8ca|High|Encryption|The value on AWS EBS Volume Snapshot Encryptation must be true (read more)|Documentation
| +|MSK Cluster Encryption Disabled
6db52fa6-d4da-4608-908a-89f0c59e743e|High|Encryption|Ensure MSK Cluster encryption in rest and transit is enabled (read more)|Documentation
| +|ELB Using Insecure Protocols
126c1788-23c2-4a10-906c-ef179f4f96ec|High|Encryption|ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols. (read more)|Documentation
| +|Secure Ciphers Disabled
5c0003fb-9aa0-42c1-9da3-eb0e332bef21|High|Encryption|Check if secure ciphers aren't used in CloudFront (read more)|Documentation
| +|EFS Without KMS
25d251f3-f348-4f95-845c-1090e41a615c|High|Encryption|Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys (read more)|Documentation
| +|IAM Database Auth Not Enabled
88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6|High|Encryption|IAM Database Auth Enabled should be configured to true when using compatible engine and version (read more)|Documentation
| +|DAX Cluster Not Encrypted
f11aec39-858f-4b6f-b946-0a1bf46c0c87|High|Encryption|AWS DAX Cluster should have server-side encryption at rest (read more)|Documentation
| +|Athena Workgroup Not Encrypted
d364984a-a222-4b5f-a8b0-e23ab19ebff3|High|Encryption|Athena Workgroup query results should be encrypted, for all queries that run in the workgroup (read more)|Documentation
| +|DOCDB Cluster Without KMS
4766d3ea-241c-4ee6-93ff-c380c996bd1a|High|Encryption|AWS DOCDB Cluster should be encrypted with a KMS encryption key (read more)|Documentation
| +|ELB Using Weak Ciphers
4a800e14-c94a-442d-9067-5a2e9f6c0a4c|High|Encryption|ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers. (read more)|Documentation
| +|Kinesis Not Encrypted With KMS
862fe4bf-3eec-4767-a517-40f378886b88|High|Encryption|AWS Kinesis Streams and metadata should be protected with KMS (read more)|Documentation
| +|EKS Cluster Encryption Disabled
63ebcb19-2739-4d3f-aa5c-e8bbb9b85281|High|Encryption|EKS Cluster should be encrypted (read more)|Documentation
| +|CA Certificate Identifier Is Outdated
9f40c07e-699e-4410-8856-3ba0f2e3a2dd|High|Encryption|The CA certificate Identifier must be 'rds-ca-2019'. (read more)|Documentation
| +|S3 Bucket SSE Disabled
6726dcc0-5ff5-459d-b473-a780bef7665c|High|Encryption|If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required (read more)|Documentation
| +|EBS Default Encryption Disabled
3d3f6270-546b-443c-adb4-bb6fb2187ca6|High|Encryption|EBS Encryption should be enabled (read more)|Documentation
| +|Athena Database Not Encrypted
b2315cae-b110-4426-81e0-80bb8640cdd3|High|Encryption|AWS Athena Database data in S3 should be encrypted (read more)|Documentation
| +|DOCDB Cluster Not Encrypted
bc1f9009-84a0-490f-ae09-3e0ea6d74ad6|High|Encryption|AWS DOCDB Cluster storage should be encrypted (read more)|Documentation
| +|ECS Task Definition Container With Plaintext Password
d40210ea-64b9-4cce-a4fb-e8604f3c062c|High|Encryption|It's not recommended to use plaintext environment variables for sensitive information, such as credential data. (read more)|Documentation
| +|RDS Storage Not Encrypted
3199c26c-7871-4cb3-99c2-10a59244ce7f|High|Encryption|RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true' (read more)|Documentation
| +|Sagemaker Endpoint Configuration Encryption Disabled
58b35504-0287-4154-bf69-02c0573deab8|High|Encryption|Sagemaker endpoint configuration should encrypt data (read more)|Documentation
| +|CodeBuild Project Encrypted With AWS Managed Key
3deec14b-03d2-4d27-9670-7d79322e3340|High|Encryption|CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|Redis Not Compliant
254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4|High|Encryption|Check if the redis version is compliant with the necessary AWS PCI DSS requirements (read more)|Documentation
| +|Redshift Not Encrypted
cfdcabb0-fc06-427c-865b-c59f13e898ce|High|Encryption|AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false) (read more)|Documentation
| +|Cloudfront Viewer Protocol Policy Allows HTTP
55af1353-2f62-4fa0-a8e1-a210ca2708f5|High|Encryption|Checks if the connection between CloudFront and the viewer is encrypted (read more)|Documentation
| +|DB Instance Storage Not Encrypted
08bd0760-8752-44e1-9779-7bb369b2b4e4|High|Encryption|AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'. (read more)|Documentation
| +|Kinesis SSE Not Configured
5c6dd5e7-1fe0-4cae-8f81-4c122717cef3|High|Encryption|AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled (read more)|Documentation
| +|ECS Task Definition Volume Not Encrypted
4d46ff3b-7160-41d1-a310-71d6d370b08f|High|Encryption|AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted (read more)|Documentation
| +|IAM User Policy Without MFA
b5681959-6c09-4f55-b42b-c40fa12d03ec|High|Insecure Configurations|Check if the root user is authenticated with MFA (read more)|Documentation
| +|Lambda Function With Privileged Role
1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2|High|Insecure Configurations|It is not advisable for AWS Lambda Functions to have privileged permissions. (read more)|Documentation
| +|Root Account Has Active Access Keys
970d224d-b42a-416b-81f9-8f4dfe70c4bc|High|Insecure Configurations|The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive. (read more)|Documentation
| +|S3 Bucket with Unsecured CORS Rule
98a8f708-121b-455b-ae2f-da3fb59d17e1|High|Insecure Configurations|If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure (read more)|Documentation
| +|Redshift Publicly Accessible
af173fde-95ea-4584-b904-bb3923ac4bda|High|Insecure Configurations|AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true) (read more)|Documentation
| +|KMS Key With Vulnerable Policy
7ebc9038-0bde-479a-acc4-6ed7b6758899|High|Insecure Configurations|Checks if the policy is vulnerable and needs updating. (read more)|Documentation
| +|S3 Bucket Without Enabled MFA Delete
c5b31ab9-0f26-4a49-b8aa-4cc064392f4d|High|Insecure Configurations|S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations (read more)|Documentation
| +|S3 Bucket Without Restriction Of Public Bucket
1ec253ab-c220-4d63-b2de-5b40e0af9293|High|Insecure Configurations|S3 bucket without restriction of public bucket (read more)|Documentation
| +|API Gateway Without Security Policy
4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b|High|Insecure Configurations|API Gateway should have a Security Policy defined and use TLS 1.2. (read more)|Documentation
| +|No Password Policy Enabled
b592ffd4-0577-44b6-bd35-8c5ee81b5918|High|Insecure Configurations|IAM password policies should be set through the password minimum length and reset password attributes (read more)|Documentation
| +|ECS Task Definition Network Mode Not Recommended
9f4a9409-9c60-4671-be96-9716dbf63db1|High|Insecure Configurations|Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations (read more)|Documentation
| +|DB Security Group Has Public Interface
f0d8781f-99bf-4958-9917-d39283b168a0|High|Insecure Configurations|The CIDR IP should not be a public interface (read more)|Documentation
| +|CloudFront Without Minimum Protocol TLS 1.2
00e5e55e-c2ff-46b3-a757-a7a1cd802456|High|Insecure Configurations|CloudFront Minimum Protocol version should be at least TLS 1.2 (read more)|Documentation
| +|Batch Job Definition With Privileged Container Properties
66cd88ac-9ddf-424a-b77e-e55e17630bee|High|Insecure Configurations|Batch Job Definition should not have Privileged Container Properties (read more)|Documentation
| +|DB Instance Publicly Accessible
35113e6f-2c6b-414d-beec-7a9482d3b2d1|High|Insecure Configurations|RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false'). (read more)|Documentation
| +|S3 Static Website Host Enabled
42bb6b7f-6d54-4428-b707-666f669d94fb|High|Insecure Configurations|Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured. (read more)|Documentation
| +|Vulnerable Default SSL Certificate
3a1e94df-6847-4c0e-a3b6-6c6af4e128ef|High|Insecure Defaults|CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one. (read more)|Documentation
| +|Unrestricted Security Group Ingress
4728cd65-a20c-49da-8b31-9c08b423e4db|High|Networking and Firewall|Security groups allow ingress from 0.0.0.0:0 and/or ::/0 (read more)|Documentation
| +|EKS Cluster Has Public Access CIDRs
61cf9883-1752-4768-b18c-0d57f2737709|High|Networking and Firewall|Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0" (read more)|Documentation
| +|Default Security Groups With Unrestricted Traffic
46883ce1-dc3e-4b17-9195-c6a601624c73|High|Networking and Firewall|Check if default security group does not restrict all inbound and outbound traffic. (read more)|Documentation
| +|Network ACL With Unrestricted Access To RDP
a20be318-cac7-457b-911d-04cc6e812c25|High|Networking and Firewall|'RDP' (TCP:3389) should not be public in AWS Network ACL (read more)|Documentation
| +|Sensitive Port Is Exposed To Entire Network
381c3f2a-ef6f-4eff-99f7-b169cda3422c|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol (read more)|Documentation
| +|VPC Peering Route Table with Unrestricted CIDR
b3a41501-f712-4c4f-81e5-db9a7dc0e34e|High|Networking and Firewall|VPC Peering Route Table should restrict CIDR (read more)|Documentation
| +|Remote Desktop Port Open To Internet
151187cb-0efc-481c-babd-ad24e3c9bc22|High|Networking and Firewall|The Remote Desktop port is open to the internet in a Security Group (read more)|Documentation
| +|EC2 Instance Has Public IP
5a2486aa-facf-477d-a5c1-b010789459ce|High|Networking and Firewall|EC2 Instance should not have a public IP address. (read more)|Documentation
| +|Network ACL With Unrestricted Access To SSH
3af7f2fd-06e6-4dab-b996-2912bea19ba4|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Network ACL (read more)|Documentation
| +|ALB Listening on HTTP
de7f5e83-da88-4046-871f-ea18504b1d43|High|Networking and Firewall|AWS Application Load Balancer (alb) should not listen on HTTP (read more)|Documentation
| +|VPC Default Security Group Accepts All Traffic
9a4ef195-74b9-4c58-b8ed-2b2fe4353a75|High|Networking and Firewall|Default Security Group attached to every VPC should restrict all traffic (read more)|Documentation
| +|Unknown Port Exposed To Internet
590d878b-abdc-428f-895a-e2b68a0e1998|High|Networking and Firewall|AWS Security Group should not have an unknown port exposed to the entire Internet (read more)|Documentation
| +|HTTP Port Open To Internet
ffac8a12-322e-42c1-b9b9-81ff85c39ef7|High|Networking and Firewall|The HTTP port is open to the internet in a Security Group (read more)|Documentation
| +|Security Group With Unrestricted Access To SSH
65905cec-d691-4320-b320-2000436cb696|High|Networking and Firewall|'SSH' (TCP:22) should not be public in AWS Security Group (read more)|Documentation
| +|DB Security Group With Public Scope
1e0ef61b-ad85-4518-a3d3-85eaad164885|High|Networking and Firewall|The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it (read more)|Documentation
| +|EKS node group remote access disabled
ba40ace1-a047-483c-8a8d-bc2d3a67a82d|High|Networking and Firewall|EKS node group remote access is disabled when 'SourceSecurityGroups' is missing (read more)|Documentation
| +|DB Security Group Open To Large Scope
4f615f3e-fb9c-4fad-8b70-2e9f781806ce|High|Networking and Firewall|The IP address in a DB Security Group must not have more than 256 hosts. (read more)|Documentation
| +|RDS Associated with Public Subnet
2f737336-b18a-4602-8ea0-b200312e1ac1|High|Networking and Firewall|RDS should not run in public subnet (read more)|Documentation
| +|Route53 Record Undefined
25db74bf-fa3b-44da-934e-8c3e005c0453|High|Networking and Firewall|Check if Record is set (read more)|Documentation
| +|CloudWatch Console Sign-in Without MFA Alarm Missing
44ceb4fa-0897-4fd2-b676-30e7a58f2933|High|Observability|Ensure a log metric filter and alarm exist for management console sign-in without MFA (read more)|Documentation
| +|KMS Key With No Deletion Window
0b530315-0ea4-497f-b34c-4ff86268f59d|High|Observability|AWS KMS Key should have a valid deletion window (read more)|Documentation
| +|CloudWatch IAM Policy Changes Alarm Missing
eaaba502-2f94-411a-a3c2-83d63cc1776d|High|Observability|Ensure a log metric filter and alarm exist for IAM policy changes (read more)|Documentation
| +|CloudWatch Unauthorized Access Alarm Missing
4c18a45b-4ab1-4790-9f83-399ac695f1e5|High|Observability|Ensure a log metric filter and alarm exist for unauthorized API calls (read more)|Documentation
| +|CloudTrail Logging Disabled
4bb76f17-3d63-4529-bdca-2b454529d774|High|Observability|Checks if logging is enabled for CloudTrail. (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket is Publicly Accessible
bd0088a5-c133-4b20-b129-ec9968b16ef3|High|Observability|CloudTrail Log Files S3 Bucket should not be publicly accessible (read more)|Documentation
| +|CMK Rotation Disabled
22fbfeac-7b5a-421a-8a27-7a2178bb910b|High|Observability|Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled. (read more)|Documentation
| +|CloudWatch Root Account Use Missing
8b1b1e67-6248-4dca-bbad-93486bb181c0|High|Observability|Ensure a log metric filter and alarm exist for root acount usage (read more)|Documentation
| +|CloudTrail Log Files S3 Bucket with Logging Disabled
ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4|High|Observability|CloudTrail Log Files S3 Bucket should have 'logging' enabled (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AddUserToGroup'
970ed7a2-0aca-4425-acf1-0453c9ecbca1|Medium|Access Control|Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|S3 Bucket Allows Public ACL
d0cc8694-fcad-43ff-ac86-32331d7e867f|Medium|Access Control|S3 bucket allows public ACL (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
ad296c0d-8131-4d6b-b030-1b0e73a99ad3|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SES Policy With Allowed IAM Actions
34b921bd-90a0-402e-a0a5-dc73371fd963|Medium|Access Control|SES policy should not allow IAM actions to all principals (read more)|Documentation
| +|SSO Permission With Inadequate User Session Duration
ce9dfce0-5fc8-433b-944a-3b16153111a8|Medium|Access Control|SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
9a205ba3-0dd1-42eb-8d54-2ffec836b51a|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
9b0ffadc-a61f-4c2a-b1e6-68fab60f6267|Medium|Access Control|Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutUserPolicy'
0c10d7da-85c4-4d62-b2a8-d6c104f1bd77|Medium|Access Control|User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
7d544dad-8a6c-431c-84c1-5f07fe9afc0e|Medium|Access Control|Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|API Gateway Without Configured Authorizer
0a96ce49-4163-4ee6-8169-eb3b0797d694|Medium|Access Control|API Gateway REST API should have an API Gateway Authorizer (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
f906113d-cdc0-415a-ba60-609cc6daaf4d|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutUserPolicy'
60263b4a-6801-4587-911d-919c37ed733b|Medium|Access Control|Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
70cb518c-d990-46f6-bc05-44a5041493d6|Medium|Access Control|User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
eda48c88-2b7d-4e34-b6ca-04c0194aee17|Medium|Access Control|Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
43a41523-386a-4cb1-becb-42af6b414433|Medium|Access Control|User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda With Vulnerable Policy
ad9dabc7-7839-4bae-a957-aa9120013f39|Medium|Access Control|The attribute 'action' should not have wildcard (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AddUserToGroup'
bf9d42c7-c2f9-4dfe-942c-c8cc8249a081|Medium|Access Control|User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
c583f0f9-7dfd-476b-a056-f47c62b47b46|Medium|Access Control|Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
b69247e5-7e73-464e-ba74-ec9b715c6e12|Medium|Access Control|User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Policy Without Principal
bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54|Medium|Access Control|All policies, except IAM identity-based policies, should have the 'Principal' element defined (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'
db78d14b-10e5-4e6e-84b1-dace6327b1ec|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
15e6ad8c-f420-49a6-bafb-074f5eb1ec74|Medium|Access Control|Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
d6047119-a0b2-4b59-a4f2-127a36fb685b|Medium|Access Control|Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
8f3c16b3-354d-45db-8ad5-5066778a9485|Medium|Access Control|Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public and Private EC2 Share Role
c53c7a89-f9d7-4c7b-8b66-8a555be99593|Medium|Access Control|Public and private EC2 istances should not share the same role. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
6d23d87e-1c5b-4308-b224-92624300f29b|Medium|Access Control|User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateAccessKey'
846646e3-2af1-428c-ac5d-271eccfa6faf|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|CloudWatch Logs Destination With Vulnerable Policy
db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8|Medium|Access Control|CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
9b877bd8-94b4-4c10-a060-8e0436cc09fa|Medium|Access Control|User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Neptune Cluster With IAM Database Authentication Disabled
c91d7ea0-d4d1-403b-8fe1-c9961ac082c5|Medium|Access Control|Neptune Cluster should have IAM Database Authentication enabled (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'
04c686f1-e0cd-4812-88e1-4e038410074c|Medium|Access Control|Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|REST API With Vulnerable Policy
b161c11b-a59b-4431-9a29-4e19f63e6b27|Medium|Access Control|REST API policy should avoid wildcard in 'Action' and 'Principal' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
be2aa235-bd93-4b68-978a-1cc65d49082f|Medium|Access Control|Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
35ccf766-0e4d-41ed-9ec4-2dab155082b4|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
8bfbf7ab-d5e8-4100-8618-798956e101e0|Medium|Access Control|User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Secrets Manager With Vulnerable Policy
fa00ce45-386d-4718-8392-fb485e1f3c5b|Medium|Access Control|Secrets Manager policy should avoid wildcard in 'Principal' and 'Action' (read more)|Documentation
| +|API Gateway Method Does Not Contains An API Key
671211c5-5d2a-4e97-8867-30fc28b02216|Medium|Access Control|An API Key should be required on a method request. (read more)|Documentation
| +|Cross-Account IAM Assume Role Policy Without ExternalId or MFA
09c35abf-5852-4622-ac7a-b987b331232e|Medium|Access Control|Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access (read more)|Documentation
| +|IAM User With Access To Console
9ec311bf-dfd9-421f-8498-0b063c8bc552|Medium|Access Control|AWS IAM Users should not have access to console (read more)|Documentation
| +|IAM Access Key Is Exposed
7081f85c-b94d-40fd-8b45-a4f1cac75e46|Medium|Access Control|IAM Access Key should not be active for root users (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7|Medium|Access Control|Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'
e77c89f6-9c85-49ea-b95b-5f960fe5be92|Medium|Access Control|Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
89561b03-cb35-44a9-a7e9-8356e71606f4|Medium|Access Control|User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SNS Topic Publicity Has Allow and NotAction Simultaneously
5ea624e4-c8b1-4bb3-87a4-4235a776adcc|Medium|Access Control|SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'. (read more)|Documentation
| +|AMI Shared With Multiple Accounts
ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698|Medium|Access Control|Limits access to AWS AMIs by checking if more than one account is using the same image (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
118281d0-6471-422e-a7c5-051bc667926e|Medium|Access Control|Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
8055dec2-efb8-4fe6-8837-d9bed6ff202a|Medium|Access Control|User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Glue With Vulnerable Policy
d25edb51-07fb-4a73-97d4-41cecdc53a22|Medium|Access Control|Glue policy should avoid wildcard in 'principals' and 'actions' (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ee49557d-750c-4cc1-aa95-94ab36cbefde|Medium|Access Control|Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
0a592060-8166-49f5-8e65-99ac6dce9871|Medium|Access Control|Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'
3dd96caa-0b5f-4a85-b929-acfac4646cc2|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
e227091e-2228-4b40-b046-fc13650d8e88|Medium|Access Control|User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
7782d4b3-e23e-432b-9742-d9528432e771|Medium|Access Control|Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
7c96920c-6fd0-449d-9a52-0aa431b6beaf|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
571254d8-aa6a-432e-9725-535d3ef04d69|Medium|Access Control|Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy Allows All Actions
816ea8cf-d589-442d-a917-2dd0ce0e45e3|Medium|Access Control|SQS policy allows ALL (*) actions (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
b8a31292-509d-4b61-bc40-13b167db7e9c|Medium|Access Control|Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
ec49cbfd-fae4-45f3-81b1-860526d66e3f|Medium|Access Control|Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Public Lambda via API Gateway
3ef8696c-e4ae-4872-92c7-520bb44dfe77|Medium|Access Control|Allowing to run lambda function using public API Gateway (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
f465fff1-0a0f-457d-aa4d-1bddb6f204ff|Medium|Access Control|Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
fa62ac4f-f5b9-45b9-97c1-625c8b6253ca|Medium|Access Control|Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
6deb34e2-5d9c-499a-801b-ea6d9eda894f|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
78f1ec6f-5659-41ea-bd48-d0a142dce4f2|Medium|Access Control|Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
034d0aee-620f-4bf7-b7fb-efdf661fdb9e|Medium|Access Control|Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|SQS Policy With Public Access
730675f9-52ed-49b6-8ead-0acb5dd7df7f|Medium|Access Control|Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
70b42736-efee-4bce-80d5-50358ed94990|Medium|Access Control|Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Lambda Permission Principal Is Wildcard
e08ed7eb-f3ef-494d-9d22-2e3db756a347|Medium|Access Control|Lambda Permission Principal should not contain a wildcard. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
f1173d8c-3264-4148-9fdb-61181e031b51|Medium|Access Control|Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:PutRolePolicy'
eeb4d37a-3c59-4789-a00c-1509bc3af1e5|Medium|Access Control|User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
30b88745-eebe-4ecb-a3a9-5cf886e96204|Medium|Access Control|Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
33627268-1445-4385-988a-318fd9d1a512|Medium|Access Control|User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
94fbe150-27e3-4eba-9ca6-af32865e4503|Medium|Access Control|User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Group With Privilege Escalation By Actions 'iam:PutRolePolicy'
c0c1e744-0f37-445e-924a-1846f0839f69|Medium|Access Control|Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateAccessKey'
113208f2-a886-4526-9ecc-f3218600e12c|Medium|Access Control|User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Policies Attached To User
b4378389-a9aa-44ee-91e7-ef183f11079e|Medium|Access Control|IAM policies should be attached only to groups or roles (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
1743f5f1-0bb0-4934-acef-c80baa5dadfa|Medium|Access Control|User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|IAM Role Policy passRole Allows All
e39bee8c-fe54-4a3f-824d-e5e2d1cca40a|Medium|Access Control|Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources (read more)|Documentation
| +|Elasticsearch Without IAM Authentication
e7530c3c-b7cf-4149-8db9-d037a0b5268e|Medium|Access Control|AWS Elasticsearch should ensure IAM Authentication (read more)|Documentation
| +|Elasticsearch Domain With Vulnerable Policy
16c4216a-50d3-4785-bfb2-4adb5144a8ba|Medium|Access Control|Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
0fd7d920-4711-46bd-aff2-d307d82cd8b7|Medium|Access Control|User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
19ffbe31-9d72-4379-9768-431195eae328|Medium|Access Control|User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Certificate Has Expired
c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6|Medium|Access Control|Expired SSL/TLS certificates should be removed (read more)|Documentation
| +|ECR Repository Is Publicly Accessible
e86e26fc-489e-44f0-9bcd-97305e4ba69a|Medium|Access Control|Amazon ECR image repositories shouldn't have public access (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
5b4d4aee-ac94-4810-9611-833636e5916d|Medium|Access Control|Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
8f75840d-9ee7-42f3-b203-b40e3979eb12|Medium|Access Control|Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. (read more)|Documentation
| +|CMK Is Unusable
7350fa23-dcf7-4938-916d-6a60b0c73b50|Medium|Availability|AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|Auto Scaling Group With No Associated ELB
8e94dced-9bcc-4203-8eb7-7e41202b2505|Medium|Availability|AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. (read more)|Documentation
| +|ElastiCache Nodes Not Created Across Multi AZ
6db03a91-f933-4f13-ab38-a8b87a7de54d|Medium|Availability|ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster (read more)|Documentation
| +|ECS Service Without Running Tasks
91f16d09-689e-4926-aca7-155157f634ed|Medium|Availability|ECS Service should have at least 1 task running (read more)|Documentation
| +|Stack Retention Disabled
6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97|Medium|Backup|Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction (read more)|Documentation
| +|RDS With Backup Disabled
1dc73fb4-5b51-430c-8c5f-25dcf9090b02|Medium|Backup|Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup (read more)|Documentation
| +|ElastiCache Redis Cluster Without Backup
8fdb08a0-a868-4fdf-9c27-ccab0237f1ab|Medium|Backup|ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0 (read more)|Documentation
| +|ALB Not Dropping Invalid Headers
6e3fd2ed-5c83-4c68-9679-7700d224d379|Medium|Best Practices|It's considered a best practice when using Application Load Balancers to drop invalid header fields (read more)|Documentation
| +|IAM Password Without Lowercase Letter
bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9|Medium|Best Practices|IAM Password should have at least one lowercase letter (read more)|Documentation
| +|IAM Password Without Symbol
7a70eed6-de3a-4da2-94da-a2bbc8fe2a48|Medium|Best Practices|IAM password should have the required symbols (read more)|Documentation
| +|Cognito UserPool Without MFA
ec28bf61-a474-4dbe-b414-6dd3a067d6f0|Medium|Best Practices|AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users (read more)|Documentation
| +|Misconfigured Password Policy Expiration
ce60d060-efb8-4bfd-9cf7-ff8945d00d90|Medium|Best Practices|No password expiration policy (read more)|Documentation
| +|IAM Password Without Uppercase Letter
c5ff7bc9-d8ea-46dd-81cb-8286f3222249|Medium|Best Practices|IAM password should have at least one uppercase letter (read more)|Documentation
| +|Password Without Reuse Prevention
89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a|Medium|Best Practices|Check if IAM account password has the reuse password configured with 24 (read more)|Documentation
| +|IAM Password Without Minimum Length
1bc1c685-e593-450e-88fb-19db4c82aa1d|Medium|Best Practices|IAM password should have the required minimum length (read more)|Documentation
| +|RDS Cluster With Backup Disabled
e542bd46-58c4-4e0f-a52a-1fb4f9548e02|Medium|Best Practices|RDS Cluster backup retention period should be specifically defined (read more)|Documentation
| +|Stack Without Template
91bea7b8-0c31-4863-adc9-93f6177266c4|Medium|Build Process|AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|CloudWatch Log Group Without KMS
0afbcfe9-d341-4b92-a64c-7e6de0543879|Medium|Encryption|AWS CloudWatch Log groups should be encrypted using KMS (read more)|Documentation
| +|DynamoDB Table Not Encrypted
ce089fd4-1406-47bd-8aad-c259772bb294|Medium|Encryption|AWS DynamoDB Tables should have server-side encryption (read more)|Documentation
| +|Config Rule For Encrypted Volumes Disabled
abdb29d4-5ca1-4e91-800b-b3569bbd788c|Medium|Encryption|Check if AWS config rules do not identify Encrypted Volumes as a source. (read more)|Documentation
| +|S3 Bucket Policy Accepts HTTP Requests
4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9|Medium|Encryption|S3 Bucket policy should not accept HTTP Requests (read more)|Documentation
| +|SNS Topic Encrypted With AWS Managed Key
b1a72f66-2236-4f3b-87ba-0da1b366956f|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|ElasticSearch Not Encrypted At Rest
24e16922-4330-4e9d-be8a-caa90299466a|Medium|Encryption|Check if ElasticSearch encryption is disabled at Rest (read more)|Documentation
| +|AmazonMQ Broker Encryption Disabled
3db3f534-e3a3-487f-88c7-0a9fbf64b702|Medium|Encryption|AmazonMQ Broker should have Encryption Options defined (read more)|Documentation
| +|SQS With SSE Disabled
6e8849c1-3aa7-40e3-9063-b85ee300f29f|Medium|Encryption|Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE) (read more)|Documentation
| +|Neptune Database Cluster Encryption Disabled
98d59056-f745-4ef5-8613-32bca8d40b7e|Medium|Encryption|Neptune database cluster storage should have encryption enabled (read more)|Documentation
| +|Secretsmanager Secret Encrypted With AWS Managed Key
b0d3ef3f-845d-4b1b-83d6-63a5a380375f|Medium|Encryption|Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|Unscanned ECR Image
9630336b-3fed-4096-8173-b9afdfe346a7|Medium|Encryption|Checks if the ECR Image has been scanned (read more)|Documentation
| +|API Gateway With Invalid Compression
ed35928e-195c-4405-a252-98ccb664ab7b|Medium|Encryption|API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760. (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Transit
1afbb3fa-cf6c-4a3d-b730-95e9f4df343e|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Transit (read more)|Documentation
| +|EBS Volume Encryption Disabled
cc997676-481b-4e93-aa81-d19f8c5e9b12|Medium|Encryption|EBS volumes should be encrypted (read more)|Documentation
| +|ElasticSearch Encryption With KMS Disabled
7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2|Medium|Encryption|Check if any ElasticSearch domain isn't encrypted with KMS. (read more)|Documentation
| +|Elasticsearch Domain Not Encrypted Node To Node
967eb3e6-26fc-497d-8895-6428beb6e8e2|Medium|Encryption|Elasticsearch Domain encryption should be enabled node to node (read more)|Documentation
| +|SNS Topic Not Encrypted
28545147-2fc6-42d5-a1f9-cf226658e591|Medium|Encryption|SNS (Simple Notification Service) Topic should be encrypted (read more)|Documentation
| +|ElastiCache Replication Group Not Encrypted At Rest
76976de7-c7b1-4f64-a94f-90c1345914c2|Medium|Encryption|ElastiCache Replication Group encryption should be enabled at Rest (read more)|Documentation
| +|Redis Disabled
4bd15dd9-8d5e-4008-8532-27eb0c3706d3|Medium|Encryption|ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html' (read more)|Documentation
| +|Secretsmanager Secret Without KMS
a2f548f2-188c-4fff-b172-e9a6acb216bd|Medium|Encryption|AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret (read more)|Documentation
| +|DOCDB Cluster Encrypted With AWS Managed Key
2134641d-30a4-4b16-8ffc-2cd4c4ffd15d|Medium|Encryption|DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys (read more)|Documentation
| +|SSM Session Transit Encryption Disabled
ce60cc6b-6831-4bd7-84a2-cc7f8ee71433|Medium|Encryption|SSM Session should be encrypted in transit (read more)|Documentation
| +|AWS Password Policy With Unchangeable Passwords
9ef7d25d-9764-4224-9968-fa321c56ef76|Medium|Insecure Configurations|Unchangeable passwords in AWS password policy (read more)|Documentation
| +|Service Control Policies Disabled
5ba6229c-8057-433e-91d0-21cf13569ca9|Medium|Insecure Configurations|Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). (read more)|Documentation
| +|MQ Broker Is Publicly Accessible
4eb5f791-c861-4afd-9f94-f2a6a3fe49cb|Medium|Insecure Configurations|Check if any MQ Broker is not publicly accessible (read more)|Documentation
| +|Redshift Cluster Without VPC
0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3|Medium|Insecure Configurations|Redshift Cluster should be configured in VPC (Virtual Private Cloud) (read more)|Documentation
| +|ECR Image Tag Not Immutable
d1846b12-20c5-4d45-8798-fc35b79268eb|Medium|Insecure Configurations|ECR should have an image tag be immutable. This prevents image tags from being overwritten. (read more)|Documentation
| +|API Gateway Without SSL Certificate
0b4869fc-a842-4597-aa00-1294df425440|Medium|Insecure Configurations|SSL Client Certificate should be enabled (read more)|Documentation
| +|IAM User Has Too Many Access Keys
3561130e-9c5f-485b-9e16-2764c82763e5|Medium|Insecure Configurations|Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials (read more)|Documentation
| +|API Gateway With Open Access
15ccec05-5476-4890-ad19-53991eba1db8|Medium|Insecure Configurations|API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method. (read more)|Documentation
| +|Certificate RSA Key Bytes Lower Than 256
874d68a3-bfbe-4a4b-aaa0-9e74d7da634b|Medium|Insecure Configurations|The certificate should use a RSA key with a length equal to or higher than 256 bytes (read more)|Documentation
| +|Instance With No VPC
a31a5a29-718a-4ff4-8001-a69e5e4d029e|Medium|Insecure Configurations|EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. (read more)|Documentation
| +|EKS Cluster Has Public Access
42f4b905-3736-4213-bfe9-c0660518cda8|Medium|Insecure Configurations|Amazon EKS public endpoint shoud be set to false (read more)|Documentation
| +|Sensitive Port Is Exposed To Small Public Network
e35c16a2-d54e-419d-8546-a804d8e024d0|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol (read more)|Documentation
| +|Sensitive Port Is Exposed To Wide Private Network
92fe237e-074c-4262-81a4-2077acb928c1|Medium|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol (read more)|Documentation
| +|VPC Without Network Firewall
fd632aaf-b8a1-424d-a4d1-0de22fd3247a|Medium|Networking and Firewall|VPC should have a Network Firewall associated (read more)|Documentation
| +|SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
54c417bf-c762-48b9-9d31-b3d87047e3f0|Medium|Networking and Firewall|Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it. (read more)|Documentation
| +|ALB Is Not Integrated With WAF
0afa6ab8-a047-48cf-be07-93a2f8c34cf7|Medium|Networking and Firewall|All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service (read more)|Documentation
| +|API Gateway Endpoint Config is Not Private
6b2739db-9c49-4db7-b980-7816e0c248c1|Medium|Networking and Firewall|The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet (read more)|Documentation
| +|VPC Subnet Assigns Public IP
52f04a44-6bfa-4c41-b1d3-4ae99a2de05c|Medium|Networking and Firewall|VPC Subnet should not assign public IP (read more)|Documentation
| +|API Gateway without WAF
a186e82c-1078-4a7b-85d8-579561fde884|Medium|Networking and Firewall|API Gateway should have WAF (Web Application Firewall) enabled (read more)|Documentation
| +|Dynamodb VPC Endpoint Without Route Table Association
0bc534c5-13d1-4353-a7fe-b8665d5c1d7d|Medium|Networking and Firewall|Dynamodb VPC Endpoint should be associated with Route Table Association (read more)|Documentation
| +|SQS VPC Endpoint Without DNS Resolution
e9b7acf9-9ba0-4837-a744-31e7df1e434d|Medium|Networking and Firewall|SQS VPC Endpoint should have DNS resolution enabled (read more)|Documentation
| +|S3 Bucket Without Versioning
568a4d22-3517-44a6-a7ad-6a7eed88722c|Medium|Observability|S3 bucket should have versioning enabled (read more)|Documentation
| +|API Gateway Deployment Without Access Log Setting
625abc0e-f980-4ac9-a775-f7519ee34296|Medium|Observability|API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage. (read more)|Documentation
| +|CloudWatch S3 policy Change Alarm Missing
27c6a499-895a-4dc7-9617-5c485218db13|Medium|Observability|Ensure a log metric filter and alarm exist for S3 bucket policy changes (read more)|Documentation
| +|CloudWatch AWS Organizations Changes Missing Alarm
38b85c45-e772-4de8-a247-69619ca137b3|Medium|Observability|Ensure a log metric filter and alarm exist for AWS organizations changes (read more)|Documentation
| +|API Gateway With CloudWatch Logging Disabled
982aa526-6970-4c59-8b9b-2ce7e019fe36|Medium|Observability|AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation (read more)|Documentation
| +|CloudTrail Not Integrated With CloudWatch
17b30f8f-8dfb-4597-adf6-57600b6cf25e|Medium|Observability|CloudTrail should be integrated with CloudWatch (read more)|Documentation
| +|CloudWatch Logging Disabled
7dbba512-e244-42dc-98bb-422339827967|Medium|Observability|Check if CloudWatch logging is disabled for Route53 hosted zones (read more)|Documentation
| +|Cloudwatch Security Group Changes Alarm Missing
4beaf898-9f8b-4237-89e2-5ffdc7ee6006|Medium|Observability|Ensure a log metric filter and alarm exist for security group changes (read more)|Documentation
| +|S3 Bucket Object Level CloudTrail Logging Disabled
a8fc2180-b3ac-4c93-bd0d-a55b974e4b07|Medium|Observability|S3 Bucket object-level CloudTrail logging should be enabled for read and write events (read more)|Documentation
| +|ELB Access Log Disabled
20018359-6fd7-4d05-ab26-d4dffccbdf79|Medium|Observability|ELB should have logging enabled to help on error investigation (read more)|Documentation
| +|S3 Bucket Logging Disabled
f861041c-8c9f-4156-acfc-5e6e524f5884|Medium|Observability|Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable (read more)|Documentation
| +|Configuration Aggregator to All Regions Disabled
ac5a0bc0-a54c-45aa-90c3-15f7703b9132|Medium|Observability|AWS Config Configuration Aggregator All Regions must be set to True (read more)|Documentation
| +|CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
56a585f5-555c-48b2-8395-e64e4740a9cf|Medium|Observability|Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK (read more)|Documentation
| +|API Gateway Access Logging Disabled
1b6799eb-4a7a-4b04-9001-8cceb9999326|Medium|Observability|API Gateway should have Access Log Settings defined (read more)|Documentation
| +|MQ Broker Logging Disabled
31245f98-a6a9-4182-9fc1-45482b9d030a|Medium|Observability|Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general). (read more)|Documentation
| +|Stack Notifications Disabled
b72d0026-f649-4c91-a9ea-15d8f681ac09|Medium|Observability|AWS CloudFormation should have stack notifications enabled to be notified when an event occurs (read more)|Documentation
| +|CloudTrail Multi Region Disabled
8173d5eb-96b5-4aa6-a71b-ecfa153c123d|Medium|Observability|CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled (read more)|Documentation
| +|Elasticsearch Log Disabled
acb6b4e2-a086-4f35-aefd-4db6ea51ada2|Medium|Observability|AWS Elasticsearch should have logs enabled (read more)|Documentation
| +|CloudTrail SNS Topic Name Undefined
482b7d26-0bdb-4b5f-bf6f-545826c0a3dd|Medium|Observability|Check if SNS topic name is set for CloudTrail (read more)|Documentation
| +|GuardDuty Detector Disabled
704dadd3-54fc-48ac-b6a0-02f170011473|Medium|Observability|Make sure that Amazon GuardDuty is Enabled (read more)|Documentation
| +|Default VPC Exists
96ed3526-0179-4c73-b1b2-372fde2e0d13|Medium|Observability|It isn't recommended to use resources in default VPC (read more)|Documentation
| +|Redshift Cluster Logging Disabled
15ffbacc-fa42-4f6f-a57d-2feac7365caa|Medium|Observability|Make sure Logging is enabled for Redshift Cluster (read more)|Documentation
| +|CloudFront Logging Disabled
94690d79-b3b0-43de-b656-84ebef5753e5|Medium|Observability|AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined (read more)|Documentation
| +|API Gateway X-Ray Disabled
5813ef56-fa94-406a-b35d-977d4a56ff2b|Medium|Observability|API Gateway should have X-Ray Tracing enabled (read more)|Documentation
| +|Cloudwatch Cloudtrail Configuration Changes Alarm Missing
0f6cbf69-41bb-47dc-93f3-3844640bf480|Medium|Observability|Ensure a log metric filter and alarm exist for CloudTrail configuration changes (read more)|Documentation
| +|ElasticSearch Without Slow Logs
e979fcbc-df6c-422d-9458-c33d65e71c45|Medium|Observability|Ensure that AWS Elasticsearch enables support for slow logs (read more)|Documentation
| +|CloudWatch Without Retention Period Specified
ef0b316a-211e-42f1-888e-64efe172b755|Medium|Observability|AWS CloudWatch Log groups should have retention days specified (read more)|Documentation
| +|CloudWatch Metrics Disabled
081069cb-588b-4ce1-884c-2a1ce3029fe5|Medium|Observability|Checks if CloudWatch Metrics is Enabled (read more)|Documentation
| +|MSK Cluster Logging Disabled
2f56b7ab-7fba-4e93-82f0-247e5ddeb239|Medium|Observability|Ensure MSK Cluster Logging is enabled (read more)|Documentation
| +|CloudWatch Management Console Auth Failed Alarm Missing
5864d189-ee9a-4009-ac0c-8a582e6b7919|Medium|Observability|Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (read more)|Documentation
| +|No Stack Policy
2f01fb2d-828a-499d-b98e-b83747305052|Medium|Resource Management|AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions (read more)|Documentation
| +|Hardcoded AWS Access Key
d7b9d850-3e06-4a75-852f-c46c2e92240b|Medium|Secret Management|AWS Access Key should not be hardcoded (read more)|Documentation
| +|Hardcoded AWS Access Key In Lambda
1402afd8-a95c-4e84-8b0b-6fb43758e6ce|Medium|Secret Management|Lambda access/secret keys should not be hardcoded (read more)|Documentation
| +|S3 Bucket Public ACL Overridden By Public Access Block
bf878b1a-7418-4de3-b13c-3a86cf894920|Low|Access Control|S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets' (read more)|Documentation
| +|IAM Role Allows All Principals To Assume
12b7e704-37f0-4d1e-911a-44bf60c48c21|Low|Access Control|IAM role allows all services or principals to assume it (read more)|Documentation
| +|IAM Group Without Users
fc101ca7-c9dd-4198-a1eb-0fbe92e80044|Low|Access Control|IAM Group should have at least one user associated (read more)|Documentation
| +|IAM Policy Grants 'AssumeRole' Permission Across All Services
bcdcbdc6-a350-4855-ae7c-d1e6436f7c97|Low|Access Control|IAM Policy should not grant 'AssumeRole' permission across all services. (read more)|Documentation
| +|SSO Identity User Unsafe Creation
4003118b-046b-4640-b200-b8c7a4c8b89f|Low|Access Control|The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place. (read more)|Documentation
| +|EC2 Instance Using Default Security Group
f1adc521-f79a-4d71-b55b-a68294687432|Low|Access Control|EC2 instances should not use default security group(s) (read more)|Documentation
| +|EC2 Instance Using API Keys
0b93729a-d882-4803-bdc3-ac429a21f158|Low|Access Control|EC2 instances should use roles to be granted access to other AWS services (read more)|Documentation
| +|Autoscaling Groups Supply Tags
ba48df05-eaa1-4d64-905e-4a4b051e7587|Low|Availability|Autoscaling groups should supply tags to configurate (read more)|Documentation
| +|ECR Repository Without Policy
69e7c320-b65d-41bb-be02-d63ecc0bcc9d|Low|Best Practices|ECR Repository should have Policies attached to it (read more)|Documentation
| +|CDN Configuration Is Missing
1bc367f6-901d-4870-ad0c-71d79762ef52|Low|Best Practices|Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination. (read more)|Documentation
| +|Lambda Permission Misconfigured
75ec6890-83af-4bf1-9f16-e83726df0bd0|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|IAM Access Analyzer Not Enabled
e592a0c5-5bdb-414c-9066-5dba7cdea370|Low|Best Practices|IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions (read more)|Documentation
| +|Lambda IAM InvokeFunction Misconfigured
0ca1017d-3b80-423e-bb9c-6cd5898d34bd|Low|Best Practices|Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction' (read more)|Documentation
| +|Automatic Minor Upgrades Disabled
3b6d777b-76e3-4133-80a3-0d6f667ade7f|Low|Best Practices|RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true. (read more)|Documentation
| +|CloudTrail Log Files Not Encrypted With KMS
5d9e3164-9265-470c-9a10-57ae454ac0c7|Low|Encryption|Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail (read more)|Documentation
| +|ECR Repository Not Encrypted With CMK
0e32d561-4b5a-4664-a6e3-a3fa85649157|Low|Encryption|ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation (read more)|Documentation
| +|S3 Bucket Without Ignore Public ACL
4fa66806-0dd9-4f8d-9480-3174d39c7c91|Low|Insecure Configurations|S3 bucket without ignore public ACL (read more)|Documentation
| +|ALB Deletion Protection Disabled
afecd1f1-6378-4f7e-bb3b-60c35801fdd4|Low|Insecure Configurations|Application Load Balancer should have deletion protection enabled (read more)|Documentation
| +|EC2 Instance Using Default VPC
7e4a6e76-568d-43ef-8c4e-36dea481bff1|Low|Networking and Firewall|EC2 Instances should not be configured under a default VPC network (read more)|Documentation
| +|Shield Advanced Not In Use
084c6686-2a70-4710-91b1-000393e54c12|Low|Networking and Firewall|AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks (read more)|Documentation
| +|Redshift Using Default Port
41abc6cc-dde1-4217-83d3-fb5f0cc09d8f|Low|Networking and Firewall|Redshift should not use the default port (5439) because an attacker can easily guess the port (read more)|Documentation
| +|EMR Without VPC
2b3c8a6d-9856-43e6-ab1d-d651094f03b4|Low|Networking and Firewall|Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|ElastiCache Without VPC
8c849af7-a399-46f7-a34c-32d3dc96f1fc|Low|Networking and Firewall|ElastiCache should be launched in a Virtual Private Cloud (VPC) (read more)|Documentation
| +|CloudFront Without WAF
1419b4c6-6d5c-4534-9cf6-6a5266085333|Low|Networking and Firewall|All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service (read more)|Documentation
| +|RDS Using Default Port
bca7cc4d-b3a4-4345-9461-eb69c68fcd26|Low|Networking and Firewall|RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433 (read more)|Documentation
| +|ElastiCache Using Default Port
5d89db57-8b51-4b38-bb76-b9bd42bd40f0|Low|Networking and Firewall|ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211 (read more)|Documentation
| +|API Gateway Deployment Without API Gateway UsagePlan Associated
b3a59b8e-94a3-403e-b6e2-527abaf12034|Low|Observability|API Gateway Deployment should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|Missing Cluster Log Types
66f130d9-b81d-4e8e-9b08-da74b9c891df|Low|Observability|Amazon EKS control plane logging don't enabled for all log types (read more)|Documentation
| +|CloudTrail Log File Validation Disabled
52ffcfa6-6c70-4ea6-8376-d828d3961669|Low|Observability|CloudTrail log file validation should be enabled to determine whether a log file has not been tampered (read more)|Documentation
| +|VPC FlowLogs Disabled
f83121ea-03da-434f-9277-9cd247ab3047|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|DocDB Logging Is Disabled
56f6a008-1b14-4af4-b9b2-ab7cf7e27641|Low|Observability|DocDB logging should be enabled (read more)|Documentation
| +|CloudWatch Network Gateways Changes Alarm Missing
6b6874fe-4c2f-4eea-8b90-7cceaa4a125e|Low|Observability|Ensure a log metric filter and alarm exist for network gateways changes (read more)|Documentation
| +|CloudWatch Changes To NACL Alarm Missing
0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0|Low|Observability|Ensure a log metric filter and alarm exist for changes to NACL (read more)|Documentation
| +|Global Accelerator Flow Logs Disabled
96e8183b-e985-457b-90cd-61c0503a3369|Low|Observability|Global Accelerator should have flow logs enabled (read more)|Documentation
| +|CloudWatch Route Table Changes Alarm Missing
2285e608-ddbc-47f3-ba54-ce7121e31216|Low|Observability|Ensure a log metric filter and alarm exist for route table changes (read more)|Documentation
| +|ECS Cluster with Container Insights Disabled
97cb0688-369a-4d26-b1f7-86c4c91231bc|Low|Observability|ECS Cluster should enable container insights (read more)|Documentation
| +|Lambda Functions Without X-Ray Tracing
8152e0cf-d2f0-47ad-96d5-d003a76eabd1|Low|Observability|AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active' (read more)|Documentation
| +|CloudWatch VPC Changes Alarm Missing
9d0d4512-1959-43a2-a17f-72360ff06d1b|Low|Observability|Ensure a log metric filter and alarm exist for VPC changes (read more)|Documentation
| +|CloudWatch AWS Config Configuration Changes Alarm Missing
5b8d7527-de8e-4114-b9dd-9d988f1f418f|Low|Observability|Ensure a log metric filter and alarm exist for AWS Config configuration changes (read more)|Documentation
| +|EKS cluster logging is not enabled
37304d3f-f852-40b8-ae3f-725e87a7cedf|Low|Observability|Amazon EKS control plane logging is not enabled (read more)|Documentation
| +|API Gateway Stage Without API Gateway UsagePlan Associated
c999cf62-0920-40f8-8dda-0caccd66ed7e|Low|Resource Management|API Gateway Stage should have API Gateway UsagePlan defined and associated. (read more)|Documentation
| +|Security Group Not Used
4849211b-ac39-479e-ae78-5694d506cb24|Info|Access Control|Security group must be used or not declared (read more)|Documentation
| +|EC2 Not EBS Optimized
60224630-175a-472a-9e23-133827040766|Info|Best Practices|It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance (read more)|Documentation
| +|Security Group Rule Without Description
68eb4bf3-f9bf-463d-b5cf-e029bb446d2e|Info|Best Practices|It's considered a best practice for all rules in AWS Security Group to have a description (read more)|Documentation
| +|Resource Not Using Tags
e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10|Info|Best Practices|AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' (read more)|Documentation
| +|DynamoDB Table Point In Time Recovery Disabled
741f1291-47ac-4a85-a07b-3d32a9d6bd3e|Info|Best Practices|It's considered a best practice to have point in time recovery enabled for DynamoDB Table (read more)|Documentation
| +|Security Group Rule Without Description
cb3f5ed6-0d18-40de-a93d-b3538db31e8c|Info|Best Practices|It's considered a best practice for AWS Security Group to have a description (read more)|Documentation
| +|EC2 Instance Monitoring Disabled
23b70e32-032e-4fa6-ba5c-82f56b9980e6|Info|Observability|EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods (read more)|Documentation
| +|RDS Without Logging
8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56|Info|Observability|RDS does not have any kind of logger (read more)|Documentation
| +|Neptune Logging Is Disabled
45cff7b6-3b80-40c1-ba7b-2cf480678bb8|Info|Observability|Neptune logging should be enabled (read more)|Documentation
| ### SHARED (V2/V3) Bellow are listed queries related with Terraform SHARED (V2/V3): @@ -451,11 +451,11 @@ Bellow are listed queries related with Terraform SHARED (V2/V3): | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision.|Documentation
| -|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description.|Documentation
| -|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description.|Documentation
| -|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern.|Documentation
| -|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type.|Documentation
| +|Generic Git Module Without Revision
3a81fc06-566f-492a-91dd-7448e409e2cd|Info|Best Practices|All generic git repositories should reference a revision. (read more)|Documentation
| +|Output Without Description
59312e8a-a64e-41e7-a252-618533dd1ea8|Info|Best Practices|All outputs should contain a valid description. (read more)|Documentation
| +|Variable Without Description
2a153952-2544-4687-bcc9-cc8fea814a9b|Info|Best Practices|All variables should contain a valid description. (read more)|Documentation
| +|Name Is Not Snake Case
1e434b25-8763-4b00-a5ca-ca03b7abbb66|Info|Best Practices|All names should follow snake case pattern. (read more)|Documentation
| +|Variable Without Type
fc5109bf-01fd-49fb-8bde-4492b543c34a|Info|Best Practices|All variables should contain a valid type. (read more)|Documentation
| ### GCP_BOM Bellow are listed queries related with Terraform GCP_BOM: @@ -464,12 +464,12 @@ Bellow are listed queries related with Terraform GCP_BOM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.|Documentation
| -|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.|Documentation
| -|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.|Documentation
| -|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.|Documentation
| -|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.|Documentation
| -|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.|Documentation
| +|BOM - GCP PD
dd7d70aa-a6ec-460d-b5d2-38b40253b16f|Trace|Bill Of Materials|A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine. (read more)|Documentation
| +|BOM - GCP SB
2f06d22c-56bd-4f73-8a51-db001fcf2150|Trace|Bill Of Materials|A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket. (read more)|Documentation
| +|BOM - GCP FI
c9d81239-c818-4869-9917-1570c62b81fd|Trace|Bill Of Materials|A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime. (read more)|Documentation
| +|BOM - GCP Dataflow
895ed0d9-6fec-4567-8614-d7a74b599a53|Trace|Bill Of Materials|A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective. (read more)|Documentation
| +|BOM - GCP PST
4b82202a-b18e-4891-a1eb-a0989850bbb3|Trace|Bill Of Materials|A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages. (read more)|Documentation
| +|BOM - GCP Redis
bc75ce52-a60a-4660-b533-bce837a5019b|Trace|Bill Of Materials|A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments. (read more)|Documentation
| ### GITHUB Bellow are listed queries related with Terraform GITHUB: @@ -478,8 +478,8 @@ Bellow are listed queries related with Terraform GITHUB: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks|Documentation
| -|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')|Documentation
| +|Github Organization Webhook With SSL Disabled
ce7c874e-1b88-450b-a5e4-cb76ada3c8a9|Medium|Encryption|Check if insecure SSL is being used in the GitHub organization webhooks (read more)|Documentation
| +|GitHub Repository Set To Public
15d8a7fd-465a-4d15-a868-add86552f17b|Medium|Insecure Configurations|Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private') (read more)|Documentation
| ### AWS_BOM Bellow are listed queries related with Terraform AWS_BOM: @@ -488,17 +488,17 @@ Bellow are listed queries related with Terraform AWS_BOM: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.|Documentation
| -|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.|Documentation
| -|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.|Documentation
| -|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.|Documentation
| -|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).|Documentation
| -|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.|Documentation
| -|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time|Documentation
| -|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.|Documentation
| -|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.|Documentation
| -|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.|Documentation
| -|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.|Documentation
| +|BOM - AWS EFS
f53f16d6-46a9-4277-9fbe-617b1e24cdca|Trace|Bill Of Materials|A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning. (read more)|Documentation
| +|BOM - AWS MQ
fcb1b388-f558-4b7f-9b6e-f4e98abb7380|Trace|Bill Of Materials|A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS. (read more)|Documentation
| +|BOM - AWS SNS
eccc4d59-74b9-4974-86f1-74386e0c7f33|Trace|Bill Of Materials|A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. (read more)|Documentation
| +|BOM - AWS SQS
baecd2da-492a-4d59-b9dc-29540a1398e0|Trace|Bill Of Materials|A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. (read more)|Documentation
| +|BOM - AWS EBS
86571149-eef3-4280-a645-01e60df854b0|Trace|Bill Of Materials|A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2). (read more)|Documentation
| +|BOM - AWS Elasticache
54229498-850b-4f78-b3a7-218d24ef2c37|Trace|Bill Of Materials|A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. (read more)|Documentation
| +|BOM - AWS Kinesis
0e59d33e-bba2-4037-8f88-9765647ca7ad|Trace|Bill Of Materials|A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time (read more)|Documentation
| +|BOM - AWS S3 Buckets
2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045|Trace|Bill Of Materials|A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. (read more)|Documentation
| +|BOM - AWS DynamoDB
23edf35f-7c22-4ff9-87e6-0ca74261cfbf|Trace|Bill Of Materials|A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. (read more)|Documentation
| +|BOM - AWS RDS
12933609-c5bf-44b4-9a41-a6467c3b685b|Trace|Bill Of Materials|A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud. (read more)|Documentation
| +|BOM - AWS MSK
051f2063-2517-4295-ad8e-ba88c1bf5cfc|Trace|Bill Of Materials|A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data. (read more)|Documentation
| ### ALICLOUD Bellow are listed queries related with Terraform ALICLOUD: @@ -507,62 +507,62 @@ Bellow are listed queries related with Terraform ALICLOUD: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.|Documentation
| -|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles|Documentation
| -|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.|Documentation
| -|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled|Documentation
| -|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.|Documentation
| -|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users|Documentation
| -|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.|Documentation
| -|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS |Documentation
| -|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances|Documentation
| -|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted|Documentation
| -|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set|Documentation
| -|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.|Documentation
| -|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list|Documentation
| -|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running.|Documentation
| -|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0'|Documentation
| -|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled|Documentation
| -|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access|Documentation
| -|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances|Documentation
| -|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol|Documentation
| -|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public|Documentation
| -|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP|Documentation
| -|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS|Documentation
| -|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible|Documentation
| -|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true'|Documentation
| -|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above|Documentation
| -|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts|Documentation
| -|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users|Documentation
| -|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true|Documentation
| -|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group|Documentation
| -|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled|Documentation
| -|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body|Documentation
| -|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled|Documentation
| -|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol|Documentation
| -|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key|Documentation
| -|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned|Documentation
| -|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies|Documentation
| -|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects.|Documentation
| -|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180|Documentation
| -|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events|Documentation
| -|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.|Documentation
| -|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled|Documentation
| -|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions|Documentation
| -|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true|Documentation
| -|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year|Documentation
| -|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol|Documentation
| -|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91|Documentation
| -|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true|Documentation
| -|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less|Documentation
| -|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true|Documentation
| -|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled|Documentation
| -|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true|Documentation
| -|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log|Documentation
| -|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances|Documentation
| -|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances|Documentation
| +|OSS Bucket Allows All Actions From All Principals
ec62a32c-a297-41ca-a850-cab40b42094a|High|Access Control|OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals. (read more)|Documentation
| +|Ram Policy Admin Access Not Attached to Users Groups Roles
e8e62026-da63-4904-b402-65adfe3ca975|High|Access Control|Ram policies with admin access should not be associated to users, groups or roles (read more)|Documentation
| +|OSS Bucket Allows Delete Action From All Principals
8c0695d8-2378-4cd6-8243-7fd5894fa574|High|Access Control|OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals. (read more)|Documentation
| +|OSS Bucket Public Access Enabled
62232513-b16f-4010-83d7-51d0e1d45426|High|Access Control|OSS Bucket should have public access disabled (read more)|Documentation
| +|OSS Bucket Allows Put Action From All Principals
fe286195-e75c-4359-bd58-00847c4f855a|High|Access Control|OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals. (read more)|Documentation
| +|RAM Security Preference Not Enforce MFA Login
dcda2d32-e482-43ee-a926-75eaabeaa4e0|High|Access Control|RAM Security preferences should enforce MFA login for RAM users (read more)|Documentation
| +|OSS Bucket Allows List Action From All Principals
88541597-6f88-42c8-bac6-7e0b855e8ff6|High|Access Control|OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals. (read more)|Documentation
| +|NAS File System Without KMS
5f670f9d-b1b4-4c90-8618-2288f1ab9676|High|Encryption|NAS File System should have encryption provided by user KMS (read more)|Documentation
| +|RDS Instance TDE Status Disabled
44d434ca-a9bf-4203-8828-4c81a8d5a598|High|Encryption|tde_status parameter should be Enabled for supported RDS instances (read more)|Documentation
| +|NAS File System Not Encrypted
67bfdff1-31ce-4525-b564-e94368735360|High|Encryption|NAS File System must be encrypted (read more)|Documentation
| +|Ecs Data Disk Kms Key Id Undefined
f262118c-1ac6-4bb3-8495-cc48f1775b85|High|Encryption|Ecs Data Disk Kms Key Id should be set (read more)|Documentation
| +|Launch Template Is Not Encrypted
1455cb21-1d48-46d6-8ae3-cef911b71fd5|High|Encryption|ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true. (read more)|Documentation
| +|RDS DB Instance Publicly Accessible
1b4565c0-4877-49ac-ab03-adebbccd42ae|High|Insecure Configurations|'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list (read more)|Documentation
| +|OSS Bucket Has Static Website
2b13c6ff-b87a-484d-86fd-21ef6e97d426|High|Insecure Configurations|Checks if any static websties are hosted on buckets. Be aware of any website you are running. (read more)|Documentation
| +|DB Instance Publicly Accessible
faaefc15-51a5-419e-bb5e-51a4b5ab3485|High|Insecure Configurations|The field 'address' should not be set to '0.0.0.0/0' (read more)|Documentation
| +|OSS Buckets Secure Transport Disabled
c01d10de-c468-4790-b3a0-fc887a56f289|High|Networking and Firewall|OSS Buckets should have secure transport enabled (read more)|Documentation
| +|OSS Bucket Ip Restriction Disabled
6107c530-7178-464a-88bc-df9cdd364ac8|High|Networking and Firewall|OSS Bucket should have ip restricted access (read more)|Documentation
| +|RDS Instance SSL Action Disabled
7a1ee8a9-71be-4b11-bb70-efb62d16863b|High|Networking and Firewall|ssl_action parameter should be set to Open for RDS instances (read more)|Documentation
| +|Public Security Group Rule Sensitive Port
2ae9d554-23fb-4065-bfd1-fe43d5f7c419|High|Networking and Firewall|A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol (read more)|Documentation
| +|Public Security Group Rule All Ports or Protocols
60587dbd-6b67-432e-90f7-a8cf1892d968|High|Networking and Firewall|Alicloud Security Group Rule should not allow all ports or all protocols to the public (read more)|Documentation
| +|ALB Listening on HTTP
ee3b1557-9fb5-4685-a95d-93f1edf2a0d7|High|Networking and Firewall|Application Load Balancer (alb) Listener should not listen on HTTP (read more)|Documentation
| +|API Gateway API Protocol Not HTTPS
1bcdf9f0-b1aa-40a4-b8c6-cd7785836843|High|Networking and Firewall|API Gateway API protocol should be set to HTTPS (read more)|Documentation
| +|ActionTrail Trail OSS Bucket is Publicly Accessible
69b5d7da-a5db-4db9-a42e-90b65d0efb0b|High|Observability|ActionTrail Trail OSS Bucket should not be publicly accessible (read more)|Documentation
| +|RDS Instance Events Not Logged
b9c524a4-fe76-4021-a6a2-cb978fb4fde1|High|Observability|All RDS Instance events trackers should be 'true' (read more)|Documentation
| +|Ram Account Password Policy Not Required Minimum Length
a9dfec39-a740-4105-bbd6-721ba163c053|High|Secret Management|Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above (read more)|Documentation
| +|Ram Account Password Policy Max Login Attempts Unrecommended
e76fd7ab-7333-40c6-a2d8-ea28af4a319e|High|Secret Management|Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts (read more)|Documentation
| +|Ram Policy Attached to User
66505003-7aba-45a1-8d83-5162d5706ef5|Medium|Access Control|Ram policies should not be attached to users (read more)|Documentation
| +|CMK Is Unusable
ed6e3ba0-278f-47b6-a1f5-173576b40b7e|Medium|Availability|Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true (read more)|Documentation
| +|ROS Stack Retention Disabled
4bb06fa1-2114-4a00-b7b5-6aeab8b896f0|Medium|Backup|The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group (read more)|Documentation
| +|OSS Bucket Versioning Disabled
70919c0b-2548-4e6b-8d7a-3d84ab6dabba|Medium|Backup|OSS Bucket should have versioning enabled (read more)|Documentation
| +|ROS Stack Without Template
92d65c51-5d82-4507-a2a1-d252e9706855|Medium|Build Process|Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body (read more)|Documentation
| +|Disk Encryption Disabled
39750e32-3fe9-453b-8c33-dd277acdb2cc|Medium|Encryption|Disks should have encryption enabled (read more)|Documentation
| +|SLB Policy With Insecure TLS Version In Use
dbfc834a-56e5-4750-b5da-73fda8e73f70|Medium|Encryption|SLB Policy should not support insecure versions of TLS protocol (read more)|Documentation
| +|OSS Bucket Encryption Using CMK Disabled
f20e97f9-4919-43f1-9be9-f203cd339cdd|Medium|Encryption|OSS Bucket should have encryption enabled using Customer Master Key (read more)|Documentation
| +|CS Kubernetes Node Pool Auto Repair Disabled
81ce9394-013d-4731-8fcc-9d229b474073|Medium|Insecure Configurations|Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|Public Security Group Rule Unknown Port
dd706080-b7a8-47dc-81fb-3e8184430ec0|Medium|Networking and Firewall|A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned (read more)|Documentation
| +|Kubernetes Cluster Without Terway as CNI Network Plugin
b9b7ada8-3868-4a35-854e-6100a2bb863d|Medium|Networking and Firewall|Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies (read more)|Documentation
| +|OSS Bucket Logging Disabled
05db341e-de7d-4972-a106-3e2bd5ee53e1|Medium|Observability|OSS Bucket should have logging enabled, for better visibility of resources and objects. (read more)|Documentation
| +|RDS Instance Retention Period Not Recommended
dc158941-28ce-481d-a7fa-dc80761edf46|Medium|Observability|RDS Instance SQL Retention Period should be greater than 180 (read more)|Documentation
| +|ROS Stack Notifications Disabled
9ef08939-ea40-489c-8851-667870b2ef50|Medium|Observability|The ROS Stack Notifications should be defined and populated to receive stack related events (read more)|Documentation
| +|Log Retention Is Not Greater Than 90 Days
ed6cf6ff-9a1f-491c-9f88-e03c0807f390|Medium|Observability|OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects. (read more)|Documentation
| +|Action Trail Logging For All Regions Disabled
c065b98e-1515-4991-9dca-b602bd6a2fbb|Medium|Observability|Action Trail Logging for all regions should be enabled (read more)|Documentation
| +|No ROS Stack Policy
72ceb736-0aee-43ea-a191-3a69ab135681|Medium|Resource Management|ROS Stack should have a stack policy in order to protect stack resources from and during update actions (read more)|Documentation
| +|Ram Account Password Policy Not Require At Least one Lowercase Character
89143358-cec6-49f5-9392-920c591c669c|Medium|Secret Management|Ram Account Password Policy should have 'require_lowercase_characters' set to true (read more)|Documentation
| +|High KMS Key Rotation Period
cb319d87-b90f-485e-a7e7-f2408380f309|Medium|Secret Management|KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year (read more)|Documentation
| +|RAM Account Password Policy Not Required Symbols
41a38329-d81b-4be4-aef4-55b2615d3282|Medium|Secret Management|RAM account password security should require at least one symbol (read more)|Documentation
| +|Ram Account Password Policy Max Password Age Unrecommended
2bb13841-7575-439e-8e0a-cccd9ede2fa8|Medium|Secret Management|Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91 (read more)|Documentation
| +|RAM Account Password Policy Not Require at Least one Uppercase Character
5e0fb613-ba9b-44c3-88f0-b44188466bfd|Medium|Secret Management|Ram Account Password Policy should have 'require_uppercase_characters' set to true (read more)|Documentation
| +|RAM Account Password Policy without Reuse Prevention
a8128dd2-89b0-464b-98e9-5d629041dfe0|Medium|Secret Management|RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less (read more)|Documentation
| +|Ram Account Password Policy Not Required Numbers
063234c0-91c0-4ab5-bbd0-47ddb5f23786|Medium|Secret Management|Ram Account Password Policy should have 'require_numbers' set to true (read more)|Documentation
| +|OSS Bucket Transfer Acceleration Disabled
8f98334a-99aa-4d85-b72a-1399ca010413|Low|Availability|OSS Bucket should have transfer acceleration enabled (read more)|Documentation
| +|OSS Bucket Lifecycle Rule Disabled
7db8bd7e-9772-478c-9ec5-4bc202c5686f|Low|Backup|OSS Bucket should have lifecycle rule enabled and set to true (read more)|Documentation
| +|VPC Flow Logs Disabled
d2731f3d-a992-44ed-812e-f4f1c2747d71|Low|Observability|Every VPC resource should have an associated Flow Log (read more)|Documentation
| +|RDS Instance Log Duration Disabled
a597e05a-c065-44e7-9cc8-742f572a504a|Low|Observability|log_duration parameter should be set to ON for RDS instances (read more)|Documentation
| +|RDS Instance Log Connections Disabled
140869ea-25f2-40d4-a595-0c0da135114e|Low|Observability|'log_connections' parameter should be set to ON for RDS instances (read more)|Documentation
| +|RDS Instance Log Disconnections Disabled
d53f4123-f8d8-4224-8cb3-f920b151cc98|Low|Observability|log_disconnections parameter should be set to ON for RDS instances (read more)|Documentation
| ### GCP Bellow are listed queries related with Terraform GCP: @@ -571,59 +571,59 @@ Bellow are listed queries related with Terraform GCP: | Query |Severity|Category|Description|Help| |------------------------------|--------|--------|-----------|----| -|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs|Documentation
| -|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled|Documentation
| -|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible|Documentation
| -|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible|Documentation
| -|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'|Documentation
| -|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances|Documentation
| -|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled|Documentation
| -|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'|Documentation
| -|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.|Documentation
| -|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true|Documentation
| -|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined|Documentation
| -|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true|Documentation
| -|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false|Documentation
| -|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials|Documentation
| -|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false |Documentation
| -|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible.|Documentation
| -|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true|Documentation
| -|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE |Documentation
| -|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled|Documentation
| -|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes'|Documentation
| -|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled|Documentation
| -|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective|Documentation
| -|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes'|Documentation
| -|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters|Documentation
| -|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member|Documentation
| -|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated|Documentation
| -|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated|Documentation
| -|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated|Documentation
| -|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined|Documentation
| -|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers|Documentation
| -|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS)|Documentation
| -|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true|Documentation
| -|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled|Documentation
| -|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS|Documentation
| -|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled|Documentation
| -|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin|Documentation
| -|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.|Documentation
| -|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account|Documentation
| -|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.|Documentation
| -|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports|Documentation
| -|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389|Documentation
| -|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone|Documentation
| -|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges|Documentation
| -|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule|Documentation
| -|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true|Documentation
| -|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource.|Documentation
| -|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles|Documentation
| -|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.|Documentation
| -|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys|Documentation
| -|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.|Documentation
| -|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user|Documentation
| -|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range|Documentation
| -|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true|Documentation
| +|VM With Full Cloud Access
bc280331-27b9-4acb-a010-018e8098aa5d|High|Access Control|A VM instance is configured to use the default service account with full access to all Cloud APIs (read more)|Documentation
| +|OSLogin Disabled
32ecd6eb-0711-421f-9627-1a28d9eff217|High|Access Control|Verifies that the OSLogin is enabled (read more)|Documentation
| +|BigQuery Dataset Is Public
e576ce44-dd03-4022-a8c0-3906acca2ab4|High|Access Control|BigQuery dataset is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Bucket Is Publicly Accessible
c010082c-76e0-4b91-91d9-6e8439e455dd|High|Access Control|Cloud Storage Bucket is anonymously or publicly accessible (read more)|Documentation
| +|Cloud Storage Anonymous or Publicly Accessible
a6cd52a1-3056-4910-96a5-894de9f3f3b3|High|Access Control|Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers' (read more)|Documentation
| +|SQL DB Instance Backup Disabled
cf3c7631-cd1e-42f3-8801-a561214a6e79|High|Backup|Checks if backup configuration is enabled for all Cloud SQL Database instances (read more)|Documentation
| +|SQL DB Instance With SSL Disabled
02474449-71aa-40a1-87ae-e14497747b00|High|Encryption|Cloud SQL Database Instance should have SLL enabled (read more)|Documentation
| +|KMS Crypto Key is Publicly Accessible
16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5|High|Encryption|KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members' (read more)|Documentation
| +|DNSSEC Using RSASHA1
ccc3100c-0fdd-4a5e-9908-c10107291860|High|Encryption|DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad. (read more)|Documentation
| +|Pod Security Policy Disabled
9192e0f9-eca5-4056-9282-ae2a736a4088|High|Insecure Configurations|Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true (read more)|Documentation
| +|Cluster Labels Disabled
65c1bc7a-4835-4ac4-a2b6-13d310b0648d|High|Insecure Configurations|Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined (read more)|Documentation
| +|GKE Legacy Authorization Enabled
5baa92d2-d8ee-4c75-88a4-52d9d8bb8067|High|Insecure Configurations|Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true (read more)|Documentation
| +|Legacy Client Certificate Auth Enabled
73fb21a1-b19a-45b1-b648-b47b1678681e|High|Insecure Configurations|Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false (read more)|Documentation
| +|Not Proper Email Account In Use
9356962e-4a4f-4d06-ac59-dc8008775eaa|High|Insecure Configurations|Gmail accounts are being used instead of corporate credentials (read more)|Documentation
| +|Network Policy Disabled
11e7550e-c4b6-472e-adff-c698f157cdd7|High|Insecure Configurations|Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false (read more)|Documentation
| +|SQL DB Instance Publicly Accessible
b187edca-b81e-4fdc-aff4-aab57db45edb|High|Insecure Configurations|Cloud SQL instances should not be publicly accessible. (read more)|Documentation
| +|Private Cluster Disabled
6ccb85d7-0420-4907-9380-50313f80946b|High|Insecure Configurations|Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true (read more)|Documentation
| +|IP Aliasing Disabled
c606ba1d-d736-43eb-ac24-e16108f3a9e0|High|Insecure Configurations|Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE (read more)|Documentation
| +|Cloud Storage Bucket Versioning Disabled
e7e961ac-d17e-4413-84bc-8a1fbe242944|High|Observability|Cloud Storage Bucket should have versioning enabled (read more)|Documentation
| +|Stackdriver Monitoring Disabled
30e8dfd2-3591-4d19-8d11-79e93106c93d|High|Observability|Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes' (read more)|Documentation
| +|Cloud Storage Bucket Logging Not Enabled
d6cabc3a-d57e-48c2-b341-bf3dd4f4a120|High|Observability|Cloud storage bucket should have logging enabled (read more)|Documentation
| +|IAM Audit Not Properly Configured
89fe890f-b480-460c-8b6b-7d8b1468adb4|High|Observability|Audit Logging Configuration is defective (read more)|Documentation
| +|Stackdriver Logging Disabled
4c7ebcb2-eae2-461e-bc83-456ee2d4f694|High|Observability|Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes' (read more)|Documentation
| +|Node Auto Upgrade Disabled
b139213e-7d24-49c2-8025-c18faa21ecaa|High|Resource Management|Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters (read more)|Documentation
| +|KMS Admin and CryptoKey Roles In Use
92e4464a-4139-4d57-8742-b5acc0347680|Medium|Access Control|Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member (read more)|Documentation
| +|Google Project IAM Member Service Account Has Admin Role
84d36481-fd63-48cb-838e-635c44806ec2|Medium|Access Control|Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated (read more)|Documentation
| +|Google Project IAM Binding Service Account has Token Creator or Account User Role
617ef6ff-711e-4bd7-94ae-e965911b1b40|Medium|Access Control|Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated (read more)|Documentation
| +|Google Project IAM Member Service Account has Token Creator or Account User Role
c68b4e6d-4e01-4ca1-b256-1e18e875785c|Medium|Access Control|Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated (read more)|Documentation
| +|Disk Encryption Disabled
b1d51728-7270-4991-ac2f-fc26e2695b38|Medium|Encryption|VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined (read more)|Documentation
| +|Google Compute SSL Policy Weak Cipher In Use
14a457f0-473d-4d1d-9e37-6d99b355b336|Medium|Encryption|This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers (read more)|Documentation
| +|COS Node Image Not Used
8a893e46-e267-485a-8690-51f39951de58|Medium|Insecure Configurations|The node image should be Container-Optimized OS(COS) (read more)|Documentation
| +|Shielded VM Disabled
1b44e234-3d73-41a8-9954-0b154135280e|Medium|Insecure Configurations|Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true (read more)|Documentation
| +|Google Project Auto Create Network Disabled
59571246-3f62-4965-a96f-c7d97e269351|Medium|Insecure Configurations|Verifies if the Google Project Auto Create Network is Disabled (read more)|Documentation
| +|Cloud DNS Without DNSSEC
5ef61c88-bbb4-4725-b1df-55d23c9676bb|Medium|Insecure Configurations|DNSSEC must be enabled for Cloud DNS (read more)|Documentation
| +|Google Storage Bucket Level Access Disabled
bb0db090-5509-4853-a827-75ced0b3caa0|Medium|Insecure Configurations|Google Storage Bucket Level Access should be enabled (read more)|Documentation
| +|OSLogin Is Disabled For VM Instance
d0b4d550-c001-46c3-bbdb-d5d75d33f05f|Medium|Insecure Configurations|Check if any VM instance disables OSLogin (read more)|Documentation
| +|Google Container Node Pool Auto Repair Disabled
acfdbec6-4a17-471f-b412-169d77553332|Medium|Insecure Configurations|Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state. (read more)|Documentation
| +|GKE Using Default Service Account
1c8eef02-17b1-4a3e-b01d-dcc3292d2c38|Medium|Insecure Defaults|Kubernetes Engine Clusters should not be configured to use the default service account (read more)|Documentation
| +|Using Default Service Account
3cb4af0b-056d-4fb1-8b95-fdc4593625ff|Medium|Insecure Defaults|Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account. (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows All Ports
22ef1d26-80f8-4a6c-8c15-f35aab3cac78|Medium|Networking and Firewall|Google Compute Network should not use a firewall rule that allows all ports (read more)|Documentation
| +|RDP Access Is Not Restricted
678fd659-96f2-454a-a2a0-c2571f83a4a3|Medium|Networking and Firewall|Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389 (read more)|Documentation
| +|Serial Ports Are Enabled For VM Instances
97fa667a-d05b-4f16-9071-58b939f34751|Medium|Networking and Firewall|Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone (read more)|Documentation
| +|SSH Access Is Not Restricted
c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0|Medium|Networking and Firewall|Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges (read more)|Documentation
| +|Google Compute Network Using Default Firewall Rule
40abce54-95b1-478c-8e5f-ea0bf0bb0e33|Medium|Networking and Firewall|Google Compute Network should not use default firewall rule (read more)|Documentation
| +|IP Forwarding Enabled
f34c0c25-47b4-41eb-9c79-249b4dd47b89|Medium|Networking and Firewall|Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true (read more)|Documentation
| +|Google Compute Subnetwork Logging Disabled
40430747-442d-450a-a34f-dc57149f4609|Medium|Observability|This query checks if logs are enabled for a Google Compute Subnetwork resource. (read more)|Documentation
| +|Service Account with Improper Privileges
cefdad16-0dd5-4ac5-8ed2-a37502c78672|Medium|Resource Management|Service account should not have improper privileges like admin, editor, owner, or write roles (read more)|Documentation
| +|High Google KMS Crypto Key Rotation Period
d8c57c4e-bf6f-4e32-a2bf-8643532de77b|Medium|Secret Management|KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise. (read more)|Documentation
| +|Project-wide SSH Keys Are Enabled In VM Instances
3e4d5ce6-3280-4027-8010-c26eeea1ec01|Medium|Secret Management|VM Instance should block project-wide SSH keys (read more)|Documentation
| +|Outdated GKE Version
128df7ec-f185-48bc-8913-ce756a3ccb85|Low|Best Practices|Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version. (read more)|Documentation
| +|User with IAM Role
704fcc44-a58f-4af5-82e2-93f2a58ef918|Low|Best Practices|As a best practice, it is better to assign an IAM Role to a group than to a user (read more)|Documentation
| +|Google Compute Network Using Firewall Rule that Allows Port Range
e6f61c37-106b-449f-a5bb-81bfcaceb8b4|Low|Networking and Firewall|Google Compute Network should not use a firewall rule that allows port range (read more)|Documentation
| +|Google Compute Subnetwork with Private Google Access Disabled
ee7b93c1-b3f8-4a3b-9588-146d481814f5|Low|Networking and Firewall|Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true (read more)|Documentation
| ### KUBERNETES
 Bellow are listed queries related with Terraform KUBERNETES:
@@ -632,66 +632,66 @@ Bellow are listed queries related with Terraform KUBERNETES:
 | Query |Severity|Category|Description|Help|
 |------------------------------|--------|--------|-----------|----|
-|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed.|Documentation
| -|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy|Documentation
| -|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.|Documentation
| -|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false|Documentation
| -|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace.|Documentation
| -|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process|Documentation
| -|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account|Documentation
| -|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted|Documentation
| -|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation.|Documentation
| -|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys|Documentation
| -|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured.|Documentation
| -|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden|Documentation
| -|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'|Documentation
| -|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace|Documentation
| -|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls|Documentation
| -|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged.|Documentation
| -|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability|Documentation
| -|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used|Documentation
| -|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities|Documentation
| -|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities|Documentation
| -|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks|Documentation
| -|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation|Documentation
| -|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities|Documentation
| -|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed|Documentation
| -|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace|Documentation
| -|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory|Documentation
| -|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.|Documentation
| -|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory|Documentation
| -|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used|Documentation
| -|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.|Documentation
| -|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary|Documentation
| -|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet|Documentation
| -|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod.|Documentation
| -|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes|Documentation
| -|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests|Documentation
| -|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.|Documentation
| -|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node|Documentation
| -|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace|Documentation
| -|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace|Documentation
| -|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory|Documentation
| -|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads|Documentation
| -|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs|Documentation
| -|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC)|Documentation
| -|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack|Documentation
| -|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers|Documentation
| -|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.|Documentation
| -|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it|Documentation
| -|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object|Documentation
| -|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability|Documentation
| -|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context|Documentation
| -|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid.|Documentation
| -|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only.|Documentation
| -|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage.|Documentation
| -|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always|Documentation
| -|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container|Documentation
| -|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity|Documentation
| -|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort|Documentation
| -|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified|Documentation
| -|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined|Documentation
| -|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.|Documentation
| -|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables|Documentation
| -|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest.|Documentation
| +|Tiller (Helm v2) Is Deployed
ca2fba76-c1a7-4afd-be67-5249f861cb0e|High|Insecure Configurations|Check if Tiller is deployed. (read more)|Documentation
| +|Not Limited Capabilities For Pod Security Policy
2acb555f-f4ad-4b1b-b984-84e6588f4b05|High|Insecure Configurations|Limit capabilities for a Pod Security Policy (read more)|Documentation
| +|Cluster Allows Unsafe Sysctls
a9174d31-d526-4ad9-ace4-ce7ddbf52e03|High|Insecure Configurations|A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined. (read more)|Documentation
| +|Container Is Privileged
87065ef8-de9b-40d8-9753-f4a4303e27a4|High|Insecure Configurations|Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false (read more)|Documentation
| +|PSP Allows Containers To Share The Host Network Namespace
4950837c-0ce5-4e42-9bee-a25eae73740b|High|Insecure Configurations|Check if Pod Security Policies allow containers to share the host network namespace. (read more)|Documentation
| +|Privilege Escalation Allowed
c878abb4-cca5-4724-92b9-289be68bd47c|High|Insecure Configurations|Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process (read more)|Documentation
| +|Role Binding To Default Service Account
3360c01e-c8c0-4812-96a2-a6329b9b7f9f|High|Insecure Defaults|No role nor cluster role should bind to a default service account (read more)|Documentation
| +|Non Kube System Pod With Host Mount
86a947ea-f577-4efb-a8b0-5fc00257d521|Medium|Access Control|A non kube-system workload should not have hostPath mounted (read more)|Documentation
| +|Permissive Access to Create Pods
522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba|Medium|Access Control|The permission to create pods in a cluster should be restricted because it allows privilege escalation. (read more)|Documentation
| +|RBAC Roles with Read Secrets Permissions
826abb30-3cd5-4e0b-a93b-67729b4f7e63|Medium|Access Control|Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys (read more)|Documentation
| +|Readiness Probe Is Not Configured
8657197e-3f87-4694-892b-8144701d83c1|Medium|Availability|Check if Readiness Probe is not configured. (read more)|Documentation
| +|Root Containers Admitted
4c415497-7410-4559-90e8-f2c8ac64ee38|Medium|Best Practices|Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden (read more)|Documentation
| +|Incorrect Volume Claim Access Mode ReadWriteOnce
26b047a9-0329-48fd-8fb7-05bbe5ba80ee|Medium|Build Process|Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce' (read more)|Documentation
| +|Container Host Pid Is True
587d5d82-70cf-449b-9817-f60f9bccb88c|Medium|Insecure Configurations|Minimize the admission of containers wishing to share the host process ID namespace (read more)|Documentation
| +|Seccomp Profile Is Not Configured
455f2e0c-686d-4fcb-8b5f-3f953f12c43c|Medium|Insecure Configurations|Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls (read more)|Documentation
| +|PSP Set To Privileged
a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9|Medium|Insecure Configurations|Do not allow pod to request execution as privileged. (read more)|Documentation
| +|Containers With Sys Admin Capabilities
3f55386d-75cd-4e9a-ac47-167b26c04724|Medium|Insecure Configurations|Containers should not have CAP_SYS_ADMIN Linux capability (read more)|Documentation
| +|Default Service Account In Use
737a0dd9-0aaa-4145-8118-f01778262b8a|Medium|Insecure Configurations|Default service accounts should not be actively used (read more)|Documentation
| +|PSP With Added Capabilities
48388bd2-7201-4dcc-b56d-e8a9efa58fad|Medium|Insecure Configurations|PodSecurityPolicy should not have added capabilities (read more)|Documentation
| +|NET_RAW Capabilities Not Being Dropped
e5587d53-a673-4a6b-b3f2-ba07ec274def|Medium|Insecure Configurations|Containers should drop 'ALL' or at least 'NET_RAW' capabilities (read more)|Documentation
| +|Ingress Controller Exposes Workload
e2c83c1f-84d7-4467-966c-ed41fd015bb9|Medium|Insecure Configurations|Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks (read more)|Documentation
| +|PSP Allows Privilege Escalation
2bff9906-4e9b-4f71-9346-8ebedfdf43ef|Medium|Insecure Configurations|PodSecurityPolicy should not allow privilege escalation (read more)|Documentation
| +|NET_RAW Capabilities Disabled for PSP
9aa32890-ac1a-45ee-81ca-5164e2098556|Medium|Insecure Configurations|Containers need to have NET_RAW or All as drop capabilities (read more)|Documentation
| +|Containers With Added Capabilities
fe771ff7-ba15-4f8f-ad7a-8aa232b49a28|Medium|Insecure Configurations|Containers should not have extra capabilities allowed (read more)|Documentation
| +|PSP Allows Sharing Host IPC
51bed0ac-a8ae-407a-895e-90c6cb0610ce|Medium|Insecure Configurations|Pod Security Policy allows containers to share the host IPC namespace (read more)|Documentation
| +|Workload Mounting With Sensitive OS Directory
a737be28-37d8-4bff-aa6d-1be8aa0a0015|Medium|Insecure Configurations|Workload is mounting a volume with sensitive OS Directory (read more)|Documentation
| +|Container Runs Unmasked
0ad60203-c050-4115-83b6-b94bde92541d|Medium|Insecure Configurations|Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime. (read more)|Documentation
| +|Container Resources Limits Undefined
60af03ff-a421-45c8-b214-6741035476fa|Medium|Insecure Configurations|Kubernetes container should have resource limitations defined such as CPU and memory (read more)|Documentation
| +|Using Default Namespace
abcb818b-5af7-4d72-aba9-6dd84956b451|Medium|Insecure Configurations|The default namespace should not be used (read more)|Documentation
| +|Service Account Name Undefined Or Empty
24b132df-5cc7-4823-8029-f898e1c50b72|Medium|Insecure Defaults|A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty. (read more)|Documentation
| +|Service Account Token Automount Not Disabled
a9a13d4f-f17a-491b-b074-f54bffffcb4a|Medium|Insecure Defaults|Service Account Tokens are automatically mounted even if not necessary (read more)|Documentation
| +|Service With External Load Balancer
2a52567c-abb8-4651-a038-52fa27c77aed|Medium|Networking and Firewall|Service has an external load balancer, which may cause accessibility from other networks and the Internet (read more)|Documentation
| +|Network Policy Is Not Targeting Any Pod
b80b14c6-aaa2-4876-b651-8a48b6c32fbf|Medium|Networking and Firewall|Check if any network policy is not targeting any pod. (read more)|Documentation
| +|Memory Requests Not Defined
21719347-d02b-497d-bda4-04a03c8e5b61|Medium|Resource Management|Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes (read more)|Documentation
| +|CPU Limits Not Set
5f4735ce-b9ba-4d95-a089-a37a767b716f|Medium|Resource Management|CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests (read more)|Documentation
| +|Volume Mount With OS Directory Write Permissions
a62a99d1-8196-432f-8f80-3c100b05d62a|Medium|Resource Management|Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries. (read more)|Documentation
| +|CPU Requests Not Set
577ac19c-6a77-46d7-9f14-e049cdd15ec2|Medium|Resource Management|CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node (read more)|Documentation
| +|Shared Host IPC Namespace
e94d3121-c2d1-4e34-a295-139bfeb73ea3|Medium|Resource Management|Container should not share the host IPC namespace (read more)|Documentation
| +|Shared Host Network Namespace
ac1564a3-c324-4747-9fa1-9dfc234dace0|Medium|Resource Management|Container should not share the host network namespace (read more)|Documentation
| +|Memory Limits Not Defined
fd097ed0-7fe6-4f58-8b71-fef9f0820a21|Medium|Resource Management|Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory (read more)|Documentation
| +|Shared Service Account
f74b9c43-161a-4799-bc95-0b0ec81801b9|Medium|Secret Management|A Service Account token is shared between workloads (read more)|Documentation
| +|Service Account Allows Access Secrets
07fc3413-e572-42f7-9877-5c8fc6fccfb5|Medium|Secret Management|Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs (read more)|Documentation
| +|Cluster Admin Rolebinding With Superuser Permissions
17172bc2-56fb-4f17-916f-a014147706cd|Low|Access Control|Ensure that the cluster-admin role is only used where required (RBAC) (read more)|Documentation
| +|Missing App Armor Config
bd6bd46c-57db-4887-956d-d372f21291b6|Low|Access Control|Containers should be configured with AppArmor for any application to reduce its potential attack (read more)|Documentation
| +|Docker Daemon Socket is Exposed to Containers
4e203a65-c8d8-49a2-b749-b124d43c9dc1|Low|Access Control|Sees if Docker Daemon Socket is not exposed to Containers (read more)|Documentation
| +|StatefulSet Without Service Name
420e6360-47bb-46f6-9072-b20ed22c842d|Low|Availability|StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels. (read more)|Documentation
| +|Liveness Probe Is Not Defined
5b6d53dd-3ba3-4269-b4d7-f82e880e43c3|Low|Availability|In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it (read more)|Documentation
| +|HPA Targets Invalid Object
17e52ca3-ddd0-4610-9d56-ce107442e110|Low|Availability|The Horizontal Pod Autoscaler must target a valid object (read more)|Documentation
| +|Deployment Without PodDisruptionBudget
a05331ee-1653-45cb-91e6-13637a76e4f0|Low|Availability|Deployments should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|StatefulSet Without PodDisruptionBudget
7249e3b0-9231-4af3-bc5f-5daf4988ecbf|Low|Availability|StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability (read more)|Documentation
| +|No Drop Capabilities for Containers
21cef75f-289f-470e-8038-c7cee0664164|Low|Best Practices|Sees if Kubernetes Drop Capabilities exists to ensure containers security context (read more)|Documentation
| +|Metadata Label Is Invalid
bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e|Low|Best Practices|Check if any label in the metadata is invalid. (read more)|Documentation
| +|Root Container Not Mounted As Read-only
d532566b-8d9d-4f3b-80bd-361fe802f9c2|Low|Build Process|Check if the root container filesystem is not being mounted as read-only. (read more)|Documentation
| +|StatefulSet Requests Storage
fcc2612a-1dfe-46e4-8ce6-0320959f0040|Low|Build Process|A StatefulSet requests volume storage. (read more)|Documentation
| +|Image Pull Policy Of The Container Is Not Set To Always
aa737abf-6b1d-4aba-95aa-5c160bd7f96e|Low|Insecure Configurations|Image Pull Policy of the container must be defined and set to Always (read more)|Documentation
| +|Pod or Container Without Security Context
ad69e38a-d92e-4357-a8da-f2f29d545883|Low|Insecure Configurations|A security context defines privilege and access control settings for a Pod or Container (read more)|Documentation
| +|Image Without Digest
228c4c19-feeb-4c18-848c-800ac70fdfb7|Low|Insecure Configurations|Images should be specified together with their digests to ensure integrity (read more)|Documentation
| +|Service Type is NodePort
5c281bf8-d9bb-47f2-b909-3f6bb11874ad|Low|Networking and Firewall|Service type should not be NodePort (read more)|Documentation
| +|Workload Host Port Not Specified
4e74cf4f-ff65-4c1a-885c-67ab608206ce|Low|Networking and Firewall|Verifies if Kubernetes workload's host port is specified (read more)|Documentation
| +|CronJob Deadline Not Configured
58876b44-a690-4e9f-9214-7735fa0dd15d|Low|Resource Management|Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined (read more)|Documentation
| +|Deployment Has No PodAntiAffinity
461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3|Low|Resource Management|Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node. (read more)|Documentation
| +|Secrets As Environment Variables
6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8|Low|Secret Management|Container should not use secrets as environment variables (read more)|Documentation
| +|Invalid Image
e76cca7c-c3f9-4fc9-884c-b2831168ebd8|Low|Supply-Chain|Image must be defined and not be empty or equal to latest. (read more)|Documentation
| diff --git a/docs/queries/terraform-queries/07fc3413-e572-42f7-9877-5c8fc6fccfb5.md b/docs/queries/terraform-queries/07fc3413-e572-42f7-9877-5c8fc6fccfb5.md new file mode 100644 index 00000000000..2b99417de88 --- /dev/null +++ b/docs/queries/terraform-queries/07fc3413-e572-42f7-9877-5c8fc6fccfb5.md @@ -0,0 +1,218 @@ +--- +title: Service Account Allows Access Secrets +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 07fc3413-e572-42f7-9877-5c8fc6fccfb5 +- **Query name:** Service Account Allows Access Secrets +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/service_account_allows_access_secrets) + +### Description +Kubernetes_role and Kubernetes_cluster_role when binded, should not use get, list or watch as verbs
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="49 7" +# Cluster Role +resource "kubernetes_cluster_role" "cluster_role_name" { + metadata { + name = "terraform-example-1" + } + + rule { + api_groups = [""] + resources = ["namespaces", "pods", "secrets"] + verbs = ["get", "list", "watch"] + } +} + +resource "kubernetes_cluster_role_binding" "example" { + metadata { + name = "terraform-example-2" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = "cluster_role_name" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "ServiceAccount" + name = "default" + namespace = "kube-system" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} + +# Role +resource "kubernetes_role" "role_name" { + metadata { + name = "terraform-example" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["pods"] + resource_names = ["foo"] + verbs = ["get", "list", "watch"] + } + rule { + api_groups = ["apps"] + resources = ["deployments"] + verbs = ["get", "list"] + } + rule { + api_groups = [""] + resources = ["secrets"] + verbs = ["*"] + } +} + +resource "kubernetes_role_binding" "example" { + metadata { + name = "terraform-example" + namespace = "default" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "Role" + name = "role_name" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "ServiceAccount" + name = "default" + namespace = "kube-system" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf 
title="Negative test num. 1 - tf file" +# Cluster Role +resource "kubernetes_cluster_role" "cluster_role_name" { + metadata { + name = "terraform-example-1" + } + + rule { + api_groups = [""] + resources = ["namespaces", "pods"] + verbs = ["get", "list", "watch"] + } +} + +resource "kubernetes_cluster_role_binding" "example" { + metadata { + name = "terraform-example-2" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = "cluster_role_name" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "ServiceAccount" + name = "default" + namespace = "kube-system" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} + +# Role +resource "kubernetes_role" "role_name" { + metadata { + name = "terraform-example" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["pods"] + resource_names = ["foo"] + verbs = ["get", "list", "watch"] + } + rule { + api_groups = ["apps"] + resources = ["deployments"] + verbs = ["get", "list"] + } +} + +resource "kubernetes_role_binding" "example" { + metadata { + name = "terraform-example" + namespace = "default" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "Role" + name = "role_name" + } + subject { + kind = "User" + name = "admin" + api_group = "rbac.authorization.k8s.io" + } + subject { + kind = "ServiceAccount" + name = "default" + namespace = "kube-system" + } + subject { + kind = "Group" + name = "system:masters" + api_group = "rbac.authorization.k8s.io" + } +} + +``` diff --git a/docs/queries/terraform-queries/0ad60203-c050-4115-83b6-b94bde92541d.md b/docs/queries/terraform-queries/0ad60203-c050-4115-83b6-b94bde92541d.md new file mode 100644 index 00000000000..854672dd5f9 --- /dev/null +++ b/docs/queries/terraform-queries/0ad60203-c050-4115-83b6-b94bde92541d.md 
@@ -0,0 +1,129 @@
+---
+title: Container Runs Unmasked
+hide:
+ toc: true
+ navigation: true
+---
+
+
+- **Query id:** 0ad60203-c050-4115-83b6-b94bde92541d
+- **Query name:** Container Runs Unmasked
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/container_runs_unmasked)
+
+### Description
+Check if a container has full access (unmasked) to the host’s /proc command, which would allow to retrieve sensitive information and possibly change the kernel parameters in runtime.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_proc_mount_types)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+resource "kubernetes_pod_security_policy" "example" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ privileged = false
+ allow_privilege_escalation = false
+ allowed_proc_mount_types = ["Unmasked"]
+
+ volumes = [
+ "configMap",
+ "emptyDir",
+ "projected",
+ "secret",
+ "downwardAPI",
+ "persistentVolumeClaim",
+ ]
+
+ run_as_user {
+ rule = "MustRunAsNonRoot"
+ }
+
+ se_linux {
+ rule = "RunAsAny"
+ }
+
+ supplemental_groups {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ fs_group {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ read_only_root_filesystem = true
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_pod_security_policy" "example" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ privileged = false
+ allow_privilege_escalation = false
+ allowed_proc_mount_types = ["Default"]
+
+ volumes = [
+ "configMap",
+ "emptyDir",
+ "projected",
+ "secret",
+ "downwardAPI",
+ "persistentVolumeClaim",
+ ]
+
+ run_as_user {
+ rule = "MustRunAsNonRoot"
+ }
+
+ se_linux {
+ rule = "RunAsAny"
+ }
+
+ supplemental_groups {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ fs_group {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ read_only_root_filesystem = true
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/15d8a7fd-465a-4d15-a868-add86552f17b.md b/docs/queries/terraform-queries/15d8a7fd-465a-4d15-a868-add86552f17b.md
new file mode 100644
index 00000000000..3c8b236519b
--- /dev/null
+++ b/docs/queries/terraform-queries/15d8a7fd-465a-4d15-a868-add86552f17b.md
@@ -0,0 +1,84 @@
+---
+title: GitHub Repository Set To Public
+hide:
+ toc: true
+ navigation: true
+---
+
+
+- **Query id:** 15d8a7fd-465a-4d15-a868-add86552f17b
+- **Query name:** GitHub Repository Set To Public
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/github/github_repository_set_to_public)
+
+### Description
+Repositories must be set to private, which means the attribute 'visibility' must be set to 'private' and/or the attribute 'private' must be set to true (the attribute 'visibility' overrides 'private')
+[Documentation](https://www.terraform.io/docs/providers/github/r/repository.html)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 28 15"
+resource "github_repository" "positive1" {
+ name = "example"
+ description = "My awesome codebase"
+
+ template {
+ owner = "github"
+ repository = "terraform-module-template"
+ }
+}
+
+resource "github_repository" "positive2" {
+ name = "example"
+ description = "My awesome codebase"
+
+ private = false
+
+ template {
+ owner = "github"
+ repository = "terraform-module-template"
+ }
+}
+
+resource "github_repository" "positive3" {
+ name = "example"
+ description = "My awesome codebase"
+
+ private = true
+ visibility = "public"
+
+ template {
+ owner = "github"
+ repository = "terraform-module-template"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "github_repository" "negative1" {
+ name = "example"
+ description = "My awesome codebase"
+
+ private = true
+
+ template {
+ owner = "github"
+ repository = "terraform-module-template"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/17172bc2-56fb-4f17-916f-a014147706cd.md b/docs/queries/terraform-queries/17172bc2-56fb-4f17-916f-a014147706cd.md
new file mode 100644
index 00000000000..a5ef2cefba3
--- /dev/null
+++ b/docs/queries/terraform-queries/17172bc2-56fb-4f17-916f-a014147706cd.md
@@ -0,0 +1,89 @@
+---
+title: Cluster Admin Rolebinding With Superuser Permissions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+- **Query id:** 17172bc2-56fb-4f17-916f-a014147706cd
+- **Query name:** Cluster Admin Rolebinding With Superuser Permissions
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/cluster_admin_role_binding_with_super_user_permissions)
+
+### Description
+Ensure that the cluster-admin role is only used where required (RBAC)
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding#name)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+resource "kubernetes_cluster_role_binding" "example2" {
+ metadata {
+ name = "terraform-example2"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "cluster-admin"
+ }
+ subject {
+ kind = "User"
+ name = "admin"
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "default"
+ namespace = "kube-system"
+ }
+ subject {
+ kind = "Group"
+ name = "system:masters"
+ api_group = "rbac.authorization.k8s.io"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_cluster_role_binding" "example1" {
+ metadata {
+ name = "terraform-example1"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "cluster"
+ }
+ subject {
+ kind = "User"
+ name = "admin"
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "default"
+ namespace = "kube-system"
+ }
+ subject {
+ kind = "Group"
+ name = "system:masters"
+ api_group = "rbac.authorization.k8s.io"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/17e52ca3-ddd0-4610-9d56-ce107442e110.md b/docs/queries/terraform-queries/17e52ca3-ddd0-4610-9d56-ce107442e110.md
new file mode 100644
index 00000000000..fe79e58cd88
--- /dev/null
+++ b/docs/queries/terraform-queries/17e52ca3-ddd0-4610-9d56-ce107442e110.md
@@ -0,0 +1,131 @@
+---
+title: HPA Targets Invalid Object
+hide:
+ toc: true
+ navigation: true
+---
+
+
+- **Query id:** 17e52ca3-ddd0-4610-9d56-ce107442e110
+- **Query name:** HPA Targets Invalid Object
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/hpa_targets_invalid_object)
+
+### Description
+The Horizontal Pod Autoscaler must target a valid object
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/horizontal_pod_autoscaler#metric)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="49 15"
+resource "kubernetes_horizontal_pod_autoscaler" "example" {
+ metadata {
+ name = "test"
+ }
+
+ spec {
+ min_replicas = 50
+ max_replicas = 100
+
+ scale_target_ref {
+ kind = "Deployment"
+ name = "MyApp"
+ }
+
+ metric {
+ type = "External"
+ external {
+ metric {
+ name = "latency"
+ selector {
+ match_labels = {
+ lb_name = "test"
+ }
+ }
+ }
+ target {
+ type = "Value"
+ value = "100"
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_horizontal_pod_autoscaler" "example2" {
+ metadata {
+ name = "test"
+ }
+
+ spec {
+ min_replicas = 50
+ max_replicas = 100
+
+ scale_target_ref {
+ kind = "Deployment"
+ name = "MyApp"
+ }
+
+ metric {
+ type = "Object"
+ object {
+ target {
+ type = "Value"
+ value = "100"
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_horizontal_pod_autoscaler" "example5" {
+ metadata {
+ name = "test"
+ }
+
+ spec {
+ min_replicas = 50
+ max_replicas = 100
+
+ scale_target_ref {
+ kind = "Deployment"
+ name = "MyApp"
+ }
+
+ metric {
+ type = "Object"
+ object {
+ metric {
+ name = "latency"
+ }
+ described_object {
+ name = "main-route"
+ api_version = "networking.k8s.io/v1beta1"
+ kind = "Ingress"
+ }
+ target {
+ type = "Value"
+ value = "100"
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/21719347-d02b-497d-bda4-04a03c8e5b61.md b/docs/queries/terraform-queries/21719347-d02b-497d-bda4-04a03c8e5b61.md
new file mode 100644
index 00000000000..40315b3823d
--- /dev/null
+++ b/docs/queries/terraform-queries/21719347-d02b-497d-bda4-04a03c8e5b61.md
@@ -0,0 +1,368 @@ +--- +title: Memory Requests Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 21719347-d02b-497d-bda4-04a03c8e5b61 +- **Query name:** Memory Requests Not Defined +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/memory_requests_not_defined) + +### Description +Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 105" + +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + requests = { + cpu = "250m" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + cpu = "0.5" + memory = "512Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = 
"ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "kubernetes_pod" "negative1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + cpu = "0.5" + memory = "512Mi" + } + requests { + cpu = "250m" + memory = "50Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value 
= "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/21cef75f-289f-470e-8038-c7cee0664164.md b/docs/queries/terraform-queries/21cef75f-289f-470e-8038-c7cee0664164.md new file mode 100644 index 00000000000..400e5c22b99 --- /dev/null +++ b/docs/queries/terraform-queries/21cef75f-289f-470e-8038-c7cee0664164.md @@ -0,0 +1,426 @@ +--- +title: No Drop Capabilities for Containers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 21cef75f-289f-470e-8038-c7cee0664164 +- **Query name:** No Drop Capabilities for Containers +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/no_drop_capabilities_for_containers) + +### Description +Sees if Kubernetes Drop Capabilities exists to ensure containers security context
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "kubernetes_pod" "test1" { + metadata { + name = "terraform-example" + } + + spec { + + container = [ + { + image = "nginx:1.7.9" + name = "example" + + security_context = { + capabilities = { + add = ["NET_BIND_SERVICE"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + + { + image = "nginx:1.7.9" + name = "example2" + + security_context = { + capabilities = { + drop = ["ALL"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="9" + +resource "kubernetes_pod" "test2" { + metadata { + name = "terraform-example" + } + + spec { + + container = [ + { + image = "nginx:1.7.9" + name = "example" + + security_context = { + allow_privilege_escalation = false + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + + { + image = "nginx:1.7.9" + name = "example2" + + security_context = { + capabilities = { + drop = ["ALL"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="9" + +resource "kubernetes_pod" "test3" { + metadata { + name = "terraform-example" + } + + spec { + + container = [ + { + image = "nginx:1.7.9" + name = "example" + + + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + + { + image = "nginx:1.7.9" + name = "example2" + + security_context = { + capabilities = { + drop = ["ALL"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_pod" "negative4" { + metadata { + name = "terraform-example" + } + + spec { + + container = [ + { + image = "nginx:1.7.9" + name = "example" + + security_context = { + capabilities = { + drop = ["ALL"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + + { + image = "nginx:1.7.9" + name = "example2" + + security_context = { + capabilities = { + drop = ["ALL"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/228c4c19-feeb-4c18-848c-800ac70fdfb7.md b/docs/queries/terraform-queries/228c4c19-feeb-4c18-848c-800ac70fdfb7.md new file mode 100644 index 00000000000..9a5f839c0e2 --- /dev/null +++ b/docs/queries/terraform-queries/228c4c19-feeb-4c18-848c-800ac70fdfb7.md 
@@ -0,0 +1,251 @@ +--- +title: Image Without Digest +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 228c4c19-feeb-4c18-848c-800ac70fdfb7 +- **Query name:** Image Without Digest +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/image_without_digest) + +### Description +Images should be specified together with their digests to ensure integrity
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 113 60" +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "uses-private-image" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +resource "kubernetes_pod" "positive3" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "uses-private-image" + name = "example" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + 
initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "negative" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "image@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/24b132df-5cc7-4823-8029-f898e1c50b72.md b/docs/queries/terraform-queries/24b132df-5cc7-4823-8029-f898e1c50b72.md new file mode 100644 index 00000000000..b58ae022fd1 --- /dev/null +++ b/docs/queries/terraform-queries/24b132df-5cc7-4823-8029-f898e1c50b72.md 
@@ -0,0 +1,213 @@
+---
+title: Service Account Name Undefined Or Empty
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 24b132df-5cc7-4823-8029-f898e1c50b72
+- **Query name:** Service Account Name Undefined Or Empty
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Defaults
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/service_account_name_undefined_or_empty)
+
+### Description
+A Kubernetes Pod should have a Service Account defined so to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "kubernetes_pod" "test1" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="6" +resource "kubernetes_pod" "test2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + service_account_name = null + } + +} + + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="36" +resource "kubernetes_pod" "test3" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + service_account_name = "" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + service_account_name = "service_name" + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md b/docs/queries/terraform-queries/26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md new file mode 100644 index 00000000000..da84e147cd5 --- /dev/null +++ b/docs/queries/terraform-queries/26b047a9-0329-48fd-8fb7-05bbe5ba80ee.md @@ -0,0 +1,624 @@ +--- +title: Incorrect Volume Claim Access Mode ReadWriteOnce +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 26b047a9-0329-48fd-8fb7-05bbe5ba80ee +- **Query name:** Incorrect Volume Claim Access Mode ReadWriteOnce +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/incorrect_volume_claim_access_mode_read_write_once) + +### Description +Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="166 367" +resource "kubernetes_stateful_set" "prometheus-1" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + 
container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data-1" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + + volume_claim_template { + metadata { + name = "prometheus-data-2" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + +resource "kubernetes_stateful_set" "prometheus-2" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = 
"busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data-1" + } + + spec { + access_modes = ["ReadWrite"] + 
storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_stateful_set" "prometheus" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 9090 + } + + resources { + limits = { + 
cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data-1" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + + volume_claim_template { + metadata { + name = "prometheus-data-2" + } + + spec { + access_modes = ["ReadWrite"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/2a52567c-abb8-4651-a038-52fa27c77aed.md b/docs/queries/terraform-queries/2a52567c-abb8-4651-a038-52fa27c77aed.md new file mode 100644 index 00000000000..514e199ed2d --- /dev/null +++ b/docs/queries/terraform-queries/2a52567c-abb8-4651-a038-52fa27c77aed.md 
@@ -0,0 +1,227 @@
+---
+title: Service With External Load Balancer
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2a52567c-abb8-4651-a038-52fa27c77aed
+- **Query name:** Service With External Load Balancer
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/service_with_external_load_balancer)
+
+### Description
+Service has an external load balancer, which may cause accessibility from other networks and the Internet
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="24 4" +resource "kubernetes_service" "example1" { + metadata { + name = "terraform-example1" + annotations = { + "service.beta.kubernetes.io/aws-load-balancer-internal" = "false" + } + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +resource "kubernetes_service" "example2" { + metadata { + name = "terraform-example2" + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="25 4 46" +resource "kubernetes_service" "example2" { + metadata { + name = "terraform-example2" + annotations = { + "service.beta.kubernetes.io/azure-load-balancer-internal" = "false" + } + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +resource "kubernetes_service" "example3" { + metadata { + name = "terraform-example3" + annotations = { + "networking.gke.io/load-balancer-type" = "External" + } + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +resource "kubernetes_service" "example4" { + metadata { + name = "terraform-example4" + annotations = { + "cloud.google.com/load-balancer-type" = "External" + } + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + 
port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_service" "example3" { + metadata { + name = "terraform-example3" + annotations = { + "service.beta.kubernetes.io/aws-load-balancer-internal" = "true" + } + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "kubernetes_service" "example2" { + metadata { + name = "terraform-example2" + annotations = { + "service.beta.kubernetes.io/azure-load-balancer-internal" = "true" + } + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +resource "kubernetes_service" "example3" { + metadata { + name = "terraform-example3" + annotations = { + "networking.gke.io/load-balancer-type" = "Internal" + } + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +resource "kubernetes_service" "example4" { + metadata { + name = "terraform-example4" + annotations = { + "cloud.google.com/load-balancer-type" = "Internal" + } + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +``` diff --git a/docs/queries/terraform-queries/2acb555f-f4ad-4b1b-b984-84e6588f4b05.md b/docs/queries/terraform-queries/2acb555f-f4ad-4b1b-b984-84e6588f4b05.md new file mode 100644 index 00000000000..52582eb31d0 --- /dev/null 
+++ b/docs/queries/terraform-queries/2acb555f-f4ad-4b1b-b984-84e6588f4b05.md
@@ -0,0 +1,128 @@
+---
+title: Not Limited Capabilities For Pod Security Policy
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2acb555f-f4ad-4b1b-b984-84e6588f4b05
+- **Query name:** Not Limited Capabilities For Pod Security Policy
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/not_limited_capabilities_for_pod_security_policy)
+
+### Description
+Limit capabilities for a Pod Security Policy
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+resource "kubernetes_pod_security_policy" "example" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ privileged = false
+ allow_privilege_escalation = false
+
+ volumes = [
+ "configMap",
+ "emptyDir",
+ "projected",
+ "secret",
+ "downwardAPI",
+ "persistentVolumeClaim",
+ ]
+
+ run_as_user {
+ rule = "MustRunAsNonRoot"
+ }
+
+ se_linux {
+ rule = "RunAsAny"
+ }
+
+ supplemental_groups {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ fs_group {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ read_only_root_filesystem = true
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_pod_security_policy" "example2" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ privileged = false
+ allow_privilege_escalation = false
+ required_drop_capabilities = ["ALL"]
+
+ volumes = [
+ "configMap",
+ "emptyDir",
+ "projected",
+ "secret",
+ "downwardAPI",
+ "persistentVolumeClaim",
+ ]
+
+ run_as_user {
+ rule = "MustRunAsNonRoot"
+ }
+
+ se_linux {
+ rule = "RunAsAny"
+ }
+
+ supplemental_groups {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ fs_group {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ read_only_root_filesystem = true
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md b/docs/queries/terraform-queries/2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md
new file mode 100644
index 00000000000..3c8a4d5a640
--- /dev/null
+++ b/docs/queries/terraform-queries/2bff9906-4e9b-4f71-9346-8ebedfdf43ef.md
@@ -0,0 +1,172 @@
+---
+title: PSP Allows Privilege Escalation
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2bff9906-4e9b-4f71-9346-8ebedfdf43ef
+- **Query name:** PSP Allows Privilege Escalation
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/psp_allows_privilege_escalation)
+
+### Description
+PodSecurityPolicy should not allow privilege escalation
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allow_privilege_escalation)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="50 7"
+resource "kubernetes_pod_security_policy" "example" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ privileged = false
+ allow_privilege_escalation = true
+
+ volumes = [
+ "configMap",
+ "emptyDir",
+ "projected",
+ "secret",
+ "downwardAPI",
+ "persistentVolumeClaim",
+ ]
+
+ run_as_user {
+ rule = "MustRunAsNonRoot"
+ }
+
+ se_linux {
+ rule = "RunAsAny"
+ }
+
+ supplemental_groups {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ fs_group {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ read_only_root_filesystem = true
+ }
+}
+
+resource "kubernetes_pod_security_policy" "example2" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ privileged = false
+
+ volumes = [
+ "configMap",
+ "emptyDir",
+ "projected",
+ "secret",
+ "downwardAPI",
+ "persistentVolumeClaim",
+ ]
+
+ run_as_user {
+ rule = "MustRunAsNonRoot"
+ }
+
+ se_linux {
+ rule = "RunAsAny"
+ }
+
+ supplemental_groups {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ fs_group {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ read_only_root_filesystem = true
+ }
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 
1 - tf file"
+resource "kubernetes_pod_security_policy" "example2" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ privileged = false
+ allow_privilege_escalation = false
+
+ volumes = [
+ "configMap",
+ "emptyDir",
+ "projected",
+ "secret",
+ "downwardAPI",
+ "persistentVolumeClaim",
+ ]
+
+ run_as_user {
+ rule = "MustRunAsNonRoot"
+ }
+
+ se_linux {
+ rule = "RunAsAny"
+ }
+
+ supplemental_groups {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ fs_group {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ read_only_root_filesystem = true
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md b/docs/queries/terraform-queries/3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md
new file mode 100644
index 00000000000..f8142b8b86b
--- /dev/null
+++ b/docs/queries/terraform-queries/3360c01e-c8c0-4812-96a2-a6329b9b7f9f.md
@@ -0,0 +1,91 @@
+---
+title: Role Binding To Default Service Account
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3360c01e-c8c0-4812-96a2-a6329b9b7f9f
+- **Query name:** Role Binding To Default Service Account
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Insecure Defaults
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/role_binding_to_default_service_account)
+
+### Description
+No role nor cluster role should bind to a default service account
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding#subject)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "kubernetes_role_binding" "example" {
+ metadata {
+ name = "terraform-example"
+ namespace = "default"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "Role"
+ name = "admin"
+ }
+ subject {
+ kind = "User"
+ name = "admin"
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "default"
+ namespace = "kube-system"
+ }
+ subject {
+ kind = "Group"
+ name = "system:masters"
+ api_group = "rbac.authorization.k8s.io"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_role_binding" "example2" {
+ metadata {
+ name = "terraform-example"
+ namespace = "default"
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "Role"
+ name = "admin"
+ }
+ subject {
+ kind = "User"
+ name = "admin"
+ api_group = "rbac.authorization.k8s.io"
+ }
+ subject {
+ kind = "ServiceAccount"
+ name = "serviceExample"
+ namespace = "kube-system"
+ }
+ subject {
+ kind = "Group"
+ name = "system:masters"
+ api_group = "rbac.authorization.k8s.io"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/3f55386d-75cd-4e9a-ac47-167b26c04724.md b/docs/queries/terraform-queries/3f55386d-75cd-4e9a-ac47-167b26c04724.md
new file mode 100644
index 00000000000..5a0e29c13c8
--- /dev/null
+++ b/docs/queries/terraform-queries/3f55386d-75cd-4e9a-ac47-167b26c04724.md
@@ -0,0 +1,339 @@
+---
+title: Containers With Sys Admin Capabilities
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3f55386d-75cd-4e9a-ac47-167b26c04724
+- **Query name:** Containers With Sys Admin Capabilities
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/containers_with_sys_admin_capabilities)
+
+### Description
+Containers should not have CAP_SYS_ADMIN Linux capability
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 113" + +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + capabilities = { + add = ["SYS_ADMIN"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + capabilities = { + add = ["SYS_ADMIN"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + add = ["SYS_ADMIN"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + 
nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "kubernetes_pod" "negative3" { + metadata { + name = "terraform-example" + } + + spec { + + container = [ + { + image = "nginx:1.7.9" + name = "example" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + + { + image = "nginx:1.7.9" + name = "example2" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative4" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + 
dns_policy = "None"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/420e6360-47bb-46f6-9072-b20ed22c842d.md b/docs/queries/terraform-queries/420e6360-47bb-46f6-9072-b20ed22c842d.md
new file mode 100644
index 00000000000..3a14a27bfdc
--- /dev/null
+++ b/docs/queries/terraform-queries/420e6360-47bb-46f6-9072-b20ed22c842d.md
@@ -0,0 +1,447 @@
+---
+title: StatefulSet Without Service Name
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 420e6360-47bb-46f6-9072-b20ed22c842d
+- **Query name:** StatefulSet Without Service Name
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/statefulset_without_service_name)
+
+### Description
+StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="49" +resource "kubernetes_service" "example" { + metadata { + name = "prometheus" + namespace = "prometheus" + } + spec { + cluster_ip = "ALL" + selector = { + k8s-app = "prometheus" + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +resource "kubernetes_stateful_set" "prometheus" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + namespace = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = 
"prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_service" "example22" { + metadata { + name = "prometheus22" + namespace = "prometheus22" + } + spec { + cluster_ip = "None" + selector = { + k8s-app = "prometheus22" + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +resource "kubernetes_stateful_set" "prometheus22" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus22" + namespace = "prometheus22" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus22" + } + } + + service_name = "prometheus22" + + template { + metadata { + labels = { + k8s-app = "prometheus22" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus22" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + 
"--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md b/docs/queries/terraform-queries/455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md new file mode 100644 index 00000000000..4685c5d8047 --- /dev/null +++ b/docs/queries/terraform-queries/455f2e0c-686d-4fcb-8b5f-3f953f12c43c.md 
@@ -0,0 +1,642 @@ +--- +title: Seccomp Profile Is Not Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 455f2e0c-686d-4fcb-8b5f-3f953f12c43c +- **Query name:** Seccomp Profile Is Not Configured +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/secoomp_profile_is_not_configured) + +### Description +Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2 115 348 215 184 249 58 411 284" +resource "kubernetes_pod" "pod1" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_pod" "pod2" { + metadata { + name = "terraform-example" + + annotations = { + SomeAnnotation = "foobar" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_pod" "pod3" { + metadata { + name = "terraform-example" + + annotations = { + seccomp.security.alpha.kubernetes.io/defaultProfileName = "rntim/dfl" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + 
liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_cron_job" "cron1" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata {} + spec { + container { + name = "hello" + image = "busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } + } + } + } + } +} + +resource "kubernetes_cron_job" "cron2" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + } + spec { + container { + name = "hello" + image = "busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } + } + } + } + } +} + +resource "kubernetes_cron_job" "cron3" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata { + annotations = { + seccomp.security.alpha.kubernetes.io/defaultProfileName = "rntim/dfl" + } + } + spec 
{ + container { + name = "hello" + image = "busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } + } + } + } + } +} + +resource "kubernetes_deployment" "deployment1" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +resource "kubernetes_deployment" "deployment2" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + annotations = { + SomeAnnotation = "foobar" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +resource "kubernetes_deployment" "deployment3" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + annotations = { + 
seccomp.security.alpha.kubernetes.io/defaultProfileName = "rntim/dfl" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "pod" { + metadata { + name = "terraform-example" + + annotations = { + seccomp.security.alpha.kubernetes.io/defaultProfileName = "runtime/default" + } + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_cron_job" "cron" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata { + annotations = { + seccomp.security.alpha.kubernetes.io/defaultProfileName = "runtime/default" + } + } + spec { + container { + name = "hello" + image = "busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } + } + } + } + } +} + +resource 
"kubernetes_deployment" "deployment" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + annotations = { + seccomp.security.alpha.kubernetes.io/defaultProfileName = "runtime/default" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md b/docs/queries/terraform-queries/461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md new file mode 100644 index 00000000000..1c81dd0d125 --- /dev/null +++ b/docs/queries/terraform-queries/461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3.md @@ -0,0 +1,418 @@ +--- +title: Deployment Has No PodAntiAffinity +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 461ed7e4-f8d5-4bc1-b3c6-64ddb4fd00a3 +- **Query name:** Deployment Has No PodAntiAffinity +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/deployment_has_no_pod_anti_affinity) + +### Description +Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#affinity) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="25" +resource "kubernetes_deployment" "example" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "prometheus" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="26" +resource "kubernetes_deployment" "example2" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "prometheus" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + } + + spec { + affinity { + pod_affinity { + required_during_scheduling_ignored_during_execution { + label_selector { + match_expressions { + key = "security" + operator = "In" + values = ["S1"] + } + } + + topology_key = "failure-domain.beta.kubernetes.io/zone" + } + } + } + + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } 
+} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="26" +resource "kubernetes_deployment" "example3" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "prometheus" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + } + + spec { + affinity { + pod_anti_affinity { + preferred_during_scheduling_ignored_during_execution { + weight = 100 + + pod_affinity_term { + label_selector { + match_expressions { + key = "security" + operator = "In" + values = ["S2"] + } + } + + topology_key = "failure-domain.beta.kubernetes.io/zone" + } + } + } + } + + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="26" +resource "kubernetes_deployment" "example4" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "prometheus" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + } + + spec { + affinity { + pod_anti_affinity { + preferred_during_scheduling_ignored_during_execution { + weight = 100 + + pod_affinity_term { + label_selector { + match_labels { + k8s-app = "prometheus2" + } + } + + topology_key = "kubernetes.io/hostname" + } + } + } + } + + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_deployment" "example433" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "prometheus" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + } + + spec { + affinity { + pod_anti_affinity { + preferred_during_scheduling_ignored_during_execution { + weight = 100 + + pod_affinity_term { + label_selector { + match_labels { + k8s-app = "prometheus" + } + } + + topology_key = "kubernetes.io/hostname" + } + } + } + } + + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/48388bd2-7201-4dcc-b56d-e8a9efa58fad.md b/docs/queries/terraform-queries/48388bd2-7201-4dcc-b56d-e8a9efa58fad.md new file mode 100644 index 00000000000..9b3963b3aff --- /dev/null +++ b/docs/queries/terraform-queries/48388bd2-7201-4dcc-b56d-e8a9efa58fad.md @@ -0,0 +1,128 @@ +--- +title: PSP With Added Capabilities +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48388bd2-7201-4dcc-b56d-e8a9efa58fad +- **Query name:** PSP With Added Capabilities +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/psp_with_added_capabilities) + +### Description +PodSecurityPolicy should not have added capabilities
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_capabilities) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "kubernetes_pod_security_policy" "example" { + metadata { + name = "terraform-example" + } + spec { + allowed_capabilities = ["NET_BIND_SERVICE"] + privileged = false + allow_privilege_escalation = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod_security_policy" "example2" { + metadata { + name = "terraform-example" + } + spec { + privileged = false + allow_privilege_escalation = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + +``` diff --git a/docs/queries/terraform-queries/4950837c-0ce5-4e42-9bee-a25eae73740b.md b/docs/queries/terraform-queries/4950837c-0ce5-4e42-9bee-a25eae73740b.md new file mode 100644 index 00000000000..7bd21f47e6d --- /dev/null +++ b/docs/queries/terraform-queries/4950837c-0ce5-4e42-9bee-a25eae73740b.md 
@@ -0,0 +1,129 @@ +--- +title: PSP Allows Containers To Share The Host Network Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4950837c-0ce5-4e42-9bee-a25eae73740b +- **Query name:** PSP Allows Containers To Share The Host Network Namespace +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/psp_allows_containers_to_share_the_host_network_namespace) + +### Description +Check if Pod Security Policies allow containers to share the host network namespace.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_network) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "kubernetes_pod_security_policy" "example" { + metadata { + name = "terraform-example" + } + spec { + privileged = false + allow_privilege_escalation = false + host_network = true + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod_security_policy" "example" { + metadata { + name = "terraform-example" + } + spec { + privileged = false + allow_privilege_escalation = false + host_network = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + +``` diff --git a/docs/queries/terraform-queries/4c415497-7410-4559-90e8-f2c8ac64ee38.md b/docs/queries/terraform-queries/4c415497-7410-4559-90e8-f2c8ac64ee38.md new file mode 100644 index 00000000000..dbd06463d8c --- /dev/null +++ b/docs/queries/terraform-queries/4c415497-7410-4559-90e8-f2c8ac64ee38.md 
@@ -0,0 +1,125 @@ +--- +title: Root Containers Admitted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4c415497-7410-4559-90e8-f2c8ac64ee38 +- **Query name:** Root Containers Admitted +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/root_containers_admitted) + +### Description +Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#run_as_user) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="37 6 7 19 27" +resource "kubernetes_pod_security_policy" "example" { + metadata { + name = "terraform-example" + } + spec { + privileged = true + allow_privilege_escalation = true + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "RunAsAny" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "RunAsAny" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 0 + max = 65535 + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod_security_policy" "example2" { + metadata { + name = "terraform-example" + } + spec { + privileged = false + allow_privilege_escalation = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + +``` diff --git a/docs/queries/terraform-queries/4e203a65-c8d8-49a2-b749-b124d43c9dc1.md b/docs/queries/terraform-queries/4e203a65-c8d8-49a2-b749-b124d43c9dc1.md new file mode 100644 index 00000000000..9b14e70cac3 --- /dev/null +++ b/docs/queries/terraform-queries/4e203a65-c8d8-49a2-b749-b124d43c9dc1.md 
@@ -0,0 +1,429 @@ +--- +title: Docker Daemon Socket is Exposed to Containers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4e203a65-c8d8-49a2-b749-b124d43c9dc1 +- **Query name:** Docker Daemon Socket is Exposed to Containers +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/docker_daemon_socket_is_exposed_to_containers) + +### Description +Sees if Docker Daemon Socket is not exposed to Containers
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 169 98" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + + volume = [ + { + host_path = { + path = "/var/run/docker.sock" + type = "Directory" + } + } + , + { + host_path = { + path = "/var/run/docker.sock" + type = "Directory" + } + } + ] + + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +resource "kubernetes_deployment" "example" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + + volume = [ + { + host_path = { + path = "/var/run/docker.sock" + type = "Directory" + } + } + , + { + host_path = { + path = "/var/run/docker.sock" + type = "Directory" + } + } + ] + + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + + 
+resource "kubernetes_cron_job" "demo2" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata {} + spec { + + volume = [ + { + host_path = { + path = "/var/run/docker.sock" + type = "Directory" + } + } + , + { + host_path = { + path = "/var/run/docker.sock" + type = "Directory" + } + } + ] + + container { + name = "hello" + image = "busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "test2" { + metadata { + name = "terraform-example" + } + + spec { + + volume = [ + { + host_path = { + path = "/data" + type = "Directory" + } + } + , + { + host_path = { + path = "/data" + type = "Directory" + } + } + ] + + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +resource "kubernetes_deployment" "example2" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + + volume = [ + { + host_path = { + path = 
"/data" + type = "Directory" + } + } + , + { + host_path = { + path = "/data" + type = "Directory" + } + } + ] + + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + + +resource "kubernetes_cron_job" "demo22" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata {} + spec { + + volume = [ + { + host_path = { + path = "/data" + type = "Directory" + } + } + , + { + host_path = { + path = "/data" + type = "Directory" + } + } + ] + + container { + name = "hello" + image = "busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } + } + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/4e74cf4f-ff65-4c1a-885c-67ab608206ce.md b/docs/queries/terraform-queries/4e74cf4f-ff65-4c1a-885c-67ab608206ce.md new file mode 100644 index 00000000000..fce94916bf2 --- /dev/null +++ b/docs/queries/terraform-queries/4e74cf4f-ff65-4c1a-885c-67ab608206ce.md 
@@ -0,0 +1,277 @@
+---
+title: Workload Host Port Not Specified
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4e74cf4f-ff65-4c1a-885c-67ab608206ce
+- **Query name:** Workload Host Port Not Specified
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/workload_host_port_not_specified)
+
+### Description
+Verifies if Kubernetes workload's host port is specified
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_port) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="16" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="41" + +resource "kubernetes_deployment" "example" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + host_port = 2 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` +```tf title="Negative test num. 2 - tf file" + +resource "kubernetes_deployment" "example" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + port { + container_port = 8080 + host_port = 2 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/51bed0ac-a8ae-407a-895e-90c6cb0610ce.md b/docs/queries/terraform-queries/51bed0ac-a8ae-407a-895e-90c6cb0610ce.md new file mode 100644 index 00000000000..b76392b52fb --- /dev/null +++ b/docs/queries/terraform-queries/51bed0ac-a8ae-407a-895e-90c6cb0610ce.md 
@@ -0,0 +1,129 @@
+---
+title: PSP Allows Sharing Host IPC
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 51bed0ac-a8ae-407a-895e-90c6cb0610ce
+- **Query name:** PSP Allows Sharing Host IPC
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/psp_allows_sharing_host_ipc)
+
+### Description
+Pod Security Policy allows containers to share the host IPC namespace
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#host_ipc)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+resource "kubernetes_pod_security_policy" "example2" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ privileged = false
+ allow_privilege_escalation = false
+ host_ipc = true
+
+ volumes = [
+ "configMap",
+ "emptyDir",
+ "projected",
+ "secret",
+ "downwardAPI",
+ "persistentVolumeClaim",
+ ]
+
+ run_as_user {
+ rule = "MustRunAsNonRoot"
+ }
+
+ se_linux {
+ rule = "RunAsAny"
+ }
+
+ supplemental_groups {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ fs_group {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ read_only_root_filesystem = true
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_pod_security_policy" "example2" {
+ metadata {
+ name = "terraform-example"
+ }
+ spec {
+ privileged = false
+ allow_privilege_escalation = false
+ host_ipc = false
+
+ volumes = [
+ "configMap",
+ "emptyDir",
+ "projected",
+ "secret",
+ "downwardAPI",
+ "persistentVolumeClaim",
+ ]
+
+ run_as_user {
+ rule = "MustRunAsNonRoot"
+ }
+
+ se_linux {
+ rule = "RunAsAny"
+ }
+
+ supplemental_groups {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ fs_group {
+ rule = "MustRunAs"
+ range {
+ min = 1
+ max = 65535
+ }
+ }
+
+ read_only_root_filesystem = true
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md b/docs/queries/terraform-queries/522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md
new file mode 100644
index 00000000000..f989a40d6bd
--- /dev/null
+++ b/docs/queries/terraform-queries/522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba.md
@@ -0,0 +1,192 @@
+---
+title: Permissive Access to Create Pods
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 522d4a64-4dc9-44bd-9240-7d8a0d5cb5ba
+- **Query name:** Permissive Access to Create Pods
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/permissive_access_to_create_pods)
+
+### Description
+The permission to create pods in a cluster should be restricted because it allows privilege escalation.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="51 67 35 13" +resource "kubernetes_role" "example1" { + metadata { + name = "terraform-example1" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["pods"] + resource_names = ["foo"] + verbs = ["create", "list", "watch"] + } + + rule { + api_groups = ["apps"] + resources = ["deployments"] + verbs = ["get", "list"] + } +} + +resource "kubernetes_role" "example2" { + metadata { + name = "terraform-example2" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["*"] + resource_names = ["foo"] + verbs = ["create", "list", "watch"] + } +} + +resource "kubernetes_role" "example3" { + metadata { + name = "terraform-example3" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["pods"] + resource_names = ["foo"] + verbs = ["*", "list", "watch"] + } +} + +resource "kubernetes_role" "example4" { + metadata { + name = "terraform-example4" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["*"] + resource_names = ["foo"] + verbs = ["*", "list", "watch"] + } +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="9 45 21 33" +resource "kubernetes_cluster_role" "example1" { + metadata { + name = "terraform-example1" + } + + rule { + api_groups = [""] + resources = ["namespaces", "pods"] + verbs = ["create", "list", "watch"] + } +} + +resource "kubernetes_cluster_role" "example2" { + metadata { + name = "terraform-example2" + } + + rule { + api_groups = [""] + resources = ["namespaces", "*"] + verbs = ["create", "list", "watch"] + } +} + +resource "kubernetes_cluster_role" "example3" { + metadata { + name = "terraform-example3" + } + + rule { + api_groups = [""] + resources = ["namespaces", "*"] + verbs = ["*", "list", "watch"] + } +} + +resource "kubernetes_cluster_role" "example4" { + metadata { + name = "terraform-example4" + } + + rule { + api_groups = [""] + resources = ["namespaces", "pods"] + verbs = ["*", "list", "watch"] + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_role" "example" { + metadata { + name = "terraform-example" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["pods"] + resource_names = ["foo"] + verbs = ["get", "list", "watch"] + } + rule { + api_groups = ["apps"] + resources = ["deployments"] + verbs = ["get", "list"] + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "kubernetes_cluster_role" "example" { + metadata { + name = "terraform-example" + } + + rule { + api_groups = [""] + resources = ["namespaces", "pods"] + verbs = ["get", "list", "watch"] + } +} + +``` diff --git a/docs/queries/terraform-queries/577ac19c-6a77-46d7-9f14-e049cdd15ec2.md b/docs/queries/terraform-queries/577ac19c-6a77-46d7-9f14-e049cdd15ec2.md new file mode 100644 index 00000000000..a89ec2fe061 --- /dev/null +++ b/docs/queries/terraform-queries/577ac19c-6a77-46d7-9f14-e049cdd15ec2.md 
@@ -0,0 +1,368 @@
+---
+title: CPU Requests Not Set
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 577ac19c-6a77-46d7-9f14-e049cdd15ec2
+- **Query name:** CPU Requests Not Set
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Resource Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/cpu_requests_not_set)
+
+### Description
+CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#requests) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 105" + +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + requests = { + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + cpu = "0.5" + memory = "512Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name 
= "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "kubernetes_pod" "negative1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + cpu = "0.5" + memory = "512Mi" + } + requests { + cpu = "250m" + memory = "50Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + 
value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/587d5d82-70cf-449b-9817-f60f9bccb88c.md b/docs/queries/terraform-queries/587d5d82-70cf-449b-9817-f60f9bccb88c.md
new file mode 100644
index 00000000000..3748e2d25de
--- /dev/null
+++ b/docs/queries/terraform-queries/587d5d82-70cf-449b-9817-f60f9bccb88c.md
@@ -0,0 +1,215 @@
+---
+title: Container Host Pid Is True
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 587d5d82-70cf-449b-9817-f60f9bccb88c
+- **Query name:** Container Host Pid Is True
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/container_host_pid_is_true)
+
+### Description
+Minimize the admission of containers wishing to share the host process ID namespace
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_pid) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + + host_pid = true + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_pod" "negative1" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + + + + + + + +resource "kubernetes_pod" "negative2" { + metadata { + name = "terraform-example" + } + + spec { + + host_pid = false + + container { + image = "nginx:1.7.9" + name = "example" + + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + + +``` diff --git a/docs/queries/terraform-queries/58876b44-a690-4e9f-9214-7735fa0dd15d.md b/docs/queries/terraform-queries/58876b44-a690-4e9f-9214-7735fa0dd15d.md new file mode 100644 index 00000000000..debefc2b7b0 --- /dev/null +++ b/docs/queries/terraform-queries/58876b44-a690-4e9f-9214-7735fa0dd15d.md 
@@ -0,0 +1,96 @@
+---
+title: CronJob Deadline Not Configured
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 58876b44-a690-4e9f-9214-7735fa0dd15d
+- **Query name:** CronJob Deadline Not Configured
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Resource Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/cronjob_deadline_not_configured)
+
+### Description
+Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cron_job#starting_deadline_seconds)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+resource "kubernetes_cron_job" "demo" {
+ metadata {
+ name = "demo"
+ }
+ spec {
+ concurrency_policy = "Replace"
+ failed_jobs_history_limit = 5
+ schedule = "1 0 * * *"
+ successful_jobs_history_limit = 10
+ job_template {
+ metadata {}
+ spec {
+ backoff_limit = 2
+ ttl_seconds_after_finished = 10
+ template {
+ metadata {}
+ spec {
+ container {
+ name = "hello"
+ image = "busybox"
+ command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_cron_job" "demo2" {
+ metadata {
+ name = "demo"
+ }
+ spec {
+ concurrency_policy = "Replace"
+ failed_jobs_history_limit = 5
+ schedule = "1 0 * * *"
+ starting_deadline_seconds = 10
+ successful_jobs_history_limit = 10
+ job_template {
+ metadata {}
+ spec {
+ backoff_limit = 2
+ ttl_seconds_after_finished = 10
+ template {
+ metadata {}
+ spec {
+ container {
+ name = "hello"
+ image = "busybox"
+ command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"]
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md b/docs/queries/terraform-queries/5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md
new file mode 100644
index 00000000000..fbba89370a7
--- /dev/null
+++ b/docs/queries/terraform-queries/5b6d53dd-3ba3-4269-b4d7-f82e880e43c3.md
@@ -0,0 +1,239 @@
+---
+title: Liveness Probe Is Not Defined
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 5b6d53dd-3ba3-4269-b4d7-f82e880e43c3
+- **Query name:** Liveness Probe Is Not Defined
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/liveness_probe_is_not_defined)
+
+### Description
+In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#liveness_probe) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="27" + +resource "kubernetes_deployment" "example" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` +```tf title="Negative test num. 2 - tf file" + +resource "kubernetes_deployment" "example" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md b/docs/queries/terraform-queries/5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md new file mode 100644 index 00000000000..2df71868c9d --- /dev/null +++ b/docs/queries/terraform-queries/5c281bf8-d9bb-47f2-b909-3f6bb11874ad.md 
@@ -0,0 +1,73 @@ +--- +title: Service Type is NodePort +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5c281bf8-d9bb-47f2-b909-3f6bb11874ad +- **Query name:** Service Type is NodePort +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/service_type_is_nodeport) + +### Description +Service type should not be NodePort
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service#type) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="15" +resource "kubernetes_service" "example" { + metadata { + name = "terraform-example" + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "NodePort" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_service" "example2" { + metadata { + name = "terraform-example" + } + spec { + selector = { + app = kubernetes_pod.example.metadata.0.labels.app + } + session_affinity = "ClientIP" + port { + port = 8080 + target_port = 80 + } + + type = "LoadBalancer" + } +} + +``` diff --git a/docs/queries/terraform-queries/5f4735ce-b9ba-4d95-a089-a37a767b716f.md b/docs/queries/terraform-queries/5f4735ce-b9ba-4d95-a089-a37a767b716f.md new file mode 100644 index 00000000000..f9642cac319 --- /dev/null +++ b/docs/queries/terraform-queries/5f4735ce-b9ba-4d95-a089-a37a767b716f.md @@ -0,0 +1,367 @@ +--- +title: CPU Limits Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5f4735ce-b9ba-4d95-a089-a37a767b716f +- **Query name:** CPU Limits Not Set +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/cpu_limits_not_set) + +### Description +CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 106" + +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + requests = { + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + memory = "512Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + 
value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "kubernetes_pod" "negative1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + cpu = "0.5" + memory = "512Mi" + } + requests { + cpu = "250m" + memory = "50Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = 
"Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/60af03ff-a421-45c8-b214-6741035476fa.md b/docs/queries/terraform-queries/60af03ff-a421-45c8-b214-6741035476fa.md new file mode 100644 index 00000000000..47970e50291 --- /dev/null +++ b/docs/queries/terraform-queries/60af03ff-a421-45c8-b214-6741035476fa.md @@ -0,0 +1,483 @@ +--- +title: Container Resources Limits Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 60af03ff-a421-45c8-b214-6741035476fa +- **Query name:** Container Resources Limits Undefined +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/container_resources_limits_undefined) + +### Description +Kubernetes container should have resource limitations defined such as CPU and memory
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 224 106 167" + +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + cpu = "0.5" + memory = "512Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + 
option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_pod" "positive3" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + requests { + cpu = "250m" + memory = "50Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_pod" "positive4" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" + +resource "kubernetes_pod" "negative1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + cpu = "0.5" + memory = "512Mi" + } + requests { + cpu = "250m" + memory = "50Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + 
name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md b/docs/queries/terraform-queries/6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md new file mode 100644 index 00000000000..eb42518ad06 --- /dev/null +++ b/docs/queries/terraform-queries/6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8.md @@ -0,0 +1,151 @@ +--- +title: Secrets As Environment Variables +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6d8f1a10-b6cd-48f0-b960-f7c535d5cdb8 +- **Query name:** Secrets As Environment Variables +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/secrets_as_environment_variables) + +### Description +Container should not use secrets as environment variables
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#secret_key_ref) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11 20" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + + value_from = { + secret_key_ref = "hjjhjh" + } + } + + env_from { + secret_ref = "wwww" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "test55" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md b/docs/queries/terraform-queries/7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md new file mode 100644 index 00000000000..24d2d28290c 
--- /dev/null +++ b/docs/queries/terraform-queries/7249e3b0-9231-4af3-bc5f-5daf4988ecbf.md @@ -0,0 +1,620 @@ +--- +title: StatefulSet Without PodDisruptionBudget +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7249e3b0-9231-4af3-bc5f-5daf4988ecbf +- **Query name:** StatefulSet Without PodDisruptionBudget +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/statefulset_without_pod_disruption_budget) + +### Description +StatefulSets should be assigned with a PodDisruptionBudget to ensure high availability
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#selector) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="23" +resource "kubernetes_stateful_set" "prometheus" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 2 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app2 = "prometheus2" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 
9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + + +resource "kubernetes_pod_disruption_budget" "demo" { + metadata { + name = "demo" + } + spec { + max_unavailable = "20%" + selector { + match_labels = { + test = "MyExampleApp" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_stateful_set" "prometheus2" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 2 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = 
"prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + + +resource "kubernetes_pod_disruption_budget" "demo2" { + metadata { + name = "demo" + } + spec { + max_unavailable = "20%" + selector { + match_labels = { + k8s-app = "prometheus" + } + } + } +} + + +resource "kubernetes_stateful_set" "prometheus3" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 2 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "kubernetes_pod_disruption_budget.demo2.spec.selector.0.match_labels.k8s-app2" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = 
"prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + +``` 
diff --git a/docs/queries/terraform-queries/737a0dd9-0aaa-4145-8118-f01778262b8a.md b/docs/queries/terraform-queries/737a0dd9-0aaa-4145-8118-f01778262b8a.md new file mode 100644 index 00000000000..ae4de72abe6 --- /dev/null +++ b/docs/queries/terraform-queries/737a0dd9-0aaa-4145-8118-f01778262b8a.md @@ -0,0 +1,59 @@ +--- +title: Default Service Account In Use +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 737a0dd9-0aaa-4145-8118-f01778262b8a +- **Query name:** Default Service Account In Use +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/default_service_account_in_use) + +### Description +Default service accounts should not be actively used
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account#automount_service_account_token) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 12" +resource "kubernetes_service_account" "example" { + metadata { + name = "default" + } +} + +resource "kubernetes_service_account" "example2" { + metadata { + name = "default" + } + + automount_service_account_token = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_service_account" "example3" { + metadata { + name = "default" + } + + automount_service_account_token = false +} + +``` diff --git a/docs/queries/terraform-queries/826abb30-3cd5-4e0b-a93b-67729b4f7e63.md b/docs/queries/terraform-queries/826abb30-3cd5-4e0b-a93b-67729b4f7e63.md new file mode 100644 index 00000000000..8900980968e --- /dev/null +++ b/docs/queries/terraform-queries/826abb30-3cd5-4e0b-a93b-67729b4f7e63.md @@ -0,0 +1,139 @@ +--- +title: RBAC Roles with Read Secrets Permissions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 826abb30-3cd5-4e0b-a93b-67729b4f7e63 +- **Query name:** RBAC Roles with Read Secrets Permissions +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/rbac_roles_with_read_secrets_permissions) + +### Description +Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role#rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="48 9 27 62" +resource "kubernetes_role" "example1" { + metadata { + name = "terraform-example1" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["secrets", "namespaces"] + resource_names = ["foo"] + verbs = ["get", "list", "watch"] + } + rule { + api_groups = ["apps"] + resources = ["deployments"] + verbs = ["get", "list"] + } +} + +resource "kubernetes_cluster_role" "example2" { + metadata { + name = "terraform-example2" + } + + rule { + api_groups = [""] + resources = ["namespaces", "secrets"] + verbs = ["get", "list", "watch"] + } + rule { + api_groups = ["apps"] + resources = ["deployments"] + verbs = ["get", "list"] + } +} + + +resource "kubernetes_role" "example3" { + metadata { + name = "terraform-example3" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["secrets", "namespaces"] + resource_names = ["foo"] + verbs = ["get", "list", "watch"] + } + +} + +resource "kubernetes_cluster_role" "example4" { + metadata { + name = "terraform-example4" + } + + rule { + api_groups = [""] + resources = ["namespaces", "secrets"] + verbs = ["get", "list", "watch"] + } + +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_role" "example1" { + metadata { + name = "terraform-example1" + labels = { + test = "MyRole" + } + } + + rule { + api_groups = [""] + resources = ["pods"] + resource_names = ["foo"] + verbs = ["get", "list", "watch"] + } + rule { + api_groups = ["apps"] + resources = ["deployments"] + verbs = ["get", "list"] + } +} + +resource "kubernetes_cluster_role" "example2" { + metadata { + name = "terraform-example2" + } + + rule { + api_groups = [""] + resources = ["namespaces", "pods"] + verbs = ["get", "list", "watch"] + } +} + +``` diff --git a/docs/queries/terraform-queries/8657197e-3f87-4694-892b-8144701d83c1.md b/docs/queries/terraform-queries/8657197e-3f87-4694-892b-8144701d83c1.md new file mode 100644 index 00000000000..29bb93394e2 --- /dev/null +++ b/docs/queries/terraform-queries/8657197e-3f87-4694-892b-8144701d83c1.md @@ -0,0 +1,147 @@ +--- +title: Readiness Probe Is Not Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8657197e-3f87-4694-892b-8144701d83c1 +- **Query name:** Readiness Probe Is Not Configured +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/readiness_probe_is_not_configured) + +### Description +Check if Readiness Probe is not configured.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#readiness_probe) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "test2" { + metadata { + name = "terraform-example" + } + + spec { + container { + readiness_probe { + initial_delay_seconds = 10 + } + + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/86a947ea-f577-4efb-a8b0-5fc00257d521.md b/docs/queries/terraform-queries/86a947ea-f577-4efb-a8b0-5fc00257d521.md new file mode 100644 index 00000000000..e78e88a46a2 --- /dev/null 
+++ b/docs/queries/terraform-queries/86a947ea-f577-4efb-a8b0-5fc00257d521.md @@ -0,0 +1,383 @@ +--- +title: Non Kube System Pod With Host Mount +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 86a947ea-f577-4efb-a8b0-5fc00257d521 +- **Query name:** Non Kube System Pod With Host Mount +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/non_kube_system_pod_with_host_mount) + +### Description +A non kube-system workload should not have hostPath mounted
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="113 233 53 173" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + namespace = "kube" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + volume { + host_path { + path = "/var/log" + } + } + + dns_policy = "None" + } +} + + +resource "kubernetes_pod" "test2" { + metadata { + name = "terraform-example2" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + volume { + host_path { + path = "/var/log" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_persistent_volume" "test3" { + metadata { + name = "terraform-example3" + namespace = "kube" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + 
liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + volume { + host_path { + path = "/var/log" + } + } + + dns_policy = "None" + } +} + + +resource "kubernetes_persistent_volume" "test4" { + metadata { + name = "terraform-example4" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + volume { + host_path { + path = "/var/log" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_persistent_volume" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/87065ef8-de9b-40d8-9753-f4a4303e27a4.md b/docs/queries/terraform-queries/87065ef8-de9b-40d8-9753-f4a4303e27a4.md new file mode 100644 index 00000000000..f222605afcb --- /dev/null +++ b/docs/queries/terraform-queries/87065ef8-de9b-40d8-9753-f4a4303e27a4.md 
@@ -0,0 +1,345 @@ +--- +title: Container Is Privileged +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 87065ef8-de9b-40d8-9753-f4a4303e27a4 +- **Query name:** Container Is Privileged +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/container_is_privileged) + +### Description +Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="108 14 47" + +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + security_context = { + privileged = true + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = 
["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "kubernetes_pod" "negative4" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + privileged = false + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + privileged = false + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative5" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + security_context = { + privileged = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + 
+ option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/9aa32890-ac1a-45ee-81ca-5164e2098556.md b/docs/queries/terraform-queries/9aa32890-ac1a-45ee-81ca-5164e2098556.md new file mode 100644 index 00000000000..6b12c7f49f1 --- /dev/null +++ b/docs/queries/terraform-queries/9aa32890-ac1a-45ee-81ca-5164e2098556.md @@ -0,0 +1,134 @@ +--- +title: NET_RAW Capabilities Disabled for PSP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9aa32890-ac1a-45ee-81ca-5164e2098556 +- **Query name:** NET_RAW Capabilities Disabled for PSP +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/net_raw_capabilities_disabled_for_psp) + +### Description +Containers need to have NET_RAW or All as drop capabilities
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#required_drop_capabilities) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="17" +resource "kubernetes_pod_security_policy" "example" { + metadata { + name = "terraform-example" + } + spec { + privileged = false + allow_privilege_escalation = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + required_drop_capabilities = [ + "KILL", + "SYS_TIME", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod_security_policy" "example" { + metadata { + name = "terraform-example" + } + spec { + privileged = false + allow_privilege_escalation = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + required_drop_capabilities = [ + "ALL" + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + +``` diff --git a/docs/queries/terraform-queries/a05331ee-1653-45cb-91e6-13637a76e4f0.md b/docs/queries/terraform-queries/a05331ee-1653-45cb-91e6-13637a76e4f0.md new file mode 100644 index 00000000000..2cb869d1f20 --- /dev/null +++ b/docs/queries/terraform-queries/a05331ee-1653-45cb-91e6-13637a76e4f0.md 
@@ -0,0 +1,249 @@ +--- +title: Deployment Without PodDisruptionBudget +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a05331ee-1653-45cb-91e6-13637a76e4f0 +- **Query name:** Deployment Without PodDisruptionBudget +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/deployment_without_pod_disruption_budget) + +### Description +Deployments should be assigned with a PodDisruptionBudget to ensure high availability
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment#selector) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="13" +resource "kubernetes_deployment" "example" { + metadata { + name = "terraform-example" + labels = { + k8s-app = "prometheus" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + + +resource "kubernetes_pod_disruption_budget" "demo" { + metadata { + name = "demo" + } + spec { + max_unavailable = "20%" + selector { + match_labels = { + test = "MyExampleApp" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_deployment" "example2" { + metadata { + name = "terraform-example" + labels = { + k8s-app2 = "prometheus2" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app2 = "prometheus2" + } + } + + template { + metadata { + labels = { + k8s-app2 = "prometheus2" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + + +resource "kubernetes_pod_disruption_budget" "demo2" { + metadata { + name = "demo" + } + spec { + max_unavailable = "20%" + selector { + match_labels = { + k8s-app2 = "prometheus2" + } + } + } +} + + + +resource "kubernetes_deployment" "example3" { + metadata { + name = "terraform-example" + labels = { + k8s-app2 = "prometheus2" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + k8s-app2 = "kubernetes_pod_disruption_budget.demo2.spec.selector.0.match_labels.k8s-app2" + } + } + + template { + metadata { + labels = { + k8s-app2 = "prometheus2" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/a62a99d1-8196-432f-8f80-3c100b05d62a.md b/docs/queries/terraform-queries/a62a99d1-8196-432f-8f80-3c100b05d62a.md new file mode 100644 index 00000000000..bff5dec8925 --- /dev/null 
+++ b/docs/queries/terraform-queries/a62a99d1-8196-432f-8f80-3c100b05d62a.md @@ -0,0 +1,280 @@ +--- +title: Volume Mount With OS Directory Write Permissions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a62a99d1-8196-432f-8f80-3c100b05d62a +- **Query name:** Volume Mount With OS Directory Write Permissions +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/volume_mount_with_os_directory_write_permissions) + +### Description +Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#volume_mount) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + container { + volume_mount { + name = "config-volume" + mount_path = "/bin" + } + + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="11" +resource "kubernetes_pod" "test2" { + metadata { + name = "terraform-example" + } + + spec { + container { + volume_mount { + name = "config-volume" + mount_path = "/bin" + read_only = false + } + + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="12" +resource "kubernetes_pod" "test3" { + metadata { + name = "terraform-example" + } + + spec { + container { + volume_mount = [ + { + name = "config-volume" + mount_path = "/bin" + read_only = false + } + + ] + + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "testttt" { + metadata { + name = "terraform-example" + } + + spec { + container { + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md b/docs/queries/terraform-queries/a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md new file mode 100644 index 00000000000..89b2eb2a79c --- /dev/null +++ b/docs/queries/terraform-queries/a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9.md 
@@ -0,0 +1,127 @@ +--- +title: PSP Set To Privileged +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a6a4d4fc-4e8f-47d1-969f-e9d4a084f3b9 +- **Query name:** PSP Set To Privileged +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/psp_set_to_privileged) + +### Description +Do not allow pod to request execution as privileged.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#privileged) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "kubernetes_pod_security_policy" "example" { + metadata { + name = "terraform-example" + } + spec { + privileged = true + allow_privilege_escalation = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod_security_policy" "example2" { + metadata { + name = "terraform-example" + } + spec { + privileged = false + allow_privilege_escalation = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + +``` diff --git a/docs/queries/terraform-queries/a737be28-37d8-4bff-aa6d-1be8aa0a0015.md b/docs/queries/terraform-queries/a737be28-37d8-4bff-aa6d-1be8aa0a0015.md new file mode 100644 index 00000000000..4c2a780b1d6 --- /dev/null +++ b/docs/queries/terraform-queries/a737be28-37d8-4bff-aa6d-1be8aa0a0015.md 
@@ -0,0 +1,263 @@ +--- +title: Workload Mounting With Sensitive OS Directory +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a737be28-37d8-4bff-aa6d-1be8aa0a0015 +- **Query name:** Workload Mounting With Sensitive OS Directory +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/workload_mounting_with_sensitive_os_directory) + +### Description +Workload is mounting a volume with sensitive OS Directory
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_path) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="112 53" +resource "kubernetes_pod" "test1" { + metadata { + name = "terraform-example1" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + volume { + host_path { + path = "/var/log" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_persistent_volume" "test2" { + metadata { + name = "terraform-example2" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + volume { + host_path { + path = "/var/log" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_pod" "test3" { + metadata { + name = "terraform-example3" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_persistent_volume" "test4" { + metadata { + name = "terraform-example4" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md b/docs/queries/terraform-queries/a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md new file mode 100644 index 00000000000..d3126d7ea13 --- /dev/null +++ b/docs/queries/terraform-queries/a9174d31-d526-4ad9-ace4-ce7ddbf52e03.md 
@@ -0,0 +1,258 @@ +--- +title: Cluster Allows Unsafe Sysctls +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a9174d31-d526-4ad9-ace4-ce7ddbf52e03 +- **Query name:** Cluster Allows Unsafe Sysctls +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/cluster_allows_unsafe_sysctls) + +### Description +A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not have an unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod_security_policy#allowed_unsafe_sysctls) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "kubernetes_pod_security_policy" "example" { + metadata { + name = "terraform-example" + } + spec { + allowed_unsafe_sysctls = ["kernel.msg*"] + privileged = false + allow_privilege_escalation = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" + +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + security_context { + sysctl = [ + { + name = "net.core.somaxconn" + value = "1024" + } + ] + } + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_pod_security_policy" "exampleW" { + metadata { + name = "terraform-example" + } + spec { + privileged = false + allow_privilege_escalation = false + + volumes = [ + "configMap", + "emptyDir", + "projected", + "secret", + "downwardAPI", + "persistentVolumeClaim", + ] + + run_as_user { + rule = "MustRunAsNonRoot" + } + + se_linux { + rule = "RunAsAny" + } + + supplemental_groups { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + fs_group { + rule = "MustRunAs" + range { + min = 1 + max = 65535 + } + } + + read_only_root_filesystem = true + } +} + + +``` +```tf title="Negative test num. 2 - tf file" + +resource "kubernetes_pod" "test2" { + metadata { + name = "terraform-example" + } + + spec { + security_context { + sysctl = [ + { + name = "kernel.shm_rmid_forced" + value = "0" + } + ] + } + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/a9a13d4f-f17a-491b-b074-f54bffffcb4a.md b/docs/queries/terraform-queries/a9a13d4f-f17a-491b-b074-f54bffffcb4a.md new file mode 100644 index 00000000000..be3fc827a43 --- /dev/null +++ b/docs/queries/terraform-queries/a9a13d4f-f17a-491b-b074-f54bffffcb4a.md 
@@ -0,0 +1,457 @@ +--- +title: Service Account Token Automount Not Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a9a13d4f-f17a-491b-b074-f54bffffcb4a +- **Query name:** Service Account Token Automount Not Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/service_account_token_automount_not_disabled) + +### Description +Service Account Tokens are automatically mounted even if not necessary
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#automount_service_account_token) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="88 25 162 144" +resource "kubernetes_deployment" "example" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + + +resource "kubernetes_daemonset" "example2" { + metadata { + name = "terraform-example" + namespace = "something" + labels = { + test = "MyExampleApp" + } + } + + spec { + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + + automount_service_account_token = true + + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + } + } + } +} + +resource "kubernetes_cron_job" "demo3" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + 
job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata {} + spec { + automount_service_account_token = true + container { + name = "hello" + image = "busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } + } + } + } + } +} + +resource "kubernetes_pod" "test6" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_deployment" "example9" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + automount_service_account_token = false + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + } + } + } +} + + +resource "kubernetes_daemonset" "example22" { + metadata { + name = "terraform-example" + namespace = "something" + labels = { + test = "MyExampleApp" + } + } + + spec { + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + + automount_service_account_token = false + + container { + image = "nginx:1.7.8" + name = "example" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + + } + } + } + } +} + +resource "kubernetes_cron_job" "demo32" { + metadata { + name = "demo" + } + spec { + concurrency_policy = "Replace" + failed_jobs_history_limit = 5 + schedule = "1 0 * * *" + starting_deadline_seconds = 10 + successful_jobs_history_limit = 10 + job_template { + metadata {} + spec { + backoff_limit = 2 + ttl_seconds_after_finished = 10 + template { + metadata {} + spec { + automount_service_account_token = false + container { + name = "hello" + image = 
"busybox" + command = ["/bin/sh", "-c", "date; echo Hello from the Kubernetes cluster"] + } + } + } + } + } + } +} + +resource "kubernetes_pod" "test62" { + metadata { + name = "terraform-example" + } + + spec { + automount_service_account_token = false + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md b/docs/queries/terraform-queries/aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md new file mode 100644 index 00000000000..5d730de5a68 --- /dev/null +++ b/docs/queries/terraform-queries/aa737abf-6b1d-4aba-95aa-5c160bd7f96e.md @@ -0,0 +1,122 @@ +--- +title: Image Pull Policy Of The Container Is Not Set To Always +hide: + toc: true + navigation: true +--- + + + +- **Query id:** aa737abf-6b1d-4aba-95aa-5c160bd7f96e +- **Query name:** Image Pull Policy Of The Container Is Not Set To Always +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/image_pull_policy_of_container_is_not_always) + +### Description +Image Pull Policy of the container must be defined and set to Always
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image_pull_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="12" +resource "kubernetes_pod" "busybox" { + metadata { + name = "busybox-tf" + } + + spec { + container { + image = "busybox" + command = ["sleep", "3600"] + name = "busybox" + + image_pull_policy = "IfNotPresent" + } + + restart_policy = "Always" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="30" + +resource "kubernetes_deployment" "example" { + metadata { + name = "terraform-example" + labels = { + test = "MyExampleApp" + } + } + + spec { + replicas = 3 + + selector { + match_labels = { + test = "MyExampleApp" + } + } + + template { + metadata { + labels = { + test = "MyExampleApp" + } + } + + spec { + container { + image = "nginx:1.7.8" + name = "example" + image_pull_policy = "IfNotPresent" + + resources { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "busybox" { + metadata { + name = "busybox-tf" + } + + spec { + container { + image = "busybox" + command = ["sleep", "3600"] + name = "busybox" + + image_pull_policy = "Always" + } + + restart_policy = "Always" + } +} + +``` diff --git a/docs/queries/terraform-queries/abcb818b-5af7-4d72-aba9-6dd84956b451.md b/docs/queries/terraform-queries/abcb818b-5af7-4d72-aba9-6dd84956b451.md new file mode 100644 index 00000000000..9a41a1b380b --- /dev/null +++ b/docs/queries/terraform-queries/abcb818b-5af7-4d72-aba9-6dd84956b451.md 
@@ -0,0 +1,64 @@ +--- +title: Using Default Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** abcb818b-5af7-4d72-aba9-6dd84956b451 +- **Query name:** Using Default Namespace +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/using_default_namespace) + +### Description +The default namespace should not be used
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#namespace) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9 4" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + namespace = "default" + } +} + +resource "kubernetes_cron_job" "test2" { + metadata { + name = "terraform-example" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "test3" { + metadata { + name = "terraform-example" + namespace = "terraform-namespace" + } +} + +resource "kubernetes_cron_job" "test4" { + metadata { + name = "terraform-example" + namespace = "terraform-namespace" + } +} + +``` diff --git a/docs/queries/terraform-queries/ac1564a3-c324-4747-9fa1-9dfc234dace0.md b/docs/queries/terraform-queries/ac1564a3-c324-4747-9fa1-9dfc234dace0.md new file mode 100644 index 00000000000..184ec4f0ac9 --- /dev/null +++ b/docs/queries/terraform-queries/ac1564a3-c324-4747-9fa1-9dfc234dace0.md @@ -0,0 +1,145 @@ +--- +title: Shared Host Network Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ac1564a3-c324-4747-9fa1-9dfc234dace0 +- **Query name:** Shared Host Network Namespace +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/shared_host_network_namespace) + +### Description +Container should not share the host network namespace
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_network) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "kubernetes_pod" "test" { + metadata { + name = "terraform-example" + } + + spec { + host_network = true + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "test2" { + metadata { + name = "terraform-example" + } + + spec { + host_network = false + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/ad69e38a-d92e-4357-a8da-f2f29d545883.md b/docs/queries/terraform-queries/ad69e38a-d92e-4357-a8da-f2f29d545883.md new file mode 100644 index 00000000000..e4e09373686 --- /dev/null 
+++ b/docs/queries/terraform-queries/ad69e38a-d92e-4357-a8da-f2f29d545883.md @@ -0,0 +1,344 @@ +--- +title: Pod or Container Without Security Context +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ad69e38a-d92e-4357-a8da-f2f29d545883 +- **Query name:** Pod or Container Without Security Context +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/pod_or_container_without_security_context) + +### Description +A security context defines privilege and access control settings for a Pod or Container
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#security_context) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="93 6 7" +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + security_context = { + allow_privilege_escalation = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = 
"use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "kubernetes_pod" "negative4" { + metadata { + name = "terraform-example" + } + + spec { + security_context = { + allow_privilege_escalation = false + } + + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + allow_privilege_escalation = false + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + allow_privilege_escalation = false + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative5" { + metadata { + name = "terraform-example" + } + + spec { + security_context = { + allow_privilege_escalation = false + } + + container { + image = "nginx:1.7.9" + name = "example" + + security_context = { + allow_privilege_escalation = false + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + 
+ dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/05db341e-de7d-4972-a106-3e2bd5ee53e1.md b/docs/queries/terraform-queries/alicloud/05db341e-de7d-4972-a106-3e2bd5ee53e1.md new file mode 100644 index 00000000000..71b9b13bdee --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/05db341e-de7d-4972-a106-3e2bd5ee53e1.md @@ -0,0 +1,63 @@ +--- +title: OSS Bucket Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 05db341e-de7d-4972-a106-3e2bd5ee53e1 +- **Query name:** OSS Bucket Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_logging_disabled) + +### Description +OSS Bucket should have logging enabled, for better visibility of resources and objects.
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#logging) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_oss_bucket" "bucket_logging2" { + bucket = "bucket-170309-acl" + acl = "public-read" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="3" +resource "alicloud_oss_bucket" "bucket_logging1" { + bucket = "bucket-170309-logging" + logging_isenable = false + + logging { + target_bucket = alicloud_oss_bucket.bucket-target.id + target_prefix = "log/" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_oss_bucket" "bucket_logging1" { + bucket = "bucket-170309-logging" + + logging { + target_bucket = alicloud_oss_bucket.bucket-target.id + target_prefix = "log/" + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/063234c0-91c0-4ab5-bbd0-47ddb5f23786.md b/docs/queries/terraform-queries/alicloud/063234c0-91c0-4ab5-bbd0-47ddb5f23786.md new file mode 100644 index 00000000000..1a4ee2598c5 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/063234c0-91c0-4ab5-bbd0-47ddb5f23786.md @@ -0,0 +1,74 @@ +--- +title: Ram Account Password Policy Not Required Numbers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 063234c0-91c0-4ab5-bbd0-47ddb5f23786 +- **Query name:** Ram Account Password Policy Not Required Numbers +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_numbers) + +### Description +Ram Account Password Policy should have 'require_numbers' set to true
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_numbers) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = true + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/140869ea-25f2-40d4-a595-0c0da135114e.md b/docs/queries/terraform-queries/alicloud/140869ea-25f2-40d4-a595-0c0da135114e.md new file mode 100644 index 00000000000..2dcef39c036 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/140869ea-25f2-40d4-a595-0c0da135114e.md 
@@ -0,0 +1,96 @@ +--- +title: RDS Instance Log Connections Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 140869ea-25f2-40d4-a595-0c0da135114e +- **Query name:** RDS Instance Log Connections Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/rds_instance_log_connections_disabled) + +### Description +'log_connections' parameter should be set to ON for RDS instances
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="14" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_connections" + value = "OFF" + }] +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_connections" + value = "ON" + }] +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/1455cb21-1d48-46d6-8ae3-cef911b71fd5.md b/docs/queries/terraform-queries/alicloud/1455cb21-1d48-46d6-8ae3-cef911b71fd5.md new file mode 100644 index 00000000000..c5026ad43f9 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/1455cb21-1d48-46d6-8ae3-cef911b71fd5.md 
@@ -0,0 +1,212 @@ +--- +title: Launch Template Is Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1455cb21-1d48-46d6-8ae3-cef911b71fd5 +- **Query name:** Launch Template Is Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/launch_template_is_not_encrypted) + +### Description +ECS Launch Template should have the data in the disk encrypted. To encrypt the data, the 'encrypted' argument should be set to true.
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/launch_template#encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="36" +data "alicloud_images" "images" { + owners = "system" +} + +data "alicloud_instances" "instances" { +} + +resource "alicloud_launch_template" "templatepos1" { + name = "tf-test-template" + description = "test1" + image_id = data.alicloud_images.images.images[0].id + host_name = "tf-test-host" + instance_charge_type = "PrePaid" + instance_name = "tf-instance-name" + instance_type = data.alicloud_instances.instances.instances[0].instance_type + internet_charge_type = "PayByBandwidth" + internet_max_bandwidth_in = 5 + internet_max_bandwidth_out = 0 + io_optimized = "none" + key_pair_name = "test-key-pair" + ram_role_name = "xxxxx" + network_type = "vpc" + security_enhancement_strategy = "Active" + spot_price_limit = 5 + spot_strategy = "SpotWithPriceLimit" + security_group_id = "sg-zxcvj0lasdf102350asdf9a" + system_disk_category = "cloud_ssd" + system_disk_description = "test disk" + system_disk_name = "hello" + system_disk_size = 40 + resource_group_id = "rg-zkdfjahg9zxncv0" + userdata = "xxxxxxxxxxxxxx" + vswitch_id = "sw-ljkngaksdjfj0nnasdf" + vpc_id = "vpc-asdfnbg0as8dfk1nb2" + zone_id = "beijing-a" + encrypted = false + + tags = { + tag1 = "hello" + tag2 = "world" + } + network_interfaces { + name = "eth0" + description = "hello1" + primary_ip = "10.0.0.2" + security_group_id = "xxxx" + vswitch_id = "xxxxxxx" + } + data_disks { + name = "disk1" + description = "test1" + } + data_disks { + name = "disk2" + description = "test2" + } +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="8" +data "alicloud_images" "images" { + owners = "system" +} + +data "alicloud_instances" "instances" { +} + +resource "alicloud_launch_template" "templatepos2" { + name = "tf-test-template" + description = "test1" + image_id = data.alicloud_images.images.images[0].id + host_name = "tf-test-host" + instance_charge_type = "PrePaid" + instance_name = "tf-instance-name" + instance_type = data.alicloud_instances.instances.instances[0].instance_type + internet_charge_type = "PayByBandwidth" + internet_max_bandwidth_in = 5 + internet_max_bandwidth_out = 0 + io_optimized = "none" + key_pair_name = "test-key-pair" + ram_role_name = "xxxxx" + network_type = "vpc" + security_enhancement_strategy = "Active" + spot_price_limit = 5 + spot_strategy = "SpotWithPriceLimit" + security_group_id = "sg-zxcvj0lasdf102350asdf9a" + system_disk_category = "cloud_ssd" + system_disk_description = "test disk" + system_disk_name = "hello" + system_disk_size = 40 + resource_group_id = "rg-zkdfjahg9zxncv0" + userdata = "xxxxxxxxxxxxxx" + vswitch_id = "sw-ljkngaksdjfj0nnasdf" + vpc_id = "vpc-asdfnbg0as8dfk1nb2" + zone_id = "beijing-a" + + tags = { + tag1 = "hello" + tag2 = "world" + } + network_interfaces { + name = "eth0" + description = "hello1" + primary_ip = "10.0.0.2" + security_group_id = "xxxx" + vswitch_id = "xxxxxxx" + } + data_disks { + name = "disk1" + description = "test1" + } + data_disks { + name = "disk2" + description = "test2" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +data "alicloud_images" "images" { + owners = "system" +} + +data "alicloud_instances" "instances" { +} + +resource "alicloud_launch_template" "templateneg1" { + name = "tf-test-template" + description = "test1" + image_id = data.alicloud_images.images.images[0].id + host_name = "tf-test-host" + instance_charge_type = "PrePaid" + instance_name = "tf-instance-name" + instance_type = data.alicloud_instances.instances.instances[0].instance_type + internet_charge_type = "PayByBandwidth" + internet_max_bandwidth_in = 5 + internet_max_bandwidth_out = 0 + io_optimized = "none" + key_pair_name = "test-key-pair" + ram_role_name = "xxxxx" + network_type = "vpc" + security_enhancement_strategy = "Active" + spot_price_limit = 5 + spot_strategy = "SpotWithPriceLimit" + security_group_id = "sg-zxcvj0lasdf102350asdf9a" + system_disk_category = "cloud_ssd" + system_disk_description = "test disk" + system_disk_name = "hello" + system_disk_size = 40 + resource_group_id = "rg-zkdfjahg9zxncv0" + userdata = "xxxxxxxxxxxxxx" + vswitch_id = "sw-ljkngaksdjfj0nnasdf" + vpc_id = "vpc-asdfnbg0as8dfk1nb2" + zone_id = "beijing-a" + encrypted = true + + tags = { + tag1 = "hello" + tag2 = "world" + } + network_interfaces { + name = "eth0" + description = "hello1" + primary_ip = "10.0.0.2" + security_group_id = "xxxx" + vswitch_id = "xxxxxxx" + } + data_disks { + name = "disk1" + description = "test1" + } + data_disks { + name = "disk2" + description = "test2" + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/1b4565c0-4877-49ac-ab03-adebbccd42ae.md b/docs/queries/terraform-queries/alicloud/1b4565c0-4877-49ac-ab03-adebbccd42ae.md new file mode 100644 index 00000000000..5ccf8f5cba2 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/1b4565c0-4877-49ac-ab03-adebbccd42ae.md 
@@ -0,0 +1,108 @@ +--- +title: RDS DB Instance Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1b4565c0-4877-49ac-ab03-adebbccd42ae +- **Query name:** RDS DB Instance Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/rds_instance_publicly_accessible) + +### Description +'0.0.0.0' or '0.0.0.0/0' should not be in 'security_ips' list
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#security_ips) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + security_ips = [ + "0.0.0.0", + "10.23.12.24/24" + ] + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="7" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + security_ips = [ + "0.0.0.0/0", + "10.23.12.24/24" + ] + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + security_ips = [ + "10.23.12.24" + ] + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md b/docs/queries/terraform-queries/alicloud/1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md new file mode 100644 index 00000000000..33c3a523ec1 
--- /dev/null +++ b/docs/queries/terraform-queries/alicloud/1bcdf9f0-b1aa-40a4-b8c6-cd7785836843.md @@ -0,0 +1,178 @@ +--- +title: API Gateway API Protocol Not HTTPS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1bcdf9f0-b1aa-40a4-b8c6-cd7785836843 +- **Query name:** API Gateway API Protocol Not HTTPS +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/api_gateway_api_protocol_not_https) + +### Description +API Gateway API protocol should be set to HTTPS
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/api_gateway_api#protocol) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +resource "alicloud_api_gateway_group" "apiGroup" { + name = "ApiGatewayGroup" + description = "description of the api group" +} + +resource "alicloud_api_gateway_api" "apiGatewayApi" { + name = alicloud_api_gateway_group.apiGroup.name + group_id = alicloud_api_gateway_group.apiGroup.id + description = "your description" + auth_type = "APP" + force_nonce_check = false + + request_config { + protocol = "HTTP" + method = "GET" + path = "/test/path1" + mode = "MAPPING" + } + + service_type = "HTTP" + + http_service_config { + address = "http://apigateway-backend.alicloudapi.com:8080" + method = "GET" + path = "/web/cloudapi" + timeout = 12 + aone_name = "cloudapi-openapi" + } + + request_parameters { + name = "aaa" + type = "STRING" + required = "OPTIONAL" + in = "QUERY" + in_service = "QUERY" + name_service = "testparams" + } + + stage_names = [ + "RELEASE", + "TEST", + ] +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="21 14" +resource "alicloud_api_gateway_group" "apiGroup" { + name = "ApiGatewayGroup" + description = "description of the api group" +} + +resource "alicloud_api_gateway_api" "apiGatewayApi" { + name = alicloud_api_gateway_group.apiGroup.name + group_id = alicloud_api_gateway_group.apiGroup.id + description = "your description" + auth_type = "APP" + force_nonce_check = false + + request_config { + protocol = "HTTP" + method = "GET" + path = "/test/path1" + mode = "MAPPING" + } + + request_config { + protocol = "HTTP" + method = "GET" + path = "/test/path2" + mode = "MAPPING" + } + + service_type = "HTTP" + + http_service_config { + address = "http://apigateway-backend.alicloudapi.com:8080" + method = "GET" + path = "/web/cloudapi" + timeout = 12 + aone_name = "cloudapi-openapi" + } + + request_parameters { + name = "aaa" + type = "STRING" + required = "OPTIONAL" + in = "QUERY" + in_service = "QUERY" + name_service = "testparams" + } + + stage_names = [ + "RELEASE", + "TEST", + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "alicloud_api_gateway_group" "apiGroup" { + name = "ApiGatewayGroup" + description = "description of the api group" +} + +resource "alicloud_api_gateway_api" "apiGatewayApi" { + name = alicloud_api_gateway_group.apiGroup.name + group_id = alicloud_api_gateway_group.apiGroup.id + description = "your description" + auth_type = "APP" + force_nonce_check = false + + request_config { + protocol = "HTTPS" + method = "GET" + path = "/test/path1" + mode = "MAPPING" + } + + service_type = "HTTP" + + http_service_config { + address = "https://apigateway-backend.alicloudapi.com:8080" + method = "GET" + path = "/web/cloudapi" + timeout = 12 + aone_name = "cloudapi-openapi" + } + + request_parameters { + name = "aaa" + type = "STRING" + required = "OPTIONAL" + in = "QUERY" + in_service = "QUERY" + name_service = "testparams" + } + + stage_names = [ + "RELEASE", + "TEST", + ] +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md b/docs/queries/terraform-queries/alicloud/2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md new file mode 100644 index 00000000000..023255dcb46 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/2ae9d554-23fb-4065-bfd1-fe43d5f7c419.md @@ -0,0 +1,118 @@ +--- +title: Public Security Group Rule Sensitive Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2ae9d554-23fb-4065-bfd1-fe43d5f7c419 +- **Query name:** Public Security Group Rule Sensitive Port +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/public_security_group_rule_sensitive_port) + +### Description +A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "tcp" + nic_type = "internet" + policy = "accept" + port_range = "19/20" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "0.0.0.0/0" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="10" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "udp" + nic_type = "internet" + policy = "accept" + port_range = "4333/4334" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "0.0.0.0/0" +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="10" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "all" + nic_type = "internet" + policy = "accept" + port_range = "444/445" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "0.0.0.0/0" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "tcp" + nic_type = "internet" + policy = "accept" + port_range = "1/65535" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "10.159.6.18/12" +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "icmp" + nic_type = "internet" + policy = "accept" + port_range = "1/65535" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "0.0.0.0/0" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/2b13c6ff-b87a-484d-86fd-21ef6e97d426.md b/docs/queries/terraform-queries/alicloud/2b13c6ff-b87a-484d-86fd-21ef6e97d426.md new file mode 100644 index 00000000000..6df46a5c7ea --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/2b13c6ff-b87a-484d-86fd-21ef6e97d426.md @@ -0,0 +1,51 @@ +--- +title: OSS Bucket Has Static Website +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2b13c6ff-b87a-484d-86fd-21ef6e97d426 +- **Query name:** OSS Bucket Has Static Website +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_has_static_website) + +### Description +Checks if any static websties are hosted on buckets. Be aware of any website you are running.
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#website) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "alicloud_oss_bucket" "bucket-website1" { + bucket = "bucket-1-website" + + website { + index_document = "index.html" + error_document = "error.html" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_oss_bucket" "bucket-acl1" { + bucket = "bucket-1-acl" + acl = "private" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/2bb13841-7575-439e-8e0a-cccd9ede2fa8.md b/docs/queries/terraform-queries/alicloud/2bb13841-7575-439e-8e0a-cccd9ede2fa8.md new file mode 100644 index 00000000000..f0f721dc2d7 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/2bb13841-7575-439e-8e0a-cccd9ede2fa8.md @@ -0,0 +1,88 @@ +--- +title: Ram Account Password Policy Max Password Age Unrecommended +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2bb13841-7575-439e-8e0a-cccd9ede2fa8 +- **Query name:** Ram Account Password Policy Max Password Age Unrecommended +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_account_password_policy_max_password_age_unrecommended) + +### Description +Ram Account Password Policy Password 'max_password_age' should be higher than 0 and lower than 91
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_password_age) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="8" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 92 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="8" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 0 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` 
diff --git a/docs/queries/terraform-queries/alicloud/39750e32-3fe9-453b-8c33-dd277acdb2cc.md b/docs/queries/terraform-queries/alicloud/39750e32-3fe9-453b-8c33-dd277acdb2cc.md new file mode 100644 index 00000000000..6ce17efee7d --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/39750e32-3fe9-453b-8c33-dd277acdb2cc.md @@ -0,0 +1,80 @@ +--- +title: Disk Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 39750e32-3fe9-453b-8c33-dd277acdb2cc +- **Query name:** Disk Encryption Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/disk_encryption_disabled) + +### Description +Disks should have encryption enabled
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/disk#encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_disk" "disk_encryption1" { + # cn-beijing + availability_zone = "cn-beijing-b" + name = "New-disk" + description = "Hello ecs disk." + category = "cloud_efficiency" + size = "30" + tags = { + Name = "TerraformTest" + } +} + + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="8" +resource "alicloud_disk" "disk_encryption2" { + # cn-beijing + availability_zone = "cn-beijing-b" + name = "New-disk" + description = "Hello ecs disk." + category = "cloud_efficiency" + size = "30" + encrypted = false + kms_key_id = "2a6767f0-a16c-4679-a60f-13bf*****" + tags = { + Name = "TerraformTest" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_disk" "disk_encryption3" { + # cn-beijing + availability_zone = "cn-beijing-b" + name = "New-disk" + description = "Hello ecs disk." + category = "cloud_efficiency" + size = "30" + encrypted = true + kms_key_id = "2a6767f0-a16c-4679-a60f-13bf*****" + tags = { + Name = "TerraformTest" + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/41a38329-d81b-4be4-aef4-55b2615d3282.md b/docs/queries/terraform-queries/alicloud/41a38329-d81b-4be4-aef4-55b2615d3282.md new file mode 100644 index 00000000000..4d54a211a40 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/41a38329-d81b-4be4-aef4-55b2615d3282.md 
@@ -0,0 +1,61 @@ +--- +title: RAM Account Password Policy Not Required Symbols +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 41a38329-d81b-4be4-aef4-55b2615d3282 +- **Query name:** RAM Account Password Policy Not Required Symbols +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_symbols) + +### Description +RAM account password security should require at least one symbol
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_symbols) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "alicloud_ram_account_password_policy" "corporate2" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_ram_account_password_policy" "corporate1" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = true + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/44d434ca-a9bf-4203-8828-4c81a8d5a598.md b/docs/queries/terraform-queries/alicloud/44d434ca-a9bf-4203-8828-4c81a8d5a598.md new file mode 100644 index 00000000000..69ce780e6f5 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/44d434ca-a9bf-4203-8828-4c81a8d5a598.md @@ -0,0 +1,162 @@ +--- +title: RDS Instance TDE Status Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 44d434ca-a9bf-4203-8828-4c81a8d5a598 +- **Query name:** RDS Instance TDE Status Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/rds_instance_tde_status_disabled) + +### Description +tde_status parameter should be Enabled for supported RDS instances
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#tde_status) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + tde_status = "Disabled" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "8" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="6" +resource "alicloud_db_instance" "default" { + engine = "SQLServer" + engine_version = "2019_std_ha" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + tde_status = "Disabled" + parameters = [] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "alicloud_db_instance" "default" { + engine = "SQLServer" + engine_version = "2016_ent_ha" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + tde_status = "Enabled" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "8" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + tde_status = "Enabled" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "alicloud_db_instance" "default" { + engine = "SQLServer" + engine_version = "2019_std_ha" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + tde_status = "Enabled" + parameters = [] +} + +``` +
Negative test num. 4 - tf file + +```tf +resource "alicloud_db_instance" "default" { + engine = "SQLServer" + engine_version = "2016_ent_ha" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + tde_status = "Enabled" + parameters = [] +} + +``` +
+
Negative test num. 5 - tf file + +```tf +resource "alicloud_db_instance" "default" { + engine = "SQLServer" + engine_version = "2012_web" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [] +} + +``` +
diff --git a/docs/queries/terraform-queries/alicloud/4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md b/docs/queries/terraform-queries/alicloud/4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md new file mode 100644 index 00000000000..1a66e72a4f7 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/4bb06fa1-2114-4a00-b7b5-6aeab8b896f0.md @@ -0,0 +1,61 @@ +--- +title: ROS Stack Retention Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4bb06fa1-2114-4a00-b7b5-6aeab8b896f0 +- **Query name:** ROS Stack Retention Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ros_stack_retention_disabled) + +### Description +The retain_stacks should be enabled to keep the Stack upon deleting the stack instance from the stack group
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack_instance#retain_stacks) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 6" +resource "alicloud_ros_stack_instance" "example" { + stack_group_name = alicloud_ros_stack_group.example.stack_group_name + stack_instance_account_id = "example_value" + stack_instance_region_id = data.alicloud_ros_regions.example.regions.0.region_id + operation_preferences = "{\"FailureToleranceCount\": 1, \"MaxConcurrentCount\": 2}" + retain_stacks = false + parameter_overrides { + parameter_value = "VpcName" + parameter_key = "VpcName" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_ros_stack_instance" "example" { + stack_group_name = alicloud_ros_stack_group.example.stack_group_name + stack_instance_account_id = "example_value" + stack_instance_region_id = data.alicloud_ros_regions.example.regions.0.region_id + operation_preferences = "{\"FailureToleranceCount\": 1, \"MaxConcurrentCount\": 2}" + retain_stacks = true + parameter_overrides { + parameter_value = "VpcName" + parameter_key = "VpcName" + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/5e0fb613-ba9b-44c3-88f0-b44188466bfd.md b/docs/queries/terraform-queries/alicloud/5e0fb613-ba9b-44c3-88f0-b44188466bfd.md new file mode 100644 index 00000000000..16b3fbb02e8 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/5e0fb613-ba9b-44c3-88f0-b44188466bfd.md 
@@ -0,0 +1,74 @@ +--- +title: RAM Account Password Policy Not Require at Least one Uppercase Character +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5e0fb613-ba9b-44c3-88f0-b44188466bfd +- **Query name:** RAM Account Password Policy Not Require at Least one Uppercase Character +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_uppercase_character) + +### Description +Ram Account Password Policy should have 'require_uppercase_characters' set to true
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_uppercase_characters) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = true + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/5f670f9d-b1b4-4c90-8618-2288f1ab9676.md b/docs/queries/terraform-queries/alicloud/5f670f9d-b1b4-4c90-8618-2288f1ab9676.md new file mode 100644 index 00000000000..e4839f8031e --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/5f670f9d-b1b4-4c90-8618-2288f1ab9676.md 
@@ -0,0 +1,51 @@ +--- +title: NAS File System Without KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5f670f9d-b1b4-4c90-8618-2288f1ab9676 +- **Query name:** NAS File System Without KMS +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/nas_file_system_without_kms) + +### Description +NAS File System should have encryption provided by user KMS
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/nas_file_system#kms_key_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 5" +resource "alicloud_nas_file_system" "foo" { + protocol_type = "NFS" + storage_type = "Performance" + description = "tf-testAccNasConfig" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_nas_file_system" "foo" { + protocol_type = "NFS" + storage_type = "Performance" + description = "tf-testAccNasConfig" + encrypt_type = "2" + kms_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/60587dbd-6b67-432e-90f7-a8cf1892d968.md b/docs/queries/terraform-queries/alicloud/60587dbd-6b67-432e-90f7-a8cf1892d968.md new file mode 100644 index 00000000000..565faf74875 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/60587dbd-6b67-432e-90f7-a8cf1892d968.md @@ -0,0 +1,118 @@ +--- +title: Public Security Group Rule All Ports or Protocols +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 60587dbd-6b67-432e-90f7-a8cf1892d968 +- **Query name:** Public Security Group Rule All Ports or Protocols +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/public_security_group_rule_all_ports_or_protocols) + +### Description +Alicloud Security Group Rule should not allow all ports or all protocols to the public
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#cidr_ip) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="13" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "all" + nic_type = "internet" + policy = "accept" + port_range = "-1/-1" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "0.0.0.0/0" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="13" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "gre" + nic_type = "internet" + policy = "accept" + port_range = "-1/-1" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "0.0.0.0/0" +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="13" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "tcp" + nic_type = "internet" + policy = "accept" + port_range = "1/65535" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "0.0.0.0/0" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "tcp" + nic_type = "internet" + policy = "accept" + port_range = "1/65535" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "10.159.6.18/12" +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "icmp" + nic_type = "internet" + policy = "accept" + port_range = "-1/-1" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "10.159.6.18/12" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/6107c530-7178-464a-88bc-df9cdd364ac8.md b/docs/queries/terraform-queries/alicloud/6107c530-7178-464a-88bc-df9cdd364ac8.md new file mode 100644 index 00000000000..241789d90a5 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/6107c530-7178-464a-88bc-df9cdd364ac8.md @@ -0,0 +1,151 @@ +--- +title: OSS Bucket Ip Restriction Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6107c530-7178-464a-88bc-df9cdd364ac8 +- **Query name:** OSS Bucket Ip Restriction Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_ip_restriction_disabled) + +### Description +OSS Bucket should have ip restricted access
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "alicloud_oss_bucket" "bucket-policy" { + bucket = "bucket-170309-policy" + acl = "private" + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 62232513-b16f-4010-83d7-51d0e1d45426 +- **Query name:** OSS Bucket Public Access Enabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_public_access_enabled) + +### Description +OSS Bucket should have public access disabled
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#acl) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +resource "alicloud_oss_bucket" "bucket_public_access_enabled2" { + bucket = "bucket-170309-acl" + acl = "public-read" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="3" +resource "alicloud_oss_bucket" "bucket_public_access_enabled3" { + bucket = "bucket-170309-acl" + acl = "public-read-write" +} + +resource "alicloud_oss_bucket" "bucket-logging" { + bucket = "bucket-170309-logging" + + logging { + target_bucket = alicloud_oss_bucket.bucket-target.id + target_prefix = "log/" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_oss_bucket" "bucket_public_access_enabled1" { + bucket = "bucket-170309-acl" + acl = "private" +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_oss_bucket" "bucket_public_access_enabled4" { + bucket = "bucket-170309-acl" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/66505003-7aba-45a1-8d83-5162d5706ef5.md b/docs/queries/terraform-queries/alicloud/66505003-7aba-45a1-8d83-5162d5706ef5.md new file mode 100644 index 00000000000..0894c745b2b --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/66505003-7aba-45a1-8d83-5162d5706ef5.md @@ -0,0 +1,170 @@ +--- +title: Ram Policy Attached to User +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 66505003-7aba-45a1-8d83-5162d5706ef5 +- **Query name:** Ram Policy Attached to User +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_policy_attached_to_user) + +### Description +Ram policies should not be attached to users
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_user_policy_attachment) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="35" +# Create a RAM User Policy attachment. +resource "alicloud_ram_user" "user1" { + name = "userName" + display_name = "user_display_name" + mobile = "86-18688888888" + email = "hello.uuu@aaa.com" + comments = "yoyoyo" + force = true +} + +resource "alicloud_ram_policy" "policy1" { + name = "policyName" + document = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 67bfdff1-31ce-4525-b564-e94368735360 +- **Query name:** NAS File System Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/nas_file_system_not_encrypted) + +### Description +NAS File System must be encrypted
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/nas_file_system#encrypt_type) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 5" +resource "alicloud_nas_file_system" "foopos" { + protocol_type = "NFS" + storage_type = "Performance" + description = "tf-testAccNasConfig" + encrypt_type = "0" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_nas_file_system" "foo" { + protocol_type = "NFS" + storage_type = "Performance" + description = "tf-testAccNasConfig" + encrypt_type = "1" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md b/docs/queries/terraform-queries/alicloud/69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md new file mode 100644 index 00000000000..7a63ad26a81 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/69b5d7da-a5db-4db9-a42e-90b65d0efb0b.md @@ -0,0 +1,93 @@ +--- +title: ActionTrail Trail OSS Bucket is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 69b5d7da-a5db-4db9-a42e-90b65d0efb0b +- **Query name:** ActionTrail Trail OSS Bucket is Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/actiontrail_trail_oss_bucket_is_publicly_accessible) + +### Description +ActionTrail Trail OSS Bucket should not be publicly accessible
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +resource "alicloud_oss_bucket" "bucket_actiontrail3" { + bucket = "bucket_actiontrail_3" + acl = "public-read" +} + +resource "alicloud_actiontrail_trail" "actiontrail3" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_actiontrail_3" + event_rw = "All" + trail_region = "All" +} + + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="3" +resource "alicloud_oss_bucket" "bucket_actiontrail4" { + bucket = "bucket_actiontrail_4" + acl = "public-read-write" +} + +resource "alicloud_actiontrail_trail" "actiontrail4" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_actiontrail_4" + event_rw = "All" + trail_region = "All" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_oss_bucket" "bucket_actiontrail1" { + bucket = "bucket_actiontrail_1" + acl = "private" +} + +resource "alicloud_actiontrail_trail" "actiontrail1" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_actiontrail_1" + event_rw = "All" + trail_region = "All" +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_oss_bucket" "bucket_actiontrail2" { + bucket = "bucket_actiontrail_2" +} + +resource "alicloud_actiontrail_trail" "actiontrail2" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_actiontrail_2" + event_rw = "All" + trail_region = "All" +} + +``` 
diff --git a/docs/queries/terraform-queries/alicloud/70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md b/docs/queries/terraform-queries/alicloud/70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md new file mode 100644 index 00000000000..f3fbffb50a7 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/70919c0b-2548-4e6b-8d7a-3d84ab6dabba.md @@ -0,0 +1,62 @@ +--- +title: OSS Bucket Versioning Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 70919c0b-2548-4e6b-8d7a-3d84ab6dabba +- **Query name:** OSS Bucket Versioning Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_versioning_disabled) + +### Description +OSS Bucket should have versioning enabled
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#versioning) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "alicloud_oss_bucket" "bucket-versioning2" { + bucket = "bucket-170309-versioning" + acl = "private" + + versioning { + status = "Suspended" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "alicloud_oss_bucket" "bucket-versioning3" { + bucket = "bucket-170309-versioning" + acl = "private" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_oss_bucket" "bucket-versioning1" { + bucket = "bucket-170309-versioning" + acl = "private" + + versioning { + status = "Enabled" + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/72ceb736-0aee-43ea-a191-3a69ab135681.md b/docs/queries/terraform-queries/alicloud/72ceb736-0aee-43ea-a191-3a69ab135681.md new file mode 100644 index 00000000000..77a78d7fa5a --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/72ceb736-0aee-43ea-a191-3a69ab135681.md @@ -0,0 +1,76 @@ +--- +title: No ROS Stack Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 72ceb736-0aee-43ea-a191-3a69ab135681 +- **Query name:** No ROS Stack Policy +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/no_ros_stack_policy) + +### Description +ROS Stack should have a stack policy in order to protect stack resources from and during update actions
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_ros_stack" "pos" { + stack_name = "tf-testaccstack" + template_body = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 7a1ee8a9-71be-4b11-bb70-efb62d16863b +- **Query name:** RDS Instance SSL Action Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/rds_instance_ssl_action_disabled) + +### Description +ssl_action parameter should be set to Open for RDS instances
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#ssl_action) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + ssl_action = "Close" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + ssl_action = "Open" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + ssl_action = "Update" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/7db8bd7e-9772-478c-9ec5-4bc202c5686f.md b/docs/queries/terraform-queries/alicloud/7db8bd7e-9772-478c-9ec5-4bc202c5686f.md new file mode 100644 index 00000000000..22ec057f0ad --- /dev/null 
+++ b/docs/queries/terraform-queries/alicloud/7db8bd7e-9772-478c-9ec5-4bc202c5686f.md @@ -0,0 +1,96 @@ +--- +title: OSS Bucket Lifecycle Rule Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7db8bd7e-9772-478c-9ec5-4bc202c5686f +- **Query name:** OSS Bucket Lifecycle Rule Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_lifecycle_disabled) + +### Description +OSS Bucket should have lifecycle rule enabled and set to true
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#lifecycle_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "alicloud_oss_bucket" "oss_bucket_lifecycle_enabled2" { + bucket = "bucket-170309-lifecycle" + acl = "public-read" + + lifecycle_rule { + id = "rule-days" + prefix = "path1/" + enabled = false + + expiration { + days = 365 + } + } + lifecycle_rule { + id = "rule-date" + prefix = "path2/" + enabled = true + + expiration { + date = "2018-01-12" + } + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "alicloud_oss_bucket" "oss_bucket_lifecycle_enabled3" { + bucket = "bucket-170309-versioning" + acl = "private" + + versioning { + status = "Enabled" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_oss_bucket" "oss_bucket_lifecycle_enabled1" { + bucket = "bucket-170309-lifecycle" + acl = "public-read" + + lifecycle_rule { + id = "rule-days" + prefix = "path1/" + enabled = true + + expiration { + days = 365 + } + } + lifecycle_rule { + id = "rule-date" + prefix = "path2/" + enabled = true + + expiration { + date = "2018-01-12" + } + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/81ce9394-013d-4731-8fcc-9d229b474073.md b/docs/queries/terraform-queries/alicloud/81ce9394-013d-4731-8fcc-9d229b474073.md new file mode 100644 index 00000000000..7d9b35a17ba --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/81ce9394-013d-4731-8fcc-9d229b474073.md 
@@ -0,0 +1,126 @@ +--- +title: CS Kubernetes Node Pool Auto Repair Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 81ce9394-013d-4731-8fcc-9d229b474073 +- **Query name:** CS Kubernetes Node Pool Auto Repair Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/cs_kubernetes_node_pool_auto_repair_disabled) + +### Description +Verifies if Alicloud Container Service Node Pool Auto Repair is Enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes_node_pool#auto_repair) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_cs_kubernetes_node_pool" "default2" { + name = var.name + cluster_id = alicloud_cs_managed_kubernetes.default.0.id + vswitch_ids = [alicloud_vswitch.default.id] + instance_types = [data.alicloud_instance_types.default.instance_types.0.id] + + system_disk_category = "cloud_efficiency" + system_disk_size = 40 + key_name = alicloud_key_pair.default.key_name + + # comment out node_count and specify a new field desired_size + # node_count = 1 + + desired_size = 1 +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="17" +resource "alicloud_cs_kubernetes_node_pool" "default3" { + name = var.name + cluster_id = alicloud_cs_managed_kubernetes.default.0.id + vswitch_ids = [alicloud_vswitch.default.id] + instance_types = [data.alicloud_instance_types.default.instance_types.0.id] + system_disk_category = "cloud_efficiency" + system_disk_size = 40 + + # only key_name is supported in the management node pool + key_name = alicloud_key_pair.default.key_name + + # you need to specify the number of nodes in the node pool, which can be zero + desired_size = 1 + + # management node pool configuration. + management { + auto_repair = false + auto_upgrade = true + surge = 1 + max_unavailable = 1 + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="16" +resource "alicloud_cs_kubernetes_node_pool" "default4" { + name = var.name + cluster_id = alicloud_cs_managed_kubernetes.default.0.id + vswitch_ids = [alicloud_vswitch.default.id] + instance_types = [data.alicloud_instance_types.default.instance_types.0.id] + system_disk_category = "cloud_efficiency" + system_disk_size = 40 + + # only key_name is supported in the management node pool + key_name = alicloud_key_pair.default.key_name + + # you need to specify the number of nodes in the node pool, which can be zero + desired_size = 1 + + # management node pool configuration. + management { + auto_upgrade = true + surge = 1 + max_unavailable = 1 + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_cs_kubernetes_node_pool" "default1" { + name = var.name + cluster_id = alicloud_cs_managed_kubernetes.default.0.id + vswitch_ids = [alicloud_vswitch.default.id] + instance_types = [data.alicloud_instance_types.default.instance_types.0.id] + system_disk_category = "cloud_efficiency" + system_disk_size = 40 + + # only key_name is supported in the management node pool + key_name = alicloud_key_pair.default.key_name + + # you need to specify the number of nodes in the node pool, which can be zero + desired_size = 1 + + # management node pool configuration. + management { + auto_repair = true + auto_upgrade = true + surge = 1 + max_unavailable = 1 + } + +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/88541597-6f88-42c8-bac6-7e0b855e8ff6.md b/docs/queries/terraform-queries/alicloud/88541597-6f88-42c8-bac6-7e0b855e8ff6.md new file mode 100644 index 00000000000..47e336d44bd --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/88541597-6f88-42c8-bac6-7e0b855e8ff6.md 
@@ -0,0 +1,158 @@ +--- +title: OSS Bucket Allows List Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 88541597-6f88-42c8-bac6-7e0b855e8ff6 +- **Query name:** OSS Bucket Allows List Action From All Principals +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_allows_list_action_from_all_principals) + +### Description +OSS Bucket should not allow list action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'List', for all Principals.
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "alicloud_oss_bucket" "bucket-policy1" { + bucket = "bucket-1-policy" + acl = "private" + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 89143358-cec6-49f5-9392-920c591c669c +- **Query name:** Ram Account Password Policy Not Require At Least one Lowercase Character +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_password_security_policy_not_require_at_least_one_lowercase_character) + +### Description +Ram Account Password Policy should have 'require_lowercase_characters' set to true
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#require_lowercase_characters) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = true + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/8c0695d8-2378-4cd6-8243-7fd5894fa574.md b/docs/queries/terraform-queries/alicloud/8c0695d8-2378-4cd6-8243-7fd5894fa574.md new file mode 100644 index 00000000000..01b4ff4d444 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/8c0695d8-2378-4cd6-8243-7fd5894fa574.md 
@@ -0,0 +1,133 @@ +--- +title: OSS Bucket Allows Delete Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8c0695d8-2378-4cd6-8243-7fd5894fa574 +- **Query name:** OSS Bucket Allows Delete Action From All Principals +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_allows_delete_from_all_principals) + +### Description +OSS Bucket should not allow delete action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is DeleteBucket, for all Principals.
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "alicloud_oss_bucket" "bucket-policy1" { + bucket = "bucket-1-policy" + acl = "private" + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 8f98334a-99aa-4d85-b72a-1399ca010413 +- **Query name:** OSS Bucket Transfer Acceleration Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_transfer_acceleration_disabled) + +### Description +OSS Bucket should have transfer acceleration enabled
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#transfer_acceleration) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "alicloud_oss_bucket" "bucket-accelerate" { + bucket = "bucket_name" + + transfer_acceleration { + enabled = false + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "alicloud_oss_bucket" "bucket-accelerate2" { + bucket = "bucket_name" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_oss_bucket" "bucket-accelerate3" { + bucket = "bucket_name" + + transfer_acceleration { + enabled = true + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/9ef08939-ea40-489c-8851-667870b2ef50.md b/docs/queries/terraform-queries/alicloud/9ef08939-ea40-489c-8851-667870b2ef50.md new file mode 100644 index 00000000000..d93a47f5086 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/9ef08939-ea40-489c-8851-667870b2ef50.md @@ -0,0 +1,77 @@ +--- +title: ROS Stack Notifications Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9ef08939-ea40-489c-8851-667870b2ef50 +- **Query name:** ROS Stack Notifications Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ros_stack_notifications_disabled) + +### Description +The ROS Stack Notifications should be defined and populated to receive stack related events
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack#notification_urls) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 3" +resource "alicloud_ros_stack" "example" { + stack_name = "tf-testaccstack" + notification_urls = [] + template_body = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** a597e05a-c065-44e7-9cc8-742f572a504a +- **Query name:** RDS Instance Log Duration Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/rds_instance_log_duration_disabled) + +### Description +log_duration parameter should be set to ON for RDS instances
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_duration" + value = "OFF" + }] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="6" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_duration" + value = "ON" + }] +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/a8128dd2-89b0-464b-98e9-5d629041dfe0.md b/docs/queries/terraform-queries/alicloud/a8128dd2-89b0-464b-98e9-5d629041dfe0.md new file mode 100644 index 00000000000..72dd088f584 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/a8128dd2-89b0-464b-98e9-5d629041dfe0.md 
@@ -0,0 +1,74 @@ +--- +title: RAM Account Password Policy without Reuse Prevention +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a8128dd2-89b0-464b-98e9-5d629041dfe0 +- **Query name:** RAM Account Password Policy without Reuse Prevention +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_account_password_policy_without_reuse_prevention) + +### Description +RAM Account Password Policy 'password_reuse_prevention' should be defined and set to 24 or less
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#password_reuse_prevention) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + max_login_attempts = 3 +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 25 + max_login_attempts = 3 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/a9dfec39-a740-4105-bbd6-721ba163c053.md b/docs/queries/terraform-queries/alicloud/a9dfec39-a740-4105-bbd6-721ba163c053.md new file mode 100644 index 00000000000..c83fd5df5a9 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/a9dfec39-a740-4105-bbd6-721ba163c053.md 
@@ -0,0 +1,74 @@ +--- +title: Ram Account Password Policy Not Required Minimum Length +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a9dfec39-a740-4105-bbd6-721ba163c053 +- **Query name:** Ram Account Password Policy Not Required Minimum Length +- **Platform:** Terraform +- **Severity:** High +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_account_password_policy_not_required_minimum_length) + +### Description +Ram Account Password Policy should have 'minimum_password_length' defined and set to 14 or above
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#minimum_password_length) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "alicloud_ram_account_password_policy" "corporate" { + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 14 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 14 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/b9b7ada8-3868-4a35-854e-6100a2bb863d.md b/docs/queries/terraform-queries/alicloud/b9b7ada8-3868-4a35-854e-6100a2bb863d.md new file mode 100644 index 00000000000..11707ffaa95 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/b9b7ada8-3868-4a35-854e-6100a2bb863d.md 
@@ -0,0 +1,143 @@ +--- +title: Kubernetes Cluster Without Terway as CNI Network Plugin +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b9b7ada8-3868-4a35-854e-6100a2bb863d +- **Query name:** Kubernetes Cluster Without Terway as CNI Network Plugin +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/kubernetes_cluster_without_terway_as_cni_network_plugin) + +### Description +Kubernetes Cluster should have Terway as CNI Network Plugin to configure network policies
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/cs_kubernetes#cluster_network_type) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="15" +terraform { + required_providers { + alicloud = { + source = "aliyun/alicloud" + version = "1.160.0" + } + } +} + +provider "alicloud" { + access_key = "xxxxxx" + secret_key = "xxxxxx" +} + +resource "alicloud_cs_kubernetes" "positive1" { + worker_number = 4 + worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="15" +terraform { + required_providers { + alicloud = { + source = "aliyun/alicloud" + version = "1.160.0" + } + } +} + +provider "alicloud" { + access_key = "xxxxxx" + secret_key = "xxxxxx" +} + +resource "alicloud_cs_kubernetes" "positive2" { + worker_number = 4 + worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + + addons { + config = "" + name = "terway-eniip" + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="15" +terraform { + required_providers { + alicloud = { + source = "aliyun/alicloud" + version = "1.160.0" + } + } +} + +provider "alicloud" { + access_key = "xxxxxx" + secret_key = "xxxxxx" +} + +resource "alicloud_cs_kubernetes" "positive3" { + worker_number = 4 + worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + + pod_vswitch_ids = ["id1"] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +terraform { + required_providers { + alicloud = { + source = "aliyun/alicloud" + version = "1.160.0" + } + } +} + +provider "alicloud" { + access_key = "xxxxxx" + secret_key = "xxxxxx" +} + +resource "alicloud_cs_kubernetes" "k8s" { + worker_number = 4 + worker_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_vswitch_ids = ["vsw-id1", "vsw-id1", "vsw-id3"] + master_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + worker_instance_types = ["ecs.n4.small", "ecs.sn1ne.xlarge", "ecs.n4.xlarge"] + + addons { + config = "" + name = "terway-eniip" + } + + pod_vswitch_ids = ["id1"] +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md b/docs/queries/terraform-queries/alicloud/b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md new file mode 100644 index 00000000000..a03499590c8 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/b9c524a4-fe76-4021-a6a2-cb978fb4fde1.md 
@@ -0,0 +1,361 @@ +--- +title: RDS Instance Events Not Logged +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b9c524a4-fe76-4021-a6a2-cb978fb4fde1 +- **Query name:** RDS Instance Events Not Logged +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/rds_instance_events_not_logged) + +### Description +All RDS Instance events trackers should be 'true'
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/log_audit) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="15" +resource "alicloud_log_audit" "example" { + display_name = "tf-audit-test" + aliuid = "12345678" + variable_map = { + "actiontrail_enabled" = "true", + "actiontrail_ttl" = "180", + "actiontrail_ti_enabled" = "true", + "oss_access_enabled" = "true", + "oss_access_ttl" = "7", + "oss_sync_enabled" = "true", + "oss_sync_ttl" = "180", + "oss_access_ti_enabled" = "true", + "oss_metering_enabled" = "true", + "oss_metering_ttl" = "180", + "rds_enabled" = "false", + "rds_audit_collection_policy" = "", + "rds_ttl" = "180", + "rds_ti_enabled" = "true", + "rds_slow_enabled" = "true", + "rds_slow_collection_policy" = "", + "rds_slow_ttl" = "180", + "rds_perf_enabled" = "true", + "rds_perf_collection_policy" = "", + "rds_perf_ttl" = "180", + "vpc_flow_enabled" = "true", + "vpc_flow_ttl" = "7", + "vpc_flow_collection_policy" = "", + "vpc_sync_enabled" = "true", + "vpc_sync_ttl" = "180", + "polardb_enabled" = "true", + "polardb_audit_collection_policy" = "", + "polardb_ttl" = "180", + "polardb_ti_enabled" = "true", + "polardb_slow_enabled" = "true", + "polardb_slow_collection_policy" = "", + "polardb_slow_ttl" = "180", + "polardb_perf_enabled" = "true", + "polardb_perf_collection_policy" = "", + "polardb_perf_ttl" = "180", + "drds_audit_enabled" = "true", + "drds_audit_collection_policy" = "", + "drds_audit_ttl" = "7", + "drds_sync_enabled" = "true", + "drds_sync_ttl" = "180", + "drds_audit_ti_enabled" = "true", + "slb_access_enabled" = "true", + "slb_access_collection_policy" = "", + "slb_access_ttl" = "7", + "slb_sync_enabled" = "true", + "slb_sync_ttl" = "180", + "slb_access_ti_enabled" = "true", + "bastion_enabled" = "true", + "bastion_ttl" = "180", + "bastion_ti_enabled" = "true", + "waf_enabled" = "true", + "waf_ttl" = "180", + 
"waf_ti_enabled" = "true", + "cloudfirewall_enabled" = "true", + "cloudfirewall_ttl" = "180", + "cloudfirewall_ti_enabled" = "true", + "ddos_coo_access_enabled" = "true", + "ddos_coo_access_ttl" = "180", + "ddos_coo_access_ti_enabled" = "true", + "ddos_bgp_access_enabled" = "true", + "ddos_bgp_access_ttl" = "180", + "ddos_dip_access_enabled" = "true", + "ddos_dip_access_ttl" = "180", + "ddos_dip_access_ti_enabled" = "true", + "sas_crack_enabled" = "true", + "sas_dns_enabled" = "true", + "sas_http_enabled" = "true", + "sas_local_dns_enabled" = "true", + "sas_login_enabled" = "true", + "sas_network_enabled" = "true", + "sas_process_enabled" = "true", + "sas_security_alert_enabled" = "true", + "sas_security_hc_enabled" = "true", + "sas_security_vul_enabled" = "true", + "sas_session_enabled" = "true", + "sas_snapshot_account_enabled" = "true", + "sas_snapshot_port_enabled" = "true", + "sas_snapshot_process_enabled" = "true", + "sas_ttl" = "180", + "sas_ti_enabled" = "true", + "apigateway_enabled" = "true", + "apigateway_ttl" = "180", + "apigateway_ti_enabled" = "true", + "nas_enabled" = "true", + "nas_ttl" = "180", + "nas_ti_enabled" = "true", + "appconnect_enabled" = "true", + "appconnect_ttl" = "180", + "cps_enabled" = "true", + "cps_ttl" = "180", + "cps_ti_enabled" = "true", + "k8s_audit_enabled" = "true", + "k8s_audit_collection_policy" = "", + "k8s_audit_ttl" = "180", + "k8s_event_enabled" = "true", + "k8s_event_collection_policy" = "", + "k8s_event_ttl" = "180", + "k8s_ingress_enabled" = "true", + "k8s_ingress_collection_policy" = "", + "k8s_ingress_ttl" = "180" + "appconnect_ti_enabled":"false" + } +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="4" +resource "alicloud_log_audit" "example" { + display_name = "tf-audit-test" + aliuid = "12345678" + variable_map = { + "actiontrail_enabled" = "true", + "actiontrail_ttl" = "180", + "actiontrail_ti_enabled" = "true", + "oss_access_enabled" = "true", + "oss_access_ttl" = "7", + "oss_sync_enabled" = "true", + "oss_sync_ttl" = "180", + "oss_access_ti_enabled" = "true", + "oss_metering_enabled" = "true", + "oss_metering_ttl" = "180", + "rds_audit_collection_policy" = "", + "rds_ttl" = "180", + "rds_ti_enabled" = "true", + "rds_slow_enabled" = "true", + "rds_slow_collection_policy" = "", + "rds_slow_ttl" = "180", + "rds_perf_enabled" = "true", + "rds_perf_collection_policy" = "", + "rds_perf_ttl" = "180", + "vpc_flow_enabled" = "true", + "vpc_flow_ttl" = "7", + "vpc_flow_collection_policy" = "", + "vpc_sync_enabled" = "true", + "vpc_sync_ttl" = "180", + "polardb_enabled" = "true", + "polardb_audit_collection_policy" = "", + "polardb_ttl" = "180", + "polardb_ti_enabled" = "true", + "polardb_slow_enabled" = "true", + "polardb_slow_collection_policy" = "", + "polardb_slow_ttl" = "180", + "polardb_perf_enabled" = "true", + "polardb_perf_collection_policy" = "", + "polardb_perf_ttl" = "180", + "drds_audit_enabled" = "true", + "drds_audit_collection_policy" = "", + "drds_audit_ttl" = "7", + "drds_sync_enabled" = "true", + "drds_sync_ttl" = "180", + "drds_audit_ti_enabled" = "true", + "slb_access_enabled" = "true", + "slb_access_collection_policy" = "", + "slb_access_ttl" = "7", + "slb_sync_enabled" = "true", + "slb_sync_ttl" = "180", + "slb_access_ti_enabled" = "true", + "bastion_enabled" = "true", + "bastion_ttl" = "180", + "bastion_ti_enabled" = "true", + "waf_enabled" = "true", + "waf_ttl" = "180", + "waf_ti_enabled" = "true", + "cloudfirewall_enabled" = "true", + "cloudfirewall_ttl" = "180", + "cloudfirewall_ti_enabled" = "true", + "ddos_coo_access_enabled" = "true", + "ddos_coo_access_ttl" = "180", + "ddos_coo_access_ti_enabled" = "true", + 
"ddos_bgp_access_enabled" = "true", + "ddos_bgp_access_ttl" = "180", + "ddos_dip_access_enabled" = "true", + "ddos_dip_access_ttl" = "180", + "ddos_dip_access_ti_enabled" = "true", + "sas_crack_enabled" = "true", + "sas_dns_enabled" = "true", + "sas_http_enabled" = "true", + "sas_local_dns_enabled" = "true", + "sas_login_enabled" = "true", + "sas_network_enabled" = "true", + "sas_process_enabled" = "true", + "sas_security_alert_enabled" = "true", + "sas_security_hc_enabled" = "true", + "sas_security_vul_enabled" = "true", + "sas_session_enabled" = "true", + "sas_snapshot_account_enabled" = "true", + "sas_snapshot_port_enabled" = "true", + "sas_snapshot_process_enabled" = "true", + "sas_ttl" = "180", + "sas_ti_enabled" = "true", + "apigateway_enabled" = "true", + "apigateway_ttl" = "180", + "apigateway_ti_enabled" = "true", + "nas_enabled" = "true", + "nas_ttl" = "180", + "nas_ti_enabled" = "true", + "appconnect_enabled" = "true", + "appconnect_ttl" = "180", + "cps_enabled" = "true", + "cps_ttl" = "180", + "cps_ti_enabled" = "true", + "k8s_audit_enabled" = "true", + "k8s_audit_collection_policy" = "", + "k8s_audit_ttl" = "180", + "k8s_event_enabled" = "true", + "k8s_event_collection_policy" = "", + "k8s_event_ttl" = "180", + "k8s_ingress_enabled" = "true", + "k8s_ingress_collection_policy" = "", + "k8s_ingress_ttl" = "180" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "alicloud_log_audit" "example" { + display_name = "tf-audit-test" + aliuid = "12345678" + variable_map = { + "actiontrail_enabled" = "true", + "actiontrail_ttl" = "180", + "actiontrail_ti_enabled" = "true", + "oss_access_enabled" = "true", + "oss_access_ttl" = "7", + "oss_sync_enabled" = "true", + "oss_sync_ttl" = "180", + "oss_access_ti_enabled" = "true", + "oss_metering_enabled" = "true", + "oss_metering_ttl" = "180", + "rds_enabled" = "true", + "rds_audit_collection_policy" = "", + "rds_ttl" = "180", + "rds_ti_enabled" = "true", + "rds_slow_enabled" = "true", + "rds_slow_collection_policy" = "", + "rds_slow_ttl" = "180", + "rds_perf_enabled" = "true", + "rds_perf_collection_policy" = "", + "rds_perf_ttl" = "180", + "vpc_flow_enabled" = "true", + "vpc_flow_ttl" = "7", + "vpc_flow_collection_policy" = "", + "vpc_sync_enabled" = "true", + "vpc_sync_ttl" = "180", + "polardb_enabled" = "true", + "polardb_audit_collection_policy" = "", + "polardb_ttl" = "180", + "polardb_ti_enabled" = "true", + "polardb_slow_enabled" = "true", + "polardb_slow_collection_policy" = "", + "polardb_slow_ttl" = "180", + "polardb_perf_enabled" = "true", + "polardb_perf_collection_policy" = "", + "polardb_perf_ttl" = "180", + "drds_audit_enabled" = "true", + "drds_audit_collection_policy" = "", + "drds_audit_ttl" = "7", + "drds_sync_enabled" = "true", + "drds_sync_ttl" = "180", + "drds_audit_ti_enabled" = "true", + "slb_access_enabled" = "true", + "slb_access_collection_policy" = "", + "slb_access_ttl" = "7", + "slb_sync_enabled" = "true", + "slb_sync_ttl" = "180", + "slb_access_ti_enabled" = "true", + "bastion_enabled" = "true", + "bastion_ttl" = "180", + "bastion_ti_enabled" = "true", + "waf_enabled" = "true", + "waf_ttl" = "180", + "waf_ti_enabled" = "true", + "cloudfirewall_enabled" = "true", + "cloudfirewall_ttl" = "180", + "cloudfirewall_ti_enabled" = "true", + "ddos_coo_access_enabled" = "true", + "ddos_coo_access_ttl" = "180", + "ddos_coo_access_ti_enabled" = 
"true", + "ddos_bgp_access_enabled" = "true", + "ddos_bgp_access_ttl" = "180", + "ddos_dip_access_enabled" = "true", + "ddos_dip_access_ttl" = "180", + "ddos_dip_access_ti_enabled" = "true", + "sas_crack_enabled" = "true", + "sas_dns_enabled" = "true", + "sas_http_enabled" = "true", + "sas_local_dns_enabled" = "true", + "sas_login_enabled" = "true", + "sas_network_enabled" = "true", + "sas_process_enabled" = "true", + "sas_security_alert_enabled" = "true", + "sas_security_hc_enabled" = "true", + "sas_security_vul_enabled" = "true", + "sas_session_enabled" = "true", + "sas_snapshot_account_enabled" = "true", + "sas_snapshot_port_enabled" = "true", + "sas_snapshot_process_enabled" = "true", + "sas_ttl" = "180", + "sas_ti_enabled" = "true", + "apigateway_enabled" = "true", + "apigateway_ttl" = "180", + "apigateway_ti_enabled" = "true", + "nas_enabled" = "true", + "nas_ttl" = "180", + "nas_ti_enabled" = "true", + "appconnect_enabled" = "true", + "appconnect_ttl" = "180", + "cps_enabled" = "true", + "cps_ttl" = "180", + "cps_ti_enabled" = "true", + "k8s_audit_enabled" = "true", + "k8s_audit_collection_policy" = "", + "k8s_audit_ttl" = "180", + "k8s_event_enabled" = "true", + "k8s_event_collection_policy" = "", + "k8s_event_ttl" = "180", + "k8s_ingress_enabled" = "true", + "k8s_ingress_collection_policy" = "", + "k8s_ingress_ttl" = "180", + "appconnect_ti_enabled":"true" + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/c01d10de-c468-4790-b3a0-fc887a56f289.md b/docs/queries/terraform-queries/alicloud/c01d10de-c468-4790-b3a0-fc887a56f289.md new file mode 100644 index 00000000000..a28184f7033 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/c01d10de-c468-4790-b3a0-fc887a56f289.md 
@@ -0,0 +1,207 @@ +--- +title: OSS Buckets Secure Transport Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c01d10de-c468-4790-b3a0-fc887a56f289 +- **Query name:** OSS Buckets Secure Transport Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_buckets_securetransport_disabled) + +### Description +OSS Buckets should have secure transport enabled
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +resource "alicloud_oss_bucket" "bucket-securetransport1"{ + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** c065b98e-1515-4991-9dca-b602bd6a2fbb +- **Query name:** Action Trail Logging For All Regions Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/action_trail_logging_all_regions_disabled) + +### Description +Action Trail Logging for all regions should be enabled
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/actiontrail_trail#trail_region) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "alicloud_actiontrail_trail" "actiontrail2" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_name" + event_rw = "All" + trail_region = "cn-hangzhou" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="5 6" +resource "alicloud_actiontrail_trail" "actiontrail3" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_name" + event_rw = "Read" + trail_region = "cn-hangzhou" +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="5 6" +resource "alicloud_actiontrail_trail" "actiontrail4" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_name" + event_rw = "Write" + trail_region = "cn-hangzhou" +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="6" +resource "alicloud_actiontrail_trail" "actiontrail5" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_name" + event_rw = "All" + trail_region = "cn-beijing" +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="5 6" +resource "alicloud_actiontrail_trail" "actiontrail6" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_name" + event_rw = "Read" + trail_region = "cn-beijing" +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="5 6" +resource "alicloud_actiontrail_trail" "actiontrail7" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_name" + event_rw = "Write" + trail_region = "cn-beijing" +} + +``` +
+
Postitive test num. 7 - tf file + +```tf hl_lines="1" +resource "alicloud_actiontrail_trail" "actiontrail8" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_name" + event_rw = "All" +} + +``` +
+
Postitive test num. 8 - tf file + +```tf hl_lines="1" +resource "alicloud_actiontrail_trail" "actiontrail9" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_name" + trail_region = "All" +} + +``` +
+
Postitive test num. 9 - tf file + +```tf hl_lines="1" +resource "alicloud_actiontrail_trail" "actiontrail10" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + trail_region = "All" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_actiontrail_trail" "actiontrail1" { + trail_name = "action-trail" + oss_write_role_arn = "acs:ram::1182725xxxxxxxxxxx" + oss_bucket_name = "bucket_name" + event_rw = "All" + trail_region = "All" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/cb319d87-b90f-485e-a7e7-f2408380f309.md b/docs/queries/terraform-queries/alicloud/cb319d87-b90f-485e-a7e7-f2408380f309.md new file mode 100644 index 00000000000..05f4f693746 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/cb319d87-b90f-485e-a7e7-f2408380f309.md @@ -0,0 +1,83 @@ +--- +title: High KMS Key Rotation Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cb319d87-b90f-485e-a7e7-f2408380f309 +- **Query name:** High KMS Key Rotation Period +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/high_kms_key_rotation_period) + +### Description +KMS Key should have automatic rotation enabled and the rotation period should not be higher than a year
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 5 6" +resource "alicloud_kms_key" "keypos1" { + description = "Hello KMS" + pending_window_in_days = "7" + status = "Enabled" + automatic_rotation = "Disabled" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="6" +resource "alicloud_kms_key" "keypos1" { + description = "Hello KMS" + pending_window_in_days = "7" + status = "Enabled" + automatic_rotation = "Enabled" + rotation_interval = "366d" +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="6" +resource "alicloud_kms_key" "keypos1" { + description = "Hello KMS" + pending_window_in_days = "7" + status = "Enabled" + automatic_rotation = "Enabled" + rotation_interval = "31536010s" +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "alicloud_kms_key" "keypos1" { + description = "Hello KMS" + pending_window_in_days = "7" + status = "Enabled" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_kms_key" "key" { + description = "Hello KMS" + pending_window_in_days = "7" + status = "Enabled" + automatic_rotation = "Enabled" + rotation_interval = "7d" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/d2731f3d-a992-44ed-812e-f4f1c2747d71.md b/docs/queries/terraform-queries/alicloud/d2731f3d-a992-44ed-812e-f4f1c2747d71.md new file mode 100644 index 00000000000..bbd3349c46e --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/d2731f3d-a992-44ed-812e-f4f1c2747d71.md @@ -0,0 +1,69 @@ +--- +title: VPC Flow Logs Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d2731f3d-a992-44ed-812e-f4f1c2747d71 +- **Query name:** VPC Flow Logs Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/vpc_flow_logs_disabled) + +### Description +Every VPC resource should have an associated Flow Log
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/vpc_flow_log) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_vpc" "main" { + cidr_block = "192.168.0.0/24" + name = var.name +} + +resource "alicloud_vpc_flow_log" "default" { + depends_on = ["alicloud_vpc.default"] + resource_id = alicloud_vpc.default.id + resource_type = "VPC" + traffic_type = "All" + log_store_name = var.log_store_name + project_name = var.project_name + flow_log_name = var.name + status = "Active" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_vpc" "main" { + cidr_block = "192.168.0.0/24" + name = var.name +} + +resource "alicloud_vpc_flow_log" "default" { + depends_on = ["alicloud_vpc.main"] + resource_id = alicloud_vpc.main.id + resource_type = "VPC" + traffic_type = "All" + log_store_name = var.log_store_name + project_name = var.project_name + flow_log_name = var.name + status = "Active" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/d53f4123-f8d8-4224-8cb3-f920b151cc98.md b/docs/queries/terraform-queries/alicloud/d53f4123-f8d8-4224-8cb3-f920b151cc98.md new file mode 100644 index 00000000000..75479637988 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/d53f4123-f8d8-4224-8cb3-f920b151cc98.md @@ -0,0 +1,96 @@ +--- +title: RDS Instance Log Disconnections Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d53f4123-f8d8-4224-8cb3-f920b151cc98 +- **Query name:** RDS Instance Log Disconnections Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/rds_instance_log_disconnections_disabled) + +### Description +log_disconnections parameter should be set to ON for RDS instances
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#parameters) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_disconnections" + value = "OFF" + }] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="6" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + }] +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_disconnections" + value = "ON" + }] +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/dbfc834a-56e5-4750-b5da-73fda8e73f70.md b/docs/queries/terraform-queries/alicloud/dbfc834a-56e5-4750-b5da-73fda8e73f70.md new file mode 100644 index 00000000000..6a7c8ac2004 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/dbfc834a-56e5-4750-b5da-73fda8e73f70.md 
@@ -0,0 +1,49 @@ +--- +title: SLB Policy With Insecure TLS Version In Use +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dbfc834a-56e5-4750-b5da-73fda8e73f70 +- **Query name:** SLB Policy With Insecure TLS Version In Use +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/slb_policy_with_insecure_tls_version_in_use) + +### Description +SLB Policy should not support insecure versions of TLS protocol
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/slb_tls_cipher_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +resource "alicloud_slb_tls_cipher_policy" "positive" { + tls_cipher_policy_name = "Test-example_value" + tls_versions = ["TLSv1.1","TLSv1.2"] + ciphers = ["AES256-SHA","AES256-SHA256", "AES128-GCM-SHA256"] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_slb_tls_cipher_policy" "negative" { + tls_cipher_policy_name = "Test-example_value" + tls_versions = ["TLSv1.2","TLSv1.3"] + ciphers = ["AES256-SHA256", "AES128-GCM-SHA256","TLS_AES_256_GCM_SHA384"] +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/dc158941-28ce-481d-a7fa-dc80761edf46.md b/docs/queries/terraform-queries/alicloud/dc158941-28ce-481d-a7fa-dc80761edf46.md new file mode 100644 index 00000000000..a30928e78ef --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/dc158941-28ce-481d-a7fa-dc80761edf46.md @@ -0,0 +1,137 @@ +--- +title: RDS Instance Retention Period Not Recommended +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dc158941-28ce-481d-a7fa-dc80761edf46 +- **Query name:** RDS Instance Retention Period Not Recommended +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/rds_instance_retention_not_recommended) + +### Description +RDS Instance SQL Retention Period should be greater than 180
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#sql_collector_config_value) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_connections" + value = "ON" + }] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1 6" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + sql_collector_status = "Disabled" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_connections" + value = "ON" + }] +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + sql_collector_status = "Enabled" + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_connections" + value = "ON" + }] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="7" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + sql_collector_status = "Enabled" + sql_collector_config_value = 30 + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_connections" + value = "ON" + }] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_db_instance" "default" { + engine = "MySQL" + engine_version = "5.6" + db_instance_class = "rds.mysql.t1.small" + db_instance_storage = "10" + sql_collector_status = "Enabled" + sql_collector_config_value = 180 + parameters = [{ + name = "innodb_large_prefix" + value = "ON" + },{ + name = "connect_timeout" + value = "50" + },{ + name = "log_connections" + value = "ON" + }] +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/dcda2d32-e482-43ee-a926-75eaabeaa4e0.md b/docs/queries/terraform-queries/alicloud/dcda2d32-e482-43ee-a926-75eaabeaa4e0.md new file mode 100644 index 00000000000..d2afe8bfb76 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/dcda2d32-e482-43ee-a926-75eaabeaa4e0.md @@ -0,0 +1,100 @@ +--- +title: RAM Security Preference Not Enforce MFA Login +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dcda2d32-e482-43ee-a926-75eaabeaa4e0 +- **Query name:** RAM Security Preference Not Enforce MFA Login +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_security_preference_not_enforce_mfa) + +### Description +RAM Security preferences should enforce MFA login for RAM users
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_security_preference#enforce_mfa_for_login) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +# Create a new RAM user. +resource "alicloud_ram_user" "user1" { + name = "user_test" + display_name = "user_display_name" + mobile = "86-18688888888" + email = "hello.uuu@aaa.com" + comments = "yoyoyo" + force = true +} + +resource "alicloud_ram_security_preference" "example1" { + enable_save_mfa_ticket = false + allow_user_to_change_password = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="14" +# Create a new RAM user. +resource "alicloud_ram_user" "user2" { + name = "user_test" + display_name = "user_display_name" + mobile = "86-18688888888" + email = "hello.uuu@aaa.com" + comments = "yoyoyo" + force = true +} + +resource "alicloud_ram_security_preference" "example2" { + enable_save_mfa_ticket = false + allow_user_to_change_password = true + enforce_mfa_for_login = false +} + +``` +```tf title="Postitive test num. 3 - tf file" +# this file does not return any result because inside the test folder exists at least one resource "alicloud_ram_security_preference" in the samples +#resource "alicloud_ram_user" "user3" { +# name = "user_test" +# display_name = "user_display_name" +# mobile = "86-18688888888" +# email = "hello.uuu@aaa.com" +# comments = "yoyoyo" +# force = true +#} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +# Create a new RAM user. 
+resource "alicloud_ram_user" "user0" { + name = "user_test" + display_name = "user_display_name" + mobile = "86-18688888888" + email = "hello.uuu@aaa.com" + comments = "yoyoyo" + force = true +} + +resource "alicloud_ram_security_preference" "example0" { + enable_save_mfa_ticket = false + allow_user_to_change_password = true + enforce_mfa_for_login = true +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/dd706080-b7a8-47dc-81fb-3e8184430ec0.md b/docs/queries/terraform-queries/alicloud/dd706080-b7a8-47dc-81fb-3e8184430ec0.md new file mode 100644 index 00000000000..c6229f3bd2e --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/dd706080-b7a8-47dc-81fb-3e8184430ec0.md @@ -0,0 +1,101 @@ +--- +title: Public Security Group Rule Unknown Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dd706080-b7a8-47dc-81fb-3e8184430ec0 +- **Query name:** Public Security Group Rule Unknown Port +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/public_security_group_rule_unknown_port) + +### Description +A unknown port, such as port 24 or port 111, is open to the public in either TCP or UDP or ALL protocol/protocols mentioned
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/security_group_rule#port_range) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "tcp" + nic_type = "internet" + policy = "accept" + port_range = "54/60" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "0.0.0.0/0" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="10" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "all" + nic_type = "internet" + policy = "accept" + port_range = "-1/-1" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "0.0.0.0/0" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "tcp" + nic_type = "internet" + policy = "accept" + port_range = "1/65535" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "10.159.6.18/12" +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_security_group" "default" { + name = "default" +} + +resource "alicloud_security_group_rule" "allow_all_tcp" { + type = "ingress" + ip_protocol = "icmp" + nic_type = "internet" + policy = "accept" + port_range = "-1/-1" + priority = 1 + security_group_id = alicloud_security_group.default.id + cidr_ip = "10.159.6.18/12" +} + +``` 
diff --git a/docs/queries/terraform-queries/alicloud/e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md b/docs/queries/terraform-queries/alicloud/e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md new file mode 100644 index 00000000000..349dfa3be12 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/e76fd7ab-7333-40c6-a2d8-ea28af4a319e.md @@ -0,0 +1,74 @@ +--- +title: Ram Account Password Policy Max Login Attempts Unrecommended +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e76fd7ab-7333-40c6-a2d8-ea28af4a319e +- **Query name:** Ram Account Password Policy Max Login Attempts Unrecommended +- **Platform:** Terraform +- **Severity:** High +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_account_password_policy_max_login_attempts_unrecommended) + +### Description +Ram Account Password Policy should have 'max_login_attempts' to a maximum of 5 incorrect login attempts
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_account_password_policy#max_login_attempts) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 6 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 + max_login_attempts = 3 +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_ram_account_password_policy" "corporate" { + minimum_password_length = 9 + require_lowercase_characters = false + require_uppercase_characters = false + require_numbers = false + require_symbols = false + hard_expiry = true + max_password_age = 12 + password_reuse_prevention = 5 +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/e8e62026-da63-4904-b402-65adfe3ca975.md b/docs/queries/terraform-queries/alicloud/e8e62026-da63-4904-b402-65adfe3ca975.md new file mode 100644 index 00000000000..f323d5fa9fe --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/e8e62026-da63-4904-b402-65adfe3ca975.md 
@@ -0,0 +1,304 @@ +--- +title: Ram Policy Admin Access Not Attached to Users Groups Roles +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e8e62026-da63-4904-b402-65adfe3ca975 +- **Query name:** Ram Policy Admin Access Not Attached to Users Groups Roles +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ram_policy_admin_access_not_attached_to_users_groups_roles) + +### Description +Ram policies with admin access should not be associated to users, groups or roles
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ram_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="35" +# Create a RAM User Policy attachment. +resource "alicloud_ram_user" "user4" { + name = "userName" + display_name = "user_display_name" + mobile = "86-18688888888" + email = "hello.uuu@aaa.com" + comments = "yoyoyo" + force = true +} + +resource "alicloud_ram_policy" "policy4" { + name = "policyName" + document = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** ec62a32c-a297-41ca-a850-cab40b42094a +- **Query name:** OSS Bucket Allows All Actions From All Principals +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_allows_all_actions_from_all_principals) + +### Description +OSS Buckets should not allow all actions (wildcard) from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is *, for all Principals.
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "alicloud_oss_bucket" "bucket-policy1" { + bucket = "bucket-1-policy" + acl = "private" + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** ed6cf6ff-9a1f-491c-9f88-e03c0807f390 +- **Query name:** Log Retention Is Not Greater Than 90 Days +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/log_retention_is_not_greater_than_90_days) + +### Description +OSS Log Store should have logging enabled for longer than 90 days, for better visibility of resources and objects.
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/log_store#retention_period) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "alicloud_log_project" "example2" { + name = "tf-log" + description = "created by terraform" +} + +resource "alicloud_log_store" "example2" { + project = alicloud_log_project.example.name + name = "tf-log-store" + shard_count = 3 + auto_split = true + max_split_shard_count = 60 + append_meta = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +resource "alicloud_log_project" "example4" { + name = "tf-log" + description = "created by terraform" +} + +resource "alicloud_log_store" "example4" { + project = alicloud_log_project.example.name + name = "tf-log-store" + retention_period = 60 + shard_count = 3 + auto_split = true + max_split_shard_count = 60 + append_meta = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_log_project" "example1" { + name = "tf-log" + description = "created by terraform" +} + +resource "alicloud_log_store" "example1" { + project = alicloud_log_project.example.name + name = "tf-log-store" + retention_period = 91 + shard_count = 3 + auto_split = true + max_split_shard_count = 60 + append_meta = true +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md b/docs/queries/terraform-queries/alicloud/ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md new file mode 100644 index 00000000000..717ff684763 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/ed6e3ba0-278f-47b6-a1f5-173576b40b7e.md 
@@ -0,0 +1,59 @@ +--- +title: CMK Is Unusable +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ed6e3ba0-278f-47b6-a1f5-173576b40b7e +- **Query name:** CMK Is Unusable +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/cmk_is_unusable) + +### Description +Alicloud KMS must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/kms_key#is_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_kms_key" "key" { + description = "Hello KMS" + pending_window_in_days = "7" + status = "Enabled" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="5" +resource "alicloud_kms_key" "key" { + description = "Hello KMS" + pending_window_in_days = "7" + status = "Enabled" + is_enabled = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_kms_key" "key" { + description = "Hello KMS" + pending_window_in_days = "7" + status = "Enabled" + is_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md b/docs/queries/terraform-queries/alicloud/ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md new file mode 100644 index 00000000000..81671db3061 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/ee3b1557-9fb5-4685-a95d-93f1edf2a0d7.md @@ -0,0 +1,85 @@ +--- +title: ALB Listening on HTTP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ee3b1557-9fb5-4685-a95d-93f1edf2a0d7 +- **Query name:** ALB Listening on HTTP +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/alb_listening_on_http) + +### Description +Application Load Balancer (alb) Listener should not listen on HTTP
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/alb_listener) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +resource "alicloud_alb_listener" "positive" { + load_balancer_id = alicloud_alb_load_balancer.default_3.id + listener_protocol = "HTTP" + listener_port = 443 + listener_description = "createdByTerraform" + default_actions { + type = "ForwardGroup" + forward_group_config { + server_group_tuples { + server_group_id = alicloud_alb_server_group.default.id + } + } + } + certificates { + certificate_id = join("", [alicloud_ssl_certificates_service_certificate.default.id, "-cn-hangzhou"]) + } + acl_config { + acl_type = "White" + acl_relations { + acl_id = alicloud_alb_acl.example.id + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_alb_listener" "negative" { + load_balancer_id = alicloud_alb_load_balancer.default_3.id + listener_protocol = "HTTPS" + listener_port = 443 + listener_description = "createdByTerraform" + default_actions { + type = "ForwardGroup" + forward_group_config { + server_group_tuples { + server_group_id = alicloud_alb_server_group.default.id + } + } + } + certificates { + certificate_id = join("", [alicloud_ssl_certificates_service_certificate.default.id, "-cn-hangzhou"]) + } + acl_config { + acl_type = "White" + acl_relations { + acl_id = alicloud_alb_acl.example.id + } + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/f20e97f9-4919-43f1-9be9-f203cd339cdd.md b/docs/queries/terraform-queries/alicloud/f20e97f9-4919-43f1-9be9-f203cd339cdd.md new file mode 100644 index 00000000000..ad9469e2430 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/f20e97f9-4919-43f1-9be9-f203cd339cdd.md 
@@ -0,0 +1,63 @@ +--- +title: OSS Bucket Encryption Using CMK Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f20e97f9-4919-43f1-9be9-f203cd339cdd +- **Query name:** OSS Bucket Encryption Using CMK Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_cmk_encryption_disabled) + +### Description +OSS Bucket should have encryption enabled using Customer Master Key
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#server_side_encryption_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "alicloud_oss_bucket" "bucket_cmk_encryption2" { + bucket = "bucket-170309-sserule" + acl = "private" + + server_side_encryption_rule { + sse_algorithm = "AES256" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "alicloud_oss_bucket" "bucket_cmk_encryption3" { + bucket = "bucket-170309-sserule" + acl = "private" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_oss_bucket" "bucket_cmk_encryption1" { + bucket = "bucket-170309-sserule" + acl = "private" + + server_side_encryption_rule { + sse_algorithm = "KMS" + kms_master_key_id = "your kms key id" + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/f262118c-1ac6-4bb3-8495-cc48f1775b85.md b/docs/queries/terraform-queries/alicloud/f262118c-1ac6-4bb3-8495-cc48f1775b85.md new file mode 100644 index 00000000000..9392e779680 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/f262118c-1ac6-4bb3-8495-cc48f1775b85.md @@ -0,0 +1,66 @@ +--- +title: Ecs Data Disk Kms Key Id Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f262118c-1ac6-4bb3-8495-cc48f1775b85 +- **Query name:** Ecs Data Disk Kms Key Id Undefined +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ecs_data_disk_kms_key_id_undefined) + +### Description +Ecs Data Disk Kms Key Id should be set
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/disk#kms_key_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +# Create a new ECS disk. +resource "alicloud_disk" "ecs_disk" { + # cn-beijing + availability_zone = "cn-beijing-b" + name = "New-disk" + description = "Hello ecs disk." + category = "cloud_efficiency" + size = "30" + encrypted = true + tags = { + Name = "TerraformTest" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +# Create a new ECS disk. +resource "alicloud_disk" "ecs_disk" { + # cn-beijing + availability_zone = "cn-beijing-b" + name = "New-disk" + description = "Hello ecs disk." + category = "cloud_efficiency" + size = "30" + encrypted = true + kms_key_id = "2a6767f0-a16c-4679-a60f-13bf*****" + tags = { + Name = "TerraformTest" + } +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/faaefc15-51a5-419e-bb5e-51a4b5ab3485.md b/docs/queries/terraform-queries/alicloud/faaefc15-51a5-419e-bb5e-51a4b5ab3485.md new file mode 100644 index 00000000000..821e1c5d7b1 --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/faaefc15-51a5-419e-bb5e-51a4b5ab3485.md @@ -0,0 +1,74 @@ +--- +title: DB Instance Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** faaefc15-51a5-419e-bb5e-51a4b5ab3485 +- **Query name:** DB Instance Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/db_instance_publicly_accessible) + +### Description +The field 'address' should not be set to '0.0.0.0/0'
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/db_instance#address) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "alicloud_db_instance" "example" { + engine = "MySQL" + engine_version = "5.6" + instance_type = "rds.mysql.s2.large" + instance_storage = "30" + instance_charge_type = "Postpaid" + instance_name = var.name + vswitch_id = alicloud_vswitch.example.id + monitoring_period = "60" + address = "0.0.0.0/0" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "alicloud_db_instance" "example" { + engine = "MySQL" + engine_version = "5.6" + instance_type = "rds.mysql.s2.large" + instance_storage = "30" + instance_charge_type = "Postpaid" + instance_name = var.name + vswitch_id = alicloud_vswitch.example.id + monitoring_period = "60" + address = "10.23.12.24/24" +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "alicloud_db_instance" "example" { + engine = "MySQL" + engine_version = "5.6" + instance_type = "rds.mysql.s2.large" + instance_storage = "30" + instance_charge_type = "Postpaid" + instance_name = var.name + vswitch_id = alicloud_vswitch.example.id + monitoring_period = "60" +} + +``` diff --git a/docs/queries/terraform-queries/alicloud/fe286195-e75c-4359-bd58-00847c4f855a.md b/docs/queries/terraform-queries/alicloud/fe286195-e75c-4359-bd58-00847c4f855a.md new file mode 100644 index 00000000000..3931231a40a --- /dev/null +++ b/docs/queries/terraform-queries/alicloud/fe286195-e75c-4359-bd58-00847c4f855a.md 
@@ -0,0 +1,158 @@ +--- +title: OSS Bucket Allows Put Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fe286195-e75c-4359-bd58-00847c4f855a +- **Query name:** OSS Bucket Allows Put Action From All Principals +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/oss_bucket_allows_put_action_from_all_principals) + +### Description +OSS Bucket should not allow put action from all principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering/deletion. This means the 'Effect' must not be 'Allow' when the 'Action' contains 'Put', for all Principals.
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/oss_bucket#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "alicloud_oss_bucket" "bucket-policy4" { + bucket = "bucket-4-policy" + acl = "private" + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 00e5e55e-c2ff-46b3-a757-a7a1cd802456 +- **Query name:** CloudFront Without Minimum Protocol TLS 1.2 +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudfront_without_minimum_protocol_tls_1.2) + +### Description +CloudFront Minimum Protocol version should be at least TLS 1.2
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudfront_distribution" "positive1" { + origin { + domain_name = aws_s3_bucket.b.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + #settings + } + + restrictions { + #restrictions + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="25" +resource "aws_cloudfront_distribution" "positive2" { + origin { + domain_name = aws_s3_bucket.b.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + #settings + } + + restrictions { + #restrictions + } + + viewer_certificate { + cloudfront_default_certificate = false + minimum_protocol_version = "TLSv1_2016" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="24" +resource "aws_cloudfront_distribution" "positive3" { + origin { + domain_name = aws_s3_bucket.b.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + #settings + } + + restrictions { + #restrictions + } + + viewer_certificate { + cloudfront_default_certificate = true + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="23" +resource "aws_cloudfront_distribution" "positive4" { + origin { + domain_name = aws_s3_bucket.b.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + #settings + } + + restrictions { + #restrictions + } + + viewer_certificate { + cloudfront_default_certificate = false + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudfront_distribution" "negative1" { + origin { + domain_name = aws_s3_bucket.b.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = local.s3_origin_id + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + cloudfront_default_certificate = false + minimum_protocol_version = "TLSv1.2_2018" + } +} + +resource "aws_cloudfront_distribution" "negative2" { + origin { + domain_name = aws_s3_bucket.b.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = local.s3_origin_id + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + cloudfront_default_certificate = false + minimum_protocol_version = 
"TLSv1.2_2019" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/01d50b14-e933-4c99-b314-6d08cd37ad35.md b/docs/queries/terraform-queries/aws/01d50b14-e933-4c99-b314-6d08cd37ad35.md new file mode 100644 index 00000000000..276badb2575 --- /dev/null +++ b/docs/queries/terraform-queries/aws/01d50b14-e933-4c99-b314-6d08cd37ad35.md @@ -0,0 +1,114 @@ +--- +title: Glue Data Catalog Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 01d50b14-e933-4c99-b314-6d08cd37ad35 +- **Query name:** Glue Data Catalog Encryption Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/glue_data_catalog_encryption_disabled) + +### Description +Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_data_catalog_encryption_settings#data_catalog_encryption_settings) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_glue_data_catalog_encryption_settings" "positive1" { + data_catalog_encryption_settings { + connection_password_encryption { + aws_kms_key_id = aws_kms_key.test.arn + return_connection_password_encrypted = false + } + + encryption_at_rest { + catalog_encryption_mode = "SSE-KMS" + sse_aws_kms_key_id = aws_kms_key.test.arn + } + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="3" +resource "aws_glue_data_catalog_encryption_settings" "positive2" { + data_catalog_encryption_settings { + connection_password_encryption { + return_connection_password_encrypted = true + } + + encryption_at_rest { + catalog_encryption_mode = "SSE-KMS" + sse_aws_kms_key_id = aws_kms_key.test.arn + } + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="9" +resource "aws_glue_data_catalog_encryption_settings" "positive3" { + data_catalog_encryption_settings { + connection_password_encryption { + aws_kms_key_id = aws_kms_key.test.arn + return_connection_password_encrypted = true + } + + encryption_at_rest { + catalog_encryption_mode = "DISABLED" + sse_aws_kms_key_id = aws_kms_key.test.arn + } + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="8" +resource "aws_glue_data_catalog_encryption_settings" "positive4" { + data_catalog_encryption_settings { + connection_password_encryption { + aws_kms_key_id = aws_kms_key.test.arn + return_connection_password_encrypted = true + } + + encryption_at_rest { + catalog_encryption_mode = "SSE-KMS" + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_glue_data_catalog_encryption_settings" "negative1" { + data_catalog_encryption_settings { + connection_password_encryption { + aws_kms_key_id = aws_kms_key.test.arn + return_connection_password_encrypted = true + } + + encryption_at_rest { + catalog_encryption_mode = "SSE-KMS" + sse_aws_kms_key_id = aws_kms_key.test.arn + } + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md b/docs/queries/terraform-queries/aws/034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md new file mode 100644 index 00000000000..4967fa9eb9c --- /dev/null +++ b/docs/queries/terraform-queries/aws/034d0aee-620f-4bf7-b7fb-efdf661fdb9e.md @@ -0,0 +1,108 @@ +--- +title: Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 034d0aee-620f-4bf7-b7fb-efdf661fdb9e +- **Query name:** Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction) + +### Description +Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "lambda:InvokeFunction" + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + groups = [aws_iam_group.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/04c686f1-e0cd-4812-88e1-4e038410074c.md b/docs/queries/terraform-queries/aws/04c686f1-e0cd-4812-88e1-4e038410074c.md new file mode 100644 index 00000000000..c84af1eac92 --- /dev/null +++ b/docs/queries/terraform-queries/aws/04c686f1-e0cd-4812-88e1-4e038410074c.md 
@@ -0,0 +1,82 @@ +--- +title: Group With Privilege Escalation By Actions 'iam:CreateLoginProfile' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 04c686f1-e0cd-4812-88e1-4e038410074c +- **Query name:** Group With Privilege Escalation By Actions 'iam:CreateLoginProfile' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateLoginProfile) + +### Description +Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreateLoginProfile", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/051f2063-2517-4295-ad8e-ba88c1bf5cfc.md b/docs/queries/terraform-queries/aws/051f2063-2517-4295-ad8e-ba88c1bf5cfc.md new file mode 100644 index 00000000000..9a65b55eaa6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/051f2063-2517-4295-ad8e-ba88c1bf5cfc.md @@ -0,0 +1,330 @@ +--- +title: BOM - AWS MSK +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 051f2063-2517-4295-ad8e-ba88c1bf5cfc +- **Query name:** BOM - AWS MSK +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/msk) + +### Description +A list of MSK resources specified. Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that enables you to build and run applications that use Apache Kafka to process streaming data.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="84" +resource "aws_vpc" "vpc" { + cidr_block = "192.168.0.0/22" +} + +data "aws_availability_zones" "azs" { + state = "available" +} + +resource "aws_subnet" "subnet_az1" { + availability_zone = data.aws_availability_zones.azs.names[0] + cidr_block = "192.168.0.0/24" + vpc_id = aws_vpc.vpc.id +} + +resource "aws_subnet" "subnet_az2" { + availability_zone = data.aws_availability_zones.azs.names[1] + cidr_block = "192.168.1.0/24" + vpc_id = aws_vpc.vpc.id +} + +resource "aws_subnet" "subnet_az3" { + availability_zone = data.aws_availability_zones.azs.names[2] + cidr_block = "192.168.2.0/24" + vpc_id = aws_vpc.vpc.id +} + +resource "aws_security_group" "sg" { + vpc_id = aws_vpc.vpc.id +} + +resource "aws_kms_key" "kms" { + description = "positive1" +} + +resource "aws_cloudwatch_log_group" "test" { + name = "msk_broker_logs" +} + +resource "aws_s3_bucket" "bucket" { + bucket = "msk-broker-logs-bucket" + acl = "private" +} + +resource "aws_iam_role" "firehose_role" { + name = "firehose_test_role" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 081069cb-588b-4ce1-884c-2a1ce3029fe5 +- **Query name:** CloudWatch Metrics Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_metrics_disabled) + +### Description +Checks if CloudWatch Metrics is Enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#metrics_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 18" +#this is a problematic code where the query should report a result(s) +resource "aws_api_gateway_method_settings" "positive1" { + rest_api_id = aws_api_gateway_rest_api.test.id + stage_name = aws_api_gateway_stage.test.stage_name + method_path = "${aws_api_gateway_resource.test.path_part}/${aws_api_gateway_method.test.http_method}" + + settings { + metrics_enabled = false + logging_level = "INFO" + } +} + +resource "aws_api_gateway_method_settings" "positive2" { + rest_api_id = aws_api_gateway_rest_api.test.id + stage_name = aws_api_gateway_stage.test.stage_name + method_path = "${aws_api_gateway_resource.test.path_part}/${aws_api_gateway_method.test.http_method}" + + settings { + logging_level = "INFO" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "aws_api_gateway_method_settings" "negative1" { + rest_api_id = aws_api_gateway_rest_api.test.id + stage_name = aws_api_gateway_stage.test.stage_name + method_path = "${aws_api_gateway_resource.test.path_part}/${aws_api_gateway_method.test.http_method}" + + settings { + metrics_enabled = true + logging_level = "INFO" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/084c6686-2a70-4710-91b1-000393e54c12.md b/docs/queries/terraform-queries/aws/084c6686-2a70-4710-91b1-000393e54c12.md new file mode 100644 index 00000000000..187c8125cef --- /dev/null +++ b/docs/queries/terraform-queries/aws/084c6686-2a70-4710-91b1-000393e54c12.md 
@@ -0,0 +1,101 @@ +--- +title: Shield Advanced Not In Use +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 084c6686-2a70-4710-91b1-000393e54c12 +- **Query name:** Shield Advanced Not In Use +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/shield_advanced_not_in_use) + +### Description +AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection#resource_arn) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +data "aws_availability_zones" "available" {} +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} + +resource "aws_eip" "positive1" { + vpc = true +} + +resource "aws_shield_protection" "positive1" { + name = "example" + resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.positive.id}" + + tags = { + Environment = "Dev" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_route53_zone" "positive2" { + name = "example.com" +} + +resource "aws_shield_protection" "positive2" { + name = "example" + resource_arn = aws_route53_zone.positive.arn + + tags = { + Environment = "Dev" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +data "aws_availability_zones" "available" {} +data "aws_region" "current" {} +data "aws_caller_identity" "current" {} + +resource "aws_eip" "negative1" { + vpc = true +} + +resource "aws_shield_protection" "negative1" { + name = "example" + resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.negative1.id}" + + tags = { + Environment = "Dev" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_route53_zone" "negative2" { + name = "example.com" +} + +resource "aws_shield_protection" "negative2" { + name = "example" + resource_arn = aws_route53_zone.negative2.arn + + tags = { + Environment = "Dev" + } +} + +``` 
diff --git a/docs/queries/terraform-queries/aws/08bd0760-8752-44e1-9779-7bb369b2b4e4.md b/docs/queries/terraform-queries/aws/08bd0760-8752-44e1-9779-7bb369b2b4e4.md new file mode 100644 index 00000000000..1aad16f4e46 --- /dev/null +++ b/docs/queries/terraform-queries/aws/08bd0760-8752-44e1-9779-7bb369b2b4e4.md @@ -0,0 +1,320 @@ +--- +title: DB Instance Storage Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 08bd0760-8752-44e1-9779-7bb369b2b4e4 +- **Query name:** DB Instance Storage Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/db_instance_storage_not_encrypted) + +### Description +AWS DB Instance should have its storage encrypted by setting the parameter to 'true'. The storage_encrypted default value is 'false'.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#storage_encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11 14" +resource "aws_db_instance" "positive1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + iam_database_authentication_enabled = false + storage_encrypted = false +} + +resource "aws_db_instance" "positive2" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" 
+ port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="11" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + storage_encrypted = false + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" 
+ port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_instance" "negative1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + iam_database_authentication_enabled = true + storage_encrypted = true +} + +resource "aws_db_instance" "negative2" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + iam_database_authentication_enabled = false + kms_key_id = aws_kms_key.my_key.key_id +} + +``` +```tf title="Negative test num. 
2 - tf file" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + storage_encrypted = true + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` diff --git a/docs/queries/terraform-queries/aws/09c35abf-5852-4622-ac7a-b987b331232e.md b/docs/queries/terraform-queries/aws/09c35abf-5852-4622-ac7a-b987b331232e.md new file mode 100644 index 00000000000..e1129c6f737 --- /dev/null +++ b/docs/queries/terraform-queries/aws/09c35abf-5852-4622-ac7a-b987b331232e.md 
@@ -0,0 +1,184 @@ +--- +title: Cross-Account IAM Assume Role Policy Without ExternalId or MFA +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 09c35abf-5852-4622-ac7a-b987b331232e +- **Query name:** Cross-Account IAM Assume Role Policy Without ExternalId or MFA +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cross_account_iam_assume_role_policy_without_external_id_or_mfa) + +### Description +Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role#assume_role_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_iam_role" "positive1" { + name = "test_role" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 0a494a6a-ebe2-48a0-9d77-cf9d5125e1b3 +- **Query name:** Redshift Cluster Without VPC +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/redshift_cluster_without_vpc) + +### Description +Redshift Cluster should be configured in VPC (Virtual Private Cloud)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#vpc_security_group_ids) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_redshift_cluster" "positive1" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" + logging { + enable = true + bucket_name = "nameOfAnExistingS3Bucket" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_redshift_cluster" "negative1" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" + logging { + enable = true + bucket_name = "nameOfAnExistingS3Bucket" + } + vpc_security_group_ids = [ + aws_security_group.redshift.id + ] + cluster_subnet_group_name = aws_redshift_subnet_group.redshift_subnet_group.id +} + +``` diff --git a/docs/queries/terraform-queries/aws/0a592060-8166-49f5-8e65-99ac6dce9871.md b/docs/queries/terraform-queries/aws/0a592060-8166-49f5-8e65-99ac6dce9871.md new file mode 100644 index 00000000000..4870017b3e5 --- /dev/null +++ b/docs/queries/terraform-queries/aws/0a592060-8166-49f5-8e65-99ac6dce9871.md 
@@ -0,0 +1,107 @@ +--- +title: Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0a592060-8166-49f5-8e65-99ac6dce9871 +- **Query name:** Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint) + +### Description +Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "glue:CreateDevEndpoint", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + roles = [aws_iam_role.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md b/docs/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md new file mode 100644 index 00000000000..0f64886161e --- /dev/null +++ b/docs/queries/terraform-queries/aws/0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0.md 
@@ -0,0 +1,150 @@ +--- +title: CloudWatch Changes To NACL Alarm Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0a8e8dc5-b6fc-44fc-b5a1-969ec950f9b0 +- **Query name:** CloudWatch Changes To NACL Alarm Missing +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_changes_to_nacl_alarm_missing) + +### Description +Ensure a log metric filter and alarm exist for changes to NACL
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +provider "aws" { + region = "us-east-2" +} + +resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" { + name = "CIS_CloudWatch_LogsGroup" +} + +resource "aws_sns_topic" "cis_alerts_sns_topic" { + name = "cis-alerts-sns-topic" +} + +resource "aws_cloudwatch_metric_alarm" "cis_changes_nacl" { + alarm_name = "CIS-4.11-Changes-NACL" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "OTHER FILTER" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_changes_nacl" { + name = "CIS-4.11-Changes-NACL" + pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-4.11-Changes-NACL" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +provider "aws" { + region = "us-east-2" +} + +resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" { + name = "CIS_CloudWatch_LogsGroup" +} + +resource "aws_sns_topic" "cis_alerts_sns_topic" { + name = "cis-alerts-sns-topic" +} + +resource "aws_cloudwatch_metric_alarm" "cis_changes_nacl" { + alarm_name = "CIS-4.11-Changes-NACL" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_changes_nacl.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_changes_nacl" { + name = "CIS-4.11-Changes-NACL" + pattern = "{ ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-4.11-Changes-NACL" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +provider "aws" { + region = "us-east-2" +} + +resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" { + name = "CIS_CloudWatch_LogsGroup" +} + +resource "aws_sns_topic" "cis_alerts_sns_topic" { + name = "cis-alerts-sns-topic" +} + +resource "aws_cloudwatch_metric_alarm" "cis_changes_nacl" { + alarm_name = "CIS-4.11-Changes-NACL" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_changes_nacl.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_changes_nacl" { + name = "CIS-4.11-Changes-NACL" + pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-4.11-Changes-NACL" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/0a96ce49-4163-4ee6-8169-eb3b0797d694.md b/docs/queries/terraform-queries/aws/0a96ce49-4163-4ee6-8169-eb3b0797d694.md new file mode 100644 index 00000000000..86e7b2091ab --- /dev/null +++ b/docs/queries/terraform-queries/aws/0a96ce49-4163-4ee6-8169-eb3b0797d694.md 
@@ -0,0 +1,59 @@ +--- +title: API Gateway Without Configured Authorizer +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0a96ce49-4163-4ee6-8169-eb3b0797d694 +- **Query name:** API Gateway Without Configured Authorizer +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_without_configured_authorizer) + +### Description +API Gateway REST API should have an API Gateway Authorizer
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_authorizer) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "aws_api_gateway_authorizer" "demo" { + name = "demo" + rest_api_id = aws_api_gateway_rest_api.demo.id + authorizer_uri = aws_lambda_function.authorizer.invoke_arn + authorizer_credentials = aws_iam_role.invocation_role.arn +} + +resource "aws_api_gateway_rest_api" "demo2" { + name = "auth-demo" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_api_gateway_authorizer" "demo" { + name = "demo" + rest_api_id = aws_api_gateway_rest_api.demo.id + authorizer_uri = aws_lambda_function.authorizer.invoke_arn + authorizer_credentials = aws_iam_role.invocation_role.arn +} + +resource "aws_api_gateway_rest_api" "demo" { + name = "auth-demo" +} + +``` diff --git a/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md b/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md new file mode 100644 index 00000000000..fcbb7de02ad --- /dev/null +++ b/docs/queries/terraform-queries/aws/0afa6ab8-a047-48cf-be07-93a2f8c34cf7.md @@ -0,0 +1,59 @@ +--- +title: ALB Is Not Integrated With WAF +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0afa6ab8-a047-48cf-be07-93a2f8c34cf7 +- **Query name:** ALB Is Not Integrated With WAF +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/alb_is_not_integrated_with_waf) + +### Description +All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_alb" "foo" { + internal = false + subnets = [aws_subnet.foo.id, aws_subnet.bar.id] +} + +resource "aws_wafregional_web_acl_association" "foo_waf" { + resource_arn = aws_alb.fooooo.arn + web_acl_id = aws_wafregional_web_acl.foo.id +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_alb" "foo33" { + internal = false + subnets = [aws_subnet.foo.id, aws_subnet.bar.id] +} + +resource "aws_wafregional_web_acl_association" "foo_waf33" { + resource_arn = aws_alb.foo33.arn + web_acl_id = aws_wafregional_web_acl.foo.id +} +# trigger validation + +``` diff --git a/docs/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879.md b/docs/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879.md new file mode 100644 index 00000000000..b1c22fe49db --- /dev/null +++ b/docs/queries/terraform-queries/aws/0afbcfe9-d341-4b92-a64c-7e6de0543879.md @@ -0,0 +1,60 @@ +--- +title: CloudWatch Log Group Without KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0afbcfe9-d341-4b92-a64c-7e6de0543879 +- **Query name:** CloudWatch Log Group Without KMS +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_log_group_not_encrypted) + +### Description +AWS CloudWatch Log groups should be encrypted using KMS
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_group" "negative1" { + name = "Yada" + + tags = { + Environment = "production" + Application = "serviceA" + } + + retention_in_days = 1 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudwatch_log_group" "negative1" { + name = "Yada" + + tags = { + Environment = "production" + Application = "serviceA" + } + + retention_in_days = 1 + kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" +} + +``` diff --git a/docs/queries/terraform-queries/aws/0b4869fc-a842-4597-aa00-1294df425440.md b/docs/queries/terraform-queries/aws/0b4869fc-a842-4597-aa00-1294df425440.md new file mode 100644 index 00000000000..02a1fd6ce53 --- /dev/null +++ b/docs/queries/terraform-queries/aws/0b4869fc-a842-4597-aa00-1294df425440.md @@ -0,0 +1,54 @@ +--- +title: API Gateway Without SSL Certificate +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0b4869fc-a842-4597-aa00-1294df425440 +- **Query name:** API Gateway Without SSL Certificate +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_without_ssl_certificate) + +### Description +SSL Client Certificate should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#client_certificate_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_api_gateway_stage" "positive1" { + stage_name = "prod" + rest_api_id = aws_api_gateway_rest_api.test.id + deployment_id = aws_api_gateway_deployment.test.id + +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_api_gateway_stage" "negative1" { + stage_name = "prod" + rest_api_id = aws_api_gateway_rest_api.test.id + deployment_id = aws_api_gateway_deployment.test.id + + + client_certificate_id = "12131323" + +} + +``` diff --git a/docs/queries/terraform-queries/aws/0b530315-0ea4-497f-b34c-4ff86268f59d.md b/docs/queries/terraform-queries/aws/0b530315-0ea4-497f-b34c-4ff86268f59d.md new file mode 100644 index 00000000000..8f2043556a7 --- /dev/null +++ b/docs/queries/terraform-queries/aws/0b530315-0ea4-497f-b34c-4ff86268f59d.md @@ -0,0 +1,66 @@ +--- +title: KMS Key With No Deletion Window +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0b530315-0ea4-497f-b34c-4ff86268f59d +- **Query name:** KMS Key With No Deletion Window +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/kms_key_with_no_deletion_window) + +### Description +AWS KMS Key should have a valid deletion window
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 18" +resource "aws_kms_key" "positive1" { + description = "KMS key 1" + + is_enabled = true + + enable_key_rotation = true + +} + + +resource "aws_kms_key" "positive2" { + description = "KMS key 1" + + is_enabled = true + + enable_key_rotation = true + + deletion_window_in_days = 31 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_kms_key" "negative1" { + description = "KMS key 1" + + is_enabled = true + + enable_key_rotation = true + + deletion_window_in_days = 10 +} +``` diff --git a/docs/queries/terraform-queries/aws/0b93729a-d882-4803-bdc3-ac429a21f158.md b/docs/queries/terraform-queries/aws/0b93729a-d882-4803-bdc3-ac429a21f158.md new file mode 100644 index 00000000000..b9e425e9515 --- /dev/null +++ b/docs/queries/terraform-queries/aws/0b93729a-d882-4803-bdc3-ac429a21f158.md @@ -0,0 +1,567 @@ +--- +title: EC2 Instance Using API Keys +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0b93729a-d882-4803-bdc3-ac429a21f158 +- **Query name:** EC2 Instance Using API Keys +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ec2_instance_using_api_keys) + +### Description +EC2 instances should use roles to be granted access to other AWS services
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#iam_instance_profile) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +provider "aws" { + region = "us-east-1" +} + +resource "aws_instance" "positive1" { + ami = "ami-005e54dee72cc1d00" # us-west-2 + instance_type = "t2.micro" + + tags = { + Name = "test" + } + + user_data = < ~/.aws/config +[default] +aws_access_key_id = somekey +aws_secret_access_key = somesecret +EOF +EOT + + credit_specification { + cpu_credits = "unlimited" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="5" +provider "aws" { + region = "us-east-1" +} + +resource "aws_instance" "positive3" { + ami = "ami-005e54dee72cc1d00" # us-west-2 + instance_type = "t2.micro" + + tags = { + Name = "test" + } + + user_data = < ~/.aws/credentials +[default] +aws_access_key_id = somekey +aws_secret_access_key = somesecret +EOF +EOT + + credit_specification { + cpu_credits = "unlimited" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="5" +provider "aws" { + region = "us-east-1" +} + +resource "aws_instance" "positive4" { + ami = "ami-005e54dee72cc1d00" # us-west-2 + instance_type = "t2.micro" + + tags = { + Name = "test" + } + + user_data_base64 = var.init_aws_cli + + credit_specification { + cpu_credits = "unlimited" + } +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="5" +provider "aws" { + region = "us-east-1" +} + +resource "aws_instance" "positive5" { + ami = "ami-005e54dee72cc1d00" # us-west-2 + instance_type = "t2.micro" + + tags = { + Name = "test" + } + + user_data_base64 = base64encode("apt-get install -y awscli; export AWS_ACCESS_KEY_ID=your_access_key_id_here; export AWS_SECRET_ACCESS_KEY=your_secret_access_key_here") + + credit_specification { + cpu_credits = "unlimited" + } +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="5" +provider "aws" { + region = "us-east-1" +} + +resource "aws_instance" "positive6" { + ami = "ami-005e54dee72cc1d00" # us-west-2 + instance_type = "t2.micro" + + tags = { + Name = "test" + } + + user_data = <> ~/.bashrc" ] + - [ sh, -c, "echo export AWS_SECRET_ACCESS_KEY=my-secret >> ~/.bashrc" ] +EOT + + credit_specification { + cpu_credits = "unlimited" + } +} + +``` +
+
Postitive test num. 7 - tf file + +```tf hl_lines="13" +provider "aws" { + region = "us-east-1" +} + +resource "aws_instance" "positive7" { + ami = "ami-005e54dee72cc1d00" # us-west-2 + instance_type = "t2.micro" + + tags = { + Name = "test" + } + + provisioner "remote-exec" { + inline = [ + "wget -O - http://config.remote.server.com/aws-credentials > ~/.aws/credentials;" + ] + } + + credit_specification { + cpu_credits = "unlimited" + } +} + +``` +
+
Postitive test num. 8 - tf file + +```tf hl_lines="13" +provider "aws" { + region = "us-east-1" +} + +resource "aws_instance" "positive8" { + ami = "ami-005e54dee72cc1d00" # us-west-2 + instance_type = "t2.micro" + + tags = { + Name = "test" + } + + provisioner "file" { + source = "conf/aws-credentials" + destination = "~/.aws/credentials" + } +} + +``` +
+
Postitive test num. 9 - tf file + +```tf hl_lines="13" +provider "aws" { + region = "us-east-1" +} + +resource "aws_instance" "positive9" { + ami = "ami-005e54dee72cc1d00" # us-west-2 + instance_type = "t2.micro" + + tags = { + Name = "test" + } + + provisioner "remote-exec" { + inline = [ + "echo export AWS_ACCESS_KEY_ID=my-key-id >> ~/.bashrc", + "echo export AWS_SECRET_ACCESS_KEY=my-secret >> ~/.bashrc" + ] + } + + credit_specification { + cpu_credits = "unlimited" + } +} + +``` +
+
Postitive test num. 10 - tf file + +```tf hl_lines="1" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + + user_data = < +
Postitive test num. 11 - tf file + +```tf hl_lines="1" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + + user_data_base64 = var.init_aws_cli + + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+
Postitive test num. 12 - tf file + +```tf hl_lines="1" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + + user_data_base64 = base64encode("apt-get install -y awscli; export AWS_ACCESS_KEY_ID=your_access_key_id_here; export AWS_SECRET_ACCESS_KEY=your_secret_access_key_here") + + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +resource "aws_iam_role_policy_attachment" "test_attach" { + roles = [aws_iam_role.test_role.name] + policy_arn = aws_iam_policy.test_policy.arn +} + +resource "aws_iam_policy" "test_policy" { + name = "test_policy" + description = "test policy" + path = "/" + policy = <Negative test num. 4 - tf file + +```tf +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + + tags = { + Terraform = "true" + Environment = "dev" + } + + user_data = <<-EOF + #!/bin/bash + apt-get update + EOF +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md b/docs/queries/terraform-queries/aws/0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md new file mode 100644 index 00000000000..2230404614a --- /dev/null +++ b/docs/queries/terraform-queries/aws/0bc534c5-13d1-4353-a7fe-b8665d5c1d7d.md @@ -0,0 +1,258 @@ +--- +title: Dynamodb VPC Endpoint Without Route Table Association +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0bc534c5-13d1-4353-a7fe-b8665d5c1d7d +- **Query name:** Dynamodb VPC Endpoint Without Route Table Association +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/dynamodb_vpc_endpoint_wihout_route_table_association) + +### Description +Dynamodb VPC Endpoint should be associated with Route Table Association
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint#vpc_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="31" +provider "aws" { + region = "us-east-1" +} + +locals { + s3_prefix_list_cidr_block = "3.218.183.128/25" +} +resource "aws_vpc" "main" { + cidr_block = "192.168.100.0/24" + enable_dns_support = true +} + +resource "aws_subnet" "private-subnet" { + vpc_id = aws_vpc.main.id + cidr_block = "192.168.100.128/25" + + tags = { + Name = "private-subnet" + } +} + +resource "aws_route_table" "private-rtb" { + vpc_id = aws_vpc.main.id + + tags = { + Name = "private-rtb" + } +} + +resource "aws_vpc_endpoint" "dynamodb-vpce-gw" { + vpc_id = aws_vpc.main.id + service_name = "com.amazonaws.us-east-1.dynamodb" +} + +resource "aws_network_acl" "allow-public-outbound-nacl" { + vpc_id = aws_vpc.main.id + subnet_ids = [aws_subnet.private-subnet.id] + + egress { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = local.s3_prefix_list_cidr_block + from_port = 443 + to_port = 443 + } + + tags = { + Name = "allow-public-outbound-nacl" + } +} + +resource "aws_security_group" "allow-public-outbound-sg" { + name = "allow-public-outbound-sg" + description = "Allow HTTPS outbound traffic" + vpc_id = aws_vpc.main.id + + egress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [local.s3_prefix_list_cidr_block] + } + +} + +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "test" { + ami = data.aws_ami.ubuntu.id + instance_type = "t2.micro" + vpc_security_group_ids = [aws_security_group.allow-public-outbound-sg.id] + subnet_id = aws_subnet.private-subnet.id +} + +resource 
"aws_dynamodb_table" "basic-dynamodb-table" { + name = "GameScores" + billing_mode = "PROVISIONED" + read_capacity = 5 + write_capacity = 5 + hash_key = "UserId" + range_key = "GameTitle" + + attribute { + name = "UserId" + type = "S" + } + + attribute { + name = "GameTitle" + type = "S" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +locals { + s3_prefix_list_cidr_block = "3.218.183.128/25" +} +resource "aws_vpc" "main2" { + cidr_block = "192.168.100.0/24" + enable_dns_support = true +} + +resource "aws_subnet" "private-subnet2" { + vpc_id = aws_vpc.main2.id + cidr_block = "192.168.100.128/25" + + tags = { + Name = "private-subnet" + } +} + +resource "aws_route_table" "private-rtb2" { + vpc_id = aws_vpc.main2.id + + tags = { + Name = "private-rtb" + } +} + +resource "aws_route_table_association" "private-rtb-assoc2" { + subnet_id = aws_subnet.private-subnet2.id + route_table_id = aws_route_table.private-rtb2.id +} + +resource "aws_vpc_endpoint" "dynamodb-vpce-gw2" { + vpc_id = aws_vpc.main2.id + service_name = "com.amazonaws.us-east-1.dynamodb" +} + +resource "aws_network_acl" "allow-public-outbound-nacl2" { + vpc_id = aws_vpc.main.id + subnet_ids = [aws_subnet.private-subnet2.id] + + egress { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = local.s3_prefix_list_cidr_block + from_port = 443 + to_port = 443 + } + + tags = { + Name = "allow-public-outbound-nacl" + } +} + +resource "aws_security_group" "allow-public-outbound-sg2" { + name = "allow-public-outbound-sg" + description = "Allow HTTPS outbound traffic" + vpc_id = aws_vpc.main.id + + egress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [local.s3_prefix_list_cidr_block] + } + +} + +data "aws_ami" "ubuntu2" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"] + } + + filter { + name 
= "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "test2" { + ami = data.aws_ami.ubuntu2.id + instance_type = "t2.micro" + vpc_security_group_ids = [aws_security_group.allow-public-outbound-sg2.id] + subnet_id = aws_subnet.private-subnet2.id +} + +resource "aws_dynamodb_table" "basic-dynamodb-table2" { + name = "GameScores" + billing_mode = "PROVISIONED" + read_capacity = 5 + write_capacity = 5 + hash_key = "UserId" + range_key = "GameTitle" + + attribute { + name = "UserId" + type = "S" + } + + attribute { + name = "GameTitle" + type = "S" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md b/docs/queries/terraform-queries/aws/0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md new file mode 100644 index 00000000000..684380a117a --- /dev/null +++ b/docs/queries/terraform-queries/aws/0c10d7da-85c4-4d62-b2a8-d6c104f1bd77.md @@ -0,0 +1,91 @@ +--- +title: User With Privilege Escalation By Actions 'iam:PutUserPolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0c10d7da-85c4-4d62-b2a8-d6c104f1bd77 +- **Query name:** User With Privilege Escalation By Actions 'iam:PutUserPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutUserPolicy) + +### Description +User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PutUserPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md b/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md new file mode 100644 index 00000000000..c6bb9884818 --- /dev/null +++ b/docs/queries/terraform-queries/aws/0ca1017d-3b80-423e-bb9c-6cd5898d34bd.md 
@@ -0,0 +1,239 @@ +--- +title: Lambda IAM InvokeFunction Misconfigured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0ca1017d-3b80-423e-bb9c-6cd5898d34bd +- **Query name:** Lambda IAM InvokeFunction Misconfigured +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured) + +### Description +Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "aws_iam_policy" "positive1policy" { + name = "positive1policy" + path = "/" + description = "Positive1 Policy" + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "lambda:InvokeFunction", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:*:function:positive1" + ] + }, + ] + }) +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="8" +resource "aws_iam_policy" "positive2policy" { + name = "positive2policy" + path = "/" + description = "Positive2 Policy" + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2022-20-27" + Statement = [ + { + Action = [ + "lambda:InvokeFunction", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:*:function:positive2*:*" + ] + }, + ] + }) +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="8" +resource "aws_iam_policy" "positive3policy" { + name = "positive3policy" + path = "/" + description = "positive3 Policy" + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2022-20-27" + Statement = [ + { + Action = [ + "lambda:InvokeFunction", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:*:function:*:*" + ] + }, + ] + }) +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="5" +resource "aws_iam_policy" "positive4policy" { + name = "positive4policy" + path = "/" + description = "positive4 Policy" + policy = data.aws_iam_policy_document.datapositive4policy.json +} +# Terraform's "jsonencode" function converts a +# Terraform expression result to valid JSON syntax. +data "aws_iam_policy_document" "datapositive4policy" { + statement { + effect = "Allow" + actions = [ + "lambda:InvokeFunction" + ] + + resources = [ + "arn:aws:lambda:*:*:function:*:*" + ] + } +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="8" +resource "aws_iam_policy" "positive5policy" { + name = "positive5policy" + path = "/" + description = "positive5 Policy" + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2022-20-27" + Statement = [ + { + Action = [ + "*", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:*:function:*:*" + ] + }, + ] + }) +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="8" +resource "aws_iam_policy" "positive6policy" { + name = "positive6policy" + path = "/" + description = "positive6 Policy" + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2022-20-27" + Statement = [ + { + Action = [ + "lambda:*", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:*:function:*:*" + ] + }, + ] + }) +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_policy" "negative1policy" { + name = "negative1policy" + path = "/" + description = "negative1 Policy" + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "lambda:InvokeFunction", + ] + Effect = "Allow" + Resource = [ + "arn:aws:lambda:*:*:function:negative1", + "arn:aws:lambda:*:*:function:negative1:*" + ] + }, + ] + }) +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_iam_policy" "negative2policy" { + name = "negative2policy" + path = "/" + description = "negative2 Policy" + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "s3:*", + ] + Effect = "Allow" + Resource = ["*"] + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/0e32d561-4b5a-4664-a6e3-a3fa85649157.md b/docs/queries/terraform-queries/aws/0e32d561-4b5a-4664-a6e3-a3fa85649157.md new file mode 100644 index 00000000000..05684f03633 --- /dev/null +++ b/docs/queries/terraform-queries/aws/0e32d561-4b5a-4664-a6e3-a3fa85649157.md @@ -0,0 +1,73 @@ +--- +title: ECR Repository Not Encrypted With CMK +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0e32d561-4b5a-4664-a6e3-a3fa85649157 +- **Query name:** ECR Repository Not Encrypted With CMK +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecr_repository_not_encrypted) + +### Description +ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 18"
+resource "aws_ecr_repository" "foo" {
+ name = "bar"
+ image_tag_mutability = "IMMUTABLE"
+
+ image_scanning_configuration {
+ scan_on_push = true
+ }
+}
+
+resource "aws_ecr_repository" "fooX" {
+ name = "barX"
+ image_tag_mutability = "IMMUTABLE"
+
+ image_scanning_configuration {
+ scan_on_push = true
+ }
+
+ encryption_configuration {
+ encryption_type = "AES256"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_ecr_repository" "foo2" {
+ name = "bar"
+ image_tag_mutability = "IMMUTABLE"
+
+ image_scanning_configuration {
+ scan_on_push = true
+ }
+
+ encryption_configuration {
+ encryption_type = "KMS"
+ kms_key = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/0e59d33e-bba2-4037-8f88-9765647ca7ad.md b/docs/queries/terraform-queries/aws/0e59d33e-bba2-4037-8f88-9765647ca7ad.md
new file mode 100644
index 00000000000..6ee3657d333
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/0e59d33e-bba2-4037-8f88-9765647ca7ad.md
@@ -0,0 +1,95 @@
+---
+title: BOM - AWS Kinesis
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 0e59d33e-bba2-4037-8f88-9765647ca7ad
+- **Query name:** BOM - AWS Kinesis
+- **Platform:** Terraform
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/kinesis)
+
+### Description
+A list of Kinesis resources found. Amazon Kinesis is a real-time streaming service that provides collection, processing, and analysis of video and data streams in real-time
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 20" +resource "aws_kinesis_stream" "positive1" { + name = "terraform-kinesis-test" + shard_count = 1 + retention_period = 48 + + shard_level_metrics = [ + "IncomingBytes", + "OutgoingBytes", + ] + + stream_mode_details { + stream_mode = "PROVISIONED" + } + + tags = { + Environment = "test" + } +} + +resource "aws_kinesis_stream" "positive2" { + name = "terraform-kinesis-test2" + shard_count = 1 + retention_period = 48 + + shard_level_metrics = [ + "IncomingBytes", + "OutgoingBytes", + ] + + stream_mode_details { + stream_mode = "PROVISIONED" + } + + tags = { + Environment = "test" + } + + kms_key_id = "1234abcd-12ab-34cd-56ef-0987654321ab" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +module "kinesis-stream" { + + source = "rodrigodelmonte/kinesis-stream/aws" + version = "v2.0.3" + + name = "kinesis_stream_example" + shard_count = 1 + retention_period = 24 + shard_level_metrics = ["IncomingBytes", "OutgoingBytes"] + enforce_consumer_deletion = false + encryption_type = "KMS" + kms_key_id = "alias/aws/kinesis" + tags = { + Name = "kinesis_stream_example" + } + +} + +``` diff --git a/docs/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480.md b/docs/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480.md new file mode 100644 index 00000000000..dbf4a240a03 --- /dev/null +++ b/docs/queries/terraform-queries/aws/0f6cbf69-41bb-47dc-93f3-3844640bf480.md 
@@ -0,0 +1,145 @@
+---
+title: Cloudwatch Cloudtrail Configuration Changes Alarm Missing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 0f6cbf69-41bb-47dc-93f3-3844640bf480
+- **Query name:** Cloudwatch Cloudtrail Configuration Changes Alarm Missing
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_cloudtrail_configuration_changes_alarm_missing)
+
+### Description
+Ensure a log metric filter and alarm exist for CloudTrail configuration changes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" { + name = "CIS-CloudTrailChanges" + pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-CloudTrailChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" { + alarm_name = "CIS-3.5-CloudTrailChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" { + name = "CIS-CloudTrailChanges" + pattern = "{ ($.eventName = CreateTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-CloudTrailChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" { + alarm_name = "CIS-3.5-CloudTrailChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_cloudwatch_log_metric_filter" "cis_cloudtrail_config_change_metric_filter" { + name = "CIS-CloudTrailChanges" + pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-CloudTrailChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_cloudtrail_config_change_cw_alarm" { + alarm_name = "CIS-3.5-CloudTrailChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_cloudtrail_config_change_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/0fd7d920-4711-46bd-aff2-d307d82cd8b7.md b/docs/queries/terraform-queries/aws/0fd7d920-4711-46bd-aff2-d307d82cd8b7.md new file mode 100644 index 00000000000..26876208762 --- /dev/null +++ b/docs/queries/terraform-queries/aws/0fd7d920-4711-46bd-aff2-d307d82cd8b7.md 
@@ -0,0 +1,90 @@
+---
+title: User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 0fd7d920-4711-46bd-aff2-d307d82cd8b7
+- **Query name:** User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateLoginProfile)
+
+### Description
+User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/113208f2-a886-4526-9ecc-f3218600e12c.md b/docs/queries/terraform-queries/aws/113208f2-a886-4526-9ecc-f3218600e12c.md
new file mode 100644
index 00000000000..c033079c260
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/113208f2-a886-4526-9ecc-f3218600e12c.md
@@ -0,0 +1,90 @@
+---
+title: User With Privilege Escalation By Actions 'iam:CreateAccessKey'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 113208f2-a886-4526-9ecc-f3218600e12c
+- **Query name:** User With Privilege Escalation By Actions 'iam:CreateAccessKey'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreateAccessKey)
+
+### Description
+User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreateAccessKey",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/118281d0-6471-422e-a7c5-051bc667926e.md b/docs/queries/terraform-queries/aws/118281d0-6471-422e-a7c5-051bc667926e.md
new file mode 100644
index 00000000000..1b6c4149652
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/118281d0-6471-422e-a7c5-051bc667926e.md
@@ -0,0 +1,82 @@
+---
+title: Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 118281d0-6471-422e-a7c5-051bc667926e
+- **Query name:** Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion)
+
+### Description
+Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:SetDefaultPolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/126c1788-23c2-4a10-906c-ef179f4f96ec.md b/docs/queries/terraform-queries/aws/126c1788-23c2-4a10-906c-ef179f4f96ec.md
new file mode 100644
index 00000000000..823bed53e61
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/126c1788-23c2-4a10-906c-ef179f4f96ec.md
@@ -0,0 +1,166 @@ +--- +title: ELB Using Insecure Protocols +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 126c1788-23c2-4a10-906c-ef179f4f96ec +- **Query name:** ELB Using Insecure Protocols +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elb_using_insecure_protocols) + +### Description +ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="41 30" +#this is a problematic code where the query should report a result(s) +resource "aws_elb" "positive1" { + name = "wu-tang" + availability_zones = ["us-east-1a"] + + listener { + instance_port = 443 + instance_protocol = "http" + lb_port = 443 + lb_protocol = "https" + ssl_certificate_id = "arn:aws:iam::000000000000:server-certificate/wu-tang.net" + } + + tags = { + Name = "wu-tang" + } +} + +resource "aws_load_balancer_policy" "positive4" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ssl" + policy_type_name = "SSLNegotiationPolicyType" + + policy_attribute { + name = "Protocol-TLSv1.2" + value = "true" + } + + policy_attribute { + name = "Protocol-TLSv1" + value = "true" + } +} + +resource "aws_load_balancer_policy" "positive5" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ssl" + policy_type_name = "SSLNegotiationPolicyType" + + policy_attribute { + name = "Protocol-SSLv3" + value = "true" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +#this code is a correct code for which the query should not find any result +resource "aws_elb" "negative1" { + name = "wu-tang" + availability_zones = ["us-east-1a"] + + listener { + instance_port = 443 + instance_protocol = "http" + lb_port = 443 + lb_protocol = "https" + ssl_certificate_id = "arn:aws:iam::000000000000:server-certificate/wu-tang.net" + } + + tags = { + Name = "wu-tang" + } +} + +resource "aws_load_balancer_policy" "negative2" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ca-pubkey-policy" + policy_type_name = "PublicKeyPolicyType" + + policy_attribute { + name = "PublicKey" + value = file("wu-tang-pubkey") + } +} + +resource "aws_load_balancer_policy" "negative3" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-root-ca-backend-auth-policy" + policy_type_name = "BackendServerAuthenticationPolicyType" + + policy_attribute { + name = "PublicKeyPolicyName" + value = aws_load_balancer_policy.wu-tang-root-ca-pubkey-policy.policy_name + } +} + +resource "aws_load_balancer_policy" "negative4" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ssl" + policy_type_name = "SSLNegotiationPolicyType" + + policy_attribute { + name = "ECDHE-ECDSA-AES128-GCM-SHA256" + value = "true" + } + + policy_attribute { + name = "Protocol-TLSv1.2" + value = "true" + } +} + +resource "aws_load_balancer_policy" "negative5" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ssl" + policy_type_name = "SSLNegotiationPolicyType" + + policy_attribute { + name = "Reference-Security-Policy" + value = "ELBSecurityPolicy-TLS-1-1-2017-01" + } +} + +resource "aws_load_balancer_backend_server_policy" "negative6" { + load_balancer_name = aws_elb.wu-tang.name + instance_port = 443 + + policy_names = [ + aws_load_balancer_policy.wu-tang-root-ca-backend-auth-policy.policy_name, + ] +} + +resource "aws_load_balancer_listener_policy" "negative7" { + load_balancer_name = aws_elb.wu-tang.name + 
load_balancer_port = 443 + + policy_names = [ + aws_load_balancer_policy.wu-tang-ssl.policy_name, + ] +} +``` diff --git a/docs/queries/terraform-queries/aws/12933609-c5bf-44b4-9a41-a6467c3b685b.md b/docs/queries/terraform-queries/aws/12933609-c5bf-44b4-9a41-a6467c3b685b.md new file mode 100644 index 00000000000..00c4f83de9a --- /dev/null +++ b/docs/queries/terraform-queries/aws/12933609-c5bf-44b4-9a41-a6467c3b685b.md @@ -0,0 +1,99 @@ +--- +title: BOM - AWS RDS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 12933609-c5bf-44b4-9a41-a6467c3b685b +- **Query name:** BOM - AWS RDS +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/rds) + +### Description +A list of RDS resources found. Amazon Relational Database Service (Amazon RDS) is a collection of managed services that makes it simple to set up, operate, and scale databases in the cloud.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 35 23" +resource "aws_rds_cluster_instance" "cluster_instances" { + count = 2 + identifier = "aurora-cluster-demo-${count.index}" + cluster_identifier = aws_rds_cluster.default.id + instance_class = "db.r4.large" + engine = aws_rds_cluster.default.engine + engine_version = aws_rds_cluster.default.engine_version + publicly_accessible = false +} + +resource "aws_rds_cluster" "default" { + cluster_identifier = "aurora-cluster-demo" + engine = "aurora-mysql" + engine_version = "5.7.mysql_aurora.2.03.2" + availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] + database_name = "mydb" + master_username = "foo" + master_password = "bar" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" +} + +resource "aws_db_instance" "default" { + allocated_storage = 10 + db_name = "mydb" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t3.micro" + username = "foo" + password = "foobarbaz" + parameter_group_name = "default.mysql5.7" + skip_final_snapshot = true +} + +resource "aws_db_instance" "sample3" { + allocated_storage = 10 + db_name = "mydb" + engine_version = "5.7" + instance_class = "db.t3.micro" + username = "foo" + password = "foobarbaz" + parameter_group_name = "default.mysql5.7" + replicate_source_db = aws_db_instance.default.id + skip_final_snapshot = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +module "kafka" { + source = "cloudposse/msk-apache-kafka-cluster/aws" + version = "0.7.2" + + namespace = "eg" + stage = "prod" + name = "app" + vpc_id = "vpc-XXXXXXXX" + zone_id = "Z14EN2YD427LRQ" + security_groups = ["sg-XXXXXXXXX", "sg-YYYYYYYY"] + subnet_ids = ["subnet-XXXXXXXXX", "subnet-YYYYYYYY"] + kafka_version = "2.4.1" + number_of_broker_nodes = 2 # this has to be a multiple of the # of subnet_ids + broker_instance_type = "kafka.m5.large" +} + +``` diff --git a/docs/queries/terraform-queries/aws/12b7e704-37f0-4d1e-911a-44bf60c48c21.md b/docs/queries/terraform-queries/aws/12b7e704-37f0-4d1e-911a-44bf60c48c21.md new file mode 100644 index 00000000000..ba925667082 --- /dev/null +++ b/docs/queries/terraform-queries/aws/12b7e704-37f0-4d1e-911a-44bf60c48c21.md @@ -0,0 +1,173 @@ +--- +title: IAM Role Allows All Principals To Assume +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 12b7e704-37f0-4d1e-911a-44bf60c48c21 +- **Query name:** IAM Role Allows All Principals To Assume +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_role_allows_all_principals_to_assume) + +### Description +IAM role allows all services or principals to assume it
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="37" +// Create a role which OpenShift instances will assume. +// This role has a policy saying it can be assumed by ec2 +// instances. +resource "aws_iam_role" "positive1" { + name = "${var.name_tag_prefix}-openshift-instance-role" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 132a8c31-9837-4203-9fd1-15ca210c7b73 +- **Query name:** SSO Policy with full privileges +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sso_policy_with_full_priveleges) + +### Description +SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_ssoadmin_permission_set_inline_policy" "pos1" { + instance_arn = aws_ssoadmin_permission_set.example.instance_arn + permission_set_arn = aws_ssoadmin_permission_set.example.arn + inline_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 1402afd8-a95c-4e84-8b0b-6fb43758e6ce +- **Query name:** Hardcoded AWS Access Key In Lambda +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda) + +### Description +Lambda access/secret keys should not be hardcoded
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="57 36" +resource "aws_iam_role" "positive1" { + name = "iam_for_lambda" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 1419b4c6-6d5c-4534-9cf6-6a5266085333 +- **Query name:** CloudFront Without WAF +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudfront_without_waf) + +### Description +All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="15" + + +module "acm" { + source = "terraform-aws-modules/acm/aws" + version = "~> v2.0" + domain_name = var.site_domain + zone_id = data.aws_route53_zone.this.zone_id + tags = var.tags + + providers = { + aws = aws.us_east_1 # cloudfront needs acm certificate to be from "us-east-1" region + } +} + +resource "aws_cloudfront_distribution" "positive1" { + origin { + domain_name = var.public_alb_domain + origin_id = "alb" + + custom_origin_config { + http_port = 80 + https_port = 443 + origin_protocol_policy = "https-only" + origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"] + } + } + + enabled = true + is_ipv6_enabled = true + comment = var.site_domain + + aliases = [var.site_domain] + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + target_origin_id = "alb" + + forwarded_values { + query_string = true + headers = ["*"] + + cookies { + forward = "all" + } + + } + + viewer_protocol_policy = "redirect-to-https" + min_ttl = 0 + default_ttl = 0 + max_ttl = 0 + compress = true + } + + # Cache behavior with precedence 0 + ordered_cache_behavior { + path_pattern = "wp-content/*" + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + target_origin_id = "alb" + + forwarded_values { + query_string = true + headers = ["Host"] + + cookies { + forward = "all" + } + } + + min_ttl = 900 + default_ttl = 900 + max_ttl = 900 + compress = true + viewer_protocol_policy = "redirect-to-https" + } + + # Cache behavior with precedence 1 + ordered_cache_behavior { + path_pattern = "wp-includes/*" + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", 
"PUT"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + target_origin_id = "alb" + + forwarded_values { + query_string = true + headers = ["Host"] + + cookies { + forward = "all" + } + } + + min_ttl = 3600 + default_ttl = 3600 + max_ttl = 3600 + compress = true + viewer_protocol_policy = "redirect-to-https" + } + price_class = var.cf_price_class + tags = var.tags + restrictions { + geo_restriction { + restriction_type = "none" + } + } + + + viewer_certificate { + acm_certificate_arn = module.acm.this_acm_certificate_arn + ssl_support_method = "sni-only" + minimum_protocol_version = "TLSv1.1_2016" + } + + # By default, cloudfront caches error for five minutes. There can be situation when a developer has accidentally broken the website and you would not want to wait for five minutes for the error response to be cached. + # https://docs.aws.amazon.com/AmazonS3/latest/dev/CustomErrorDocSupport.html + custom_error_response { + error_code = 400 + error_caching_min_ttl = var.error_ttl + } + + custom_error_response { + error_code = 403 + error_caching_min_ttl = var.error_ttl + } + + custom_error_response { + error_code = 404 + error_caching_min_ttl = var.error_ttl + } + + custom_error_response { + error_code = 405 + error_caching_min_ttl = var.error_ttl + } + + depends_on = [ + aws_ecs_service.this + ] +} + + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" + + +module "acm" { + source = "terraform-aws-modules/acm/aws" + version = "~> v2.0" + domain_name = var.site_domain + zone_id = data.aws_route53_zone.this.zone_id + tags = var.tags + + providers = { + aws = aws.us_east_1 # cloudfront needs acm certificate to be from "us-east-1" region + } +} + +resource "aws_cloudfront_distribution" "negative1" { + origin { + domain_name = var.public_alb_domain + origin_id = "alb" + + custom_origin_config { + http_port = 80 + https_port = 443 + origin_protocol_policy = "https-only" + origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"] + } + } + + enabled = true + is_ipv6_enabled = true + comment = var.site_domain + web_acl_id = "test" + + aliases = [var.site_domain] + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + target_origin_id = "alb" + + forwarded_values { + query_string = true + headers = ["*"] + + cookies { + forward = "all" + } + + } + + viewer_protocol_policy = "redirect-to-https" + min_ttl = 0 + default_ttl = 0 + max_ttl = 0 + compress = true + } + + # Cache behavior with precedence 0 + ordered_cache_behavior { + path_pattern = "wp-content/*" + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + target_origin_id = "alb" + + forwarded_values { + query_string = true + headers = ["Host"] + + cookies { + forward = "all" + } + } + + min_ttl = 900 + default_ttl = 900 + max_ttl = 900 + compress = true + viewer_protocol_policy = "redirect-to-https" + } + + # Cache behavior with precedence 1 + ordered_cache_behavior { + path_pattern = "wp-includes/*" + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + target_origin_id = "alb" + + forwarded_values { + query_string = true + headers = ["Host"] + + cookies { + forward = "all" + } + } + + min_ttl = 3600 + 
default_ttl = 3600 + max_ttl = 3600 + compress = true + viewer_protocol_policy = "redirect-to-https" + } + price_class = var.cf_price_class + tags = var.tags + restrictions { + geo_restriction { + restriction_type = "none" + } + } + + + viewer_certificate { + acm_certificate_arn = module.acm.this_acm_certificate_arn + ssl_support_method = "sni-only" + minimum_protocol_version = "TLSv1.1_2016" + } + + # By default, cloudfront caches error for five minutes. There can be situation when a developer has accidentally broken the website and you would not want to wait for five minutes for the error response to be cached. + # https://docs.aws.amazon.com/AmazonS3/latest/dev/CustomErrorDocSupport.html + custom_error_response { + error_code = 400 + error_caching_min_ttl = var.error_ttl + } + + custom_error_response { + error_code = 403 + error_caching_min_ttl = var.error_ttl + } + + custom_error_response { + error_code = 404 + error_caching_min_ttl = var.error_ttl + } + + custom_error_response { + error_code = 405 + error_caching_min_ttl = var.error_ttl + } + + depends_on = [ + aws_ecs_service.this + ] +} + + + + +``` diff --git a/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md b/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md new file mode 100644 index 00000000000..a6b253d89b0 --- /dev/null +++ b/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md @@ -0,0 +1,98 @@ +--- +title: Remote Desktop Port Open To Internet +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 151187cb-0efc-481c-babd-ad24e3c9bc22 +- **Query name:** Remote Desktop Port Open To Internet +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/remote_desktop_port_open_to_internet) + +### Description +The Remote Desktop port is open to the internet in a Security Group
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 14" +resource "aws_security_group" "positive1" { + name = "rdp_positive_tcp_1" + description = "Gets the remote desktop port open with the tcp protocol" + + ingress { + description = "Remote desktop port open" + from_port = 3380 + to_port = 3450 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_security_group" "positive2" { + name = "rdp_positive_tcp_2" + description = "Gets the remote desktop port open with the tcp protocol" + + ingress { + description = "Remote desktop port open" + from_port = 3381 + to_port = 3445 + protocol = "tcp" + cidr_blocks = ["1.0.0.0/0"] + } + + ingress { + description = "Remote desktop port open" + from_port = 3000 + to_port = 4000 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group" "negative1" { + name = "Dont open remote desktop port" + description = "Doesn't enable the remote desktop port" + +} + +resource "aws_security_group" "negative2" { + + ingress { + description = "Remote desktop open private" + from_port = 3380 + to_port = 3450 + protocol = "tcp" + } +} + +resource "aws_security_group" "negative_rdp_2" { + + ingress { + description = "Remote desktop open private" + from_port = 3380 + to_port = 3450 + protocol = "tcp" + cidr_blocks = ["0.1.0.0/0"] + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/15ccec05-5476-4890-ad19-53991eba1db8.md b/docs/queries/terraform-queries/aws/15ccec05-5476-4890-ad19-53991eba1db8.md new file mode 100644 index 00000000000..593cc9cbf6a --- /dev/null +++ b/docs/queries/terraform-queries/aws/15ccec05-5476-4890-ad19-53991eba1db8.md 
@@ -0,0 +1,61 @@ +--- +title: API Gateway With Open Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 15ccec05-5476-4890-ad19-53991eba1db8 +- **Query name:** API Gateway With Open Access +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_with_open_access) + +### Description +API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_api_gateway_method" "positive1" { + rest_api_id = aws_api_gateway_rest_api.this.id + resource_id = aws_api_gateway_resource.this.id + http_method = "GET" + authorization = "NONE" + authorizer_id = aws_api_gateway_authorizer.this.id + + request_parameters = { + "method.request.path.proxy" = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_api_gateway_method" "negative1" { + rest_api_id = aws_api_gateway_rest_api.this.id + resource_id = aws_api_gateway_resource.this.id + http_method = "OPTIONS" + authorization = "NONE" + authorizer_id = aws_api_gateway_authorizer.this.id + + request_parameters = { + "method.request.path.proxy" = true + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md b/docs/queries/terraform-queries/aws/15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md new file mode 100644 index 00000000000..357ab1b06ef --- /dev/null +++ b/docs/queries/terraform-queries/aws/15e6ad8c-f420-49a6-bafb-074f5eb1ec74.md 
@@ -0,0 +1,107 @@ +--- +title: Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 15e6ad8c-f420-49a6-bafb-074f5eb1ec74 +- **Query name:** Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances) + +### Description +Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:RunInstances", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + groups = [aws_iam_group.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/15ffbacc-fa42-4f6f-a57d-2feac7365caa.md b/docs/queries/terraform-queries/aws/15ffbacc-fa42-4f6f-a57d-2feac7365caa.md new file mode 100644 index 00000000000..fa65513dbf4 --- /dev/null +++ b/docs/queries/terraform-queries/aws/15ffbacc-fa42-4f6f-a57d-2feac7365caa.md 
@@ -0,0 +1,69 @@ +--- +title: Redshift Cluster Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 15ffbacc-fa42-4f6f-a57d-2feac7365caa +- **Query name:** Redshift Cluster Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/redshift_cluster_logging_disabled) + +### Description +Make sure Logging is enabled for Redshift Cluster
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#enable) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9 13" +resource "aws_redshift_cluster" "positive1" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" + logging { + enable = false + } +} + +resource "aws_redshift_cluster" "positive2" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_redshift_cluster" "negative1" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" + logging { + enable = true + bucket_name = "nameOfAnExistingS3Bucket" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/16c4216a-50d3-4785-bfb2-4adb5144a8ba.md b/docs/queries/terraform-queries/aws/16c4216a-50d3-4785-bfb2-4adb5144a8ba.md new file mode 100644 index 00000000000..0991a5858dc --- /dev/null +++ b/docs/queries/terraform-queries/aws/16c4216a-50d3-4785-bfb2-4adb5144a8ba.md 
@@ -0,0 +1,97 @@ +--- +title: Elasticsearch Domain With Vulnerable Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 16c4216a-50d3-4785-bfb2-4adb5144a8ba +- **Query name:** Elasticsearch Domain With Vulnerable Policy +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticsearch_domain_with_vulnerable_policy) + +### Description +Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain_policy#access_policies) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="18" +provider "aws" { + region = "us-east-1" +} + +resource "aws_elasticsearch_domain" "es-not-secure-policy" { + domain_name = "es-not-secure-policy" + + ebs_options { + ebs_enabled = true + volume_size = 10 + volume_type = "gp2" + } +} + +resource "aws_elasticsearch_domain_policy" "main" { + domain_name = aws_elasticsearch_domain.es-not-secure-policy.domain_name + + access_policies = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 1743f5f1-0bb0-4934-acef-c80baa5dadfa +- **Query name:** User With Privilege Escalation By Actions 'iam:CreatePolicyVersion' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_CreatePolicyVersion) + +### Description +User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreatePolicyVersion", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/17b30f8f-8dfb-4597-adf6-57600b6cf25e.md b/docs/queries/terraform-queries/aws/17b30f8f-8dfb-4597-adf6-57600b6cf25e.md new file mode 100644 index 00000000000..31028a7b200 --- /dev/null +++ b/docs/queries/terraform-queries/aws/17b30f8f-8dfb-4597-adf6-57600b6cf25e.md 
@@ -0,0 +1,186 @@ +--- +title: CloudTrail Not Integrated With CloudWatch +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 17b30f8f-8dfb-4597-adf6-57600b6cf25e +- **Query name:** CloudTrail Not Integrated With CloudWatch +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudtrail_not_integrated_with_cloudwatch) + +### Description +CloudTrail should be integrated with CloudWatch
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudtrail" "positive1" { + name = "tf-trail-foobar" + s3_bucket_name = aws_s3_bucket.foo.id + s3_key_prefix = "prefix" + include_global_service_events = false +} + +data "aws_caller_identity" "current" {} + +resource "aws_s3_bucket" "positive4" { + bucket = "tf-test-trail" + force_destroy = true + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 19ffbe31-9d72-4379-9768-431195eae328 +- **Query name:** User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack) + +### Description +User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "cloudformation:CreateStack", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md b/docs/queries/terraform-queries/aws/1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md new file mode 100644 index 00000000000..cf98986465d --- /dev/null +++ b/docs/queries/terraform-queries/aws/1a4bc881-9f69-4d44-8c9a-d37d08f54c50.md 
@@ -0,0 +1,175 @@ +--- +title: S3 Bucket Allows Public Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1a4bc881-9f69-4d44-8c9a-d37d08f54c50 +- **Query name:** S3 Bucket Allows Public Policy +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_with_public_policy) + +### Description +S3 bucket allows public policy
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9 18" +resource "aws_s3_bucket" "positive1" { + bucket = "example" +} + +resource "aws_s3_bucket_public_access_block" "positive2" { + bucket = aws_s3_bucket.example.id + + block_public_acls = true + block_public_policy = false + ignore_public_acls = false +} + +// comment +// comment +// comment +// comment +// comment +resource "aws_s3_bucket_public_access_block" "positive3" { + bucket = aws_s3_bucket.example.id + + block_public_acls = true + ignore_public_acls = false +} +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + restrict_public_buckets = true + block_public_acls = true + block_public_policy = false + + versioning = { + enabled = true + } + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 1afbb3fa-cf6c-4a3d-b730-95e9f4df343e +- **Query name:** ElastiCache Replication Group Not Encrypted At Transit +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_transit) + +### Description +ElastiCache Replication Group encryption should be enabled at Transit
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#transit_encryption_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_elasticache_replication_group" "example" { + automatic_failover_enabled = true + availability_zones = ["us-west-2a", "us-west-2b"] + replication_group_id = "tf-rep-group-1" + replication_group_description = "test description" + node_type = "cache.m4.large" + number_cache_clusters = 2 + port = 6379 +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +resource "aws_elasticache_replication_group" "example" { + automatic_failover_enabled = true + availability_zones = ["us-west-2a", "us-west-2b"] + replication_group_id = "tf-rep-group-1" + replication_group_description = "test description" + node_type = "cache.m4.large" + number_cache_clusters = 2 + port = 6379 + transit_encryption_enabled = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_elasticache_replication_group" "example3" { + automatic_failover_enabled = true + availability_zones = ["us-west-2a", "us-west-2b"] + replication_group_id = "tf-rep-group-1" + replication_group_description = "test description" + node_type = "cache.m4.large" + number_cache_clusters = 2 + port = 6379 + at_rest_encryption_enabled = true + transit_encryption_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md b/docs/queries/terraform-queries/aws/1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md new file mode 100644 index 00000000000..029585d720e --- /dev/null +++ b/docs/queries/terraform-queries/aws/1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2.md 
@@ -0,0 +1,381 @@ +--- +title: Lambda Function With Privileged Role +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1b3af2f9-af8c-4dfc-a0f1-a03adb70deb2 +- **Query name:** Lambda Function With Privileged Role +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/lambda_function_with_privileged_role) + +### Description +It is not advisable for AWS Lambda Functions to have privileged permissions.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4 23" +resource "aws_lambda_function" "positivefunction1" { + filename = "lambda_function_payload.zip" + function_name = "lambda_function_name" + role = aws_iam_role.positiverole1.arn + handler = "exports.test" + source_code_hash = filebase64sha256("lambda_function_payload.zip") + runtime = "nodejs12.x" + + tags = { + Name = "lambda" + } + + environment = { + variables = { + foo = "bar" + } + } +} + +resource "aws_lambda_function" "positivefunction2" { + filename = "lambda_function_payload.zip" + function_name = "lambda_function_name" + role = aws_iam_role.positiverole2.arn + handler = "exports.test" + source_code_hash = filebase64sha256("lambda_function_payload.zip") + runtime = "nodejs12.x" + + tags = { + Name = "lambda" + } + + environment = { + variables = { + foo = "bar" + } + } +} + +resource "aws_iam_role" "positiverole1" { + name = "positiverole1" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 1b6799eb-4a7a-4b04-9001-8cceb9999326 +- **Query name:** API Gateway Access Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_access_logging_disabled) + +### Description +API Gateway should have Access Log Settings defined
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#access_log_settings) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 6" +resource "aws_api_gateway_stage" "postive1" { + stage_name = "dev" + rest_api_id = "id" +} + +resource "aws_apigatewayv2_stage" "postive2" { + stage_name = "dev" + rest_api_id = "id" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_api_gateway_stage" "negative1" { + stage_name = "dev" + rest_api_id = "id" + + access_log_settings { + destination_arn = "dest" + } +} + +resource "aws_apigatewayv2_stage" "negative2" { + stage_name = "dev" + rest_api_id = "id" + + access_log_settings { + destination_arn = "dest" + } +} + + +``` diff --git a/docs/queries/terraform-queries/aws/1bc1c685-e593-450e-88fb-19db4c82aa1d.md b/docs/queries/terraform-queries/aws/1bc1c685-e593-450e-88fb-19db4c82aa1d.md new file mode 100644 index 00000000000..485092ef911 --- /dev/null +++ b/docs/queries/terraform-queries/aws/1bc1c685-e593-450e-88fb-19db4c82aa1d.md @@ -0,0 +1,63 @@ +--- +title: IAM Password Without Minimum Length +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1bc1c685-e593-450e-88fb-19db4c82aa1d +- **Query name:** IAM Password Without Minimum Length +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_password_without_minimum_length) + +### Description +IAM password should have the required minimum length
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 10" +resource "aws_iam_account_password_policy" "positive1" { + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} + +resource "aws_iam_account_password_policy" "positive2" { + minimum_password_length = 3 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_account_password_policy" "negative1" { + minimum_password_length = 14 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/1bc367f6-901d-4870-ad0c-71d79762ef52.md b/docs/queries/terraform-queries/aws/1bc367f6-901d-4870-ad0c-71d79762ef52.md new file mode 100644 index 00000000000..a1cf574893d --- /dev/null +++ b/docs/queries/terraform-queries/aws/1bc367f6-901d-4870-ad0c-71d79762ef52.md 
@@ -0,0 +1,208 @@ +--- +title: CDN Configuration Is Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1bc367f6-901d-4870-ad0c-71d79762ef52 +- **Query name:** CDN Configuration Is Missing +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cdn_configuration_is_missing) + +### Description +Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11 61" +resource "aws_cloudfront_distribution" "positive1" { + origin { + domain_name = aws_s3_bucket.b.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = false + is_ipv6_enabled = true + comment = "Some comment" + default_root_object = "index.html" + + logging_config { + include_cookies = false + bucket = "mylogs.s3.amazonaws.com" + prefix = "myprefix" + } + + aliases = ["mysite.example.com", "yoursite.example.com"] + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = local.s3_origin_id + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + price_class = "PriceClass_200" + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + tags = { + Environment = "production" + } + + viewer_certificate { + cloudfront_default_certificate = true + } +} + +resource "aws_cloudfront_distribution" "positive2" { + enabled = true + is_ipv6_enabled = true + comment = "Some comment" + default_root_object = "index.html" + + logging_config { + include_cookies = false + bucket = "mylogs.s3.amazonaws.com" + prefix = "myprefix" + } + + aliases = ["mysite.example.com", "yoursite.example.com"] + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = local.s3_origin_id + + forwarded_values { + query_string = 
false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + price_class = "PriceClass_200" + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + tags = { + Environment = "production" + } + + viewer_certificate { + cloudfront_default_certificate = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudfront_distribution" "negative1" { + origin { + domain_name = aws_s3_bucket.b.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + is_ipv6_enabled = true + comment = "Some comment" + default_root_object = "index.html" + + logging_config { + include_cookies = false + bucket = "mylogs.s3.amazonaws.com" + prefix = "myprefix" + } + + aliases = ["mysite.example.com", "yoursite.example.com"] + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = local.s3_origin_id + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + price_class = "PriceClass_200" + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + tags = { + Environment = "production" + } + + viewer_certificate { + cloudfront_default_certificate = true + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md b/docs/queries/terraform-queries/aws/1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md new file mode 100644 index 00000000000..789ff733cc0 --- /dev/null 
+++ b/docs/queries/terraform-queries/aws/1dc73fb4-5b51-430c-8c5f-25dcf9090b02.md @@ -0,0 +1,319 @@ +--- +title: RDS With Backup Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1dc73fb4-5b51-430c-8c5f-25dcf9090b02 +- **Query name:** RDS With Backup Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/rds_with_backup_disabled) + +### Description +Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="12" +//some comments (used just for resource offset) + +resource "aws_db_instance" "positive1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + backup_retention_period = 0 +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="12" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + auto_minor_version_upgrade = true + backup_retention_period = 0 + + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + 
}, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +resource "aws_db_instance" "positive1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + auto_minor_version_upgrade = true + + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +//some comments (used just for resource offset) + +resource "aws_db_instance" "negative1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + backup_retention_period = 12 +} +``` +```tf title="Negative test num. 2 - tf file" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + auto_minor_version_upgrade = true + backup_retention_period = 12 + + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` 
diff --git a/docs/queries/terraform-queries/aws/1df37f4b-7197-45ce-83f8-9994d2fcf885.md b/docs/queries/terraform-queries/aws/1df37f4b-7197-45ce-83f8-9994d2fcf885.md new file mode 100644 index 00000000000..2fa65c67ac0 --- /dev/null +++ b/docs/queries/terraform-queries/aws/1df37f4b-7197-45ce-83f8-9994d2fcf885.md @@ -0,0 +1,198 @@ +--- +title: S3 Bucket Allows Get Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1df37f4b-7197-45ce-83f8-9994d2fcf885 +- **Query name:** S3 Bucket Allows Get Action From All Principals +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_allows_get_action_from_all_principals) + +### Description +S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="17 42" +resource "aws_s3_bucket" "positive1" { + bucket = "my_tf_test_bucket" +} + +resource "aws_s3_bucket_policy" "positive2" { + bucket = aws_s3_bucket.b.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 1e0ef61b-ad85-4518-a3d3-85eaad164885 +- **Query name:** DB Security Group With Public Scope +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/db_security_group_with_public_scope) + +### Description +The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_db_security_group" "positive1" { + name = "rds_sg" + + ingress { + cidr = "0.0.0.0/0" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_security_group" "negative1" { + name = "rds_sg" + + ingress { + cidr = "10.0.0.0/25" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/1ec253ab-c220-4d63-b2de-5b40e0af9293.md b/docs/queries/terraform-queries/aws/1ec253ab-c220-4d63-b2de-5b40e0af9293.md new file mode 100644 index 00000000000..52a4e827408 --- /dev/null +++ b/docs/queries/terraform-queries/aws/1ec253ab-c220-4d63-b2de-5b40e0af9293.md @@ -0,0 +1,168 @@ +--- +title: S3 Bucket Without Restriction Of Public Bucket +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1ec253ab-c220-4d63-b2de-5b40e0af9293 +- **Query name:** S3 Bucket Without Restriction Of Public Bucket +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_without_restriction_of_public_bucket) + +### Description +S3 bucket without restriction of public bucket
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11 14" +resource "aws_s3_bucket" "positive1" { + bucket = "example" +} + +// comment +resource "aws_s3_bucket_public_access_block" "positive2" { + bucket = aws_s3_bucket.example.id + + block_public_acls = true + block_public_policy = true + restrict_public_buckets = false +} + +resource "aws_s3_bucket_public_access_block" "positive3" { + bucket = aws_s3_bucket.example.id + + block_public_acls = true + block_public_policy = true +} +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="8" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + restrict_public_buckets = false + + versioning = { + enabled = true + } + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 20018359-6fd7-4d05-ab26-d4dffccbdf79 +- **Query name:** ELB Access Log Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elb_access_logging_disabled) + +### Description +ELB should have logging enabled to help on error investigation
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elb#enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9" +resource "aws_elb" "postive1" { + name = "foobar-terraform-elb" + availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] + + access_logs { + bucket = "foo" + bucket_prefix = "bar" + interval = 60 + enabled = false + } + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 443 + lb_protocol = "https" + ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName" + } + + health_check { + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 3 + target = "HTTP:8000/" + interval = 30 + } + + instances = [aws_instance.foo.id] + cross_zone_load_balancing = true + idle_timeout = 400 + connection_draining = true + connection_draining_timeout = 400 + + tags = { + Name = "foobar-terraform-elb" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_elb" "postive2" { + name = "foobar-terraform-elb" + availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 443 + lb_protocol = "https" + ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName" + } + + health_check { + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 3 + target = "HTTP:8000/" + interval = 30 + } + + instances = [aws_instance.foo.id] + cross_zone_load_balancing = true + idle_timeout = 400 + connection_draining = true + connection_draining_timeout = 400 + + tags = { + Name = "foobar-terraform-elb" + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +module "elb_http" { + source = "terraform-aws-modules/elb/aws" + version = "~> 2.0" + + name = "elb-example" + + subnets = ["subnet-12345678", "subnet-87654321"] + security_groups = ["sg-12345678"] + internal = false + + listener = [ + { + instance_port = 80 + instance_protocol = "HTTP" + lb_port = 80 + lb_protocol = "HTTP" + }, + { + instance_port = 8080 + instance_protocol = "http" + lb_port = 8080 + lb_protocol = "http" + ssl_certificate_id = "arn:aws:acm:eu-west-1:235367859451:certificate/6c270328-2cd5-4b2d-8dfd-ae8d0004ad31" + }, + ] + + health_check = { + target = "HTTP:80/" + interval = 30 + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 5 + } + + // ELB attachments + number_of_instances = 2 + instances = ["i-06ff41a77dfb5349d", "i-4906ff41a77dfb53d"] + + tags = { + Owner = "user" + Environment = "dev" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="39" +module "elb_http" { + source = "terraform-aws-modules/elb/aws" + version = "~> 2.0" + + name = "elb-example" + + subnets = ["subnet-12345678", "subnet-87654321"] + security_groups = ["sg-12345678"] + internal = false + + listener = [ + { + instance_port = 80 + instance_protocol = "HTTP" + lb_port = 80 + lb_protocol = "HTTP" + }, + { + instance_port = 8080 + instance_protocol = "http" + lb_port = 8080 + lb_protocol = "http" + ssl_certificate_id = "arn:aws:acm:eu-west-1:235367859451:certificate/6c270328-2cd5-4b2d-8dfd-ae8d0004ad31" + }, + ] + + health_check = { + target = "HTTP:80/" + interval = 30 + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 5 + } + + access_logs = { + bucket = "foo" + bucket_prefix = "bar" + interval = 60 + enabled = false + } + + // ELB attachments + number_of_instances = 2 + instances = ["i-06ff41a77dfb5349d", "i-4906ff41a77dfb53d"] + + tags = { + Owner = "user" + Environment = "dev" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_elb" "negative1" { + name = "foobar-terraform-elb" + availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] + + access_logs { + bucket = "foo" + bucket_prefix = "bar" + interval = 60 + } + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 443 + lb_protocol = "https" + ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName" + } + + health_check { + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 3 + target = "HTTP:8000/" + interval = 30 + } + + instances = [aws_instance.foo.id] + cross_zone_load_balancing = true + idle_timeout = 400 + connection_draining = true + connection_draining_timeout = 400 + + tags = { + Name = "foobar-terraform-elb" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_elb" "negative2" { + name = "foobar-terraform-elb" + availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] + + access_logs { + bucket = "foo" + bucket_prefix = "bar" + interval = 60 + enabled = true + } + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + listener { + instance_port = 8000 + instance_protocol = "http" + lb_port = 443 + lb_protocol = "https" + ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName" + } + + health_check { + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 3 + target = "HTTP:8000/" + interval = 30 + } + + instances = [aws_instance.foo.id] + cross_zone_load_balancing = true + idle_timeout = 400 + connection_draining = true + connection_draining_timeout = 400 + + tags = { + Name = "foobar-terraform-elb" + } +} + +``` +```tf title="Negative test num. 
3 - tf file" +module "elb_http" { + source = "terraform-aws-modules/elb/aws" + version = "~> 2.0" + + name = "elb-example" + + subnets = ["subnet-12345678", "subnet-87654321"] + security_groups = ["sg-12345678"] + internal = false + + listener = [ + { + instance_port = 80 + instance_protocol = "HTTP" + lb_port = 80 + lb_protocol = "HTTP" + }, + { + instance_port = 8080 + instance_protocol = "http" + lb_port = 8080 + lb_protocol = "http" + ssl_certificate_id = "arn:aws:acm:eu-west-1:235367859451:certificate/6c270328-2cd5-4b2d-8dfd-ae8d0004ad31" + }, + ] + + health_check = { + target = "HTTP:80/" + interval = 30 + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 5 + } + + access_logs = { + bucket = "foo" + bucket_prefix = "bar" + interval = 60 + } + + // ELB attachments + number_of_instances = 2 + instances = ["i-06ff41a77dfb5349d", "i-4906ff41a77dfb53d"] + + tags = { + Owner = "user" + Environment = "dev" + } +} + +``` +
Negative test num. 4 - tf file + +```tf +module "elb_http" { + source = "terraform-aws-modules/elb/aws" + version = "~> 2.0" + + name = "elb-example" + + subnets = ["subnet-12345678", "subnet-87654321"] + security_groups = ["sg-12345678"] + internal = false + + listener = [ + { + instance_port = 80 + instance_protocol = "HTTP" + lb_port = 80 + lb_protocol = "HTTP" + }, + { + instance_port = 8080 + instance_protocol = "http" + lb_port = 8080 + lb_protocol = "http" + ssl_certificate_id = "arn:aws:acm:eu-west-1:235367859451:certificate/6c270328-2cd5-4b2d-8dfd-ae8d0004ad31" + }, + ] + + health_check = { + target = "HTTP:80/" + interval = 30 + healthy_threshold = 2 + unhealthy_threshold = 2 + timeout = 5 + } + + access_logs = { + bucket = "foo" + bucket_prefix = "bar" + interval = 60 + enabled = true + } + + // ELB attachments + number_of_instances = 2 + instances = ["i-06ff41a77dfb5349d", "i-4906ff41a77dfb53d"] + + tags = { + Owner = "user" + Environment = "dev" + } +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md b/docs/queries/terraform-queries/aws/2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md new file mode 100644 index 00000000000..83cc2515697 --- /dev/null +++ b/docs/queries/terraform-queries/aws/2134641d-30a4-4b16-8ffc-2cd4c4ffd15d.md @@ -0,0 +1,73 @@ +--- +title: DOCDB Cluster Encrypted With AWS Managed Key +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2134641d-30a4-4b16-8ffc-2cd4c4ffd15d +- **Query name:** DOCDB Cluster Encrypted With AWS Managed Key +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/docdb_cluster_encrypted_with_aws_managed_key) + +### Description +DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="16" +provider "aws" { + region = "us-east-1" +} + +data "aws_kms_key" "test" { + key_id = "alias/aws/rds" +} + +resource "aws_docdb_cluster" "test2" { + cluster_identifier = "my-docdb-cluster-test2" + engine = "docdb" + master_username = "foo" + master_password = "mustbeeightchars" + skip_final_snapshot = true + storage_encrypted = true + kms_key_id = data.aws_kms_key.test.arn +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +data "aws_kms_key" "test2" { + key_id = "alias/myAlias" +} + +resource "aws_docdb_cluster" "test22" { + cluster_identifier = "my-docdb-cluster-test2" + engine = "docdb" + master_username = "foo" + master_password = "mustbeeightchars" + skip_final_snapshot = true + storage_encrypted = true + kms_key_id = data.aws_kms_key.test2.arn +} + +``` diff --git a/docs/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216.md b/docs/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216.md new file mode 100644 index 00000000000..269f1112bb6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/2285e608-ddbc-47f3-ba54-ce7121e31216.md @@ -0,0 +1,142 @@ +--- +title: CloudWatch Route Table Changes Alarm Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2285e608-ddbc-47f3-ba54-ce7121e31216 +- **Query name:** CloudWatch Route Table Changes Alarm Missing +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_route_table_changes_alarm_missing) + +### Description +Ensure a log metric filter and alarm exist for route table changes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { + name = "CIS-RouteTableChanges" + pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-RouteTableChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { + alarm_name = "CIS-3.13-RouteTableChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { + name = "CIS-RouteTableChanges" + pattern = "{ ($.eventName = CreateRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-RouteTableChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { + alarm_name = "CIS-3.13-RouteTableChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_cloudwatch_log_metric_filter" "cis_route_table_changes_metric_filter" { + name = "CIS-RouteTableChanges" + pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-RouteTableChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "cis_route_table_changes_cw_alarm" { + alarm_name = "CIS-3.13-RouteTableChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_route_table_changes_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/22fbfeac-7b5a-421a-8a27-7a2178bb910b.md b/docs/queries/terraform-queries/aws/22fbfeac-7b5a-421a-8a27-7a2178bb910b.md new file mode 100644 index 00000000000..5cd4b2e202f --- /dev/null +++ b/docs/queries/terraform-queries/aws/22fbfeac-7b5a-421a-8a27-7a2178bb910b.md 
@@ -0,0 +1,121 @@ +--- +title: CMK Rotation Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 22fbfeac-7b5a-421a-8a27-7a2178bb910b +- **Query name:** CMK Rotation Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cmk_rotation_disabled) + +### Description +Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#enable_key_rotation) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_kms_key" "positive1" { + description = "KMS key 1" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_kms_key" "positive2" { + description = "KMS key 2" + is_enabled = true + enable_key_rotation = false +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +resource "aws_kms_key" "positive3" { + description = "KMS key 3" + is_enabled = true + customer_master_key_spec = "SYMMETRIC_DEFAULT" + enable_key_rotation = false +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_kms_key" "positive4" { + description = "KMS key 4" + customer_master_key_spec = "SYMMETRIC_DEFAULT" + enable_key_rotation = false +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="1" +resource "aws_kms_key" "positive5" { + description = "KMS key 5" + customer_master_key_spec = "RSA_2048" + enable_key_rotation = true +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_kms_key" "negative1" { + description = "KMS key 1" + is_enabled = true + enable_key_rotation = true +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_kms_key" "negative2" { + description = "KMS key 2" + customer_master_key_spec = "RSA_4096" +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "aws_kms_key" "negative3" { + description = "KMS key 3" + customer_master_key_spec = "RSA_2048" +} + +``` +
Negative test num. 4 - tf file + +```tf +resource "aws_kms_key" "negative4" { + description = "KMS key 4" + customer_master_key_spec = "RSA_3072" +} + +``` +
+
Negative test num. 5 - tf file + +```tf +resource "aws_kms_key" "negative5" { + description = "KMS key 5" + customer_master_key_spec = "SYMMETRIC_DEFAULT" + enable_key_rotation = true +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6.md b/docs/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6.md new file mode 100644 index 00000000000..8c1a7330638 --- /dev/null +++ b/docs/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6.md @@ -0,0 +1,283 @@ +--- +title: EC2 Instance Monitoring Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 23b70e32-032e-4fa6-ba5c-82f56b9980e6 +- **Query name:** EC2 Instance Monitoring Disabled +- **Platform:** Terraform +- **Severity:** Info +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ec2_instance_monitoring_disabled) + +### Description +EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#monitoring) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="17" +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "monitoring_positive1" { + ami = data.aws_ami.ubuntu.id + instance_type = "t3.micro" + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="20" +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "monitoring_positive2" { + ami = data.aws_ami.ubuntu.id + instance_type = "t3.micro" + monitoring = false + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="10" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = false + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+
Postitive test num. 5 - json file + +```json hl_lines="28" +{ + "//": { + "metadata": { + "backend": "local", + "stackName": "cdktf-test", + "version": "0.9.0" + }, + "outputs": {} + }, + "provider": { + "aws": [ + { + "region": "us-east-1" + } + ] + }, + "resource": { + "aws_instance": { + "cdktf-test": { + "//": { + "metadata": { + "path": "cdktf-test/cdktf-test", + "uniqueId": "cdktf-test" + } + }, + "ami": "ami-1212f123", + "instance_type": "t2.micro", + "monitoring": false + } + } + }, + "terraform": { + "backend": { + "local": { + "path": "/terraform.cdktf-test.tfstate" + } + }, + "required_providers": { + "aws": { + "source": "aws", + "version": "~> 3.0" + } + } + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "monitoring_negative1" { + ami = data.aws_ami.ubuntu.id + monitoring = true + instance_type = "t3.micro" + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +```json title="Negative test num. 3 - json file" +{ + "//": { + "metadata": { + "backend": "local", + "stackName": "cdktf-test", + "version": "0.9.0" + }, + "outputs": {} + }, + "provider": { + "aws": [ + { + "region": "us-east-1" + } + ] + }, + "resource": { + "aws_instance": { + "cdktf-test": { + "//": { + "metadata": { + "path": "cdktf-test/cdktf-test", + "uniqueId": "cdktf-test" + } + }, + "ami": "ami-1212f123", + "instance_type": "t2.micro", + "monitoring": true + } + } + }, + "terraform": { + "backend": { + "local": { + "path": "/terraform.cdktf-test.tfstate" + } + }, + "required_providers": { + "aws": { + "source": "aws", + "version": "~> 3.0" + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md b/docs/queries/terraform-queries/aws/23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md new file mode 100644 index 00000000000..c21eeb010e2 --- /dev/null +++ b/docs/queries/terraform-queries/aws/23edf35f-7c22-4ff9-87e6-0ca74261cfbf.md 
@@ -0,0 +1,307 @@ +--- +title: BOM - AWS DynamoDB +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 23edf35f-7c22-4ff9-87e6-0ca74261cfbf +- **Query name:** BOM - AWS DynamoDB +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/dynamo) + +### Description +A list of DynamoDB resources found. Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="21" +resource "aws_vpc_endpoint_policy" "example" { + vpc_endpoint_id = aws_vpc_endpoint.example.id + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "AllowAll", + "Effect" : "Allow", + "Principal" : { + "AWS" : "*" + }, + "Action" : [ + "dynamodb:*" + ], + "Resource" : "*" + } + ] + }) +} + +resource "aws_dynamodb_table" "basic-dynamodb-table" { + name = "GameScores" + billing_mode = "PROVISIONED" + read_capacity = 20 + write_capacity = 20 + hash_key = "UserId" + range_key = "GameTitle" + + attribute { + name = "UserId" + type = "S" + } + + attribute { + name = "GameTitle" + type = "S" + } + + attribute { + name = "TopScore" + type = "N" + } + + ttl { + attribute_name = "TimeToExist" + enabled = false + } + + global_secondary_index { + name = "GameTitleIndex" + hash_key = "GameTitle" + range_key = "TopScore" + write_capacity = 10 + read_capacity = 10 + projection_type = "INCLUDE" + non_key_attributes = ["UserId"] + } + + tags = { + Name = "dynamodb-table-1" + Environment = "production" + } +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="21" +resource "aws_vpc_endpoint_policy" "example2" { + vpc_endpoint_id = aws_vpc_endpoint.example2.id + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "AllowAll", + "Effect" : "Allow", + "Principal" : { + "AWS" : "*" + }, + "Action" : [ + "*" + ], + "Resource" : "arn:aws:dynamodb:ap-southeast-2:123412341234:table/GameScores2", + } + ] + }) +} + +resource "aws_dynamodb_table" "example2-table" { + name = "GameScores2" + billing_mode = "PROVISIONED" + read_capacity = 20 + write_capacity = 20 + hash_key = "UserId" + range_key = "GameTitle" + + attribute { + name = "UserId" + type = "S" + } + + attribute { + name = "GameTitle" + type = "S" + } + + attribute { + name = "TopScore" + type = "N" + } + + ttl { + attribute_name = "TimeToExist" + enabled = false + } + + global_secondary_index { + name = "GameTitleIndex" + hash_key = "GameTitle" + range_key = "TopScore" + write_capacity = 10 + read_capacity = 10 + projection_type = "INCLUDE" + non_key_attributes = ["UserId"] + } + + tags = { + Name = "dynamodb-table-1" + Environment = "production" + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="21" +resource "aws_vpc_endpoint_policy" "example3" { + vpc_endpoint_id = aws_vpc_endpoint.example3.id + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "AllowAll", + "Effect" : "Allow", + "Principal" : { + "AWS" : "some" + }, + "Action" : [ + "*" + ], + "Resource" : "*" + } + ] + }) +} + +resource "aws_dynamodb_table" "example3-table" { + name = "GameScores3" + billing_mode = "PROVISIONED" + read_capacity = 20 + write_capacity = 20 + hash_key = "UserId" + range_key = "GameTitle" + + attribute { + name = "UserId" + type = "S" + } + + attribute { + name = "GameTitle" + type = "S" + } + + attribute { + name = "TopScore" + type = "N" + } + + ttl { + attribute_name = "TimeToExist" + enabled = false + } + + global_secondary_index { + name = "GameTitleIndex" + hash_key = "GameTitle" + range_key = "TopScore" + write_capacity = 10 + read_capacity = 10 + projection_type = "INCLUDE" + non_key_attributes = ["UserId"] + } + + tags = { + Name = "dynamodb-table-1" + Environment = "production" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_dynamodb_table" "example3-table" { + name = "GameScores3" + billing_mode = "PROVISIONED" + read_capacity = 20 + write_capacity = 20 + hash_key = "UserId" + range_key = "GameTitle" + + attribute { + name = "UserId" + type = "S" + } + + attribute { + name = "GameTitle" + type = "S" + } + + attribute { + name = "TopScore" + type = "N" + } + + ttl { + attribute_name = "TimeToExist" + enabled = false + } + + global_secondary_index { + name = "GameTitleIndex" + hash_key = "GameTitle" + range_key = "TopScore" + write_capacity = 10 + read_capacity = 10 + projection_type = "INCLUDE" + non_key_attributes = ["UserId"] + } + + sse { + enabled = true + } + + tags = { + Name = "dynamodb-table-1" + Environment = "production" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.mykey.arn + sse_algorithm = "aws:kms" + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/24e16922-4330-4e9d-be8a-caa90299466a.md b/docs/queries/terraform-queries/aws/24e16922-4330-4e9d-be8a-caa90299466a.md new file mode 100644 index 00000000000..877415642e6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/24e16922-4330-4e9d-be8a-caa90299466a.md @@ -0,0 +1,58 @@ +--- +title: ElasticSearch Not Encrypted At Rest +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 24e16922-4330-4e9d-be8a-caa90299466a +- **Query name:** ElasticSearch Not Encrypted At Rest +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticsearch_not_encrypted_at_rest) + +### Description +Check if ElasticSearch encryption is disabled at Rest
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 11" +resource "aws_elasticsearch_domain" "positive1" { + domain_name = "example" + elasticsearch_version = "1.5" +} + +resource "aws_elasticsearch_domain" "positive2" { + domain_name = "example" + elasticsearch_version = "1.5" + + encrypt_at_rest { + enabled = false + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_elasticsearch_domain" "negative1" { + domain_name = "example" + elasticsearch_version = "1.5" + + encrypt_at_rest { + enabled = true + } +} +``` diff --git a/docs/queries/terraform-queries/aws/254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md b/docs/queries/terraform-queries/aws/254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md new file mode 100644 index 00000000000..1553cf2c247 --- /dev/null +++ b/docs/queries/terraform-queries/aws/254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4.md @@ -0,0 +1,57 @@ +--- +title: Redis Not Compliant +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 254c932d-e3bf-44b2-bc9d-eb5fdb09f8d4 +- **Query name:** Redis Not Compliant +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/redis_not_compliant) + +### Description +Check if the redis version is compliant with the necessary AWS PCI DSS requirements
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine_version) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +#this is a problematic code where the query should report a result(s) +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "redis" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "2.6.13" + port = 6379 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "aws_elasticache_cluster" "negative1" { + cluster_id = "cluster-example" + engine = "redis" + node_type = "cache.m4.large" + num_cache_nodes = 1 + engine_version = "5.0.0" + port = 6379 +} + +``` diff --git a/docs/queries/terraform-queries/aws/25d251f3-f348-4f95-845c-1090e41a615c.md b/docs/queries/terraform-queries/aws/25d251f3-f348-4f95-845c-1090e41a615c.md new file mode 100644 index 00000000000..eeb2917fc14 --- /dev/null +++ b/docs/queries/terraform-queries/aws/25d251f3-f348-4f95-845c-1090e41a615c.md @@ -0,0 +1,54 @@ +--- +title: EFS Without KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 25d251f3-f348-4f95-845c-1090e41a615c +- **Query name:** EFS Without KMS +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/efs_without_kms) + +### Description +Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#kms_key_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_efs_file_system" "positive1" { + creation_token = "my-product" + encrypted = true + + tags = { + Name = "MyProduct" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_efs_file_system" "negative1" { + creation_token = "my-product" + encrypted = true + kms_key_id = "1234abcd-12ab-34cd-56ef-1234567890ab" + + tags = { + Name = "MyProduct" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/25db74bf-fa3b-44da-934e-8c3e005c0453.md b/docs/queries/terraform-queries/aws/25db74bf-fa3b-44da-934e-8c3e005c0453.md new file mode 100644 index 00000000000..b6254019a16 --- /dev/null +++ b/docs/queries/terraform-queries/aws/25db74bf-fa3b-44da-934e-8c3e005c0453.md @@ -0,0 +1,62 @@ +--- +title: Route53 Record Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 25db74bf-fa3b-44da-934e-8c3e005c0453 +- **Query name:** Route53 Record Undefined +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/route53_record_undefined) + +### Description +Check if Record is set
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "aws_route53_record" "example" { + allow_overwrite = true + name = "test.example.com" + ttl = 30 + type = "NS" + zone_id = aws_route53_zone.example.zone_id + + records = [ + + ] +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_route53_record" "example" { + allow_overwrite = true + name = "test.example.com" + ttl = 30 + type = "NS" + zone_id = aws_route53_zone.example.zone_id + + records = [ + aws_route53_zone.example.name_servers[0], + aws_route53_zone.example.name_servers[1], + aws_route53_zone.example.name_servers[2], + aws_route53_zone.example.name_servers[3], + ] +} +``` diff --git a/docs/queries/terraform-queries/aws/27c6a499-895a-4dc7-9617-5c485218db13.md b/docs/queries/terraform-queries/aws/27c6a499-895a-4dc7-9617-5c485218db13.md new file mode 100644 index 00000000000..40272ee9ad2 --- /dev/null +++ b/docs/queries/terraform-queries/aws/27c6a499-895a-4dc7-9617-5c485218db13.md @@ -0,0 +1,229 @@ +--- +title: CloudWatch S3 policy Change Alarm Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 27c6a499-895a-4dc7-9617-5c485218db13 +- **Query name:** CloudWatch S3 policy Change Alarm Missing +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_s3_policy_change_alarm_missing) + +### Description +Ensure a log metric filter and alarm exist for S3 bucket policy changes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { + name = "CIS-S3BucketPolicyChanges" + pattern = "{ ($.eventSource = \"s3.amazonaws.com\") || (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-S3BucketPolicyChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_s3_bucket_policy_change_cw_alarm" { + alarm_name = "CIS-3.8-S3BucketPolicyChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXX NOT YOUR FILTER" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets." 
+ alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + + +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { + name = "CIS-S3BucketPolicyChanges" + pattern = "{ ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-S3BucketPolicyChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" { + alarm_name = "CIS-3.8-S3BucketPolicyChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { + name = "CIS-S3BucketPolicyChanges" + pattern = "{ ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-S3BucketPolicyChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" { + alarm_name = "CIS-3.8-S3BucketPolicyChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { + name = "CIS-S3BucketPolicyChanges" + pattern = "{ $.eventSource = \"s3.amazonaws.com\" }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-S3BucketPolicyChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "CIS_S3_Bucket_Policy_Change_CW_Alarm" { + alarm_name = "CIS-3.8-S3BucketPolicyChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudwatch_log_metric_filter" "cis_s3_bucket_policy_change_metric_filter" { + name = "CIS-S3BucketPolicyChanges" + pattern = "{ ($.eventSource = \"s3.amazonaws.com\") && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-S3BucketPolicyChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_s3_bucket_policy_change_cw_alarm" { + alarm_name = "CIS-3.8-S3BucketPolicyChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_s3_bucket_policy_change_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets." 
+ alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/28545147-2fc6-42d5-a1f9-cf226658e591.md b/docs/queries/terraform-queries/aws/28545147-2fc6-42d5-a1f9-cf226658e591.md new file mode 100644 index 00000000000..de37fa862e6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/28545147-2fc6-42d5-a1f9-cf226658e591.md @@ -0,0 +1,61 @@ +--- +title: SNS Topic Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 28545147-2fc6-42d5-a1f9-cf226658e591 +- **Query name:** SNS Topic Not Encrypted +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sns_topic_not_encrypted) + +### Description +SNS (Simple Notification Service) Topic should be encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#kms_master_key_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +resource "aws_sns_topic" "user_updates" { + name = "user-updates-topic" + kms_master_key_id = "" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="5" +provider "aws" { + region = "us-east-1" +} + +resource "aws_sns_topic" "test" { + name = "sns_not_ecnrypted" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws2" { + region = "us-east-1" +} + +resource "aws_sns_topic" "test2" { + name = "sns_ecnrypted" + kms_master_key_id = "alias/MyAlias" +} + +``` diff --git a/docs/queries/terraform-queries/aws/2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md b/docs/queries/terraform-queries/aws/2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md new file mode 100644 index 00000000000..d4f16ef406f --- /dev/null +++ b/docs/queries/terraform-queries/aws/2b3c8a6d-9856-43e6-ab1d-d651094f03b4.md @@ -0,0 +1,48 @@ +--- +title: EMR Without VPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2b3c8a6d-9856-43e6-ab1d-d651094f03b4 +- **Query name:** EMR Without VPC +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/emr_without_vpc) + +### Description +Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/emr_cluster#subnet_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_emr_cluster" "positive1" { + name = "emr-test-arn" + release_label = "emr-4.6.0" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_emr_cluster" "negative1" { + name = "emr-test-arn" + release_label = "emr-4.6.0" + subnet_id = aws_subnet.main.id +} + +``` diff --git a/docs/queries/terraform-queries/aws/2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md b/docs/queries/terraform-queries/aws/2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md new file mode 100644 index 00000000000..ed6b7e11d4d --- /dev/null +++ b/docs/queries/terraform-queries/aws/2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045.md @@ -0,0 +1,535 @@ +--- +title: BOM - AWS S3 Buckets +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2d16c3fb-35ba-4ec0-b4e4-06ee3cbd4045 +- **Query name:** BOM - AWS S3 Buckets +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/s3_bucket) + +### Description +A list of S3 resources found. Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + mfa_delete = true + } +} + +resource "aws_lb_listener" "listener5" { + load_balancer_arn = aws_lb.test3.arn + port = 80 + default_action { + type = "redirect" + + redirect { + port = "80" + protocol = "HTTP" + status_code = "HTTP_301" + } + } +} + +resource "aws_lb" "test3" { + name = "test123" + load_balancer_type = "application" + subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] + internal = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive2" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = "some-key" + sse_algorithm = "AES256" + } + } + } + + versioning { + mfa_delete = true + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive3" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + versioning { + mfa_delete = true + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive4" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + versioning { + mfa_delete = true + } +} + +resource "aws_s3_bucket_public_access_block" "positive4" { + bucket = aws_s3_bucket.positive4.id + + block_public_acls = true + block_public_policy = true +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive5" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + versioning { + mfa_delete = true + } +} + +resource "aws_s3_bucket_public_access_block" "positive5" { + bucket = aws_s3_bucket.positive5.id + + block_public_acls = true + block_public_policy = false +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive6" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + versioning { + mfa_delete = true + } + + policy = < +
Postitive test num. 7 - tf file + +```tf hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive7" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + versioning { + mfa_delete = true + } +} + +resource "aws_s3_bucket_policy" "positive7" { + bucket = aws_s3_bucket.positive7.id + + policy = < +
Postitive test num. 8 - tf file + +```tf hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive8" { + bucket = "my-tf-test-bucket" + acl = "public-read" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + versioning { + mfa_delete = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.mykey.arn + sse_algorithm = "aws:kms" + } + } + } +} + +resource "aws_s3_bucket_policy" "positive8" { + bucket = aws_s3_bucket.positive8.id + + policy = < +
Postitive test num. 9 - tf file + +```tf hl_lines="14" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "positive9" { + bucket = "my-tf-test-bucket" +} + +``` +
+
Postitive test num. 10 - tf file + +```tf hl_lines="14" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "positive10" { + bucket = "my-tf-test-bucket" +} + + +resource "aws_s3_bucket_server_side_encryption_configuration" "example" { + bucket = aws_s3_bucket.positive10.bucket + + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.mykey.arn + sse_algorithm = "aws:kms" + } + } +} + +resource "aws_s3_bucket_acl" "example_bucket_acl2" { + bucket = aws_s3_bucket.positive10.id + acl = "private" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.mykey.arn + sse_algorithm = "aws:kms" + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/2f01fb2d-828a-499d-b98e-b83747305052.md b/docs/queries/terraform-queries/aws/2f01fb2d-828a-499d-b98e-b83747305052.md new file mode 100644 index 00000000000..7d1beb3e7c6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/2f01fb2d-828a-499d-b98e-b83747305052.md @@ -0,0 +1,71 @@ +--- +title: No Stack Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2f01fb2d-828a-499d-b98e-b83747305052 +- **Query name:** No Stack Policy +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/no_stack_policy) + +### Description +AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudformation_stack" "positive1" { + + name = "networking-stack" + + parameters = { + VPCCidr = "10.0.0.0/16" + } + +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudformation_stack" "negative1" { + + name = "networking-stack" + + parameters = { + VPCCidr = "10.0.0.0/16" + } + + policy_url = "somepolicyurl" +} + + + +resource "aws_cloudformation_stack" "negative2" { + + name = "networking-stack" + + parameters = { + VPCCidr = "10.0.0.0/16" + } + + policy_body = "somepolicy" +} + +``` diff --git a/docs/queries/terraform-queries/aws/2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md b/docs/queries/terraform-queries/aws/2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md new file mode 100644 index 00000000000..b078c9d2773 --- /dev/null +++ b/docs/queries/terraform-queries/aws/2f37c4a3-58b9-4afe-8a87-d7f1d2286f84.md @@ -0,0 +1,98 @@ +--- +title: IAM Policies With Full Privileges +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2f37c4a3-58b9-4afe-8a87-d7f1d2286f84 +- **Query name:** IAM Policies With Full Privileges +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_policies_with_full_privileges) + +### Description +IAM policies shouldn't allow full administrative privileges (for all resources)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="19 5" +resource "aws_iam_role_policy" "positive1" { + name = "apigateway-cloudwatch-logging" + role = aws_iam_role.apigateway_cloudwatch_logging.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 2f56b7ab-7fba-4e93-82f0-247e5ddeb239 +- **Query name:** MSK Cluster Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/msk_cluster_logging_disabled) + +### Description +Ensure MSK Cluster Logging is enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#broker_logs) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 5 15" +resource "aws_msk_cluster" "positive1" { + logging_info { + broker_logs { + cloudwatch_logs { + enabled = false + log_group = aws_cloudwatch_log_group.test.name + } + firehose { + delivery_stream = aws_kinesis_firehose_delivery_stream.test_stream.name + } + } + } +} + +resource "aws_msk_cluster" "positive2" { + +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_msk_cluster" "negative1" { + logging_info { + broker_logs { + cloudwatch_logs { + enabled = true + log_group = aws_cloudwatch_log_group.test.name + } + } + } +} +``` diff --git a/docs/queries/terraform-queries/aws/2f737336-b18a-4602-8ea0-b200312e1ac1.md b/docs/queries/terraform-queries/aws/2f737336-b18a-4602-8ea0-b200312e1ac1.md new file mode 100644 index 00000000000..c13bdae28aa --- /dev/null +++ b/docs/queries/terraform-queries/aws/2f737336-b18a-4602-8ea0-b200312e1ac1.md @@ -0,0 +1,138 @@ +--- +title: RDS Associated with Public Subnet +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2f737336-b18a-4602-8ea0-b200312e1ac1 +- **Query name:** RDS Associated with Public Subnet +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/rds_associated_with_public_subnet) + +### Description +RDS should not run in public subnet
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#db_subnet_group_name) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "aws_db_instance" "positive1" { + allocated_storage = 10 + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + parameter_group_name = "positive1.mysql5.7" + skip_final_snapshot = true + db_subnet_group_name = aws_db_subnet_group.subnetGroup.name +} + +resource "aws_db_subnet_group" "subnetGroup" { + name = "main" + subnet_ids = [aws_subnet.frontend.id, aws_subnet.backend.id] + + tags = { + Name = "My DB subnet group" + } +} + +resource "aws_subnet" "frontend" { + vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id + cidr_block = "172.2.0.0/24" +} + + +resource "aws_subnet" "backend" { + vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id + cidr_block = "0.0.0.0/0" +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="11" +resource "aws_db_instance" "positive2" { + allocated_storage = 10 + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + parameter_group_name = "positive2.mysql5.7" + skip_final_snapshot = true + db_subnet_group_name = "subnetGroup2" +} + +resource "aws_db_subnet_group" "subnetGroup2" { + name = "main" + subnet_ids = [aws_subnet.frontend2.id, aws_subnet.backend2.id] + + tags = { + Name = "My DB subnet group" + } +} + +resource "aws_subnet" "frontend2" { + vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id + cidr_block = "172.2.0.0/24" +} + + +resource "aws_subnet" "backend2" { + vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id + cidr_block = "0.0.0.0/0" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_instance" "negative1" { + allocated_storage = 10 + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + parameter_group_name = "negative1.mysql5.7" + skip_final_snapshot = true + db_subnet_group_name = aws_db_subnet_group.subnetGroup3.name +} + +resource "aws_db_subnet_group" "subnetGroup3" { + name = "main" + subnet_ids = [aws_subnet.frontend3.id, aws_subnet.backend3.id] + + tags = { + Name = "My DB subnet group" + } +} + +resource "aws_subnet" "frontend3" { + vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr.vpc_id + cidr_block = "172.2.0.0/24" +} + + +resource "aws_subnet" "backend3" { + vpc_id = aws_vpc_ipv4_cidr_block_association.secondary_cidr2.vpc_id + cidr_block = "176.2.0.0/24" +} + +``` diff --git a/docs/queries/terraform-queries/aws/30b88745-eebe-4ecb-a3a9-5cf886e96204.md b/docs/queries/terraform-queries/aws/30b88745-eebe-4ecb-a3a9-5cf886e96204.md new file mode 100644 index 00000000000..be75432baf0 --- /dev/null 
+++ b/docs/queries/terraform-queries/aws/30b88745-eebe-4ecb-a3a9-5cf886e96204.md @@ -0,0 +1,107 @@ +--- +title: Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 30b88745-eebe-4ecb-a3a9-5cf886e96204 +- **Query name:** Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances) + +### Description +Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:RunInstances", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + roles = [aws_iam_role.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/31245f98-a6a9-4182-9fc1-45482b9d030a.md b/docs/queries/terraform-queries/aws/31245f98-a6a9-4182-9fc1-45482b9d030a.md new file mode 100644 index 00000000000..89ee65bb6cf --- /dev/null +++ b/docs/queries/terraform-queries/aws/31245f98-a6a9-4182-9fc1-45482b9d030a.md 
@@ -0,0 +1,81 @@ +--- +title: MQ Broker Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 31245f98-a6a9-4182-9fc1-45482b9d030a +- **Query name:** MQ Broker Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/mq_broker_logging_disabled) + +### Description +Check if MQ Brokers don't have logging enabled in any of the two options possible (audit and general).
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 1 17" +resource "aws_mq_broker" "positive1" { + broker_name = "no-logging" +} + +resource "aws_mq_broker" "positive2" { + broker_name = "partial-logging" + + logs { + general = true + } +} + +resource "aws_mq_broker" "positive3" { + broker_name = "disabled-logging" + + logs { + general = false + audit = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_mq_broker" "negative1" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.0" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } + + logs { + general = true + audit = true + } +} +``` diff --git a/docs/queries/terraform-queries/aws/3199c26c-7871-4cb3-99c2-10a59244ce7f.md b/docs/queries/terraform-queries/aws/3199c26c-7871-4cb3-99c2-10a59244ce7f.md new file mode 100644 index 00000000000..6aa6ade12c4 --- /dev/null +++ b/docs/queries/terraform-queries/aws/3199c26c-7871-4cb3-99c2-10a59244ce7f.md @@ -0,0 +1,89 @@ +--- +title: RDS Storage Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3199c26c-7871-4cb3-99c2-10a59244ce7f +- **Query name:** RDS Storage Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/rds_storage_not_encrypted) + +### Description +RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#storage_encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_rds_cluster" "positive1" { + cluster_identifier = "aurora-cluster-demo" + engine = "aurora-mysql" + engine_version = "5.7.mysql_aurora.2.03.2" + availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] + database_name = "mydb" + master_username = "foo" + master_password = "bar" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="10" +resource "aws_rds_cluster" "positive3" { + cluster_identifier = "cloudrail-test-non-encrypted" + engine = "aurora-mysql" + engine_version = "5.7.mysql_aurora.2.03.2" + availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + database_name = "cloudrail" + master_username = "administrator" + master_password = "cloudrail-TEST-password" + skip_final_snapshot = true + storage_encrypted = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_rds_cluster" "negative1" { + cluster_identifier = "cloudrail-test-non-encrypted" + engine = "aurora-mysql" + engine_version = "5.7.mysql_aurora.2.03.2" + availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + database_name = "cloudrail" + master_username = "administrator" + master_password = "cloudrail-TEST-password" + skip_final_snapshot = true + storage_encrypted = true +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "aws_rds_cluster" "negative2" { + cluster_identifier = "cloudrail-test-non-encrypted" + engine = "aurora-mysql" + engine_version = "5.7.mysql_aurora.2.03.2" + engine_mode = "serverless" + availability_zones = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + database_name = "cloudrail" + master_username = "administrator" + master_password = "cloudrail-TEST-password" + skip_final_snapshot = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/3206240f-2e87-4e58-8d24-3e19e7c83d7c.md b/docs/queries/terraform-queries/aws/3206240f-2e87-4e58-8d24-3e19e7c83d7c.md new file mode 100644 index 00000000000..79e60114ca9 --- /dev/null +++ b/docs/queries/terraform-queries/aws/3206240f-2e87-4e58-8d24-3e19e7c83d7c.md @@ -0,0 +1,87 @@ +--- +title: ECS Service Admin Role Is Present +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3206240f-2e87-4e58-8d24-3e19e7c83d7c +- **Query name:** ECS Service Admin Role Is Present +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecs_service_admin_role_is_present) + +### Description +ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +#this is a problematic code where the query should report a result(s) +resource "aws_ecs_service" "positive1" { + name = "mongodb" + cluster = aws_ecs_cluster.foo.id + task_definition = aws_ecs_task_definition.mongo.arn + desired_count = 3 + iam_role = "admin" + depends_on = [aws_iam_role_policy.foo] + + ordered_placement_strategy { + type = "binpack" + field = "cpu" + } + + load_balancer { + target_group_arn = aws_lb_target_group.foo.arn + container_name = "mongo" + container_port = 8080 + } + + placement_constraints { + type = "memberOf" + expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "aws_ecs_service" "negative1" { + name = "mongodb" + cluster = aws_ecs_cluster.foo.id + task_definition = aws_ecs_task_definition.mongo.arn + desired_count = 3 + iam_role = aws_iam_role.foo.arn + depends_on = [aws_iam_role_policy.foo] + + ordered_placement_strategy { + type = "binpack" + field = "cpu" + } + + load_balancer { + target_group_arn = aws_lb_target_group.foo.arn + container_name = "mongo" + container_port = 8080 + } + + placement_constraints { + type = "memberOf" + expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/33627268-1445-4385-988a-318fd9d1a512.md b/docs/queries/terraform-queries/aws/33627268-1445-4385-988a-318fd9d1a512.md new file mode 100644 index 00000000000..edfa792bfab --- /dev/null +++ b/docs/queries/terraform-queries/aws/33627268-1445-4385-988a-318fd9d1a512.md 
@@ -0,0 +1,109 @@ +--- +title: User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 33627268-1445-4385-988a-318fd9d1a512 +- **Query name:** User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole) + +### Description +User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:UpdateAssumeRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "sts:AssumeRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/34b921bd-90a0-402e-a0a5-dc73371fd963.md b/docs/queries/terraform-queries/aws/34b921bd-90a0-402e-a0a5-dc73371fd963.md new file mode 100644 index 00000000000..ca714ccbdb7 --- /dev/null +++ b/docs/queries/terraform-queries/aws/34b921bd-90a0-402e-a0a5-dc73371fd963.md 
@@ -0,0 +1,79 @@ +--- +title: SES Policy With Allowed IAM Actions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 34b921bd-90a0-402e-a0a5-dc73371fd963 +- **Query name:** SES Policy With Allowed IAM Actions +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ses_policy_with_allowed_iam_actions) + +### Description +SES policy should not allow IAM actions to all principals
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ses_identity_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_ses_identity_policy" "positive1" { + identity = aws_ses_domain_identity.example.arn + name = "example" + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 35113e6f-2c6b-414d-beec-7a9482d3b2d1 +- **Query name:** DB Instance Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/db_instance_publicly_accessible) + +### Description +RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "aws_db_instance" "positive1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + publicly_accessible = true +} +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="11" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + publicly_accessible = true + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + 
}, + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_instance" "negative1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + publicly_accessible = false +} + +``` +```tf title="Negative test num. 2 - tf file" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + publicly_accessible = false + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` 
diff --git a/docs/queries/terraform-queries/aws/3561130e-9c5f-485b-9e16-2764c82763e5.md b/docs/queries/terraform-queries/aws/3561130e-9c5f-485b-9e16-2764c82763e5.md new file mode 100644 index 00000000000..d03d8d9947e --- /dev/null +++ b/docs/queries/terraform-queries/aws/3561130e-9c5f-485b-9e16-2764c82763e5.md @@ -0,0 +1,68 @@ +--- +title: IAM User Has Too Many Access Keys +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3561130e-9c5f-485b-9e16-2764c82763e5 +- **Query name:** IAM User Has Too Many Access Keys +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_user_too_many_access_keys) + +### Description +Any IAM User should not have more than one access key since it increases the risk of unauthorized access and compromise credentials
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key#user) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2 7" +resource "aws_iam_access_key" "positive1" { + user = aws_iam_user.lb.name + pgp_key = "keybase:some_person_that_exists" +} + +resource "aws_iam_access_key" "positive2" { + user = aws_iam_user.lb.name + pgp_key = "keybase:some_person_that_exists" +} + + +resource "aws_iam_user" "lb" { + name = "loadbalancer" + path = "/system/" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "userExample" { + name = "loadbalancer" + path = "/system/" + + tags = { + tag-key = "tag-value" + } +} + +resource "aws_iam_access_key" "negative1" { + user = aws_iam_user.userExample.name + pgp_key = "keybase:some_person_that_exists" +} + + +``` diff --git a/docs/queries/terraform-queries/aws/35ccf766-0e4d-41ed-9ec4-2dab155082b4.md b/docs/queries/terraform-queries/aws/35ccf766-0e4d-41ed-9ec4-2dab155082b4.md new file mode 100644 index 00000000000..509817d2195 --- /dev/null +++ b/docs/queries/terraform-queries/aws/35ccf766-0e4d-41ed-9ec4-2dab155082b4.md 
@@ -0,0 +1,83 @@ +--- +title: Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 35ccf766-0e4d-41ed-9ec4-2dab155082b4 +- **Query name:** Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateLoginProfile) + +### Description +Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:UpdateLoginProfile", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/37304d3f-f852-40b8-ae3f-725e87a7cedf.md b/docs/queries/terraform-queries/aws/37304d3f-f852-40b8-ae3f-725e87a7cedf.md new file mode 100644 index 00000000000..0a07c479f40 --- /dev/null +++ b/docs/queries/terraform-queries/aws/37304d3f-f852-40b8-ae3f-725e87a7cedf.md @@ -0,0 +1,59 @@ +--- +title: EKS cluster logging is not enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 37304d3f-f852-40b8-ae3f-725e87a7cedf +- **Query name:** EKS cluster logging is not enabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/eks_cluster_log_disabled) + +### Description +Amazon EKS control plane logging is not enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +variable "cluster_name" { + default = "example" + type = string +} + +resource "aws_eks_cluster" "positive1" { + depends_on = [aws_cloudwatch_log_group.example] + name = var.cluster_name +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +variable "cluster_name" { + default = "example" + type = string +} + +resource "aws_eks_cluster" "negative1" { + depends_on = [aws_cloudwatch_log_group.example] + + enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] + name = var.cluster_name +} + +``` diff --git a/docs/queries/terraform-queries/aws/381c3f2a-ef6f-4eff-99f7-b169cda3422c.md b/docs/queries/terraform-queries/aws/381c3f2a-ef6f-4eff-99f7-b169cda3422c.md new file mode 100644 index 00000000000..1b297d590a2 --- /dev/null +++ b/docs/queries/terraform-queries/aws/381c3f2a-ef6f-4eff-99f7-b169cda3422c.md @@ -0,0 +1,244 @@ +--- +title: Sensitive Port Is Exposed To Entire Network +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 381c3f2a-ef6f-4eff-99f7-b169cda3422c +- **Query name:** Sensitive Port Is Exposed To Entire Network +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network) + +### Description +A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="96 66 36 6 111 81 51 21" +resource "aws_security_group" "positive1" { + name = "allow_tls1" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2200 + to_port = 2500 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + + +resource "aws_security_group" "positive2" { + name = "allow_tls2" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 20 + to_port = 60 + protocol = "tcp" + cidr_blocks = ["/0"] + } +} + + +resource "aws_security_group" "positive3" { + name = "allow_tls3" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 5000 + to_port = 6000 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + + +resource "aws_security_group" "positive4" { + name = "allow_tls4" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 20 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["/0"] + } +} + + +resource "aws_security_group" "positive5" { + name = "allow_tls5" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 445 + to_port = 500 + protocol = "udp" + cidr_blocks = ["1.1.1.1/1","0.0.0.0/0", "2.2.3.4/12"] + } +} + + +resource "aws_security_group" "positive6" { + name = "allow_tls6" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 135 + to_port = 170 + protocol = "udp" + cidr_blocks = ["10.68.0.0", "0.0.0.0/0"] + } +} + + +resource "aws_security_group" "positive7" { + name = 
"allow_tls7" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2383 + to_port = 2383 + protocol = "udp" + cidr_blocks = ["/0", "1.2.3.4/12"] + } +} + + +resource "aws_security_group" "positive8" { + name = "allow_tls8" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["/0"] + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group" "negative1" { + name = "allow_tls1" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2383 + to_port = 2383 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + } +} + + +resource "aws_security_group" "negative2" { + name = "allow_tls2" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2384 + to_port = 2386 + protocol = "tcp" + cidr_blocks = ["/0"] + } +} + + +resource "aws_security_group" "negative3" { + name = "allow_tls3" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 25 + to_port = 2500 + protocol = "tcp" + cidr_blocks = ["1.2.3.4/5"] + } +} + + +resource "aws_security_group" "negative4" { + name = "allow_tls4" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 25 + to_port = 2500 + protocol = "tcp" + cidr_blocks = ["1.2.3.4/5"] + } +} + + +resource "aws_security_group" "negative5" { + name = "allow_tls5" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 25 + to_port = 2500 + protocol = "udp" + cidr_blocks = ["1.2.3.4/5","0.0.0.0/12"] + 
} +} + + +resource "aws_security_group" "negative6" { + name = "allow_tls6" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["1.2.3.4/5","0.0.0.0/12"] + } +} +``` diff --git a/docs/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3.md b/docs/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3.md new file mode 100644 index 00000000000..770931fdebd --- /dev/null +++ b/docs/queries/terraform-queries/aws/38b85c45-e772-4de8-a247-69619ca137b3.md @@ -0,0 +1,150 @@ +--- +title: CloudWatch AWS Organizations Changes Missing Alarm +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 38b85c45-e772-4de8-a247-69619ca137b3 +- **Query name:** CloudWatch AWS Organizations Changes Missing Alarm +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_aws_organizations_changes_missing_alarm) + +### Description +Ensure a log metric filter and alarm exist for AWS organizations changes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +provider "aws" { + region = "us-east-2" +} + +resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" { + name = "CIS_CloudWatch_LogsGroup" +} + +resource "aws_sns_topic" "cis_alerts_sns_topic" { + name = "cis-alerts-sns-topic" +} + +resource "aws_cloudwatch_metric_alarm" "cis_aws_organizations" { + alarm_name = "CIS-4.15-AWS-Organizations" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "OTHER FILTER" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_aws_organizations" { + name = "CIS-4.15-AWS-Organizations" + pattern = "{ ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = \"AcceptHandshake\") || ($.eventName = 'AttachPolicy') || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-4.15-AWS-Organizations" + namespace = "CIS_Metric_Alarm_Namespace" + 
value = "1" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +provider "aws" { + region = "us-east-2" +} + +resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" { + name = "CIS_CloudWatch_LogsGroup" +} + +resource "aws_sns_topic" "cis_alerts_sns_topic" { + name = "cis-alerts-sns-topic" +} + +resource "aws_cloudwatch_metric_alarm" "cis_aws_organizations" { + alarm_name = "CIS-4.15-AWS-Organizations" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_aws_organizations.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_aws_organizations" { + name = "CIS-4.15-AWS-Organizations" + pattern = "{ ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-4.15-AWS-Organizations" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +provider "aws" { + region = "us-east-2" +} + +resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" { + name = "CIS_CloudWatch_LogsGroup" +} + +resource "aws_sns_topic" "cis_alerts_sns_topic" { + name = "cis-alerts-sns-topic" +} + +resource "aws_cloudwatch_metric_alarm" "cis_aws_organizations" { + alarm_name = "CIS-4.15-AWS-Organizations" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_aws_organizations.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_aws_organizations" { + name = "CIS-4.15-AWS-Organizations" + pattern = "{ ($.eventSource = \"organizations.amazonaws.com\") && (($.eventName = AcceptHandshake) || ($.eventName = AttachPolicy) || ($.eventName = CreateAccount) || ($.eventName = PutBucketLifecycle) || ($.eventName = CreateOrganizationalUnit) || ($.eventName = CreatePolicy) || ($.eventName = DeclineHandshake) || ($.eventName = DeleteOrganization) || ($.eventName = DeleteOrganizationalUnit) || ($.eventName = DeletePolicy) || ($.eventName = DetachPolicy) || ($.eventName = DisablePolicyType) || ($.eventName = EnablePolicyType) || ($.eventName = InviteAccountToOrganization) || ($.eventName = LeaveOrganization) || ($.eventName = MoveAccount) || ($.eventName = RemoveAccountFromOrganization) || ($.eventName = UpdatePolicy) || ($.eventName = UpdateOrganizationalUni)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-4.15-AWS-Organizations" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` 
diff --git a/docs/queries/terraform-queries/aws/38c5ee0d-7f22-4260-ab72-5073048df100.md b/docs/queries/terraform-queries/aws/38c5ee0d-7f22-4260-ab72-5073048df100.md new file mode 100644 index 00000000000..72085052433 --- /dev/null +++ b/docs/queries/terraform-queries/aws/38c5ee0d-7f22-4260-ab72-5073048df100.md @@ -0,0 +1,242 @@ +--- +title: S3 Bucket ACL Allows Read Or Write to All Users +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 38c5ee0d-7f22-4260-ab72-5073048df100 +- **Query name:** S3 Bucket ACL Allows Read Or Write to All Users +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_acl_allows_read_or_write_to_all_users) + +### Description +S3 Buckets should not be readable and writable to all users
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="15" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "public-read" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = true + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="16" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive2" { + bucket = "my-tf-test-bucket" + acl = "public-read-write" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = true + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="6" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "public-read" + + versioning = { + enabled = true + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="6" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "public-read-write" + + versioning = { + enabled = true + } +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="20" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +resource "aws_s3_bucket" "example00" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_acl" "example_bucket_acl" { + bucket = aws_s3_bucket.example00.id + acl = "public-read" +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="20" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +resource "aws_s3_bucket" "example000" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_acl" "example_bucket_acl" { + bucket = aws_s3_bucket.example000.id + acl = "public-read-write" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "negative1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = true + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } +} + +``` +```tf title="Negative test num. 3 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +resource "aws_s3_bucket" "example0" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_acl" "example_bucket_acl" { + bucket = aws_s3_bucket.example0.id + acl = "private" +} + +``` diff --git a/docs/queries/terraform-queries/aws/3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md b/docs/queries/terraform-queries/aws/3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md new file mode 100644 index 00000000000..5e902d16f68 --- /dev/null +++ b/docs/queries/terraform-queries/aws/3a1e94df-6847-4c0e-a3b6-6c6af4e128ef.md 
@@ -0,0 +1,227 @@ +--- +title: Vulnerable Default SSL Certificate +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3a1e94df-6847-4c0e-a3b6-6c6af4e128ef +- **Query name:** Vulnerable Default SSL Certificate +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/vulnerable_default_ssl_certificate) + +### Description +CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="88 5 134" +resource "aws_s3_bucket" "positive1" { + # configs +} + +resource "aws_cloudfront_distribution" "positive2" { + origin { + domain_name = aws_s3_bucket.positive1.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + is_ipv6_enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = local.s3_origin_id + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } +} + +resource "aws_cloudfront_distribution" "positive3" { + origin { + domain_name = aws_s3_bucket.positive1.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + is_ipv6_enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = local.s3_origin_id + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type 
= "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + cloudfront_default_certificate = true + } +} + +resource "aws_cloudfront_distribution" "positive4" { + origin { + domain_name = aws_s3_bucket.positive1.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + is_ipv6_enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = local.s3_origin_id + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + acm_certificate_arn = aws_acm_certificate_validation.cert.certificate_arn + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_s3_bucket" "negative1" { + # configs +} + +resource "aws_cloudfront_distribution" "negative2" { + origin { + domain_name = aws_s3_bucket.negative1.bucket_regional_domain_name + origin_id = local.s3_origin_id + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + is_ipv6_enabled = true + comment = "Some comment" + default_root_object = "index.html" + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = local.s3_origin_id + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + acm_certificate_arn = aws_acm_certificate_validation.cert.certificate_arn + ssl_support_method = "sni-only" + minimum_protocol_version = "TLSv1.2_2018" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/3af7f2fd-06e6-4dab-b996-2912bea19ba4.md b/docs/queries/terraform-queries/aws/3af7f2fd-06e6-4dab-b996-2912bea19ba4.md new file mode 100644 index 00000000000..0ddddc4817c --- /dev/null +++ b/docs/queries/terraform-queries/aws/3af7f2fd-06e6-4dab-b996-2912bea19ba4.md @@ -0,0 +1,378 @@ +--- +title: Network ACL With Unrestricted Access To SSH +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3af7f2fd-06e6-4dab-b996-2912bea19ba4 +- **Query name:** Network ACL With Unrestricted Access To SSH +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_ssh) + +### Description +'SSH' (TCP:22) should not be public in AWS Network ACL
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="30" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_network_acl" "positive1" { + vpc_id = aws_vpc.main.id + + egress = [ + { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 443 + to_port = 443 + } + ] + + ingress = [ + { + protocol = "tcp" + rule_no = 100 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 22 + to_port = 22 + } + ] + + tags = { + Name = "main" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="22" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_network_acl" "positive2" { + vpc_id = aws_vpc.main.id + + tags = { + Name = "main" + } +} + +resource "aws_network_acl_rule" "postive2" { + network_acl_id = aws_network_acl.positive2.id + rule_number = 100 + egress = false + protocol = "tcp" + rule_action = "allow" + from_port = 22 + to_port = 22 + cidr_block = "0.0.0.0/0" +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="26" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "<= 3.52.0" + } + } +} + +resource "aws_network_acl" "positive3" { + vpc_id = aws_vpc.main.id + + egress { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 443 + to_port = 443 + } + + ingress { + protocol = "tcp" + rule_no = 100 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 22 + to_port = 22 + } + + tags = { + Name = "main" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="14" +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + default_network_acl_ingress = [ + { + "action" : "allow", + "cidr_block" : "0.0.0.0/0", + "from_port" : 0, + "protocol" : "tcp", + "rule_no" : 22, + "to_port" : 0 + } + ] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_network_acl" "negative1" { + vpc_id = aws_vpc.main.id + + egress = [ + { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 443 + to_port = 443 + } + ] + + ingress = [ + { + protocol = "tcp" + rule_no = 100 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 22 + to_port = 22 + } + ] + + tags = { + Name = "main" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_network_acl" "negative2" { + vpc_id = aws_vpc.main.id + + tags = { + Name = "main" + } +} + +resource "aws_network_acl_rule" "negative2" { + network_acl_id = aws_network_acl.positive1.id + rule_number = 100 + egress = false + protocol = "tcp" + rule_action = "allow" + from_port = 22 + to_port = 22 + cidr_block = "10.3.0.0/18" +} + +``` +```tf title="Negative test num. 3 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "3.52.0" + } + } +} + +resource "aws_network_acl" "negative3" { + vpc_id = aws_vpc.main.id + + egress { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 443 + to_port = 443 + } + + ingress { + protocol = "tcp" + rule_no = 100 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 22 + to_port = 22 + } + + tags = { + Name = "main" + } +} + +``` +
Negative test num. 4 - tf file + +```tf +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+
Negative test num. 5 - tf file + +```tf +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + default_network_acl_ingress = [ + { + "action" : "allow", + "cidr_block" : "0.0.0.0/0", + "from_port" : 0, + "protocol" : "-1", + "rule_no" : 100, + "to_port" : 0 + }, + { + "action" : "allow", + "cidr_block" : "10.3.0.0/18", + "from_port" : 0, + "protocol" : "-1", + "rule_no" : 22, + "to_port" : 0 + } + ] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/3b6d777b-76e3-4133-80a3-0d6f667ade7f.md b/docs/queries/terraform-queries/aws/3b6d777b-76e3-4133-80a3-0d6f667ade7f.md new file mode 100644 index 00000000000..a6d9b78790b --- /dev/null +++ b/docs/queries/terraform-queries/aws/3b6d777b-76e3-4133-80a3-0d6f667ade7f.md @@ -0,0 +1,221 @@ +--- +title: Automatic Minor Upgrades Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3b6d777b-76e3-4133-80a3-0d6f667ade7f +- **Query name:** Automatic Minor Upgrades Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/automatic_minor_upgrades_disabled) + +### Description +RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#auto_minor_version_upgrade) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="13" +resource "aws_db_instance" "positive1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + iam_database_authentication_enabled = true + storage_encrypted = true + ca_cert_identifier = "rds-ca-2019" + auto_minor_version_upgrade = false +} +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="11" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + auto_minor_version_upgrade = false + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" 
+ port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_instance" "negative1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + iam_database_authentication_enabled = true + storage_encrypted = true + ca_cert_identifier = "rds-ca-2019" + auto_minor_version_upgrade = true +} +``` +```tf title="Negative test num. 2 - tf file" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + auto_minor_version_upgrade = true + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" 
+ port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` diff --git a/docs/queries/terraform-queries/aws/3d3f6270-546b-443c-adb4-bb6fb2187ca6.md b/docs/queries/terraform-queries/aws/3d3f6270-546b-443c-adb4-bb6fb2187ca6.md new file mode 100644 index 00000000000..decc70ce49f --- /dev/null +++ b/docs/queries/terraform-queries/aws/3d3f6270-546b-443c-adb4-bb6fb2187ca6.md @@ -0,0 +1,47 @@ +--- +title: EBS Default Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3d3f6270-546b-443c-adb4-bb6fb2187ca6 +- **Query name:** EBS Default Encryption Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ebs_default_encryption_disabled) + +### Description +EBS Encryption should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +resource "aws_ebs_encryption_by_default" "positive1" { + enabled = false +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_ebs_encryption_by_default" "negative1" { + enabled = true +} + +resource "aws_ebs_encryption_by_default" "negative2" { + +} +``` diff --git a/docs/queries/terraform-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702.md b/docs/queries/terraform-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702.md new file mode 100644 index 00000000000..d0b9c067ff0 --- /dev/null +++ b/docs/queries/terraform-queries/aws/3db3f534-e3a3-487f-88c7-0a9fbf64b702.md @@ -0,0 +1,102 @@ +--- +title: AmazonMQ Broker Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3db3f534-e3a3-487f-88c7-0a9fbf64b702 +- **Query name:** AmazonMQ Broker Encryption Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/amazon_mq_broker_encryption_disabled) + +### Description +AmazonMQ Broker should have Encryption Options defined
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_mq_broker" "positive1" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.9" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_mq_broker" "negative1" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.9" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } + + encryption_options { + kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + use_aws_owned_key = false + } +} + +resource "aws_mq_broker" "negative2" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.9" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } + + encryption_options { + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/3dd96caa-0b5f-4a85-b929-acfac4646cc2.md b/docs/queries/terraform-queries/aws/3dd96caa-0b5f-4a85-b929-acfac4646cc2.md new file mode 100644 index 00000000000..ed977c76ec2 --- /dev/null 
+++ b/docs/queries/terraform-queries/aws/3dd96caa-0b5f-4a85-b929-acfac4646cc2.md @@ -0,0 +1,82 @@ +--- +title: Group With Privilege Escalation By Actions 'iam:AttachRolePolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3dd96caa-0b5f-4a85-b929-acfac4646cc2 +- **Query name:** Group With Privilege Escalation By Actions 'iam:AttachRolePolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachRolePolicy) + +### Description +Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/3ddfa124-6407-4845-a501-179f90c65097.md b/docs/queries/terraform-queries/aws/3ddfa124-6407-4845-a501-179f90c65097.md new file mode 100644 index 00000000000..23f96ce1a05 --- /dev/null +++ b/docs/queries/terraform-queries/aws/3ddfa124-6407-4845-a501-179f90c65097.md @@ -0,0 +1,153 @@ +--- +title: Authentication Without MFA +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3ddfa124-6407-4845-a501-179f90c65097 +- **Query name:** Authentication Without MFA +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/authentication_without_mfa) + +### Description +Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="23" +provider "aws" { + region = "us-east-1" +} + +resource "aws_iam_user" "positive1" { + name = "aws-foundations-benchmark-1-4-0-terraform-user" + path = "/" +} + +resource "aws_iam_user_login_profile" "positive1" { + user = aws_iam_user.positive1.name + pgp_key = "gpgkeybase64gpgkeybase64gpgkeybase64gpgkeybase64" +} + +resource "aws_iam_access_key" "positive1" { + user = aws_iam_user.positive1.name +} + +resource "aws_iam_user_policy" "positive1" { + name = "aws-foundations-benchmark-1-4-0-terraform-user" + user = aws_iam_user.positive1.name + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 3deec14b-03d2-4d27-9670-7d79322e3340 +- **Query name:** CodeBuild Project Encrypted With AWS Managed Key +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/codebuild_project_encrypted_with_aws_managed_key) + +### Description +CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_key) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="35" +provider "aws" { + region = "us-east-1" +} + +data "aws_kms_key" "by_alias" { + key_id = "alias/aws/s3" +} + +# No policy attached to this role because it is for testing purposes +resource "aws_iam_role" "codebuild" { + name = "codebuild-cloudrail-test" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 3ef8696c-e4ae-4872-92c7-520bb44dfe77 +- **Query name:** Public Lambda via API Gateway +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/public_lambda_via_api_gateway) + +### Description +Allowing to run lambda function using public API Gateway
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9" +resource "aws_lambda_permission" "apigw" { + statement_id = "AllowAPIGatewayInvoke" + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.example.function_name + principal = "apigateway.amazonaws.com" + + # The "/*/*" portion grants access from any method on any resource + # within the API Gateway REST API. + source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/*/*" +} + +resource "aws_lambda_function" "example" { + function_name = "ServerlessPerson" + + handler = "MyHandler::handleRequest" + runtime = "java11" + + role = aws_iam_role.lambda_exec.arn +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_lambda_permission" "apigw" { + statement_id = "AllowAPIGatewayInvoke" + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.example.function_name + principal = "apigateway.amazonaws.com" + + # The "/*/*" portion grants access from any method on any resource + # within the API Gateway REST API. + source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/test/test" +} + +resource "aws_lambda_function" "example" { + function_name = "ServerlessPerson" + + handler = "MyHandler::handleRequest" + runtime = "java11" + + role = aws_iam_role.lambda_exec.arn +} + + +``` diff --git a/docs/queries/terraform-queries/aws/4003118b-046b-4640-b200-b8c7a4c8b89f.md b/docs/queries/terraform-queries/aws/4003118b-046b-4640-b200-b8c7a4c8b89f.md new file mode 100644 index 00000000000..237eed2cf45 --- /dev/null +++ b/docs/queries/terraform-queries/aws/4003118b-046b-4640-b200-b8c7a4c8b89f.md 
@@ -0,0 +1,86 @@ +--- +title: SSO Identity User Unsafe Creation +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4003118b-046b-4640-b200-b8c7a4c8b89f +- **Query name:** SSO Identity User Unsafe Creation +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sso_policy_with_full_priveleges copy) + +### Description +The use of AWS SSO for creating users may pose a security risk as it does not synchronize with external Identity Providers (IdP) or Active Directory (AD). This can lead to inconsistencies and potential unauthorized access to resources. It is recommended to review and update user creation processes to ensure proper security protocols are in place.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_user) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_identitystore_user" "example" { + identity_store_id = tolist(data.aws_ssoadmin_instances.example.identity_store_ids)[0] + + display_name = "John Doe" + user_name = "johndoe" + + name { + given_name = "John" + family_name = "Doe" + } + + emails { + value = "john@example.com" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_ssoadmin_permission_set_inline_policy" "neg1" { + instance_arn = aws_ssoadmin_permission_set.example.instance_arn + permission_set_arn = aws_ssoadmin_permission_set.example.arn + inline_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 41abc6cc-dde1-4217-83d3-fb5f0cc09d8f +- **Query name:** Redshift Using Default Port +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/redshift_using_default_port) + +### Description +Redshift should not use the default port (5439) because an attacker can easily guess the port
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#port) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_redshift_cluster" "positive1" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" + publicly_accessible = false +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +resource "aws_redshift_cluster" "positive2" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" + publicly_accessible = false + port = 5439 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_redshift_cluster" "negative1" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" + publicly_accessible = false + port = 1150 +} + +``` diff --git a/docs/queries/terraform-queries/aws/42bb6b7f-6d54-4428-b707-666f669d94fb.md b/docs/queries/terraform-queries/aws/42bb6b7f-6d54-4428-b707-666f669d94fb.md new file mode 100644 index 00000000000..1586b98e5fe --- /dev/null +++ b/docs/queries/terraform-queries/aws/42bb6b7f-6d54-4428-b707-666f669d94fb.md 
@@ -0,0 +1,182 @@ +--- +title: S3 Static Website Host Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 42bb6b7f-6d54-4428-b707-666f669d94fb +- **Query name:** S3 Static Website Host Enabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_static_website_host_enabled) + +### Description +Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#website) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="18" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "s3-website-test.hashicorp.com" + acl = "public-read" + + website { + index_document = "index.html" + error_document = "error.html" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="12" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + + website { + index_document = "index.html" + error_document = "error.html" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="15" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + + +resource "aws_s3_bucket" "buc" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +resource "aws_s3_bucket_website_configuration" "example" { + bucket = aws_s3_bucket.buc.bucket + + index_document { + suffix = "index.html" + } + + error_document { + key = "error.html" + } + + routing_rule { + condition { + key_prefix_equals = "docs/" + } + redirect { + replace_key_prefix_with = "documents/" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "negative1" { + bucket = "s3-website-test.hashicorp.com" + acl = "public-read" +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } +} + +``` +```tf title="Negative test num. 3 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + + +resource "aws_s3_bucket" "bu" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/42f4b905-3736-4213-bfe9-c0660518cda8.md b/docs/queries/terraform-queries/aws/42f4b905-3736-4213-bfe9-c0660518cda8.md new file mode 100644 index 00000000000..a0770bf14d7 --- /dev/null +++ b/docs/queries/terraform-queries/aws/42f4b905-3736-4213-bfe9-c0660518cda8.md @@ -0,0 +1,83 @@ +--- +title: EKS Cluster Has Public Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 42f4b905-3736-4213-bfe9-c0660518cda8 +- **Query name:** EKS Cluster Has Public Access +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/eks_cluster_has_public_access) + +### Description +Amazon EKS public endpoint shoud be set to false
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "aws_eks_cluster" "positive1" { + name = "example" + role_arn = aws_iam_role.example.arn + + vpc_config { + subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id] + endpoint_public_access = true + } + + # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. + # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. + depends_on = [ + aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy, + ] +} + +output "endpoint" { + value = aws_eks_cluster.example.endpoint +} + +output "kubeconfig-certificate-authority-data" { + value = aws_eks_cluster.example.certificate_authority[0].data +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_eks_cluster" "negative1" { + name = "example" + role_arn = aws_iam_role.example.arn + + vpc_config { + subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id] + endpoint_public_access = false + } + + # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. + # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. + depends_on = [ + aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy, + ] +} + +output "endpoint" { + value = aws_eks_cluster.example.endpoint +} + +output "kubeconfig-certificate-authority-data" { + value = aws_eks_cluster.example.certificate_authority[0].data +} +``` diff --git a/docs/queries/terraform-queries/aws/43a41523-386a-4cb1-becb-42af6b414433.md b/docs/queries/terraform-queries/aws/43a41523-386a-4cb1-becb-42af6b414433.md new file mode 100644 index 00000000000..1f086d3e558 --- /dev/null 
+++ b/docs/queries/terraform-queries/aws/43a41523-386a-4cb1-becb-42af6b414433.md @@ -0,0 +1,90 @@ +--- +title: User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 43a41523-386a-4cb1-becb-42af6b414433 +- **Query name:** User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion) + +### Description +User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:SetDefaultPolicyVersion", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/443488f5-c734-460b-a36d-5b3f330174dc.md b/docs/queries/terraform-queries/aws/443488f5-c734-460b-a36d-5b3f330174dc.md new file mode 100644 index 00000000000..30344b80c20 --- /dev/null +++ b/docs/queries/terraform-queries/aws/443488f5-c734-460b-a36d-5b3f330174dc.md 
@@ -0,0 +1,196 @@ +--- +title: User Data Contains Encoded Private Key +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 443488f5-c734-460b-a36d-5b3f330174dc +- **Query name:** User Data Contains Encoded Private Key +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_data_contains_encoded_private_key) + +### Description +User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_launch_configuration" "positive1" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5" # someKey + + lifecycle { + create_before_destroy = true + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="11" +module "positive2" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + user_data_base64 = "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpzb21lS2V5" + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + }, + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + }, + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="11" +module "positive3" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + user_data_base64 = "LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZIEJMT0NLLS0tLS0=" + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + }, + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + }, + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_launch_configuration" "negative1" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_launch_configuration" "negative2" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = "" + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_launch_configuration" "negative3" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = "dGVzdA==" + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_launch_configuration" "negative4" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = null + + lifecycle { + create_before_destroy = true + } +} +``` 
diff --git a/docs/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933.md b/docs/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933.md new file mode 100644 index 00000000000..9a5f7de3be0 --- /dev/null +++ b/docs/queries/terraform-queries/aws/44ceb4fa-0897-4fd2-b676-30e7a58f2933.md @@ -0,0 +1,227 @@ +--- +title: CloudWatch Console Sign-in Without MFA Alarm Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 44ceb4fa-0897-4fd2-b676-30e7a58f2933 +- **Query name:** CloudWatch Console Sign-in Without MFA Alarm Missing +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_management_console_sign_in_without_mfa_alarm_missing) + +### Description +Ensure a log metric filter and alarm exist for management console sign-in without MFA
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." 
+ alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ $.additionalEventData.MFAUsed != \"Yes\" }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") || ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.cis_cloudwatch_logsgroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." 
+ alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.cis_cloudwatch_logsgroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md b/docs/queries/terraform-queries/aws/45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md new file mode 100644 index 00000000000..61242b71457 --- /dev/null +++ b/docs/queries/terraform-queries/aws/45cff7b6-3b80-40c1-ba7b-2cf480678bb8.md @@ -0,0 +1,95 @@ +--- +title: Neptune Logging Is Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 45cff7b6-3b80-40c1-ba7b-2cf480678bb8 +- **Query name:** Neptune Logging Is Disabled +- **Platform:** Terraform +- **Severity:** Info +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/neptune_logging_disabled) + +### Description +Neptune logging should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#enable_cloudwatch_logs_exports) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_neptune_cluster" "postive1" { + cluster_identifier = "neptune-cluster" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "10:10-11:11" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +resource "aws_neptune_cluster" "postive2" { + cluster_identifier = "neptune-cluster" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "10:10-11:11" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + enable_cloudwatch_logs_exports = [] +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="9" +resource "aws_neptune_cluster" "postive3" { + cluster_identifier = "neptune-cluster" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "10:10-11:11" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + enable_cloudwatch_logs_exports = ["error"] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_neptune_cluster" "negative1" { + cluster_identifier = "neptune-cluster" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "10:10-11:11" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + enable_cloudwatch_logs_exports = ["audit"] +} + +resource "aws_neptune_cluster" "negative2" { + cluster_identifier = "neptune-cluster" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "10:10-11:11" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + enable_cloudwatch_logs_exports = ["audit", "error"] +} + +``` diff --git a/docs/queries/terraform-queries/aws/46883ce1-dc3e-4b17-9195-c6a601624c73.md b/docs/queries/terraform-queries/aws/46883ce1-dc3e-4b17-9195-c6a601624c73.md new file mode 100644 index 00000000000..c3db328f430 --- /dev/null +++ b/docs/queries/terraform-queries/aws/46883ce1-dc3e-4b17-9195-c6a601624c73.md @@ -0,0 +1,98 @@ +--- +title: Default Security Groups With Unrestricted Traffic +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 46883ce1-dc3e-4b17-9195-c6a601624c73 +- **Query name:** Default Security Groups With Unrestricted Traffic +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/default_security_groups_with_unrestricted_traffic) + +### Description +Check if default security group does not restrict all inbound and outbound traffic.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="24 1 13" +resource "aws_default_security_group" "positive1" { + vpc_id = aws_vpc.mainvpc.id + + ingress { + protocol = -1 + self = true + from_port = 0 + to_port = 0 + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_default_security_group" "positive2" { + vpc_id = aws_vpc.mainvpc.id + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + ipv6_cidr_blocks = ["::/0"] + } +} + +resource "aws_default_security_group" "positive3" { + vpc_id = aws_vpc.mainvpc.id + + ingress { + protocol = -1 + self = true + from_port = 0 + to_port = 0 + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + ipv6_cidr_blocks = ["::/0"] + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_default_security_group" "negative1" { + vpc_id = aws_vpc.mainvpc.id + + ingress { + protocol = -1 + self = true + from_port = 0 + to_port = 0 + cidr_blocks = ["10.1.0.0/16"] + ipv6_cidr_blocks = ["250.250.250.1:8451"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["10.1.0.0/16"] + ipv6_cidr_blocks = ["250.250.250.1:8451"] + } +} +``` diff --git a/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md b/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md new file mode 100644 index 00000000000..56f692e3c51 --- /dev/null +++ b/docs/queries/terraform-queries/aws/4728cd65-a20c-49da-8b31-9c08b423e4db.md 
@@ -0,0 +1,313 @@ +--- +title: Unrestricted Security Group Ingress +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4728cd65-a20c-49da-8b31-9c08b423e4db +- **Query name:** Unrestricted Security Group Ingress +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/unrestricted_security_group_ingress) + +### Description +Security groups allow ingress from 0.0.0.0:0 and/or ::/0
+[Documentation](https://www.terraform.io/docs/providers/aws/r/security_group.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "aws_security_group_rule" "positive1" { + type = "ingress" + from_port = 3306 + to_port = 3306 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.default.id +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="6" +resource "aws_security_group" "positive2" { + ingress { + from_port = 3306 + to_port = 3306 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.default.id + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="13" +resource "aws_security_group" "positive3" { + ingress { + from_port = 3306 + to_port = 3306 + protocol = "tcp" + cidr_blocks = ["1.0.0.0/0"] + } + + ingress { + from_port = 3306 + to_port = 3306 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="9" +module "web_server_sg" { + source = "terraform-aws-modules/security-group/aws" + version = "4.3.0" + + name = "web-server" + description = "Security group for web-server with HTTP ports open within VPC" + vpc_id = "vpc-12345678" + + ingress_cidr_blocks = ["0.0.0.0/0"] +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="9" +module "web_server_sg" { + source = "terraform-aws-modules/security-group/aws" + version = "4.3.0" + + name = "web-server" + description = "Security group for web-server with HTTP ports open within VPC" + vpc_id = "vpc-12345678" + + ingress_cidr_blocks = ["10.10.0.0/16", "0.0.0.0/0"] +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="6" +resource "aws_security_group_rule" "positive6" { + type = "ingress" + from_port = 3306 + to_port = 3306 + protocol = "tcp" + ipv6_cidr_blocks = ["::/0"] + security_group_id = aws_security_group.default.id +} + +``` +
+
Postitive test num. 7 - tf file + +```tf hl_lines="6" +resource "aws_security_group" "positive7" { + ingress { + from_port = 3306 + to_port = 3306 + protocol = "tcp" + ipv6_cidr_blocks = ["::/0"] + security_group_id = aws_security_group.default.id + } +} + +``` +
+
Postitive test num. 8 - tf file + +```tf hl_lines="13" +resource "aws_security_group" "positive8" { + ingress { + from_port = 3306 + to_port = 3306 + protocol = "tcp" + ipv6_cidr_blocks = ["fc00::/8"] + } + + ingress { + from_port = 3306 + to_port = 3306 + protocol = "tcp" + ipv6_cidr_blocks = ["::/0"] + } +} + +``` +
+
Postitive test num. 9 - tf file + +```tf hl_lines="9" +module "web_server_sg" { + source = "terraform-aws-modules/security-group/aws" + version = "4.3.0" + + name = "web-server" + description = "Security group for web-server with HTTP ports open within VPC" + vpc_id = "vpc-12345678" + + ingress_ipv6_cidr_blocks = ["::/0"] +} + +``` +
+
Postitive test num. 10 - tf file + +```tf hl_lines="9" +module "web_server_sg" { + source = "terraform-aws-modules/security-group/aws" + version = "4.3.0" + + name = "web-server" + description = "Security group for web-server with HTTP ports open within VPC" + vpc_id = "vpc-12345678" + + ingress_ipv6_cidr_blocks = ["fc00::/8", "::/0"] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group_rule" "negative1" { + type = "ingress" + from_port = 3306 + to_port = 3306 + protocol = "tcp" + cidr_blocks = ["0.0.2.0/0"] + security_group_id = aws_security_group.default.id +} + + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_security_group" "negative2" { + ingress { + from_port = 3306 + to_port = 3306 + protocol = "tcp" + cidr_blocks = ["0.0.2.0/0"] + security_group_id = aws_security_group.default.id + } +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "aws_security_group" "negative3" { + ingress { + from_port = 3306 + to_port = 3306 + protocol = "tcp" + cidr_blocks = ["1.0.0.0/0"] + } + + ingress { + from_port = 3306 + to_port = 3306 + protocol = "tcp" + cidr_blocks = ["0.0.1.0/0"] + } +} + +``` +
Negative test num. 4 - tf file + +```tf +module "web_server_sg" { + source = "terraform-aws-modules/security-group/aws" + version = "4.3.0" + + name = "web-server" + description = "Security group for web-server with HTTP ports open within VPC" + vpc_id = "vpc-12345678" + + ingress_cidr_blocks = ["10.10.0.0/16"] +} + +``` +
+
Negative test num. 5 - tf file + +```tf +resource "aws_security_group_rule" "negative5" { + type = "ingress" + from_port = 3306 + to_port = 3306 + protocol = "tcp" + ipv6_cidr_blocks = ["fc00::/8"] + security_group_id = aws_security_group.default.id +} + + +``` +
+
Negative test num. 6 - tf file
+
+```tf
+resource "aws_security_group" "negative6" {
+ ingress {
+ from_port = 3306
+ to_port = 3306
+ protocol = "tcp"
+ ipv6_cidr_blocks = ["fc00::/8"]
+ security_group_id = aws_security_group.default.id
+ }
+}
+
+```
+
+
Negative test num. 7 - tf file
+
+```tf
+resource "aws_security_group" "negative7" {
+ ingress {
+ from_port = 3306
+ to_port = 3306
+ protocol = "tcp"
+ ipv6_cidr_blocks = ["fc00::/9"]
+ }
+
+ ingress {
+ from_port = 3306
+ to_port = 3306
+ protocol = "tcp"
+ ipv6_cidr_blocks = ["fc00::/8"]
+ }
+}
+
+```
+
+
Negative test num. 8 - tf file
+
+```tf
+module "web_server_sg" {
+ source = "terraform-aws-modules/security-group/aws"
+ version = "4.3.0"
+
+ name = "web-server"
+ description = "Security group for web-server with HTTP ports open within VPC"
+ vpc_id = "vpc-12345678"
+
+ ingress_ipv6_cidr_blocks = ["fc00::/8"]
+}
+
+```
+
diff --git a/docs/queries/terraform-queries/aws/4766d3ea-241c-4ee6-93ff-c380c996bd1a.md b/docs/queries/terraform-queries/aws/4766d3ea-241c-4ee6-93ff-c380c996bd1a.md
new file mode 100644
index 00000000000..19233213df0
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/4766d3ea-241c-4ee6-93ff-c380c996bd1a.md
@@ -0,0 +1,59 @@
+---
+title: DOCDB Cluster Without KMS
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4766d3ea-241c-4ee6-93ff-c380c996bd1a
+- **Query name:** DOCDB Cluster Without KMS
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/docdb_cluster_without_kms)
+
+### Description
+AWS DOCDB Cluster should be encrypted with a KMS encryption key
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_docdb_cluster" "docdb" {
+ cluster_identifier = "my-docdb-cluster"
+ engine = "docdb"
+ master_username = "foo"
+ master_password = "mustbeeightchars"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ skip_final_snapshot = true
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_docdb_cluster" "docdb" {
+ cluster_identifier = "my-docdb-cluster"
+ engine = "docdb"
+ master_username = "foo"
+ master_password = "mustbeeightchars"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ skip_final_snapshot = true
+ storage_encrypted = true
+ kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/48207659-729f-4b5c-9402-f884257d794f.md b/docs/queries/terraform-queries/aws/48207659-729f-4b5c-9402-f884257d794f.md
new file mode 100644
index 00000000000..74bfd1d7b62
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/48207659-729f-4b5c-9402-f884257d794f.md
@@ -0,0 +1,61 @@
+---
+title: EFS Not Encrypted
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 48207659-729f-4b5c-9402-f884257d794f
+- **Query name:** EFS Not Encrypted
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/efs_not_encrypted)
+
+### Description
+Elastic File System (EFS) must be encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system#encrypted)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 11"
+resource "aws_efs_file_system" "positive1" {
+ creation_token = "my-product"
+
+ tags = {
+ Name = "MyProduct"
+ }
+}
+
+resource "aws_efs_file_system" "positive2" {
+ creation_token = "my-product"
+ encrypted = false
+
+ tags = {
+ Name = "MyProduct"
+ }
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_efs_file_system" "negative1" {
+ creation_token = "my-product"
+ encrypted = true
+
+ tags = {
+ Name = "MyProduct"
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/aws/482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md b/docs/queries/terraform-queries/aws/482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md
new file mode 100644
index 00000000000..61f1f20fba1
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/482b7d26-0bdb-4b5f-bf6f-545826c0a3dd.md
@@ -0,0 +1,51 @@
+---
+title: CloudTrail SNS Topic Name Undefined
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 482b7d26-0bdb-4b5f-bf6f-545826c0a3dd
+- **Query name:** CloudTrail SNS Topic Name Undefined
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudtrail_sns_topic_name_undefined)
+
+### Description
+Check if SNS topic name is set for CloudTrail
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 5"
+resource "aws_cloudtrail" "positive1" {
+ # ... other configuration ...
+}
+
+resource "aws_cloudtrail" "positive2" {
+ # ... other configuration ...
+
+ sns_topic_name = null
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_cloudtrail" "negative1" {
+ # ... other configuration ...
+
+ sns_topic_name = "some-topic"
+}
+```
diff --git a/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md b/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md
new file mode 100644
index 00000000000..aa5e678b29c
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md
@@ -0,0 +1,524 @@
+---
+title: Security Group Not Used
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4849211b-ac39-479e-ae78-5694d506cb24
+- **Query name:** Security Group Not Used
+- **Platform:** Terraform
+- **Severity:** Info
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/security_groups_not_used)
+
+### Description
+Security group must be used or not declared
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "aws_lb" "test" { + name = "test" + load_balancer_type = "application" + subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] + internal = true +} + +resource "aws_security_group" "allow_tls" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + tags = { + Name = "allow_tls" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="15" +# given: +# - unused security group +# - aws_instance +# when: +# - no security group attached to aws_instance +# then: +# - detect unused security group as unused + +resource "aws_instance" "positive1" { + ami = "ami-003634241a8fcdec0" + + instance_type = "t2.micro" +} + +resource "aws_security_group" "unused-sg" { + name = "unused-sg" + description = "Unused security group" + vpc_id = aws_vpc.main.id + + ingress { + description = "Some port" + from_port = 42 + to_port = 42 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="19" +# given: +# - unused security group +# - used security group +# - aws_instance +# when: +# - used security group attached to aws_instance +# - unused security group not attached to aws_instance +# then: +# - detect only unused security group as unused + +resource "aws_instance" "positive1" { + ami = "ami-003634241a8fcdec0" + + instance_type = "t2.micro" + + vpc_security_group_ids = [ aws_security_group.used_sg.id ] +} + +resource "aws_security_group" "unused_sg" { + name = "unused-sg" + description = "Unused security group" + vpc_id = aws_vpc.main.id + + ingress { + description = "Some port" + from_port = 42 + to_port = 42 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + +} + +resource "aws_security_group" "used_sg" { + name = "used-sg" + description = "Used security group" + vpc_id = aws_vpc.main.id + + ingress { + description = "Some port" + from_port = 43 + to_port = 43 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + +} + + +``` +
Postitive test num. 4 - tf file
+
+```tf hl_lines="21"
+# given:
+# - unused security group
+# - used security group
+# - aws_eks_cluster
+# when:
+# - used security group attached to aws_eks_cluster
+# - unused security group not attached to aws_eks_cluster
+# then:
+# - detect only unused security group as unused
+
+resource "aws_eks_cluster" "positive4" {
+ name = "beautiful-eks"
+
+ role_arn = aws_iam_role.example.arn
+
+ vpc_config {
+ security_group_ids = [ aws_security_group.used_sg.id ]
+ }
+}
+
+resource "aws_security_group" "unused_sg" {
+ name = "unused-sg"
+ description = "Unused security group"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "Some port"
+ from_port = 42
+ to_port = 42
+ protocol = "tcp"
+ cidr_blocks = [aws_vpc.main.cidr_block]
+ ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+}
+
+resource "aws_security_group" "used_sg" {
+ name = "used-sg"
+ description = "Used security group"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "Some port"
+ from_port = 43
+ to_port = 43
+ protocol = "tcp"
+ cidr_blocks = [aws_vpc.main.cidr_block]
+ ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+}
+
+```
+
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group" "allow_tls" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + tags = { + Name = "allow_tls" + } +} + +resource "aws_lb" "test" { + name = "test" + load_balancer_type = "application" + subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] + internal = true + security_groups = [aws_security_group.allow_tls.id] +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_security_group" "allow_tls" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + tags = { + Name = "allow_tls" + } +} + +module "security_groups_test" { + source = "terraform-aws-modules/security-group/aws//modules/http-80" + version = "4.3.0" + + name = "web-server" + + security_group_id = aws_security_group.allow_tls.id +} + +``` +```tf title="Negative test num. 
3 - tf file" +# given: +# - used security group +# - aws_instance +# when: +# - used security group attached to aws_instance +# then: +# - do not detect any unused security group + +resource "aws_security_group" "used_sg" { + name = "used-sg" + description = "Used security group" + vpc_id = aws_vpc.main.id + + ingress { + description = "Some port" + from_port = 43 + to_port = 43 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + +} + +resource "aws_instance" "negative3" { + ami = "ami-003634241a8fcdec0" + + instance_type = "t2.micro" + + vpc_security_group_ids = [ "aws_security_group.used_sg.id" ] + +} + + +``` +
Negative test num. 4 - tf file
+
+```tf
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+
+ required_version = ">= 1.1.0"
+}
+
+variable "iam_role" {
+ type = string
+ default = "AmazonSSMRoleForInstancesQuickSetup"
+ description = "Set AWS IAM role."
+}
+
+variable "ami_owner" {
+ type = string
+ default = "self"
+ description = "Set AWS image owner."
+}
+
+variable "region" {
+ type = string
+ default = "eu-west-3"
+ description = "Set AWS region."
+}
+
+variable "secgroups" {
+ type = list(string)
+ default = ["CowrieSSH"]
+ description = "Set AWS security groups."
+}
+
+data "aws_ami" "cowrie" {
+ most_recent = true
+ owners = ["var.ami_owner"]
+
+ filter {
+ name = "name"
+ values = ["cowrie-packer-*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+}
+
+provider "aws" {
+ profile = "default"
+ region = var.region
+}
+
+resource "aws_security_group" "cowrie" {
+ name = "CowrieSSH"
+ description = "CowrieSSH Terraform security group"
+
+ ingress {
+ description = "Allow anyone to connect to the honeypot."
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ description = "Allow all outgoing traffic."
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+ tags = {
+ Name = "cowrie_ssh_sg"
+ purpose = "honeypot"
+ }
+}
+
+resource "aws_instance" "cowrie_server" {
+ ami = data.aws_ami.cowrie.id
+ instance_type = "t3.nano"
+ security_groups = var.secgroups
+ iam_instance_profile = var.iam_role
+
+ metadata_options {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ }
+
+ tags = {
+ Name = "cowrie",
+ author = "konstruktoid"
+ vcs-url = "https://github.com/konstruktoid/ansible-cowrie-rootless"
+ purpose = "honeypot"
+ }
+}
+
+```
+
+
Negative test num. 5 - tf file
+
+```tf
+# given:
+# - used security group
+# - aws_eks_cluster
+# when:
+# - used security group attached to aws_eks_cluster
+# then:
+# - do not detect any unused security group
+
+resource "aws_security_group" "used_sg" {
+ name = "used-sg"
+ description = "Used security group"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "Some port"
+ from_port = 43
+ to_port = 43
+ protocol = "tcp"
+ cidr_blocks = [aws_vpc.main.cidr_block]
+ ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+}
+
+resource "aws_eks_cluster" "negative3" {
+ name = "beautiful-eks"
+
+ role_arn = aws_iam_role.example.arn
+
+ vpc_config {
+ security_group_ids = [ "aws_security_group.used_sg.id" ]
+ }
+}
+
+
+```
+
diff --git a/docs/queries/terraform-queries/aws/4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md b/docs/queries/terraform-queries/aws/4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md
new file mode 100644
index 00000000000..08b666e2ecd
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/4a800e14-c94a-442d-9067-5a2e9f6c0a4c.md
@@ -0,0 +1,229 @@
+---
+title: ELB Using Weak Ciphers
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4a800e14-c94a-442d-9067-5a2e9f6c0a4c
+- **Query name:** ELB Using Weak Ciphers
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elb_using_weak_ciphers)
+
+### Description
+ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="41 74 63" +#this is a problematic code where the query should report a result(s) +resource "aws_elb" "positive1" { + name = "wu-tang" + availability_zones = ["us-east-1a"] + + listener { + instance_port = 443 + instance_protocol = "http" + lb_port = 443 + lb_protocol = "https" + ssl_certificate_id = "arn:aws:iam::000000000000:server-certificate/wu-tang.net" + } + + tags = { + Name = "wu-tang" + } +} + +resource "aws_load_balancer_policy" "positive2" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ca-pubkey-policy" + policy_type_name = "PublicKeyPolicyType" + + policy_attribute { + name = "PublicKey" + value = file("wu-tang-pubkey") + } +} + +resource "aws_load_balancer_policy" "positive3" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-root-ca-backend-auth-policy" + policy_type_name = "BackendServerAuthenticationPolicyType" + + policy_attribute { + name = "PublicKeyPolicyName" + value = aws_load_balancer_policy.wu-tang-root-ca-pubkey-policy.policy_name + } +} + +resource "aws_load_balancer_policy" "positive4" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ssl" + policy_type_name = "SSLNegotiationPolicyType" + + policy_attribute { + name = "Protocol-TLSv1.2" + value = "true" + } + + policy_attribute { + name = "TLS_RSA_ARCFOUR_128_SHA1" + value = "true" + } +} + +resource "aws_load_balancer_policy" "positive5" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ssl" + policy_type_name = "SSLNegotiationPolicyType" + + policy_attribute { + name = "DES-CBC3-SHA" + value = "true" + } +} + +resource "aws_load_balancer_policy" "positive6" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ssl" + policy_type_name = 
"SSLNegotiationPolicyType" + + policy_attribute { + name = "TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384" + value = "true" + } +} + +resource "aws_load_balancer_policy" "positive7" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ssl" + policy_type_name = "SSLNegotiationPolicyType" + + policy_attribute { + name = "Reference-Security-Policy" + value = "ELBSecurityPolicy-TLS-1-1-2017-01" + } +} + +resource "aws_load_balancer_backend_server_policy" "positive8" { + load_balancer_name = aws_elb.wu-tang.name + instance_port = 443 + + policy_names = [ + aws_load_balancer_policy.wu-tang-root-ca-backend-auth-policy.policy_name, + ] +} + +resource "aws_load_balancer_listener_policy" "positive9" { + load_balancer_name = aws_elb.wu-tang.name + load_balancer_port = 443 + + policy_names = [ + aws_load_balancer_policy.wu-tang-ssl.policy_name, + ] +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "aws_elb" "negative1" { + name = "wu-tang" + availability_zones = ["us-east-1a"] + + listener { + instance_port = 443 + instance_protocol = "http" + lb_port = 443 + lb_protocol = "https" + ssl_certificate_id = "arn:aws:iam::000000000000:server-certificate/wu-tang.net" + } + + tags = { + Name = "wu-tang" + } +} + +resource "aws_load_balancer_policy" "negative2" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-ca-pubkey-policy" + policy_type_name = "PublicKeyPolicyType" + + policy_attribute { + name = "PublicKey" + value = file("wu-tang-pubkey") + } +} + +resource "aws_load_balancer_policy" "negative3" { + load_balancer_name = aws_elb.wu-tang.name + policy_name = "wu-tang-root-ca-backend-auth-policy" + policy_type_name = "BackendServerAuthenticationPolicyType" + + policy_attribute { + name = "PublicKeyPolicyName" + value = aws_load_balancer_policy.wu-tang-root-ca-pubkey-policy.policy_name + } +} + 
+resource "aws_load_balancer_policy" "negative4" {
+ load_balancer_name = aws_elb.wu-tang.name
+ policy_name = "wu-tang-ssl"
+ policy_type_name = "SSLNegotiationPolicyType"
+
+ policy_attribute {
+ name = "ECDHE-ECDSA-AES128-GCM-SHA256"
+ value = "true"
+ }
+
+ policy_attribute {
+ name = "Protocol-TLSv1.2"
+ value = "true"
+ }
+}
+
+resource "aws_load_balancer_policy" "negative5" {
+ load_balancer_name = aws_elb.wu-tang.name
+ policy_name = "wu-tang-ssl"
+ policy_type_name = "SSLNegotiationPolicyType"
+
+ policy_attribute {
+ name = "Reference-Security-Policy"
+ value = "ELBSecurityPolicy-TLS-1-1-2017-01"
+ }
+}
+
+resource "aws_load_balancer_backend_server_policy" "negative6" {
+ load_balancer_name = aws_elb.wu-tang.name
+ instance_port = 443
+
+ policy_names = [
+ aws_load_balancer_policy.wu-tang-root-ca-backend-auth-policy.policy_name,
+ ]
+}
+
+resource "aws_load_balancer_listener_policy" "negative7" {
+ load_balancer_name = aws_elb.wu-tang.name
+ load_balancer_port = 443
+
+ policy_names = [
+ aws_load_balancer_policy.wu-tang-ssl.policy_name,
+ ]
+}
+```
diff --git a/docs/queries/terraform-queries/aws/4bb76f17-3d63-4529-bdca-2b454529d774.md b/docs/queries/terraform-queries/aws/4bb76f17-3d63-4529-bdca-2b454529d774.md
new file mode 100644
index 00000000000..55f2f810b27
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/4bb76f17-3d63-4529-bdca-2b454529d774.md
@@ -0,0 +1,53 @@
+---
+title: CloudTrail Logging Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4bb76f17-3d63-4529-bdca-2b454529d774
+- **Query name:** CloudTrail Logging Disabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudtrail_logging_disabled)
+
+### Description
+Checks if logging is enabled for CloudTrail.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_logging)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+#this is a problematic code where the query should report a result(s)
+resource "aws_cloudtrail" "positive1" {
+ name = "positive"
+ s3_bucket_name = "bucketlog"
+ enable_logging = false
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_cloudtrail" "negative1" {
+ name = "negative_1"
+ s3_bucket_name = "bucketlog"
+ enable_logging = true
+}
+
+resource "aws_cloudtrail" "negative2" {
+ name = "negative_2"
+ s3_bucket_name = "bucketlog"
+}
+```
diff --git a/docs/queries/terraform-queries/aws/4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md b/docs/queries/terraform-queries/aws/4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md
new file mode 100644
index 00000000000..3139b368be7
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9.md
@@ -0,0 +1,494 @@
+---
+title: S3 Bucket Policy Accepts HTTP Requests
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4bc4dd4c-7d8d-405e-a0fb-57fa4c31b4d9
+- **Query name:** S3 Bucket Policy Accepts HTTP Requests
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_policy_accepts_http_requests)
+
+### Description
+S3 Bucket policy should not accept HTTP Requests
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "aws_s3_bucket" "b" { + bucket = "my-tf-test-bucket" +} + +resource "aws_s3_bucket_policy" "b" { + bucket = aws_s3_bucket.b.id + + policy = <Postitive test num. 4 - tf file + +```tf hl_lines="32" + +data "aws_iam_policy_document" "pos4" { + + statement { + effect = "Deny" + + principals { + type = "*" + identifiers = ["*"] + } + + actions = [ + "s3:*", + ] + + + resources = [ + "arn:aws:s3:::a/*", + "arn:aws:s3:::a", + ] + condition { + test = "Bool" + variable = "aws:SecureTransport" + values = ["true"] + } + } +} + + +resource "aws_s3_bucket" "pos4" { + bucket = "a" + policy = data.aws_iam_policy_document.pos4.json +} + +``` +
+
Postitive test num. 5 - tf file
+
+```tf hl_lines="32"
+
+data "aws_iam_policy_document" "pos5" {
+
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ actions = [
+ "s3:*",
+ ]
+
+
+ resources = [
+ "arn:aws:s3:::a/*",
+ "arn:aws:s3:::a",
+ ]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+ }
+}
+
+
+resource "aws_s3_bucket" "pos5" {
+ bucket = "a"
+ policy = data.aws_iam_policy_document.pos5.json
+}
+
+```
+
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_s3_bucket" "b" { + bucket = "my-tf-test-bucket" +} + +resource "aws_s3_bucket_policy" "b" { + bucket = aws_s3_bucket.b.id + + policy = <Negative test num. 4 - tf file + +```tf +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + + policy = < +
Negative test num. 5 - tf file
+
+```tf
+
+data "aws_iam_policy_document" "neg5" {
+
+ statement {
+ effect = "Deny"
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ actions = [
+ "s3:*",
+ ]
+
+
+ resources = [
+ "arn:aws:s3:::a/*",
+ "arn:aws:s3:::a",
+ ]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["false"]
+ }
+ }
+}
+
+
+resource "aws_s3_bucket" "neg5" {
+ bucket = "a"
+ policy = data.aws_iam_policy_document.neg5.json
+}
+
+```
+
+
Negative test num. 6 - tf file
+
+```tf
+
+data "aws_iam_policy_document" "neg6" {
+
+ statement {
+ effect = "Allow"
+
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+
+ actions = [
+ "s3:*",
+ ]
+
+
+ resources = [
+ "arn:aws:s3:::a/*",
+ "arn:aws:s3:::a",
+ ]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = ["true"]
+ }
+ }
+}
+
+
+resource "aws_s3_bucket" "neg6" {
+ bucket = "a"
+ policy = data.aws_iam_policy_document.neg6.json
+}
+
+```
+
+
Negative test num. 7 - tf file
+
+```tf
+resource "aws_s3_bucket" "negative7" {
+ bucket = "my-tf-test-bucket"
+
+ tags = {
+ Name = "My bucket"
+ Environment = "Dev"
+ }
+}
+
+data "aws_iam_policy_document" "policy" {
+ statement {
+ sid = "https"
+ effect = "Deny"
+ principals {
+ type = "*"
+ identifiers = ["*"]
+ }
+ actions = [
+ "s3:*"
+ ]
+ resources = [
+ aws_s3_bucket.negative7.arn,
+ "${aws_s3_bucket.negative7.arn}/*"
+ ]
+ condition {
+ test = "Bool"
+ variable = "aws:SecureTransport"
+ values = [
+ "false"
+ ]
+ }
+ }
+}
+
+
+resource "aws_s3_bucket_policy" "bucket_policy" {
+ bucket = aws_s3_bucket.negative7.id
+ policy = data.aws_iam_policy_document.policy.json
+}
+
+```
+
diff --git a/docs/queries/terraform-queries/aws/4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md b/docs/queries/terraform-queries/aws/4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md
new file mode 100644
index 00000000000..d35fe06b8ac
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/4bd15dd9-8d5e-4008-8532-27eb0c3706d3.md
@@ -0,0 +1,56 @@
+---
+title: Redis Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4bd15dd9-8d5e-4008-8532-27eb0c3706d3
+- **Query name:** Redis Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/redis_disabled)
+
+### Description
+ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#engine)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="4"
+#this is a problematic code where the query should report a result(s)
+resource "aws_elasticache_cluster" "positive1" {
+ cluster_id = "cluster-example"
+ engine = "memcached"
+ node_type = "cache.m4.large"
+ num_cache_nodes = 1
+ engine_version = "3.2.10"
+ port = 6379
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+#this code is a correct code for which the query should not find any result
+resource "aws_elasticache_cluster" "negative1" {
+ cluster_id = "cluster-example"
+ engine = "redis"
+ node_type = "cache.m4.large"
+ num_cache_nodes = 2
+ port = 11211
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md b/docs/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md
new file mode 100644
index 00000000000..ebd2f111c60
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/4beaf898-9f8b-4237-89e2-5ffdc7ee6006.md
@@ -0,0 +1,142 @@
+---
+title: Cloudwatch Security Group Changes Alarm Missing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4beaf898-9f8b-4237-89e2-5ffdc7ee6006
+- **Query name:** Cloudwatch Security Group Changes Alarm Missing
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_security_group_changes_alarm_missing)
+
+### Description
+Ensure a log metric filter and alarm exist for security group changes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" { + name = "CIS-SecurityGroupChanges" + pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-SecurityGroupChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" { + alarm_name = "CIS-3.10-SecurityGroupChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" { + name = "CIS-SecurityGroupChanges" + pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-SecurityGroupChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" { + alarm_name = "CIS-3.10-SecurityGroupChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.CIS_Security_Group_Changes_Metric_Filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_cloudwatch_log_metric_filter" "CIS_Security_Group_Changes_Metric_Filter" { + name = "CIS-SecurityGroupChanges" + pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-SecurityGroupChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_Security_Group_Changes_CW_Alarm" { + alarm_name = "CIS-3.10-SecurityGroupChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.CIS_Security_Group_Changes_Metric_Filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5.md b/docs/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5.md new file mode 100644 index 00000000000..c08926c6b77 --- /dev/null +++ b/docs/queries/terraform-queries/aws/4c18a45b-4ab1-4790-9f83-399ac695f1e5.md 
@@ -0,0 +1,228 @@ +--- +title: CloudWatch Unauthorized Access Alarm Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4c18a45b-4ab1-4790-9f83-399ac695f1e5 +- **Query name:** CloudWatch Unauthorized Access Alarm Missing +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_unauthorized_access_defined_alarm_missing) + +### Description +Ensure a log metric filter and alarm exist for unauthorized API calls
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = 
aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ $.errorCode = \"AccessDenied*\" }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") && ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = 
"1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = ["aws_sns_topic.CIS_Alerts_SNS_Topic.arn"] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md b/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md new file mode 100644 index 00000000000..92df23d1668 --- /dev/null +++ b/docs/queries/terraform-queries/aws/4d46ff3b-7160-41d1-a310-71d6d370b08f.md @@ -0,0 +1,98 @@ +--- +title: ECS Task Definition Volume Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d46ff3b-7160-41d1-a310-71d6d370b08f +- **Query name:** ECS Task Definition Volume Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecs_task_definition_volume_not_encrypted) + +### Description +AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#transit_encryption) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "aws_ecs_task_definition" "service" { + family = "service" + container_definitions = file("task-definitions/service.json") + + volume { + name = "service-storage" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs.id + root_directory = "/opt/data" + transit_encryption = "DISABLED" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test.id + iam = "ENABLED" + } + } + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="8" +resource "aws_ecs_task_definition" "service_2" { + family = "service" + container_definitions = file("task-definitions/service.json") + + volume { + name = "service-storage" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs.id + root_directory = "/opt/data" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test.id + iam = "ENABLED" + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_ecs_task_definition" "service" { + family = "service" + container_definitions = file("task-definitions/service.json") + + volume { + name = "service-storage" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs.id + root_directory = "/opt/data" + transit_encryption = "ENABLED" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test.id + iam = "ENABLED" + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/4de9de27-254e-424f-bd70-4c1e95790838.md b/docs/queries/terraform-queries/aws/4de9de27-254e-424f-bd70-4c1e95790838.md new file mode 100644 index 00000000000..98e8e678c8a 
--- /dev/null +++ b/docs/queries/terraform-queries/aws/4de9de27-254e-424f-bd70-4c1e95790838.md @@ -0,0 +1,315 @@ +--- +title: Launch Configuration Is Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4de9de27-254e-424f-bd70-4c1e95790838 +- **Query name:** Launch Configuration Is Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/launch_configuration_is_not_encrypted) + +### Description +Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11 28 36" +resource "aws_launch_configuration" "positive1" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = "c29tZUtleQ==" # someKey + + lifecycle { + create_before_destroy = true + } + + ebs_block_device { + device_name = "/dev/xvda1" + } +} + +resource "aws_launch_configuration" "positive2" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = "c29tZUtleQ==" # someKey + + lifecycle { + create_before_destroy = true + } + + ebs_block_device { + device_name = "/dev/xvda1" + encrypted = false + } +} + +resource "aws_launch_configuration" "positive3" { + name = "test-launch-config" + + root_block_device { + encrypted = false + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="14 23" +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + } + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + } + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="24 18" +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + encrypted = false + } + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + } + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="25 14" +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + } + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + encrypted = false + } + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_launch_configuration" "negative1" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = "c29tZUtleQ==" # someKey + + lifecycle { + create_before_destroy = true + } + + ebs_block_device { + device_name = "/dev/xvda1" + encrypted = true + } +} + +resource "aws_launch_configuration" "negative2" { + name = "test-launch-config" + + ephemeral_block_device { + encrypted = false + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + encrypted = true + } + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + encrypted = true + } + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` diff --git a/docs/queries/terraform-queries/aws/4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md b/docs/queries/terraform-queries/aws/4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md new file mode 100644 index 00000000000..5cee25c5af3 --- /dev/null +++ b/docs/queries/terraform-queries/aws/4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b.md 
@@ -0,0 +1,53 @@ +--- +title: API Gateway Without Security Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4e1cc5d3-2811-4fb2-861c-ee9b3cb7f90b +- **Query name:** API Gateway Without Security Policy +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_without_security_policy) + +### Description +API Gateway should have a Security Policy defined and use TLS 1.2.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_domain_name#security_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_api_gateway_domain_name" "example" { + domain_name = "api.example.com" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="3" +resource "aws_api_gateway_domain_name" "example2" { + domain_name = "api.example.com" + security_policy = "TLS_1_0" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_api_gateway_domain_name" "example4" { + domain_name = "api.example.com" + security_policy = "TLS_1_2" +} + +``` diff --git a/docs/queries/terraform-queries/aws/4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md b/docs/queries/terraform-queries/aws/4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md new file mode 100644 index 00000000000..3fca8ed429b --- /dev/null +++ b/docs/queries/terraform-queries/aws/4eb5f791-c861-4afd-9f94-f2a6a3fe49cb.md @@ -0,0 +1,75 @@ +--- +title: MQ Broker Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4eb5f791-c861-4afd-9f94-f2a6a3fe49cb +- **Query name:** MQ Broker Is Publicly Accessible +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/mq_broker_is_publicly_accessible) + +### Description +Check if any MQ Broker is not publicly accessible
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="19" +resource "aws_mq_broker" "positive1" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.0" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } + + publicly_accessible = true +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_mq_broker" "negative1" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.0" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md b/docs/queries/terraform-queries/aws/4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md new file mode 100644 index 00000000000..763cce41955 --- /dev/null +++ b/docs/queries/terraform-queries/aws/4f615f3e-fb9c-4fad-8b70-2e9f781806ce.md 
@@ -0,0 +1,51 @@ +--- +title: DB Security Group Open To Large Scope +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4f615f3e-fb9c-4fad-8b70-2e9f781806ce +- **Query name:** DB Security Group Open To Large Scope +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/db_security_group_open_to_large_scope) + +### Description +The IP address in a DB Security Group must not have more than 256 hosts.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_db_security_group" "positive1" { + name = "rds_sg" + + ingress { + cidr = "10.0.0.0/24" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_security_group" "negative1" { + name = "rds_sg" + + ingress { + cidr = "10.0.0.0/25" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/4fa66806-0dd9-4f8d-9480-3174d39c7c91.md b/docs/queries/terraform-queries/aws/4fa66806-0dd9-4f8d-9480-3174d39c7c91.md new file mode 100644 index 00000000000..cb7c304c1ef --- /dev/null +++ b/docs/queries/terraform-queries/aws/4fa66806-0dd9-4f8d-9480-3174d39c7c91.md @@ -0,0 +1,121 @@ +--- +title: S3 Bucket Without Ignore Public ACL +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4fa66806-0dd9-4f8d-9480-3174d39c7c91 +- **Query name:** S3 Bucket Without Ignore Public ACL +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_without_ignore_public_acl) + +### Description +S3 bucket without ignore public ACL
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "aws_s3_bucket" "positive1" { + bucket = "example" +} + +resource "aws_s3_bucket_public_access_block" "positive2" { + bucket = aws_s3_bucket.example.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = false +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="7" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + ignore_public_acls = false + + versioning = { + enabled = true + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="5" +resource "aws_s3_bucket" "positive1" { + bucket = "example" +} + +resource "aws_s3_bucket_public_access_block" "positive2" { + bucket = aws_s3_bucket.example.id + + block_public_acls = true + block_public_policy = true +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_s3_bucket" "negative1" { + bucket = "example" +} + +resource "aws_s3_bucket_public_access_block" "negative2" { + bucket = aws_s3_bucket.example.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + ignore_public_acls = true + + versioning = { + enabled = true + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md b/docs/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md new file mode 100644 index 00000000000..704183cfa1e --- /dev/null +++ b/docs/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c.md @@ -0,0 +1,147 @@ +--- +title: VPC Subnet Assigns Public IP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 52f04a44-6bfa-4c41-b1d3-4ae99a2de05c +- **Query name:** VPC Subnet Assigns Public IP +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/vpc_subnet_assigns_public_ip) + +### Description +VPC Subnet should not assign public IP
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="13" +resource "aws_vpc" "main" { + cidr_block = "10.0.0.0/16" +} + +resource "aws_subnet" "positive" { + vpc_id = aws_vpc.main.id + cidr_block = "10.0.1.0/24" + + tags = { + Name = "Positive" + } + + map_public_ip_on_launch = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="11" +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + + map_public_ip_on_launch = true + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_vpc" "main2" { + cidr_block = "10.0.0.0/16" +} + +resource "aws_subnet" "negative1" { + vpc_id = aws_vpc.main2.id + cidr_block = "10.0.1.0/24" + + tags = { + Name = "Negative1" + } +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "aws_vpc" "main3" { + cidr_block = "10.0.0.0/16" +} + +resource "aws_subnet" "negative2" { + vpc_id = aws_vpc.main3.id + cidr_block = "10.0.1.0/24" + + tags = { + Name = "Negative2" + } + + map_public_ip_on_launch = false +} + +``` +```tf title="Negative test num. 3 - tf file" +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + + map_public_ip_on_launch = false + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/52ffcfa6-6c70-4ea6-8376-d828d3961669.md b/docs/queries/terraform-queries/aws/52ffcfa6-6c70-4ea6-8376-d828d3961669.md new file mode 100644 index 00000000000..fde84a55c20 --- /dev/null +++ b/docs/queries/terraform-queries/aws/52ffcfa6-6c70-4ea6-8376-d828d3961669.md @@ -0,0 +1,54 @@ +--- +title: CloudTrail Log File Validation Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 52ffcfa6-6c70-4ea6-8376-d828d3961669 +- **Query name:** CloudTrail Log File Validation Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudtrail_log_file_validation_disabled) + +### Description +CloudTrail log file validation should be enabled to determine whether a log file has not been tampered
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_log_file_validation) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 9" +resource "aws_cloudtrail" "positive1" { + name = "positive1" + s3_bucket_name = "bucketlog1" +} + +resource "aws_cloudtrail" "positive2" { + name = "positive2" + s3_bucket_name = "bucketlog2" + enable_log_file_validation = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudtrail" "negative1" { + name = "negative1" + s3_bucket_name = "bucketlog1" + enable_log_file_validation = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/54229498-850b-4f78-b3a7-218d24ef2c37.md b/docs/queries/terraform-queries/aws/54229498-850b-4f78-b3a7-218d24ef2c37.md new file mode 100644 index 00000000000..90a0f29e020 --- /dev/null +++ b/docs/queries/terraform-queries/aws/54229498-850b-4f78-b3a7-218d24ef2c37.md @@ -0,0 +1,262 @@ +--- +title: BOM - AWS Elasticache +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 54229498-850b-4f78-b3a7-218d24ef2c37 +- **Query name:** BOM - AWS Elasticache +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/elasticache) + +### Description +A list of Elasticache resources found. Amazon ElastiCache is a fully managed, in-memory caching service supporting flexible, real-time use cases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + node_type = "cache.m4.large" + num_cache_nodes = 2 + parameter_group_name = aws_elasticache_parameter_group.default_1 + port = 11211 +} + +resource "aws_elasticache_parameter_group" "default_1" { + name = "cache-params" + family = "memcached1.4" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_elasticache_cluster" "positive2" { + cluster_id = "cluster-example" + engine = "redis" + node_type = "cache.m4.large" + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default_2 + engine_version = "3.2.10" + port = 6379 +} + +resource "aws_elasticache_parameter_group" "default_2" { + name = "cache-params" + family = "redis3.2" +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="33" +resource "aws_security_group" "sg1" { + name = "sg1" + description = "sg1" + + ingress { + from_port = 0 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_security_group" "sg2" { + name = "sg2" + description = "positive3" + + ingress { + from_port = 0 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_elasticache_security_group" "positive3" { + name = "positive3" + security_group_names = [ + aws_security_group.sg1.name, + aws_security_group.sg2.name, + ] +} + +resource "aws_elasticache_cluster" "positive3" { + cluster_id = "test-cache" + engine = "redis" + node_type = "cache.m4.large" + port = 6379 + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id + security_group_names = [aws_elasticache_security_group.positive3.name] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="33" +resource "aws_security_group" "sg11" { + name = "sg1" + description = "sg11" + + ingress { + from_port = 0 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.2.0/0"] + } +} + +resource "aws_security_group" "sg22" { + name = "sg22" + description = "positive3" + + ingress { + from_port = 0 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.2.0/0"] + } +} + +resource "aws_elasticache_security_group" "positive4" { + name = "positive4" + security_group_names = [ + aws_security_group.sg11.name, + aws_security_group.sg22.name, + ] +} + +resource "aws_elasticache_cluster" "positive4" { + cluster_id = "test-cache" + engine = "redis" + node_type = "cache.m4.large" + port = 6379 + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id + security_group_names = [aws_elasticache_security_group.positive4.name] +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="13" +resource "aws_security_group" "sgg" { + name = "sgg" + description = "sgg" + + ingress { + from_port = 0 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.2.0/0"] + } +} + +resource "aws_elasticache_cluster" "positive5" { + cluster_id = "test-cache" + engine = "redis" + node_type = "cache.m4.large" + port = 6379 + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id + security_group_names = [aws_security_group.sgg.name] +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="13" +resource "aws_security_group" "sg6" { + name = "sg6" + description = "sg6" + + ingress { + from_port = 0 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_elasticache_cluster" "positive6" { + cluster_id = "test-cache" + engine = "redis" + node_type = "cache.m4.large" + port = 6379 + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id + security_group_ids = [aws_security_group.sg6.id] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +module "redis" { + source = "cloudposse/elasticache-redis/aws" + version = "0.40.1" + + availability_zones = var.availability_zones + namespace = var.namespace + stage = var.stage + name = var.name + zone_id = var.zone_id + vpc_id = module.vpc.vpc_id + subnets = module.subnets.private_subnet_ids + cluster_size = var.cluster_size + instance_type = var.instance_type + apply_immediately = true + automatic_failover_enabled = false + engine_version = var.engine_version + family = var.family + at_rest_encryption_enabled = var.at_rest_encryption_enabled + transit_encryption_enabled = var.transit_encryption_enabled + + security_group_rules = [ + { + type = "egress" + from_port = 0 + to_port = 65535 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + source_security_group_id = null + description = "Allow all outbound traffic" + }, + { + type = "ingress" + from_port = 0 + to_port = 65535 + protocol = "-1" + cidr_blocks = [] + source_security_group_id = module.vpc.vpc_default_security_group_id + description = "Allow all inbound traffic from trusted Security Groups" + }, + ] + + parameter = [ + { + name = "notify-keyspace-events" + value = "lK" + } + ] +} + +``` diff --git a/docs/queries/terraform-queries/aws/54378d69-dd7c-4b08-a43e-80d563396857.md b/docs/queries/terraform-queries/aws/54378d69-dd7c-4b08-a43e-80d563396857.md new file mode 100644 index 00000000000..f7a7bc58d8b --- /dev/null +++ b/docs/queries/terraform-queries/aws/54378d69-dd7c-4b08-a43e-80d563396857.md 
@@ -0,0 +1,124 @@ +--- +title: MSK Broker Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 54378d69-dd7c-4b08-a43e-80d563396857 +- **Query name:** MSK Broker Is Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/msk_broker_is_publicly_accessible) + +### Description +Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#public_access) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9" +resource "aws_msk_cluster" "positive1" { + cluster_name = "example" + kafka_version = "2.7.1" + number_of_broker_nodes = 3 + + broker_node_group_info { + connectivity_info { + public_access { + type = "SERVICE_PROVIDED_EIPS" + } + } + instance_type = "kafka.m5.4xlarge" + client_subnets = [ + aws_subnet.subnet_az1.id, + aws_subnet.subnet_az2.id, + aws_subnet.subnet_az3.id, + ] + storage_info { + ebs_storage_info { + provisioned_throughput { + enabled = true + volume_throughput = 250 + } + volume_size = 1000 + } + } + security_groups = [aws_security_group.sg.id] + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_msk_cluster" "negative1" { + cluster_name = "example" + kafka_version = "2.7.1" + number_of_broker_nodes = 3 + + broker_node_group_info { + connectivity_info { + public_access { + type = "DISABLED" + } + } + instance_type = "kafka.m5.4xlarge" + client_subnets = [ + aws_subnet.subnet_az1.id, + aws_subnet.subnet_az2.id, + aws_subnet.subnet_az3.id, + ] + storage_info { + ebs_storage_info { + provisioned_throughput { + enabled = true + volume_throughput = 250 + } + volume_size = 1000 + } + } + security_groups = [aws_security_group.sg.id] + } +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "aws_msk_cluster" "negative2" { + cluster_name = "example" + kafka_version = "2.7.1" + number_of_broker_nodes = 3 + + broker_node_group_info { + instance_type = "kafka.m5.4xlarge" + client_subnets = [ + aws_subnet.subnet_az1.id, + aws_subnet.subnet_az2.id, + aws_subnet.subnet_az3.id, + ] + storage_info { + ebs_storage_info { + provisioned_throughput { + enabled = true + volume_throughput = 250 + } + volume_size = 1000 + } + } + security_groups = [aws_security_group.sg.id] + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md b/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md new file mode 100644 index 00000000000..f779b061e17 --- /dev/null +++ b/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md @@ -0,0 +1,86 @@ +--- +title: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 54c417bf-c762-48b9-9d31-b3d87047e3f0 +- **Query name:** SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sql_analysis_services_port_2383_is_publicly_accessible) + +### Description +Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="19 6" +resource "aws_security_group" "positive1" { + name = "allow_tls_1" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2300 + to_port = 2400 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} +resource "aws_security_group" "positive2" { + name = "allow_tls_2" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2380 + to_port = 2390 + protocol = "tcp" + cidr_blocks = ["0.1.0.0/0"] + } + + ingress { + description = "TLS from VPC" + from_port = 2350 + to_port = 2384 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group" "negative1" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2383 + to_port = 2383 + protocol = "tcp" + cidr_blocks = ["0.1.0.0/0"] + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/55af1353-2f62-4fa0-a8e1-a210ca2708f5.md b/docs/queries/terraform-queries/aws/55af1353-2f62-4fa0-a8e1-a210ca2708f5.md new file mode 100644 index 00000000000..9af4739c294 --- /dev/null +++ b/docs/queries/terraform-queries/aws/55af1353-2f62-4fa0-a8e1-a210ca2708f5.md 
@@ -0,0 +1,191 @@ +--- +title: Cloudfront Viewer Protocol Policy Allows HTTP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 55af1353-2f62-4fa0-a8e1-a210ca2708f5 +- **Query name:** Cloudfront Viewer Protocol Policy Allows HTTP +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudfront_viewer_protocol_policy_allows_http) + +### Description +Checks if the connection between CloudFront and the viewer is encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="96 27" +#this is a problematic code where the query should report a result(s) +resource "aws_cloudfront_distribution" "positive1" { + origin { + domain_name = "mybucket" + origin_id = "myS3Origin" + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = "myS3Origin" + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + cloudfront_default_certificate = false + minimum_protocol_version = "SSLv3" + } +} + +resource "aws_cloudfront_distribution" "positive2" { + origin { + domain_name = "mybucket" + origin_id = "myS3Origin" + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = "myS3Origin" + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "https-only" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + ordered_cache_behavior { + path_pattern = "/content/immutable/*" + allowed_methods = ["GET", "HEAD", "OPTIONS"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + target_origin_id = "myS3Origin" + + forwarded_values { + 
query_string = false + headers = ["Origin"] + + cookies { + forward = "none" + } + } + + min_ttl = 0 + default_ttl = 86400 + max_ttl = 31536000 + compress = true + viewer_protocol_policy = "allow-all" + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + cloudfront_default_certificate = false + minimum_protocol_version = "SSLv3" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "aws_cloudfront_distribution" "negative1" { + origin { + domain_name = "mybucket" + origin_id = "myS3Origin" + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = "myS3Origin" + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "https-only" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + cloudfront_default_certificate = false + minimum_protocol_version = "SSLv3" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/568a4d22-3517-44a6-a7ad-6a7eed88722c.md b/docs/queries/terraform-queries/aws/568a4d22-3517-44a6-a7ad-6a7eed88722c.md new file mode 100644 index 00000000000..fb14e243ef3 --- /dev/null +++ b/docs/queries/terraform-queries/aws/568a4d22-3517-44a6-a7ad-6a7eed88722c.md 
@@ -0,0 +1,308 @@ +--- +title: S3 Bucket Without Versioning +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 568a4d22-3517-44a6-a7ad-6a7eed88722c +- **Query name:** S3 Bucket Without Versioning +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_without_versioning) + +### Description +S3 bucket should have versioning enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="24" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = false + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive2" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="23" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive3" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + mfa_delete = true + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="10" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = false + } + +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="9" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + mfa_delete = true + } + +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="1" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + +} + +``` +
+
Postitive test num. 7 - tf file + +```tf hl_lines="27" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "b0" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +resource "aws_s3_bucket_versioning" "example" { + bucket = aws_s3_bucket.b0.id + + versioning_configuration { + status = "Suspended" + } +} + +``` +
+
Postitive test num. 8 - tf file + +```tf hl_lines="14" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "b2" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "negative1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = true + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + +} + +``` +```tf title="Negative test num. 3 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "b" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +resource "aws_s3_bucket_versioning" "example" { + bucket = aws_s3_bucket.b.id + + versioning_configuration { + status = "Enabled" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf.md b/docs/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf.md new file mode 100644 index 00000000000..72b897e222b --- /dev/null +++ b/docs/queries/terraform-queries/aws/56a585f5-555c-48b2-8395-e64e4740a9cf.md 
@@ -0,0 +1,189 @@
+---
+title: CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 56a585f5-555c-48b2-8395-e64e4740a9cf
+- **Query name:** CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_disabling_or_scheduled_deletion_of_customer_created_cmk_alarm_missing)
+
+### Description
+Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+provider "aws" {
+ region = "us-east-2"
+}
+
+resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
+ name = "CIS_CloudWatch_LogsGroup"
+}
+
+resource "aws_sns_topic" "cis_alerts_sns_topic" {
+ name = "cis-alerts-sns-topic"
+}
+
+resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
+ alarm_name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = "OTHER FILTER"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ insufficient_data_actions = []
+}
+
+resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
+ name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+ pattern = "{ ($.eventSource = \"kms.amazonaws.com\") && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+```
+```tf title="Postitive test num. 
2 - tf file" hl_lines="1"
+provider "aws" {
+ region = "us-east-2"
+}
+
+resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
+ name = "CIS_CloudWatch_LogsGroup"
+}
+
+resource "aws_sns_topic" "cis_alerts_sns_topic" {
+ name = "cis-alerts-sns-topic"
+}
+
+resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
+ alarm_name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ insufficient_data_actions = []
+}
+
+resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
+ name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+ pattern = "{ ($.eventSource = \"kms.amazonaws.com\") || (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+```
+```tf title="Postitive test num. 
3 - tf file" hl_lines="1"
+provider "aws" {
+ region = "us-east-2"
+}
+
+resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
+ name = "CIS_CloudWatch_LogsGroup"
+}
+
+resource "aws_sns_topic" "cis_alerts_sns_topic" {
+ name = "cis-alerts-sns-topic"
+}
+
+resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" {
+ alarm_name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ insufficient_data_actions = []
+}
+
+resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" {
+ name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+ pattern = "{ ($.eventSource = \"kms.amazonaws.com\") && (($.eventName = ScheduleKeyDeletion)) }"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-4.7-Disable-Scheduled-Delete-CMK"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 
1 - tf file" +provider "aws" { + region = "us-east-2" +} + +resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" { + name = "CIS_CloudWatch_LogsGroup" +} + +resource "aws_sns_topic" "cis_alerts_sns_topic" { + name = "cis-alerts-sns-topic" +} + +resource "aws_cloudwatch_metric_alarm" "cis_disable_delete_cmk" { + alarm_name = "CIS-4.7-Disable-Scheduled-Delete-CMK" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_disable_delete_cmk.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_disable_delete_cmk" { + name = "CIS-4.7-Disable-Scheduled-Delete-CMK" + pattern = "{ ($.eventSource = \"kms.amazonaws.com\") && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-4.7-Disable-Scheduled-Delete-CMK" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md b/docs/queries/terraform-queries/aws/56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md new file mode 100644 index 00000000000..6b6f6b976ee --- /dev/null +++ b/docs/queries/terraform-queries/aws/56f6a008-1b14-4af4-b9b2-ab7cf7e27641.md @@ -0,0 +1,104 @@ +--- +title: DocDB Logging Is Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 56f6a008-1b14-4af4-b9b2-ab7cf7e27641 +- **Query name:** DocDB Logging Is Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/docdb_logging_disabled) + +### Description +DocDB logging should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_docdb_cluster" "positive1" {
+ cluster_identifier = "my-docdb-cluster"
+ engine = "docdb"
+ master_username = "foo"
+ master_password = "mustbeeightchars"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ skip_final_snapshot = true
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="10"
+resource "aws_docdb_cluster" "positive2" {
+ cluster_identifier = "my-docdb-cluster"
+ engine = "docdb"
+ master_username = "foo"
+ master_password = "mustbeeightchars"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ skip_final_snapshot = true
+
+ enabled_cloudwatch_logs_exports = []
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="10"
+resource "aws_docdb_cluster" "positive3" {
+ cluster_identifier = "my-docdb-cluster"
+ engine = "docdb"
+ master_username = "foo"
+ master_password = "mustbeeightchars"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ skip_final_snapshot = true
+
+ enabled_cloudwatch_logs_exports = ["profiler"]
+}
+
+```
+
Postitive test num. 4 - tf file
+
+```tf hl_lines="10"
+resource "aws_docdb_cluster" "positive4" {
+ cluster_identifier = "my-docdb-cluster"
+ engine = "docdb"
+ master_username = "foo"
+ master_password = "mustbeeightchars"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ skip_final_snapshot = true
+
+ enabled_cloudwatch_logs_exports = ["audit"]
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_docdb_cluster" "negative1" {
+ cluster_identifier = "my-docdb-cluster"
+ engine = "docdb"
+ master_username = "foo"
+ master_password = "mustbeeightchars"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ skip_final_snapshot = true
+
+ enabled_cloudwatch_logs_exports = ["profiler", "audit"]
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/571254d8-aa6a-432e-9725-535d3ef04d69.md b/docs/queries/terraform-queries/aws/571254d8-aa6a-432e-9725-535d3ef04d69.md
new file mode 100644
index 00000000000..dea030bdd36
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/571254d8-aa6a-432e-9725-535d3ef04d69.md
@@ -0,0 +1,81 @@
+---
+title: Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 571254d8-aa6a-432e-9725-535d3ef04d69
+- **Query name:** Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode)
+
+### Description
+Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "lambda:UpdateFunctionCode",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/575a2155-6af1-4026-b1af-d5bc8fe2a904.md b/docs/queries/terraform-queries/aws/575a2155-6af1-4026-b1af-d5bc8fe2a904.md
new file mode 100644
index 00000000000..36ef35f399c
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/575a2155-6af1-4026-b1af-d5bc8fe2a904.md
@@ -0,0 +1,191 @@
+---
+title: IAM Policy Grants Full Permissions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 575a2155-6af1-4026-b1af-d5bc8fe2a904
+- **Query name:** IAM Policy Grants Full Permissions
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_policy_grants_full_permissions)
+
+### Description
+IAM policy should not grant full permissions to resources from the get-go, instead of granting permissions gradually as necessary.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="20" +resource "aws_iam_user" "positive1" { + name = "${local.resource_prefix.value}-user" + force_destroy = true + + tags = { + Name = "${local.resource_prefix.value}-user" + Environment = local.resource_prefix.value + } + +} + +resource "aws_iam_access_key" "positive2" { + user = aws_iam_user.user.name +} + +resource "aws_iam_user_policy" "positive3" { + name = "excess_policy" + user = aws_iam_user.user.name + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 57b9893d-33b1-4419-bcea-a717ea87e139 +- **Query name:** S3 Bucket ACL Allows Read to Any Authenticated User +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_acl_allows_read_to_any_authenticated_user) + +### Description +S3 Buckets should not be readable to any authenticated user
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#acl) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="16" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "authenticated-read" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="6" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "authenticated-read" + + versioning = { + enabled = true + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="20" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +resource "aws_s3_bucket" "example1" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_acl" "example_bucket_acl" { + bucket = aws_s3_bucket.example1.id + acl = "authenticated-read" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "negative1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } +} + +``` +```tf title="Negative test num. 
3 - tf file"
+provider "aws" {
+ region = "us-east-1"
+}
+
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "4.2.0"
+ }
+ }
+}
+
+resource "aws_s3_bucket" "example0" {
+ bucket = "my-tf-example-bucket"
+}
+
+resource "aws_s3_bucket_acl" "example_bucket_acl" {
+ bucket = aws_s3_bucket.example0.id
+ acl = "private"
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/5813ef56-fa94-406a-b35d-977d4a56ff2b.md b/docs/queries/terraform-queries/aws/5813ef56-fa94-406a-b35d-977d4a56ff2b.md
new file mode 100644
index 00000000000..01bec327b38
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/5813ef56-fa94-406a-b35d-977d4a56ff2b.md
@@ -0,0 +1,55 @@
+---
+title: API Gateway X-Ray Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 5813ef56-fa94-406a-b35d-977d4a56ff2b
+- **Query name:** API Gateway X-Ray Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_xray_disabled)
+
+### Description
+API Gateway should have X-Ray Tracing enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#xray_tracing_enabled)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="8 5"
+resource "aws_api_gateway_stage" "positive1" {
+ stage_name = "prod"
+ rest_api_id = aws_api_gateway_rest_api.test.id
+ deployment_id = aws_api_gateway_deployment.test.id
+ xray_tracing_enabled = false
+}
+
+resource "aws_api_gateway_stage" "positive2" {
+ stage_name = "prod"
+ rest_api_id = aws_api_gateway_rest_api.test.id
+ deployment_id = aws_api_gateway_deployment.test.id
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_api_gateway_stage" "negative1" {
+ stage_name = "prod"
+ rest_api_id = aws_api_gateway_rest_api.test.id
+ deployment_id = aws_api_gateway_deployment.test.id
+ xray_tracing_enabled = true
+}
+```
diff --git a/docs/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919.md b/docs/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919.md
new file mode 100644
index 00000000000..412a177c179
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/5864d189-ee9a-4009-ac0c-8a582e6b7919.md
@@ -0,0 +1,225 @@
+---
+title: CloudWatch Management Console Auth Failed Alarm Missing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 5864d189-ee9a-4009-ac0c-8a582e6b7919
+- **Query name:** CloudWatch Management Console Auth Failed Alarm Missing
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_management_console_auth_failed_alarm_missing)
+
+### Description
+Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" { + name = "CIS-ConsoleAuthenticationFailure" + pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleAuthenticationFailure" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" { + alarm_name = "CIS-3.6-ConsoleAuthenticationFailure" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXX NOT YOUR FILTER" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation." 
+ alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" { + name = "CIS-ConsoleAuthenticationFailure" + pattern = "{ (($.eventName = ConsoleLogin)) && ($.errorMessage != \"Failed authentication\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleAuthenticationFailure" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" { + alarm_name = "CIS-3.6-ConsoleAuthenticationFailure" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" { + name = "CIS-ConsoleAuthenticationFailure" + pattern = "{ $.eventName != ConsoleLogin && $.errorMessage = \"Failed authentication\" }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleAuthenticationFailure" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" { + alarm_name = "CIS-3.6-ConsoleAuthenticationFailure" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" { + name = "CIS-ConsoleAuthenticationFailure" + pattern = "{ $.eventName = ConsoleLogin || $.errorMessage = \"Failed authentication\" }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleAuthenticationFailure" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" { + alarm_name = "CIS-3.6-ConsoleAuthenticationFailure" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudwatch_log_metric_filter" "cis_console_authn_failure_metric_filter" { + name = "CIS-ConsoleAuthenticationFailure" + pattern = "{ (($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\")) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleAuthenticationFailure" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "cis_console_authn_failure_cw_alarm" { + alarm_name = "CIS-3.6-ConsoleAuthenticationFailure" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_console_authn_failure_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation." 
+ alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = ["aws_sns_topic.CIS_Alerts_SNS_Topic.arn"] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/58b35504-0287-4154-bf69-02c0573deab8.md b/docs/queries/terraform-queries/aws/58b35504-0287-4154-bf69-02c0573deab8.md new file mode 100644 index 00000000000..fc87616f5bc --- /dev/null +++ b/docs/queries/terraform-queries/aws/58b35504-0287-4154-bf69-02c0573deab8.md 
@@ -0,0 +1,69 @@
+---
+title: Sagemaker Endpoint Configuration Encryption Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 58b35504-0287-4154-bf69-02c0573deab8
+- **Query name:** Sagemaker Endpoint Configuration Encryption Disabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sagemaker_endpoint_configuration_encryption_disabled)
+
+### Description
+Sagemaker endpoint configuration should encrypt data
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_endpoint_configuration#kms_key_arn)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_sagemaker_endpoint_configuration" "positive" {
+ name = "my-endpoint-config"
+
+ production_variants {
+ variant_name = "variant-1"
+ model_name = aws_sagemaker_model.m.name
+ initial_instance_count = 1
+ instance_type = "ml.t2.medium"
+ }
+
+ tags = {
+ Name = "foo"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_sagemaker_endpoint_configuration" "negative" {
+ name = "my-endpoint-config"
+
+ production_variants {
+ variant_name = "variant-1"
+ model_name = aws_sagemaker_model.m.name
+ initial_instance_count = 1
+ instance_type = "ml.t2.medium"
+ }
+
+ tags = {
+ Name = "foo"
+ }
+
+ kms_key_arn = "aws_kms_key.example.arn"
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/590d878b-abdc-428f-895a-e2b68a0e1998.md b/docs/queries/terraform-queries/aws/590d878b-abdc-428f-895a-e2b68a0e1998.md
new file mode 100644
index 00000000000..3c2e955140d
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/590d878b-abdc-428f-895a-e2b68a0e1998.md
@@ -0,0 +1,112 @@
+---
+title: Unknown Port Exposed To Internet
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 590d878b-abdc-428f-895a-e2b68a0e1998
+- **Query name:** Unknown Port Exposed To Internet
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/unknown_port_exposed_to_internet)
+
+### Description
+AWS Security Group should not have an unknown port exposed to the entire Internet
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11 36" +resource "aws_security_group" "positive1" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 44 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "allow_tls" + } +} + +resource "aws_security_group" "positive2" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 44 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["192.168.0.0/24", "0.0.0.0/0"] + } + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["192.168.0.0/24", "0.0.0.0/0"] + } + + tags = { + Name = "allow_tls" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group" "negative1" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["192.168.0.0/24", "192.162.0.0/24"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "allow_tls" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce.md b/docs/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce.md new file mode 100644 index 00000000000..f75416e46b1 --- /dev/null +++ b/docs/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce.md 
@@ -0,0 +1,199 @@
+---
+title: EC2 Instance Has Public IP
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 5a2486aa-facf-477d-a5c1-b010789459ce
+- **Query name:** EC2 Instance Has Public IP
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ec2_instance_has_public_ip)
+
+### Description
+EC2 Instance should not have a public IP address.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="17 28" +data "aws_ami" "ubuntu1" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "web2" { + ami = data.aws_ami.ubuntu.id + instance_type = "t3.micro" + + tags = { + Name = "HelloWorld" + } +} + +resource "aws_instance" "web3" { + ami = data.aws_ami.ubuntu.id + associate_public_ip_address = true + instance_type = "t3.micro" + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="13" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "web" { + ami = data.aws_ami.ubuntu.id + associate_public_ip_address = false + instance_type = "t3.micro" + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +```tf title="Negative test num. 3 - tf file" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + + network_interface { + network_interface_id = aws_network_interface.this.id + device_index = 0 + } + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +resource "aws_network_interface" "this" { + subnet_id = var.private_subnet_id + security_groups = [aws_security_group.this.id] +} + +resource "aws_security_group" "this" { + name = "example" + description = "Example Security Group" +} + +``` diff --git a/docs/queries/terraform-queries/aws/5b4d4aee-ac94-4810-9611-833636e5916d.md b/docs/queries/terraform-queries/aws/5b4d4aee-ac94-4810-9611-833636e5916d.md new file mode 100644 index 00000000000..6c98b99d50e --- /dev/null +++ b/docs/queries/terraform-queries/aws/5b4d4aee-ac94-4810-9611-833636e5916d.md 
@@ -0,0 +1,82 @@ +--- +title: Role With Privilege Escalation By Actions 'iam:CreateAccessKey' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5b4d4aee-ac94-4810-9611-833636e5916d +- **Query name:** Role With Privilege Escalation By Actions 'iam:CreateAccessKey' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateAccessKey) + +### Description +Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreateAccessKey", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f.md b/docs/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f.md new file mode 100644 index 00000000000..6acf6dc7207 --- /dev/null +++ b/docs/queries/terraform-queries/aws/5b8d7527-de8e-4114-b9dd-9d988f1f418f.md @@ -0,0 +1,172 @@ +--- +title: CloudWatch AWS Config Configuration Changes Alarm Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5b8d7527-de8e-4114-b9dd-9d988f1f418f +- **Query name:** CloudWatch AWS Config Configuration Changes Alarm Missing +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_aws_config_configuration_changes_alarm_missing) + +### Description +Ensure a log metric filter and alarm exist for AWS Config configuration changes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" { + name = "CIS-AWSConfigChanges" + pattern = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-AWSConfigChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" { + alarm_name = "CIS-3.9-AWSConfigChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" { + name = "CIS-AWSConfigChanges" + pattern = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-AWSConfigChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" { + alarm_name = "CIS-3.9-AWSConfigChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" { + name = "CIS-AWSConfigChanges" + pattern = "{ ($.eventSource = \"config.amazonaws.com\") || (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-AWSConfigChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" { + alarm_name = "CIS-3.9-AWSConfigChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudwatch_log_metric_filter" "CIS_AWS_Config_Change_Metric_Filter" { + name = "CIS-AWSConfigChanges" + pattern = "{ ($.eventSource = \"config.amazonaws.com\") && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-AWSConfigChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_AWS_Config_Change_CW_Alarm" { + alarm_name = "CIS-3.9-AWSConfigChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.CIS_AWS_Config_Change_Metric_Filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/5ba6229c-8057-433e-91d0-21cf13569ca9.md b/docs/queries/terraform-queries/aws/5ba6229c-8057-433e-91d0-21cf13569ca9.md new file mode 100644 index 00000000000..7966bc9d609 --- /dev/null +++ b/docs/queries/terraform-queries/aws/5ba6229c-8057-433e-91d0-21cf13569ca9.md 
@@ -0,0 +1,55 @@ +--- +title: Service Control Policies Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5ba6229c-8057-433e-91d0-21cf13569ca9 +- **Query name:** Service Control Policies Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/service_control_policies_disabled) + +### Description +Check if the Amazon Organizations ensure that all features are enabled to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "aws_organizations_organization" "positive1" { + aws_service_access_principals = [ + "cloudtrail.amazonaws.com", + "config.amazonaws.com", + ] + + feature_set = "CONSOLIDATED_BILLING" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_organizations_organization" "negative1" { + aws_service_access_principals = [ + "cloudtrail.amazonaws.com", + "config.amazonaws.com", + ] + + feature_set = "ALL" +} + +``` diff --git a/docs/queries/terraform-queries/aws/5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md b/docs/queries/terraform-queries/aws/5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md new file mode 100644 index 00000000000..bfcb9face2b --- /dev/null +++ b/docs/queries/terraform-queries/aws/5c0003fb-9aa0-42c1-9da3-eb0e332bef21.md @@ -0,0 +1,171 @@ +--- +title: Secure Ciphers Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5c0003fb-9aa0-42c1-9da3-eb0e332bef21 +- **Query name:** Secure Ciphers Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/secure_ciphers_disabled) + +### Description +Check if secure ciphers aren't used in CloudFront
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="42" +#this is a problematic code where the query should report a result(s) +resource "aws_cloudfront_distribution" "positive1" { + origin { + domain_name = "mybucket" + origin_id = "myS3Origin" + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = "myS3Origin" + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + cloudfront_default_certificate = false + minimum_protocol_version = "SSLv3" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +#this code is a correct code for which the query should not find any result +resource "aws_cloudfront_distribution" "negative1" { + origin { + domain_name = "mybucket" + origin_id = "myS3Origin" + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = "myS3Origin" + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + cloudfront_default_certificate = true + } +} +``` +```tf title="Negative test num. 2 - tf file" +#this code is a correct code for which the query should not find any result +resource "aws_cloudfront_distribution" "negative1" { + origin { + domain_name = "mybucket" + origin_id = "myS3Origin" + + s3_origin_config { + origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" + } + } + + enabled = true + + default_cache_behavior { + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] + cached_methods = ["GET", "HEAD"] + target_origin_id = "myS3Origin" + + forwarded_values { + query_string = false + + cookies { + forward = "none" + } + } + + viewer_protocol_policy = "allow-all" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + } + + restrictions { + geo_restriction { + restriction_type = "whitelist" + locations = ["US", "CA", "GB", "DE"] + } + } + + viewer_certificate { + cloudfront_default_certificate = true + minimum_protocol_version = "TLSv1.2_2019" + } +} + +``` 
diff --git a/docs/queries/terraform-queries/aws/5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md b/docs/queries/terraform-queries/aws/5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md new file mode 100644 index 00000000000..8c78a2829cd --- /dev/null +++ b/docs/queries/terraform-queries/aws/5c6dd5e7-1fe0-4cae-8f81-4c122717cef3.md @@ -0,0 +1,110 @@ +--- +title: Kinesis SSE Not Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5c6dd5e7-1fe0-4cae-8f81-4c122717cef3 +- **Query name:** Kinesis SSE Not Configured +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/kinesis_sse_not_configured) + +### Description +AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream#server_side_encryption) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="34 12 42 23" +resource "aws_kinesis_firehose_delivery_stream" "positive1" { + name = "${aws_s3_bucket.logs.bucket}-firehose" + destination = "extended_s3" + + kinesis_source_configuration { + kinesis_stream_arn = aws_kinesis_stream.cloudwatch-logs.arn + role_arn = aws_iam_role.firehose_role.arn + } +} + + +resource "aws_kinesis_firehose_delivery_stream" "positive2" { + name = "${aws_s3_bucket.logs.bucket}-firehose" + destination = "extended_s3" +} + + +resource "aws_kinesis_firehose_delivery_stream" "positive3" { + name = "${aws_s3_bucket.logs.bucket}-firehose" + destination = "extended_s3" + + server_side_encryption { + enabled = false + } +} + + +resource "aws_kinesis_firehose_delivery_stream" "positive4" { + name = "${aws_s3_bucket.logs.bucket}-firehose" + destination = "extended_s3" + + server_side_encryption { + enabled = true + key_type = "AWS_OWN" + } +} + +resource "aws_kinesis_firehose_delivery_stream" "positive5" { + name = "${aws_s3_bucket.logs.bucket}-firehose" + destination = "extended_s3" + + server_side_encryption { + enabled = true + key_type = "CUSTOMER_MANAGED_CMK" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "aws_kinesis_firehose_delivery_stream" "negative1" { + name = "${aws_s3_bucket.logs.bucket}-firehose" + destination = "extended_s3" + + server_side_encryption { + enabled = true + key_type = "CUSTOMER_MANAGED_CMK" + key_arn = "qwewewre" + } +} + + + + +resource "aws_kinesis_firehose_delivery_stream" "negative2" { + name = "${aws_s3_bucket.logs.bucket}-firehose" + destination = "extended_s3" + + server_side_encryption { + enabled = true + key_type = "AWS_OWNED_CMK" + } +} + + +``` 
diff --git a/docs/queries/terraform-queries/aws/5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md b/docs/queries/terraform-queries/aws/5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md new file mode 100644 index 00000000000..dfacb4b47d6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/5d89db57-8b51-4b38-bb76-b9bd42bd40f0.md @@ -0,0 +1,100 @@ +--- +title: ElastiCache Using Default Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5d89db57-8b51-4b38-bb76-b9bd42bd40f0 +- **Query name:** ElastiCache Using Default Port +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticache_using_default_port) + +### Description +ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#port) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster" + engine = "redis" + node_type = "cache.m5.large" + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_elasticache_cluster" "positive2" { + cluster_id = "cluster" + engine = "memcached" + node_type = "cache.m5.large" + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="7" +resource "aws_elasticache_cluster" "positive3" { + cluster_id = "cluster" + engine = "redis" + node_type = "cache.m5.large" + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id + port = 6379 +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="7" +resource "aws_elasticache_cluster" "positive2" { + cluster_id = "cluster" + engine = "memcached" + node_type = "cache.m5.large" + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id + port = 11211 +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_elasticache_cluster" "negative1" { + cluster_id = "cluster" + engine = "redis" + node_type = "cache.m5.large" + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id + port = 6380 +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_elasticache_cluster" "negative2" { + cluster_id = "cluster" + engine = "memcached" + node_type = "cache.m5.large" + num_cache_nodes = 1 + parameter_group_name = aws_elasticache_parameter_group.default.id + port = 11212 +} + +``` diff --git a/docs/queries/terraform-queries/aws/5d9e3164-9265-470c-9a10-57ae454ac0c7.md b/docs/queries/terraform-queries/aws/5d9e3164-9265-470c-9a10-57ae454ac0c7.md new file mode 100644 index 00000000000..ac76fe9d2f7 --- /dev/null +++ b/docs/queries/terraform-queries/aws/5d9e3164-9265-470c-9a10-57ae454ac0c7.md @@ -0,0 +1,48 @@ +--- +title: CloudTrail Log Files Not Encrypted With KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5d9e3164-9265-470c-9a10-57ae454ac0c7 +- **Query name:** CloudTrail Log Files Not Encrypted With KMS +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudtrail_log_files_not_encrypted_with_kms) + +### Description +Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudtrail" "positive1" { + name = "npositive_1" + s3_bucket_name = "bucketlog_1" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudtrail" "negative1" { + name = "negative1" + s3_bucket_name = "bucketlog1" + kms_key_id = "arn:aws:kms:us-east-2:123456789012:key/12345678-1234-1234-1234-123456789012" +} + +``` diff --git a/docs/queries/terraform-queries/aws/5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md b/docs/queries/terraform-queries/aws/5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md new file mode 100644 index 00000000000..ec1149a3d0c --- /dev/null +++ b/docs/queries/terraform-queries/aws/5ea624e4-c8b1-4bb3-87a4-4235a776adcc.md @@ -0,0 +1,159 @@ +--- +title: SNS Topic Publicity Has Allow and NotAction Simultaneously +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5ea624e4-c8b1-4bb3-87a4-4235a776adcc +- **Query name:** SNS Topic Publicity Has Allow and NotAction Simultaneously +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sns_topic_publicity_has_allow_and_not_action_simultaneously) + +### Description +SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "aws_sns_topic" "positive1" { + name = "my-topic-with-policy" +} + +resource "aws_sns_topic_policy" "positive2" { + arn = aws_sns_topic.test.arn + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 5fb49a69-8d46-4495-a2f8-9c8c622b2b6e +- **Query name:** S3 Bucket Object Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_object_not_encrypted) + +### Description +S3 Bucket Object should have server-side encryption enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_object#server_side_encryption) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +resource "aws_s3_bucket" "examplebucket" { + bucket = "examplebuckettftest" + acl = "private" + + versioning { + enabled = true + } + + object_lock_configuration { + object_lock_enabled = "Enabled" + } +} + +resource "aws_s3_bucket_object" "examplebucket_object" { + key = "someobject" + bucket = aws_s3_bucket.examplebucket.id + source = "index.html" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_s3_bucket" "examplebucket" { + bucket = "examplebuckettftest" + acl = "private" + + versioning { + enabled = true + } + + object_lock_configuration { + object_lock_enabled = "Enabled" + } +} + +resource "aws_s3_bucket_object" "examplebucket_object" { + key = "someobject" + bucket = aws_s3_bucket.examplebucket.id + source = "index.html" + server_side_encryption = "AES256" +} + +``` diff --git a/docs/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766.md b/docs/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766.md new file mode 100644 index 00000000000..b3c0f3d69a2 --- /dev/null +++ b/docs/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766.md 
@@ -0,0 +1,296 @@ +--- +title: EC2 Not EBS Optimized +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 60224630-175a-472a-9e23-133827040766 +- **Query name:** EC2 Not EBS Optimized +- **Platform:** Terraform +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ec2_not_ebs_optimized) + +### Description +It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs_optimized) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="17" +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "web" { + ami = data.aws_ami.ubuntu.id + instance_type = "t2.small" + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="20" +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "web" { + ami = data.aws_ami.ubuntu.id + instance_type = "t2.micro" + ebs_optimized = false + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="9" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + ebs_optimized = false + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "web" { + ami = data.aws_ami.ubuntu.id + instance_type = "t3.micro" + ebs_optimized = true + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "web" { + ami = data.aws_ami.ubuntu.id + instance_type = "t3.nano" + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Negative test num. 3 - tf file" +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "web" { + ami = data.aws_ami.ubuntu.id + instance_type = "t3.nano" + ebs_optimized = false + + tags = { + Name = "HelloWorld" + } +} + +``` +
Negative test num. 4 - tf file + +```tf +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + ebs_optimized = true + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+
Negative test num. 5 - tf file + +```tf +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t3.nano" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+
Negative test num. 6 - tf file + +```tf +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t3.nano" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + associate_public_ip_address = false + ebs_optimized = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/60263b4a-6801-4587-911d-919c37ed733b.md b/docs/queries/terraform-queries/aws/60263b4a-6801-4587-911d-919c37ed733b.md new file mode 100644 index 00000000000..dc9df575c43 --- /dev/null +++ b/docs/queries/terraform-queries/aws/60263b4a-6801-4587-911d-919c37ed733b.md @@ -0,0 +1,83 @@ +--- +title: Group With Privilege Escalation By Actions 'iam:PutUserPolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 60263b4a-6801-4587-911d-919c37ed733b +- **Query name:** Group With Privilege Escalation By Actions 'iam:PutUserPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutUserPolicy) + +### Description +Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PutUserPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/61cf9883-1752-4768-b18c-0d57f2737709.md b/docs/queries/terraform-queries/aws/61cf9883-1752-4768-b18c-0d57f2737709.md new file mode 100644 index 00000000000..65c01b0f4c9 --- /dev/null +++ b/docs/queries/terraform-queries/aws/61cf9883-1752-4768-b18c-0d57f2737709.md @@ -0,0 +1,101 @@ +--- +title: EKS Cluster Has Public Access CIDRs +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 61cf9883-1752-4768-b18c-0d57f2737709 +- **Query name:** EKS Cluster Has Public Access CIDRs +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/eks_cluster_has_public_access_cidrs) + +### Description +Amazon EKS public endpoint is enables and accessible to all: 0.0.0.0/0"
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 30" +resource "aws_eks_cluster" "positive1" { + name = "example" + role_arn = aws_iam_role.example.arn + + vpc_config { + subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id] + endpoint_public_access = true + public_access_cidrs = ["0.0.0.0/0"] + } + + # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. + # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. + depends_on = [ + aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy, + ] +} + +output "endpoint" { + value = aws_eks_cluster.example.endpoint +} + +output "kubeconfig-certificate-authority-data" { + value = aws_eks_cluster.example.certificate_authority[0].data +} + +resource "aws_eks_cluster" "positive2" { + name = "without_example" + role_arn = aws_iam_role.example.arn + + vpc_config { + subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id] + endpoint_public_access = true + } + + # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. + # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. + depends_on = [ + aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy, + ] +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_eks_cluster" "negative1" { + name = "example" + role_arn = aws_iam_role.example.arn + + vpc_config { + subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id] + endpoint_public_access = true + public_access_cidrs = ["1.1.1.1/1"] + } + + # Ensure that IAM Role permissions are created before and deleted after EKS Cluster handling. 
+ # Otherwise, EKS will not be able to properly delete EKS managed EC2 infrastructure such as Security Groups. + depends_on = [ + aws_iam_role_policy_attachment.example-AmazonEKSClusterPolicy, + ] +} + +output "endpoint" { + value = aws_eks_cluster.example.endpoint +} + +output "kubeconfig-certificate-authority-data" { + value = aws_eks_cluster.example.certificate_authority[0].data +} +``` diff --git a/docs/queries/terraform-queries/aws/625abc0e-f980-4ac9-a775-f7519ee34296.md b/docs/queries/terraform-queries/aws/625abc0e-f980-4ac9-a775-f7519ee34296.md new file mode 100644 index 00000000000..8e280581a14 --- /dev/null +++ b/docs/queries/terraform-queries/aws/625abc0e-f980-4ac9-a775-f7519ee34296.md @@ -0,0 +1,109 @@ +--- +title: API Gateway Deployment Without Access Log Setting +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 625abc0e-f980-4ac9-a775-f7519ee34296 +- **Query name:** API Gateway Deployment Without Access Log Setting +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_deployment_without_access_log_setting) + +### Description +API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_api_gateway_deployment" "examplee" { + rest_api_id = "some rest api id" + stage_name = "some name" + tags { + project = "ProjectName" + } +} + +resource "aws_api_gateway_stage" "example00" { + deployment_id = aws_api_gateway_deployment.example.id + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = "example" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_api_gateway_deployment" "example3" { + rest_api_id = "some rest api id" + stage_name = "some name" + tags { + project = "ProjectName" + } +} + +resource "aws_api_gateway_stage" "example000" { + deployment_id = aws_api_gateway_deployment.example3.id + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = "example" +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +resource "aws_api_gateway_deployment" "example4" { + rest_api_id = "some rest api id" + stage_name = "some name" + tags { + project = "ProjectName" + } +} + +resource "aws_api_gateway_stage" "example0000" { + deployment_id = aws_api_gateway_deployment.example4.id + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = "example" + + access_log_settings { + destination_arn = "dest" + format = "format" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_api_gateway_deployment" "example5" { + rest_api_id = "some rest api id" + stage_name = "some name" + stage_description = "some description" + + tags { + project = "ProjectName" + } +} + +resource "aws_api_gateway_stage" "example0" { + deployment_id = aws_api_gateway_deployment.example5.id + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = "example" + + access_log_settings { + destination_arn = "dest" + format = "format" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md b/docs/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md new file mode 100644 index 00000000000..96ac700e9db --- /dev/null +++ b/docs/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281.md @@ -0,0 +1,83 @@ +--- +title: EKS Cluster Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 63ebcb19-2739-4d3f-aa5c-e8bbb9b85281 +- **Query name:** EKS Cluster Encryption Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/eks_cluster_encryption_disabled) + +### Description +EKS Cluster should be encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +variable "cluster_name" { + default = "example" + type = string +} + +resource "aws_eks_cluster" "positive1" { + depends_on = [aws_cloudwatch_log_group.example] + name = var.cluster_name +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="11" +variable "cluster_name" { + default = "example" + type = string +} + +resource "aws_eks_cluster" "positive2" { + depends_on = [aws_cloudwatch_log_group.example] + name = var.cluster_name + + encryption_config { + resources = ["s"] + provider { + key_arn = "test" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +variable "cluster_name" { + default = "example" + type = string +} + +resource "aws_eks_cluster" "negative1" { + depends_on = [aws_cloudwatch_log_group.example] + name = var.cluster_name + + encryption_config { + resources = ["secrets"] + provider { + key_arn = "test" + } + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/64a222aa-7793-4e40-915f-4b302c76e4d4.md b/docs/queries/terraform-queries/aws/64a222aa-7793-4e40-915f-4b302c76e4d4.md new file mode 100644 index 00000000000..d1f8c7b50f5 --- /dev/null +++ b/docs/queries/terraform-queries/aws/64a222aa-7793-4e40-915f-4b302c76e4d4.md 
@@ -0,0 +1,125 @@ +--- +title: S3 Bucket ACL Grants WRITE_ACP Permission +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 64a222aa-7793-4e40-915f-4b302c76e4d4 +- **Query name:** S3 Bucket ACL Grants WRITE_ACP Permission +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_acl_grants_write_acp_permission) + +### Description +S3 Buckets should not allow WRITE_ACP permission to the S3 Bucket Access Control List in order to prevent AWS accounts or IAM users to modify access control permissions to the bucket.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="16" +data "aws_canonical_user_id" "current" {} + +resource "aws_s3_bucket" "example" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_acl" "example" { + bucket = aws_s3_bucket.example.id + access_control_policy { + + grant { + grantee { + type = "Group" + uri = "http://acs.amazonaws.com/groups/s3/LogDelivery" + } + permission = "WRITE_ACP" + } + + owner { + id = data.aws_canonical_user_id.current.id + } + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="23" +data "aws_canonical_user_id" "current" {} + +resource "aws_s3_bucket" "example" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_acl" "example" { + bucket = aws_s3_bucket.example.id + access_control_policy { + grant { + grantee { + id = data.aws_canonical_user_id.current.id + type = "CanonicalUser" + } + permission = "READ" + } + + grant { + grantee { + type = "Group" + uri = "http://acs.amazonaws.com/groups/s3/LogDelivery" + } + permission = "WRITE_ACP" + } + + owner { + id = data.aws_canonical_user_id.current.id + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +data "aws_canonical_user_id" "current" {} + +resource "aws_s3_bucket" "example" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_acl" "example" { + bucket = aws_s3_bucket.example.id + access_control_policy { + grant { + grantee { + id = data.aws_canonical_user_id.current.id + type = "CanonicalUser" + } + permission = "READ" + } + + grant { + grantee { + type = "Group" + uri = "http://acs.amazonaws.com/groups/s3/LogDelivery" + } + permission = "READ_ACP" + } + + owner { + id = data.aws_canonical_user_id.current.id + } + } +} + +``` 
diff --git a/docs/queries/terraform-queries/aws/656880aa-1388-488f-a6d4-8f73c23149b2.md b/docs/queries/terraform-queries/aws/656880aa-1388-488f-a6d4-8f73c23149b2.md new file mode 100644 index 00000000000..d0ac4684cb8 --- /dev/null +++ b/docs/queries/terraform-queries/aws/656880aa-1388-488f-a6d4-8f73c23149b2.md @@ -0,0 +1,83 @@ +--- +title: RDS Database Cluster not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 656880aa-1388-488f-a6d4-8f73c23149b2 +- **Query name:** RDS Database Cluster not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/rds_database_cluster_not_encrypted) + +### Description +RDS Database Cluster Encryption should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_cluster_snapshot) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_db_cluster_snapshot" "positive1" { + db_cluster_identifier = aws_rds_cluster.example2.id + db_cluster_snapshot_identifier = "resourcetestsnapshot1234" +} + +resource "aws_rds_cluster" "example2" { + cluster_identifier = "example" + db_subnet_group_name = aws_db_subnet_group.example.name + engine_mode = "multimaster" + master_password = "barbarbarbar" + master_username = "foo" + skip_final_snapshot = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_db_cluster_snapshot" "positive2" { + db_cluster_identifier = aws_rds_cluster.example3.id + db_cluster_snapshot_identifier = "resourcetestsnapshot1234" +} + +resource "aws_rds_cluster" "example3" { + cluster_identifier = "example" + db_subnet_group_name = aws_db_subnet_group.example.name + engine_mode = "multimaster" + master_password = "barbarbarbar" + master_username = "foo" + skip_final_snapshot = true + storage_encrypted = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_cluster_snapshot" "negative" { + db_cluster_identifier = aws_rds_cluster.example.id + db_cluster_snapshot_identifier = "resourcetestsnapshot1234" +} + +resource "aws_rds_cluster" "example" { + cluster_identifier = "example" + db_subnet_group_name = aws_db_subnet_group.example.name + engine_mode = "multimaster" + master_password = "barbarbarbar" + master_username = "foo" + skip_final_snapshot = true + storage_encrypted = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/65905cec-d691-4320-b320-2000436cb696.md b/docs/queries/terraform-queries/aws/65905cec-d691-4320-b320-2000436cb696.md new file mode 100644 index 00000000000..725c378bcd5 --- /dev/null 
+++ b/docs/queries/terraform-queries/aws/65905cec-d691-4320-b320-2000436cb696.md @@ -0,0 +1,204 @@ +--- +title: Security Group With Unrestricted Access To SSH +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 65905cec-d691-4320-b320-2000436cb696 +- **Query name:** Security Group With Unrestricted Access To SSH +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/security_group_with_unrestricted_access_to_ssh) + +### Description +'SSH' (TCP:22) should not be public in AWS Security Group
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "aws_security_group" "positive1" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "allow_tls" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="11" +resource "aws_security_group" "positive2" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["192.120.0.0/16", "0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "allow_tls" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="13" +module "vote_service_sg" { + source = "terraform-aws-modules/security-group/aws" + version = "4.3.0" + name = "user-service" + description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open" + vpc_id = "vpc-12345678" + + ingress { + description = "TLS from VPC" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "allow_tls" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="13" +module "vote_service_sg" { + source = "terraform-aws-modules/security-group/aws" + version = "4.3.0" + name = "user-service" + description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open" + vpc_id = "vpc-12345678" + + ingress { + description = "TLS from VPC" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["192.120.0.0/16", "0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "allow_tls" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "aws_security_group" "negative1" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["192.120.0.0/16", "75.132.0.0/16"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "allow_tls" + } +} +``` +```tf title="Negative test num. 2 - tf file" +module "vote_service_sg" { + source = "terraform-aws-modules/security-group/aws" + version = "4.3.0" + name = "user-service" + description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open" + vpc_id = "vpc-12345678" + + ingress { + description = "TLS from VPC" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["192.120.0.0/16", "75.132.0.0/16"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "allow_tls" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/66c6f96f-2d9e-417e-a998-9058aeeecd44.md b/docs/queries/terraform-queries/aws/66c6f96f-2d9e-417e-a998-9058aeeecd44.md new file mode 100644 index 00000000000..77064471af1 --- /dev/null +++ b/docs/queries/terraform-queries/aws/66c6f96f-2d9e-417e-a998-9058aeeecd44.md 
@@ -0,0 +1,176 @@ +--- +title: S3 Bucket Allows List Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 66c6f96f-2d9e-417e-a998-9058aeeecd44 +- **Query name:** S3 Bucket Allows List Action From All Principals +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_allows_list_action_from_all_principals) + +### Description +S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_s3_bucket_policy" "positive1" { + bucket = aws_s3_bucket.b.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 66cd88ac-9ddf-424a-b77e-e55e17630bee +- **Query name:** Batch Job Definition With Privileged Container Properties +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/batch_job_definition_with_privileged_container_properties) + +### Description +Batch Job Definition should not have Privileged Container Properties
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/batch_job_definition) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "aws_batch_job_definition" "positive1" { + name = "tf_test_batch_job_definition" + type = "container" + + container_properties = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 66f130d9-b81d-4e8e-9b08-da74b9c891df +- **Query name:** Missing Cluster Log Types +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/missing_cluster_log_types) + +### Description +Amazon EKS control plane logging don't enabled for all log types
+[Documentation](https://www.terraform.io/docs/providers/aws/r/eks_cluster.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9" +variable "cluster_name" { + default = "example" + type = string +} + +resource "aws_eks_cluster" "positive1" { + depends_on = [aws_cloudwatch_log_group.example] + + enabled_cluster_log_types = ["api", "audit"] + name = var.cluster_name + + # ... other configuration ... +} + +resource "aws_cloudwatch_log_group" "positive2" { + name = "/aws/eks/${var.cluster_name}/cluster" + retention_in_days = 7 + + # ... potentially other configuration ... +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +variable "cluster_name" { + default = "example" + type = string +} + +resource "aws_eks_cluster" "negative1" { + depends_on = [aws_cloudwatch_log_group.example] + + enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"] + name = var.cluster_name + + # ... other configuration ... +} + +resource "aws_cloudwatch_log_group" "negative2" { + name = "/aws/eks/${var.cluster_name}/cluster" + retention_in_days = 7 + + # ... potentially other configuration ... +} + +``` diff --git a/docs/queries/terraform-queries/aws/671211c5-5d2a-4e97-8867-30fc28b02216.md b/docs/queries/terraform-queries/aws/671211c5-5d2a-4e97-8867-30fc28b02216.md new file mode 100644 index 00000000000..307bfb14926 --- /dev/null +++ b/docs/queries/terraform-queries/aws/671211c5-5d2a-4e97-8867-30fc28b02216.md 
@@ -0,0 +1,62 @@ +--- +title: API Gateway Method Does Not Contains An API Key +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 671211c5-5d2a-4e97-8867-30fc28b02216 +- **Query name:** API Gateway Method Does Not Contains An API Key +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_method_does_not_contains_an_api_key) + +### Description +An API Key should be required on a method request.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 13" +resource "aws_api_gateway_method" "positive1" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + resource_id = aws_api_gateway_resource.MyDemoResource.id + http_method = "GET" + authorization = "NONE" +} + +resource "aws_api_gateway_method" "positive2" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + resource_id = aws_api_gateway_resource.MyDemoResource.id + http_method = "GET" + authorization = "NONE" + api_key_required = false +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_api_gateway_method" "negative1" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + resource_id = aws_api_gateway_resource.MyDemoResource.id + http_method = "GET" + authorization = "NONE" + api_key_required = true +} + + +``` diff --git a/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md b/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md new file mode 100644 index 00000000000..fcce355d075 --- /dev/null +++ b/docs/queries/terraform-queries/aws/6726dcc0-5ff5-459d-b473-a780bef7665c.md @@ -0,0 +1,449 @@ +--- +title: S3 Bucket SSE Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6726dcc0-5ff5-459d-b473-a780bef7665c +- **Query name:** S3 Bucket SSE Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_sse_disabled) + +### Description +If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + mfa_delete = true + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="26" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = "some-key" + sse_algorithm = "AES256" + } + } + } + + versioning { + mfa_delete = true + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="26" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } + + versioning { + mfa_delete = true + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="15" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = "some-key" + sse_algorithm = "AES256" + } + } + } +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="15" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } + } +} + +``` +
+
Postitive test num. 7 - tf file + +```tf hl_lines="14" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "mybucket0" { + bucket = "my-tf-example-bucket" +} + + +``` +
+
Postitive test num. 8 - tf file + +```tf hl_lines="23" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "mybucket1" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "example2" { + bucket = aws_s3_bucket.mybucket1.bucket + + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = "some-key" + sse_algorithm = "AES256" + } + } +} + +``` +
+
Postitive test num. 9 - tf file + +```tf hl_lines="23" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "mybucket2" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "example3" { + bucket = aws_s3_bucket.mybucket2.bucket + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + } + } +} + +``` +
+
Postitive test num. 10 - tf file + +```tf hl_lines="21" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "mybucket22" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "example33" { + bucket = aws_s3_bucket.mybucket22.bucket + + rule { + bucket_key_enabled = false + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "negative1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.mykey.arn + sse_algorithm = "aws:kms" + } + } + } + + versioning { + mfa_delete = true + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.mykey.arn + sse_algorithm = "aws:kms" + } + } + } +} + +``` +```tf title="Negative test num. 3 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "mybucket" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "example" { + bucket = aws_s3_bucket.mybucket.bucket + + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.mykey.arn + sse_algorithm = "aws:kms" + } + } +} + +``` +
Negative test num. 4 - tf file + +```tf +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "mybucket22" { + count = 1 + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "example33" { + count = 1 + bucket = aws_s3_bucket.mybucket22[count.index].bucket + + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md b/docs/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md new file mode 100644 index 00000000000..b4fcd2c34c8 --- /dev/null +++ b/docs/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e.md @@ -0,0 +1,208 @@ +--- +title: Security Group Rule Without Description +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e +- **Query name:** Security Group Rule Without Description +- **Platform:** Terraform +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/security_group_rules_without_description) + +### Description +It's considered a best practice for all rules in AWS Security Group to have a description
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6 14" +resource "aws_security_group" "allow_tls" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + tags = { + Name = "allow_tls" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="15" +resource "aws_security_group" "positive2" { + + name = "${var.prefix}-external-http-https" + description = "Allow main HTTP / HTTPS" + vpc_id = local.vpc_id + + ingress { + description = "Enable HTTP access for select VMs" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.prefix}-external-http-https" + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="23" +resource "aws_security_group" "positive3" { + + name = "${var.prefix}-external-http-https" + description = "Allow main HTTP / HTTPS" + vpc_id = local.vpc_id + + tags = { + Name = "${var.prefix}-external-http-https" + } +} + +resource "aws_security_group_rule" "positive3a" { + + description = "Enable HTTP access for select VMs" + from_port = 80 + to_port = 80 + cidr_blocks = ["0.0.0.0/0"] + protocol = "tcp" + security_group_id = aws_security_group.positive3.id + type = "ingress" +} + +resource "aws_security_group_rule" "positive3b" { + + from_port = 443 + to_port = 443 + cidr_blocks = ["0.0.0.0/0"] + protocol = "tcp" + security_group_id = aws_security_group.positive3.id + type = "ingress" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group" "allow_tls" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + tags = { + Name = "allow_tls" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_security_group" "negative2" { + + name = "${var.prefix}-external-http-https" + description = "Allow main HTTP / HTTPS" + vpc_id = local.vpc_id + + ingress { + description = "Enable HTTP access for select VMs" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + description = "Enable HTTPS access for select VMs" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.prefix}-external-http-https" + } +} + +``` +```tf title="Negative test num. 
3 - tf file" +resource "aws_security_group" "negative3" { + + name = "${var.prefix}-external-http-https" + description = "Allow main HTTP / HTTPS" + vpc_id = local.vpc_id + + tags = { + Name = "${var.prefix}-external-http-https" + } +} + +resource "aws_security_group_rule" "negative3a" { + + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.negative3.id + type = "ingress" + description = "Enable HTTP access for select VMs" +} + +resource "aws_security_group_rule" "negative3b" { + + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.negative3.id + type = "ingress" + description = "Enable HTTPS access for select VMs" +} + +``` diff --git a/docs/queries/terraform-queries/aws/69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md b/docs/queries/terraform-queries/aws/69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md new file mode 100644 index 00000000000..f12f64a4053 --- /dev/null +++ b/docs/queries/terraform-queries/aws/69e7c320-b65d-41bb-be02-d63ecc0bcc9d.md @@ -0,0 +1,119 @@ +--- +title: ECR Repository Without Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 69e7c320-b65d-41bb-be02-d63ecc0bcc9d +- **Query name:** ECR Repository Without Policy +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecr_repository_without_policy) + +### Description +ECR Repository should have Policies attached to it
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_ecr_repository" "foo" { + name = "bar" +} + + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_ecr_repository" "foo2" { + name = "bar" +} + + +resource "aws_ecr_repository_policy" "foopolicy" { + repository = aws_ecr_repository.foo.name + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 6b2739db-9c49-4db7-b980-7816e0c248c1 +- **Query name:** API Gateway Endpoint Config is Not Private +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_endpoint_config_is_not_private) + +### Description +The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_api_gateway_rest_api" "positive1" { + name = "regional-example" + + endpoint_configuration { + types = ["REGIONAL"] + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_api_gateway_rest_api" "negative1" { + name = "regional-example" + + endpoint_configuration { + types = ["PRIVATE"] + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md b/docs/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md new file mode 100644 index 00000000000..d075ccca939 --- /dev/null +++ b/docs/queries/terraform-queries/aws/6b6874fe-4c2f-4eea-8b90-7cceaa4a125e.md @@ -0,0 +1,143 @@ +--- +title: CloudWatch Network Gateways Changes Alarm Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6b6874fe-4c2f-4eea-8b90-7cceaa4a125e +- **Query name:** CloudWatch Network Gateways Changes Alarm Missing +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_network_gateways_changes_alarm_missing) + +### Description +Ensure a log metric filter and alarm exist for network gateways changes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" { + name = "CIS-NetworkGatewayChanges" + pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-NetworkGatewayChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" { + alarm_name = "CIS-3.12-NetworkGatewayChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" { + name = "CIS-NetworkGatewayChanges" + pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DetachInternetGateway) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-NetworkGatewayChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" { + alarm_name = "CIS-3.12-NetworkGatewayChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_network_gateway_changes_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_cloudwatch_log_metric_filter" "cis_network_gateway_changes_metric_filter" { + name = "CIS-NetworkGatewayChanges" + pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-NetworkGatewayChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "cis_network_gateway_changes_cw_alarm" { + alarm_name = "CIS-3.12-NetworkGatewayChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_network_gateway_changes_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/6d23d87e-1c5b-4308-b224-92624300f29b.md b/docs/queries/terraform-queries/aws/6d23d87e-1c5b-4308-b224-92624300f29b.md new file mode 100644 index 00000000000..cc57b997662 --- /dev/null +++ b/docs/queries/terraform-queries/aws/6d23d87e-1c5b-4308-b224-92624300f29b.md 
@@ -0,0 +1,91 @@ +--- +title: User With Privilege Escalation By Actions 'iam:AttachGroupPolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6d23d87e-1c5b-4308-b224-92624300f29b +- **Query name:** User With Privilege Escalation By Actions 'iam:AttachGroupPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachGroupPolicy) + +### Description +User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachGroupPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/6db03a91-f933-4f13-ab38-a8b87a7de54d.md b/docs/queries/terraform-queries/aws/6db03a91-f933-4f13-ab38-a8b87a7de54d.md new file mode 100644 index 00000000000..4848a817603 --- /dev/null +++ b/docs/queries/terraform-queries/aws/6db03a91-f933-4f13-ab38-a8b87a7de54d.md 
@@ -0,0 +1,58 @@ +--- +title: ElastiCache Nodes Not Created Across Multi AZ +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6db03a91-f933-4f13-ab38-a8b87a7de54d +- **Query name:** ElastiCache Nodes Not Created Across Multi AZ +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticache_nodes_not_created_across_multi_az) + +### Description +ElastiCache Nodes should be created across multi az, which means 'az_mode' should be set to 'cross-az' in multi nodes cluster
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 12" +resource "aws_elasticache_cluster" "positive1" { + cluster_id = "cluster-example" + engine = "memcached" + num_cache_nodes = 3 +} + +resource "aws_elasticache_cluster" "positive2" { + cluster_id = "cluster-example" + engine = "memcached" + num_cache_nodes = 3 + + az_mode = "single-az" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_elasticache_cluster" "negative1" { + cluster_id = "cluster-example" + engine = "memcached" + + num_cache_nodes = 3 + + az_mode = "cross-az" +} +``` diff --git a/docs/queries/terraform-queries/aws/6db52fa6-d4da-4608-908a-89f0c59e743e.md b/docs/queries/terraform-queries/aws/6db52fa6-d4da-4608-908a-89f0c59e743e.md new file mode 100644 index 00000000000..f7c2eba5d95 --- /dev/null +++ b/docs/queries/terraform-queries/aws/6db52fa6-d4da-4608-908a-89f0c59e743e.md @@ -0,0 +1,112 @@ +--- +title: MSK Cluster Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6db52fa6-d4da-4608-908a-89f0c59e743e +- **Query name:** MSK Cluster Encryption Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/msk_cluster_encryption_disabled) + +### Description +Ensure MSK Cluster encryption in rest and transit is enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_info) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 26 37 14" +resource "aws_msk_cluster" "positive1" { + cluster_name = "example" + kafka_version = "2.4.1" + number_of_broker_nodes = 3 +} + +resource "aws_msk_cluster" "positive2" { + cluster_name = "example" + kafka_version = "2.4.1" + number_of_broker_nodes = 3 + + encryption_info { + encryption_in_transit { + client_broker = "PLAINTEXT" + } + } +} + +resource "aws_msk_cluster" "positive3" { + cluster_name = "example" + kafka_version = "2.4.1" + number_of_broker_nodes = 3 + + encryption_info { + encryption_in_transit { + in_cluster = false + } + } +} + +resource "aws_msk_cluster" "positive4" { + cluster_name = "example" + kafka_version = "2.4.1" + number_of_broker_nodes = 3 + + encryption_info { + encryption_in_transit { + client_broker = "PLAINTEXT" + in_cluster = false + } + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_msk_cluster" "negative1" { + encryption_info { + encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn + } +} + +resource "aws_msk_cluster" "negative2" { + encryption_info { + encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn + encryption_in_transit { + client_broker = "TLS" + in_cluster = true + } + } +} + +resource "aws_msk_cluster" "negative3" { + encryption_info { + encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn + encryption_in_transit { + client_broker = "TLS" + } + } +} + +resource "aws_msk_cluster" "negative4" { + encryption_info { + encryption_at_rest_kms_key_arn = aws_kms_key.kms.arn + encryption_in_transit { + in_cluster = true + } + } +} +``` 
diff --git a/docs/queries/terraform-queries/aws/6deb34e2-5d9c-499a-801b-ea6d9eda894f.md b/docs/queries/terraform-queries/aws/6deb34e2-5d9c-499a-801b-ea6d9eda894f.md new file mode 100644 index 00000000000..65a3dcc20e1 --- /dev/null +++ b/docs/queries/terraform-queries/aws/6deb34e2-5d9c-499a-801b-ea6d9eda894f.md @@ -0,0 +1,90 @@ +--- +title: User With Privilege Escalation By Actions 'iam:UpdateLoginProfile' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6deb34e2-5d9c-499a-801b-ea6d9eda894f +- **Query name:** User With Privilege Escalation By Actions 'iam:UpdateLoginProfile' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_UpdateLoginProfile) + +### Description +User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:UpdateLoginProfile", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md b/docs/queries/terraform-queries/aws/6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md new file mode 100644 index 00000000000..e6b498094fd --- /dev/null +++ b/docs/queries/terraform-queries/aws/6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97.md 
@@ -0,0 +1,55 @@ +--- +title: Stack Retention Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6e0e2f68-3fd9-4cd8-a5e4-e2213ef0df97 +- **Query name:** Stack Retention Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/stack_retention_disabled) + +### Description +Make sure that retain_stack is enabled to keep the Stack and it's associated resources during resource destruction
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance#stack_set_name) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 5" +resource "aws_cloudformation_stack_set_instance" "positive1" { + account_id = "123456789012" + region = "us-east-1" + stack_set_name = aws_cloudformation_stack_set.example.name + retain_stack = false +} + +resource "aws_cloudformation_stack_set_instance" "positive2" { + account_id = "123456789012" + region = "us-east-1" + stack_set_name = aws_cloudformation_stack_set.example.name +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudformation_stack_set_instance" "negative1" { + account_id = "123456789012" + region = "us-east-1" + stack_set_name = aws_cloudformation_stack_set.example.name + retain_stack = true +} +``` diff --git a/docs/queries/terraform-queries/aws/6e3fd2ed-5c83-4c68-9679-7700d224d379.md b/docs/queries/terraform-queries/aws/6e3fd2ed-5c83-4c68-9679-7700d224d379.md new file mode 100644 index 00000000000..62fb95990dd --- /dev/null +++ b/docs/queries/terraform-queries/aws/6e3fd2ed-5c83-4c68-9679-7700d224d379.md @@ -0,0 +1,435 @@ +--- +title: ALB Not Dropping Invalid Headers +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6e3fd2ed-5c83-4c68-9679-7700d224d379 +- **Query name:** ALB Not Dropping Invalid Headers +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/alb_not_dropping_invalid_headers) + +### Description +It's considered a best practice when using Application Load Balancers to drop invalid header fields
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 14" +resource "aws_alb" "disabled_1" { + internal = false + load_balancer_type = "application" + name = "alb" + subnets = module.vpc.public_subnets +} + +resource "aws_alb" "disabled_2" { + internal = false + load_balancer_type = "application" + name = "alb" + subnets = module.vpc.public_subnets + + drop_invalid_header_fields = false +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1 14" +resource "aws_lb" "disabled_1" { + internal = false + load_balancer_type = "application" + name = "alb" + subnets = module.vpc.public_subnets +} + +resource "aws_lb" "disabled_2" { + internal = false + load_balancer_type = "application" + name = "alb" + subnets = module.vpc.public_subnets + + drop_invalid_header_fields = false +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1 12" +resource "aws_alb" "disabled_1" { + internal = false + name = "alb" + subnets = module.vpc.public_subnets +} + +resource "aws_lb" "disabled_2" { + internal = false + name = "alb" + subnets = module.vpc.public_subnets + + drop_invalid_header_fields = false +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="8" +module "alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 6.0" + + name = "my-alb" + + load_balancer_type = "application" + drop_invalid_header_fields = false + + vpc_id = "vpc-abcde012" + subnets = ["subnet-abcde012", "subnet-bcde012a"] + security_groups = ["sg-edcd9784", "sg-edcd9785"] + + access_logs = { + bucket = "my-alb-logs" + } + + target_groups = [ + { + name_prefix = "pref-" + backend_protocol = "HTTP" + backend_port = 80 + target_type = "instance" + targets = [ + { + target_id = "i-0123456789abcdefg" + port = 80 + }, + { + target_id = "i-a1b2c3d4e5f6g7h8i" + port = 8080 + } + ] + } + ] + + https_listeners = [ + { + port = 443 + protocol = "HTTPS" + certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" + target_group_index = 0 + } + ] + + http_tcp_listeners = [ + { + port = 80 + protocol = "HTTP" + target_group_index = 0 + } + ] + + tags = { + Environment = "Test" + } +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="1" +module "alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 6.0" + + name = "my-alb" + + load_balancer_type = "application" + + vpc_id = "vpc-abcde012" + subnets = ["subnet-abcde012", "subnet-bcde012a"] + security_groups = ["sg-edcd9784", "sg-edcd9785"] + + access_logs = { + bucket = "my-alb-logs" + } + + target_groups = [ + { + name_prefix = "pref-" + backend_protocol = "HTTP" + backend_port = 80 + target_type = "instance" + targets = [ + { + target_id = "i-0123456789abcdefg" + port = 80 + }, + { + target_id = "i-a1b2c3d4e5f6g7h8i" + port = 8080 + } + ] + } + ] + + https_listeners = [ + { + port = 443 + protocol = "HTTPS" + certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" + target_group_index = 0 + } + ] + + http_tcp_listeners = [ + { + port = 80 + protocol = "HTTP" + target_group_index = 0 + } + ] + + tags = { + Environment = "Test" + } +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="1" +module "alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 6.0" + + name = "my-alb" + + vpc_id = "vpc-abcde012" + subnets = ["subnet-abcde012", "subnet-bcde012a"] + security_groups = ["sg-edcd9784", "sg-edcd9785"] + + access_logs = { + bucket = "my-alb-logs" + } + + target_groups = [ + { + name_prefix = "pref-" + backend_protocol = "HTTP" + backend_port = 80 + target_type = "instance" + targets = [ + { + target_id = "i-0123456789abcdefg" + port = 80 + }, + { + target_id = "i-a1b2c3d4e5f6g7h8i" + port = 8080 + } + ] + } + ] + + https_listeners = [ + { + port = 443 + protocol = "HTTPS" + certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" + target_group_index = 0 + } + ] + + http_tcp_listeners = [ + { + port = 80 + protocol = "HTTP" + target_group_index = 0 + } + ] + + tags = { + Environment = "Test" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_alb" "enabled" { + internal = false + load_balancer_type = "application" + name = "alb" + subnets = module.vpc.public_subnets + + drop_invalid_header_fields = true +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_lb" "enabled" { + internal = false + load_balancer_type = "application" + name = "alb" + subnets = module.vpc.public_subnets + + drop_invalid_header_fields = true +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "aws_alb" "enabled" { + internal = false + name = "alb" + subnets = module.vpc.public_subnets + + drop_invalid_header_fields = true +} + +resource "aws_lb" "enabled" { + internal = false + name = "alb" + subnets = module.vpc.public_subnets + + drop_invalid_header_fields = true +} + +``` +
Negative test num. 4 - tf file + +```tf +module "alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 6.0" + + name = "my-alb" + + load_balancer_type = "application" + drop_invalid_header_fields = true + + vpc_id = "vpc-abcde012" + subnets = ["subnet-abcde012", "subnet-bcde012a"] + security_groups = ["sg-edcd9784", "sg-edcd9785"] + + access_logs = { + bucket = "my-alb-logs" + } + + target_groups = [ + { + name_prefix = "pref-" + backend_protocol = "HTTP" + backend_port = 80 + target_type = "instance" + targets = [ + { + target_id = "i-0123456789abcdefg" + port = 80 + }, + { + target_id = "i-a1b2c3d4e5f6g7h8i" + port = 8080 + } + ] + } + ] + + https_listeners = [ + { + port = 443 + protocol = "HTTPS" + certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" + target_group_index = 0 + } + ] + + http_tcp_listeners = [ + { + port = 80 + protocol = "HTTP" + target_group_index = 0 + } + ] + + tags = { + Environment = "Test" + } +} + +``` +
+
Negative test num. 5 - tf file + +```tf +module "alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 6.0" + + name = "my-alb" + + drop_invalid_header_fields = true + + vpc_id = "vpc-abcde012" + subnets = ["subnet-abcde012", "subnet-bcde012a"] + security_groups = ["sg-edcd9784", "sg-edcd9785"] + + access_logs = { + bucket = "my-alb-logs" + } + + target_groups = [ + { + name_prefix = "pref-" + backend_protocol = "HTTP" + backend_port = 80 + target_type = "instance" + targets = [ + { + target_id = "i-0123456789abcdefg" + port = 80 + }, + { + target_id = "i-a1b2c3d4e5f6g7h8i" + port = 8080 + } + ] + } + ] + + https_listeners = [ + { + port = 443 + protocol = "HTTPS" + certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" + target_group_index = 0 + } + ] + + http_tcp_listeners = [ + { + port = 80 + protocol = "HTTP" + target_group_index = 0 + } + ] + + tags = { + Environment = "Test" + } +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/6e8849c1-3aa7-40e3-9063-b85ee300f29f.md b/docs/queries/terraform-queries/aws/6e8849c1-3aa7-40e3-9063-b85ee300f29f.md new file mode 100644 index 00000000000..79db4538696 --- /dev/null +++ b/docs/queries/terraform-queries/aws/6e8849c1-3aa7-40e3-9063-b85ee300f29f.md @@ -0,0 +1,155 @@ +--- +title: SQS With SSE Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6e8849c1-3aa7-40e3-9063-b85ee300f29f +- **Query name:** SQS With SSE Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sqs_with_sse_disabled) + +### Description +Amazon Simple Queue Service (SQS) queue should protect the contents of their messages using Server-Side Encryption (SSE)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_sqs_queue" "positive1" { + name = "terraform-example-queue" + kms_data_key_reuse_period_seconds = 300 +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="3" +resource "aws_sqs_queue" "positive2" { + name = "terraform-example-queue" + kms_master_key_id = "" + kms_data_key_reuse_period_seconds = 300 +} + + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +resource "aws_sqs_queue" "positive3" { + name = "terraform-example-queue" + kms_master_key_id = null + kms_data_key_reuse_period_seconds = 300 +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +module "user_queue" { + source = "terraform-aws-modules/sqs/aws" + version = "~> 2.0" + + name = "user" + + tags = { + Service = "user" + Environment = "dev" + } +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="12" +module "user_queue" { + source = "terraform-aws-modules/sqs/aws" + version = "~> 2.0" + + name = "user" + + tags = { + Service = "user" + Environment = "dev" + } + + kms_master_key_id = "" +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="1" +module "user_queue" { + source = "terraform-aws-modules/sqs/aws" + version = "~> 2.0" + + name = "user" + + tags = { + Service = "user" + Environment = "dev" + } + + kms_master_key_id = null + +} + +``` +
+
Postitive test num. 7 - tf file + +```tf hl_lines="3" +resource "aws_sqs_queue" "positive7" { + name = "terraform-example-queue" + sqs_managed_sse_enabled = false +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_sqs_queue" "negative1" { + name = "terraform-example-queue" + kms_master_key_id = "alias/aws/sqs" + kms_data_key_reuse_period_seconds = 300 +} + +``` +```tf title="Negative test num. 2 - tf file" +module "user_queue" { + source = "terraform-aws-modules/sqs/aws" + version = "~> 2.0" + + name = "user" + + tags = { + Service = "user" + Environment = "dev" + } + + kms_master_key_id = "alias/aws/sqs" + +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "aws_sqs_queue" "negative3" { + name = "terraform-example-queue" + sqs_managed_sse_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/704dadd3-54fc-48ac-b6a0-02f170011473.md b/docs/queries/terraform-queries/aws/704dadd3-54fc-48ac-b6a0-02f170011473.md new file mode 100644 index 00000000000..05f35c44f3a --- /dev/null +++ b/docs/queries/terraform-queries/aws/704dadd3-54fc-48ac-b6a0-02f170011473.md @@ -0,0 +1,46 @@ +--- +title: GuardDuty Detector Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 704dadd3-54fc-48ac-b6a0-02f170011473 +- **Query name:** GuardDuty Detector Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/guardduty_detector_disabled) + +### Description +Make sure that Amazon GuardDuty is Enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_detector#example-usage) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +resource "aws_guardduty_detector" "positive1" { + enable = false +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_guardduty_detector" "negative1" { + enable = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/7081f85c-b94d-40fd-8b45-a4f1cac75e46.md b/docs/queries/terraform-queries/aws/7081f85c-b94d-40fd-8b45-a4f1cac75e46.md new file mode 100644 index 00000000000..b7dc53dc9fe --- /dev/null +++ b/docs/queries/terraform-queries/aws/7081f85c-b94d-40fd-8b45-a4f1cac75e46.md @@ -0,0 +1,60 @@ +--- +title: IAM Access Key Is Exposed +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7081f85c-b94d-40fd-8b45-a4f1cac75e46 +- **Query name:** IAM Access Key Is Exposed +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_access_key_is_exposed) + +### Description +IAM Access Key should not be active for root users
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2 7" +resource "aws_iam_access_key" "positive1" { + user = "root" + status = "Active" +} + +resource "aws_iam_access_key" "positive2" { + user = "root" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_access_key" "negative1" { + user = "some-user" +} + +resource "aws_iam_access_key" "negative2" { + user = "some-user" + status = "Active" +} + +resource "aws_iam_access_key" "negative3" { + user = "root" + status = "Inactive" +} + +``` diff --git a/docs/queries/terraform-queries/aws/70b42736-efee-4bce-80d5-50358ed94990.md b/docs/queries/terraform-queries/aws/70b42736-efee-4bce-80d5-50358ed94990.md new file mode 100644 index 00000000000..34f29b48f3f --- /dev/null +++ b/docs/queries/terraform-queries/aws/70b42736-efee-4bce-80d5-50358ed94990.md @@ -0,0 +1,83 @@ +--- +title: Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 70b42736-efee-4bce-80d5-50358ed94990 +- **Query name:** Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachGroupPolicy) + +### Description +Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachGroupPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/70cb518c-d990-46f6-bc05-44a5041493d6.md b/docs/queries/terraform-queries/aws/70cb518c-d990-46f6-bc05-44a5041493d6.md new file mode 100644 index 00000000000..6f70feab7fe --- /dev/null +++ b/docs/queries/terraform-queries/aws/70cb518c-d990-46f6-bc05-44a5041493d6.md 
@@ -0,0 +1,89 @@ +--- +title: User With Privilege Escalation By Actions 'iam:AttachUserPolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 70cb518c-d990-46f6-bc05-44a5041493d6 +- **Query name:** User With Privilege Escalation By Actions 'iam:AttachUserPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachUserPolicy) + +### Description +User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachUserPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/730675f9-52ed-49b6-8ead-0acb5dd7df7f.md b/docs/queries/terraform-queries/aws/730675f9-52ed-49b6-8ead-0acb5dd7df7f.md new file mode 100644 index 00000000000..25a5a700303 --- /dev/null +++ b/docs/queries/terraform-queries/aws/730675f9-52ed-49b6-8ead-0acb5dd7df7f.md 
@@ -0,0 +1,148 @@ +--- +title: SQS Policy With Public Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 730675f9-52ed-49b6-8ead-0acb5dd7df7f +- **Query name:** SQS Policy With Public Access +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sqs_policy_with_public_access) + +### Description +Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 64 39" +resource "aws_sqs_queue" "q" { + name = "examplequeue" +} + +resource "aws_sqs_queue_policy" "test" { + queue_url = aws_sqs_queue.q.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 7350fa23-dcf7-4938-916d-6a60b0c73b50 +- **Query name:** CMK Is Unusable +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cmk_is_unusable) + +### Description +AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#is_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +resource "aws_kms_key" "a" { + description = "KMS key 1" + is_enabled = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_kms_key" "a3" { + description = "KMS key 1" + is_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md b/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md new file mode 100644 index 00000000000..43f746d519e --- /dev/null +++ b/docs/queries/terraform-queries/aws/741f1291-47ac-4a85-a07b-3d32a9d6bd3e.md @@ -0,0 +1,179 @@ +--- +title: DynamoDB Table Point In Time Recovery Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 741f1291-47ac-4a85-a07b-3d32a9d6bd3e +- **Query name:** DynamoDB Table Point In Time Recovery Disabled +- **Platform:** Terraform +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/dynamodb_table_point_in_time_recovery_disabled) + +### Description +It's considered a best practice to have point in time recovery enabled for DynamoDB Table
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "aws_dynamodb_table" "basic-dynamodb-table" { + name = "GameScores" + billing_mode = "PROVISIONED" + read_capacity = 20 + write_capacity = 20 + hash_key = "UserId" + range_key = "GameTitle" + + point_in_time_recovery { + enabled = false + } + + attribute { + name = "UserId" + type = "S" + } + + attribute { + name = "GameTitle" + type = "S" + } + + attribute { + name = "TopScore" + type = "N" + } + + ttl { + attribute_name = "TimeToExist" + enabled = false + } + + global_secondary_index { + name = "GameTitleIndex" + hash_key = "GameTitle" + range_key = "TopScore" + write_capacity = 10 + read_capacity = 10 + projection_type = "INCLUDE" + non_key_attributes = ["UserId"] + } + + tags = { + Name = "dynamodb-table-1" + Environment = "production" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_dynamodb_table" "basic-dynamodb-table" { + name = "GameScores" + billing_mode = "PROVISIONED" + read_capacity = 20 + write_capacity = 20 + hash_key = "UserId" + range_key = "GameTitle" + + attribute { + name = "UserId" + type = "S" + } + + attribute { + name = "GameTitle" + type = "S" + } + + attribute { + name = "TopScore" + type = "N" + } + + ttl { + attribute_name = "TimeToExist" + enabled = false + } + + global_secondary_index { + name = "GameTitleIndex" + hash_key = "GameTitle" + range_key = "TopScore" + write_capacity = 10 + read_capacity = 10 + projection_type = "INCLUDE" + non_key_attributes = ["UserId"] + } + + tags = { + Name = "dynamodb-table-1" + Environment = "production" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_dynamodb_table" "basic-dynamodb-table" { + name = "GameScores" + billing_mode = "PROVISIONED" + read_capacity = 20 + write_capacity = 20 + hash_key = "UserId" + range_key = "GameTitle" + + point_in_time_recovery { + enabled = true + } + + attribute { + name = "UserId" + type = "S" + } + + attribute { + name = "GameTitle" + type = "S" + } + + attribute { + name = "TopScore" + type = "N" + } + + ttl { + attribute_name = "TimeToExist" + enabled = false + } + + global_secondary_index { + name = "GameTitleIndex" + hash_key = "GameTitle" + range_key = "TopScore" + write_capacity = 10 + read_capacity = 10 + projection_type = "INCLUDE" + non_key_attributes = ["UserId"] + } + + tags = { + Name = "dynamodb-table-1" + Environment = "production" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/75ec6890-83af-4bf1-9f16-e83726df0bd0.md b/docs/queries/terraform-queries/aws/75ec6890-83af-4bf1-9f16-e83726df0bd0.md new file mode 100644 index 00000000000..ca90e556009 --- /dev/null +++ b/docs/queries/terraform-queries/aws/75ec6890-83af-4bf1-9f16-e83726df0bd0.md @@ -0,0 +1,51 @@ +--- +title: Lambda Permission Misconfigured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 75ec6890-83af-4bf1-9f16-e83726df0bd0 +- **Query name:** Lambda Permission Misconfigured +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/lambda_permission_misconfigured) + +### Description +Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +resource "aws_lambda_permission" "positive1" { + action = "lambda:DeleteFunction" + function_name = aws_lambda_function.logging.function_name + principal = "logs.eu-west-1.amazonaws.com" + source_arn = "${aws_cloudwatch_log_group.default.arn}:*" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_lambda_permission" "negative1" { + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.logging.function_name + principal = "logs.eu-west-1.amazonaws.com" + source_arn = "${aws_cloudwatch_log_group.default.arn}:*" +} + +``` diff --git a/docs/queries/terraform-queries/aws/76976de7-c7b1-4f64-a94f-90c1345914c2.md b/docs/queries/terraform-queries/aws/76976de7-c7b1-4f64-a94f-90c1345914c2.md new file mode 100644 index 00000000000..ae7ccc8a2b1 --- /dev/null +++ b/docs/queries/terraform-queries/aws/76976de7-c7b1-4f64-a94f-90c1345914c2.md @@ -0,0 +1,71 @@ +--- +title: ElastiCache Replication Group Not Encrypted At Rest +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 76976de7-c7b1-4f64-a94f-90c1345914c2 +- **Query name:** ElastiCache Replication Group Not Encrypted At Rest +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticache_replication_group_not_encrypted_at_rest) + +### Description +ElastiCache Replication Group encryption should be enabled at Rest
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#at_rest_encryption_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" +resource "aws_elasticache_replication_group" "example" { + automatic_failover_enabled = true + availability_zones = ["us-west-2a", "us-west-2b"] + replication_group_id = "tf-rep-group-1" + replication_group_description = "test description" + node_type = "cache.m4.large" + number_cache_clusters = 2 + port = 6379 +} + +``` +```tf title="Postitive test num. 2 - tf file" +resource "aws_elasticache_replication_group" "example2" { + automatic_failover_enabled = true + availability_zones = ["us-west-2a", "us-west-2b"] + replication_group_id = "tf-rep-group-1" + replication_group_description = "test description" + node_type = "cache.m4.large" + number_cache_clusters = 2 + port = 6379 + at_rest_encryption_enabled = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_elasticache_replication_group" "example3" { + automatic_failover_enabled = true + availability_zones = ["us-west-2a", "us-west-2b"] + replication_group_id = "tf-rep-group-1" + replication_group_description = "test description" + node_type = "cache.m4.large" + number_cache_clusters = 2 + port = 6379 + at_rest_encryption_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/7782d4b3-e23e-432b-9742-d9528432e771.md b/docs/queries/terraform-queries/aws/7782d4b3-e23e-432b-9742-d9528432e771.md new file mode 100644 index 00000000000..475a994d250 --- /dev/null +++ b/docs/queries/terraform-queries/aws/7782d4b3-e23e-432b-9742-d9528432e771.md 
@@ -0,0 +1,82 @@ +--- +title: Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7782d4b3-e23e-432b-9742-d9528432e771 +- **Query name:** Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_SetDefaultPolicyVersion) + +### Description +Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:SetDefaultPolicyVersion", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md b/docs/queries/terraform-queries/aws/78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md new file mode 100644 index 00000000000..2d5b20df551 --- /dev/null +++ b/docs/queries/terraform-queries/aws/78f1ec6f-5659-41ea-bd48-d0a142dce4f2.md 
@@ -0,0 +1,107 @@ +--- +title: Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 78f1ec6f-5659-41ea-bd48-d0a142dce4f2 +- **Query name:** Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole) + +### Description +Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:UpdateAssumeRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + groups = [aws_iam_group.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "sts:AssumeRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md b/docs/queries/terraform-queries/aws/7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md new file mode 100644 index 00000000000..cf2a585b08e --- /dev/null +++ b/docs/queries/terraform-queries/aws/7a70eed6-de3a-4da2-94da-a2bbc8fe2a48.md 
@@ -0,0 +1,61 @@ +--- +title: IAM Password Without Symbol +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7a70eed6-de3a-4da2-94da-a2bbc8fe2a48 +- **Query name:** IAM Password Without Symbol +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_password_without_symbol) + +### Description +IAM password should have the required symbols
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9 5" +resource "aws_iam_account_password_policy" "positive1" { + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = false + allow_users_to_change_password = true +} + +resource "aws_iam_account_password_policy" "positive2" { + minimum_password_length = 3 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + allow_users_to_change_password = true +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_account_password_policy" "negative1" { + minimum_password_length = 8 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md b/docs/queries/terraform-queries/aws/7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md new file mode 100644 index 00000000000..11ea815182e --- /dev/null +++ b/docs/queries/terraform-queries/aws/7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2.md @@ -0,0 +1,54 @@ +--- +title: ElasticSearch Encryption With KMS Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7af2f4a3-00d9-47f3-8d15-ca0888f4e5b2 +- **Query name:** ElasticSearch Encryption With KMS Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticsearch_encryption_with_kms_is_disabled) + +### Description +Check if any ElasticSearch domain isn't encrypted with KMS.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_elasticsearch_domain" "positive1" { + domain_name = "example" + elasticsearch_version = "1.5" + + encrypt_at_rest { + enabled = true + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_elasticsearch_domain" "negative1" { + domain_name = "example" + elasticsearch_version = "1.5" + + encrypt_at_rest { + enabled = true + kms_key_id = "some-key-id" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/7af43613-6bb9-4a0e-8c4d-1314b799425e.md b/docs/queries/terraform-queries/aws/7af43613-6bb9-4a0e-8c4d-1314b799425e.md new file mode 100644 index 00000000000..37485c4b8e6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/7af43613-6bb9-4a0e-8c4d-1314b799425e.md @@ -0,0 +1,151 @@ +--- +title: S3 Bucket Access to Any Principal +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7af43613-6bb9-4a0e-8c4d-1314b799425e +- **Query name:** S3 Bucket Access to Any Principal +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_access_to_any_principal) + +### Description +S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_s3_bucket_policy" "positive1" { + bucket = aws_s3_bucket.b.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 7c96920c-6fd0-449d-9a52-0aa431b6beaf +- **Query name:** Role With Privilege Escalation By Actions 'iam:AttachUserPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachUserPolicy) + +### Description +Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachUserPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md b/docs/queries/terraform-queries/aws/7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md new file mode 100644 index 00000000000..6c2e6d2b55c --- /dev/null +++ b/docs/queries/terraform-queries/aws/7d544dad-8a6c-431c-84c1-5f07fe9afc0e.md 
@@ -0,0 +1,107 @@ +--- +title: Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7d544dad-8a6c-431c-84c1-5f07fe9afc0e +- **Query name:** Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint) + +### Description +Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "glue:CreateDevEndpoint", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + groups = [aws_iam_group.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/7dbba512-e244-42dc-98bb-422339827967.md b/docs/queries/terraform-queries/aws/7dbba512-e244-42dc-98bb-422339827967.md new file mode 100644 index 00000000000..a16b21a8352 --- /dev/null +++ b/docs/queries/terraform-queries/aws/7dbba512-e244-42dc-98bb-422339827967.md 
@@ -0,0 +1,58 @@ +--- +title: CloudWatch Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7dbba512-e244-42dc-98bb-422339827967 +- **Query name:** CloudWatch Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_logging_disabled) + +### Description +Check if CloudWatch logging is disabled for Route53 hosted zones
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 10" +resource "aws_route53_zone" "no_query_log" { + name = "example.com" +} + +resource "aws_route53_zone" "log_group_mismatch" { + name = "example.com" +} + +resource "aws_route53_query_log" "log_group_mismatch" { + cloudwatch_log_group_arn = aws_cloudwatch_log_group.aws_route53_log_mismatch.arn +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_route53_zone" "example_com" { + name = "example.com" +} + +resource "aws_route53_query_log" "example_com" { + depends_on = [aws_cloudwatch_log_resource_policy.route53-query-logging-policy] + + cloudwatch_log_group_arn = aws_cloudwatch_log_group.aws_route53_example_com.arn + zone_id = aws_route53_zone.example_com.zone_id +} +``` diff --git a/docs/queries/terraform-queries/aws/7e4a6e76-568d-43ef-8c4e-36dea481bff1.md b/docs/queries/terraform-queries/aws/7e4a6e76-568d-43ef-8c4e-36dea481bff1.md new file mode 100644 index 00000000000..c73c5c87c24 --- /dev/null +++ b/docs/queries/terraform-queries/aws/7e4a6e76-568d-43ef-8c4e-36dea481bff1.md @@ -0,0 +1,73 @@ +--- +title: EC2 Instance Using Default VPC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7e4a6e76-568d-43ef-8c4e-36dea481bff1 +- **Query name:** EC2 Instance Using Default VPC +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ec2_instance_using_default_vpc) + +### Description +EC2 Instances should not be configured under a default VPC network
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#subnet_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "aws_instance" "positive1" { + ami = "ami-003634241a8fcdec0" + + instance_type = "t2.micro" + + subnet_id = aws_subnet.my_subnet.id + +} + +resource "aws_subnet" "my_subnet" { + vpc_id = aws_vpc.default.id + cidr_block = "10.0.1.0/24" + + tags = { + Name = "Main" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_instance" "negative1" { + ami = "ami-003634241a8fcdec0" + + instance_type = "t2.micro" + + subnet_id = aws_subnet.my_subnet2.id + +} + +resource "aws_subnet" "my_subnet2" { + vpc_id = aws_vpc.main.id + cidr_block = "10.0.1.0/24" + + tags = { + Name = "Main" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/7ebc9038-0bde-479a-acc4-6ed7b6758899.md b/docs/queries/terraform-queries/aws/7ebc9038-0bde-479a-acc4-6ed7b6758899.md new file mode 100644 index 00000000000..e8a5d3ffe1d --- /dev/null +++ b/docs/queries/terraform-queries/aws/7ebc9038-0bde-479a-acc4-6ed7b6758899.md @@ -0,0 +1,114 @@ +--- +title: KMS Key With Vulnerable Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7ebc9038-0bde-479a-acc4-6ed7b6758899 +- **Query name:** KMS Key With Vulnerable Policy +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/kms_key_with_vulnerable_policy) + +### Description +Checks if the policy is vulnerable and needs updating.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_kms_key" "positive1" { + description = "KMS key 1" + deletion_window_in_days = 10 + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 8055dec2-efb8-4fe6-8837-d9bed6ff202a +- **Query name:** User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_and_lambda_InvokeFunction) + +### Description +User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "lambda:InvokeFunction" + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md b/docs/queries/terraform-queries/aws/8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md new file mode 100644 index 00000000000..0b12050e558 --- /dev/null +++ b/docs/queries/terraform-queries/aws/8152e0cf-d2f0-47ad-96d5-d003a76eabd1.md 
@@ -0,0 +1,146 @@ +--- +title: Lambda Functions Without X-Ray Tracing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8152e0cf-d2f0-47ad-96d5-d003a76eabd1 +- **Query name:** Lambda Functions Without X-Ray Tracing +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/lambda_functions_without_x-ray_tracing) + +### Description +AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#tracing_config) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="28 45" +resource "aws_iam_role" "iam_for_lambda2" { + name = "iam_for_lambda" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 816ea8cf-d589-442d-a917-2dd0ce0e45e3 +- **Query name:** SQS Policy Allows All Actions +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sqs_policy_allows_all_actions) + +### Description +SQS policy allows ALL (*) actions
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "aws_sqs_queue" "positive1" { + name = "examplequeue" +} + +resource "aws_sqs_queue_policy" "positive2" { + queue_url = aws_sqs_queue.q.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 8173d5eb-96b5-4aa6-a71b-ecfa153c123d +- **Query name:** CloudTrail Multi Region Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudtrail_multi_region_disabled) + +### Description +CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +#this is a problematic code where the query should report a result(s) +resource "aws_cloudtrail" "positive1" { + name = "npositive_1" + s3_bucket_name = "bucketlog_1" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="4" +resource "aws_cloudtrail" "positive2" { + name = "npositive_2" + s3_bucket_name = "bucketlog_2" + is_multi_region_trail = false +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="5" +resource "aws_cloudtrail" "positive3" { + name = "npositive_3" + s3_bucket_name = "bucketlog_3" + is_multi_region_trail = true + include_global_service_events = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "aws_cloudtrail" "negative1" { + name = "negative" + s3_bucket_name = "bucketlog" + is_multi_region_trail = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/846646e3-2af1-428c-ac5d-271eccfa6faf.md b/docs/queries/terraform-queries/aws/846646e3-2af1-428c-ac5d-271eccfa6faf.md new file mode 100644 index 00000000000..ac810588cea --- /dev/null +++ b/docs/queries/terraform-queries/aws/846646e3-2af1-428c-ac5d-271eccfa6faf.md 
@@ -0,0 +1,83 @@ +--- +title: Group With Privilege Escalation By Actions 'iam:CreateAccessKey' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 846646e3-2af1-428c-ac5d-271eccfa6faf +- **Query name:** Group With Privilege Escalation By Actions 'iam:CreateAccessKey' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreateAccessKey) + +### Description +Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreateAccessKey", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/862fe4bf-3eec-4767-a517-40f378886b88.md b/docs/queries/terraform-queries/aws/862fe4bf-3eec-4767-a517-40f378886b88.md new file mode 100644 index 00000000000..6dcc7ee6c4d --- /dev/null +++ b/docs/queries/terraform-queries/aws/862fe4bf-3eec-4767-a517-40f378886b88.md @@ -0,0 +1,118 @@ +--- +title: Kinesis Not Encrypted With KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 862fe4bf-3eec-4767-a517-40f378886b88 +- **Query name:** Kinesis Not Encrypted With KMS +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/kinesis_not_encrypted_with_kms) + +### Description +AWS Kinesis Streams and metadata should be protected with KMS
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 34 41" +resource "aws_kinesis_stream" "positive1" { + name = "terraform-kinesis-test" + shard_count = 1 + retention_period = 48 + + shard_level_metrics = [ + "IncomingBytes", + "OutgoingBytes", + ] + + tags = { + Environment = "test" + } +} + + + + +resource "aws_kinesis_stream" "positive2" { + name = "terraform-kinesis-test" + shard_count = 1 + retention_period = 48 + + shard_level_metrics = [ + "IncomingBytes", + "OutgoingBytes", + ] + + tags = { + Environment = "test" + } + + + encryption_type = "NONE" +} + + + + + +resource "aws_kinesis_stream" "positive3" { + name = "terraform-kinesis-test" + shard_count = 1 + retention_period = 48 + + shard_level_metrics = [ + "IncomingBytes", + "OutgoingBytes", + ] + + tags = { + Environment = "test" + } + + + encryption_type = "KMS" +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_kinesis_stream" "negative1" { + name = "terraform-kinesis-test" + shard_count = 1 + retention_period = 48 + + shard_level_metrics = [ + "IncomingBytes", + "OutgoingBytes", + ] + + tags = { + Environment = "test" + } + + + encryption_type = "KMS" + + kms_key_id = "alias/aws/kinesis" +} + + +``` diff --git a/docs/queries/terraform-queries/aws/86571149-eef3-4280-a645-01e60df854b0.md b/docs/queries/terraform-queries/aws/86571149-eef3-4280-a645-01e60df854b0.md new file mode 100644 index 00000000000..806d366dfa9 --- /dev/null +++ b/docs/queries/terraform-queries/aws/86571149-eef3-4280-a645-01e60df854b0.md 
@@ -0,0 +1,76 @@ +--- +title: BOM - AWS EBS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 86571149-eef3-4280-a645-01e60df854b0 +- **Query name:** BOM - AWS EBS +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/ebs) + +### Description +A list of EBS resources found. Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_ebs_volume" "positive1" { + availability_zone = "us-west-2a" + size = 40 + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_ebs_volume" "positive2" { + availability_zone = "us-west-2a" + size = 40 + + tags = { + Name = "HelloWorld2" + } + + encrypted = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +variable "web_type" { + description = "Size/type of the host." + default = "m5.large" +} + +module "ebs_optimized" { + source = "terraform-aws-modules/ebs-optimized/aws" + version = "~> 2.0" + instance_type = var.web_type +} + +resource "aws_instance" "web" { + ami = data.aws_ami.ubuntu.id + instance_type = var.web_type + ebs_optimized = module.ebs_optimized.answer +} + +``` diff --git a/docs/queries/terraform-queries/aws/874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md b/docs/queries/terraform-queries/aws/874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md new file mode 100644 index 00000000000..3ba6c7b0b07 --- /dev/null +++ b/docs/queries/terraform-queries/aws/874d68a3-bfbe-4a4b-aaa0-9e74d7da634b.md @@ -0,0 +1,72 @@ +--- +title: Certificate RSA Key Bytes Lower Than 256 +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 874d68a3-bfbe-4a4b-aaa0-9e74d7da634b +- **Query name:** Certificate RSA Key Bytes Lower Than 256 +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/certificate_rsa_key_bytes_lower_than_256) + +### Description +The certificate should use a RSA key with a length equal to or higher than 256 bytes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +resource "aws_api_gateway_domain_name" "example" { + certificate_body = file("./rsa1024.pem") + domain_name = "api.example.com" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="3" +resource "aws_iam_server_certificate" "test_cert2" { + name = "some_test_cert" + certificate_body = file("./rsa1024.pem") + private_key = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 88fd05e0-ac0e-43d2-ba6d-fc0ba60ae1a6 +- **Query name:** IAM Database Auth Not Enabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_database_auth_not_enabled) + +### Description +IAM Database Auth Enabled should be configured to true when using compatible engine and version
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "aws_db_instance" "positive1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "8.0" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + iam_database_authentication_enabled = false +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_db_instance" "positive1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "8.0" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="1" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "8.0" + instance_class = "db.t2.large" + allocated_storage = 5 + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" 
+ port = "3306" + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="17" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "8.0.28" + instance_class = "db.t2.large" + allocated_storage = 5 + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = false + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_instance" "negative1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + iam_database_authentication_enabled = true +} +``` +```tf title="Negative test num. 2 - tf file" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` +```tf title="Negative test num. 
3 - tf file" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "aurora" + engine_version = "11.10" + instance_class = "db.t2.small" + allocated_storage = 5 + + name = "demodb" + username = "user" + port = "3306" + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } +} + +``` +
Negative test num. 4 - tf file + +```tf +resource "aws_db_instance" "positive1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mariadb" + engine_version = "10.2.43" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/89561b03-cb35-44a9-a7e9-8356e71606f4.md b/docs/queries/terraform-queries/aws/89561b03-cb35-44a9-a7e9-8356e71606f4.md new file mode 100644 index 00000000000..771b4867134 --- /dev/null +++ b/docs/queries/terraform-queries/aws/89561b03-cb35-44a9-a7e9-8356e71606f4.md @@ -0,0 +1,109 @@ +--- +title: User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 89561b03-cb35-44a9-a7e9-8356e71606f4 +- **Query name:** User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_ec2_RunInstances) + +### Description +User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:RunInstances", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md b/docs/queries/terraform-queries/aws/89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md new file mode 100644 index 00000000000..f4fbd57510b --- /dev/null +++ b/docs/queries/terraform-queries/aws/89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a.md 
@@ -0,0 +1,65 @@ +--- +title: Password Without Reuse Prevention +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 89806cdc-9c2e-4bd1-a0dc-53f339bcfb2a +- **Query name:** Password Without Reuse Prevention +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/password_without_reuse_prevention) + +### Description +Check if IAM account password has the reuse password configured with 24
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy#password_reuse_prevention) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10 7" +resource "aws_iam_account_password_policy" "positive1" { + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true + password_reuse_prevention = 20 +} + +resource "aws_iam_account_password_policy" "positive2" { + minimum_password_length = 3 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_account_password_policy" "negative1" { + minimum_password_length = 8 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true + password_reuse_prevention = 24 +} + +``` diff --git a/docs/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0.md b/docs/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0.md new file mode 100644 index 00000000000..28a9eddb23f --- /dev/null +++ b/docs/queries/terraform-queries/aws/8b1b1e67-6248-4dca-bbad-93486bb181c0.md 
@@ -0,0 +1,229 @@
+---
+title: CloudWatch Root Account Use Missing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8b1b1e67-6248-4dca-bbad-93486bb181c0
+- **Query name:** CloudWatch Root Account Use Missing
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_root_account_use_alarm_missing)
+
+### Description
+Ensure a log metric filter and alarm exist for root acount usage
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" {
+ name = "CIS-RootAccountUsage"
+ pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-RootAccountUsage"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" {
+ alarm_name = "CIS-3.3-RootAccountUsage"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = "XXX NOT YOUR FILTER XXX"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
+ alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ insufficient_data_actions = []
+}
+
+
+resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
+ name = "CIS-ConsoleSigninWithoutMFA"
+ pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-ConsoleSigninWithoutMFA"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
+ alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
+ alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ insufficient_data_actions = []
+}
+
+```
+```tf title="Postitive test num.
2 - tf file" hl_lines="1"
+resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" {
+ name = "CIS-RootAccountUsage"
+ pattern = "{ $.userIdentity.type = \"Root\" && $.eventType != \"AwsServiceEvent\" }"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-RootAccountUsage"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" {
+ alarm_name = "CIS-3.3-RootAccountUsage"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
+ alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ insufficient_data_actions = []
+}
+
+```
+```tf title="Postitive test num.
3 - tf file" hl_lines="1"
+resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" {
+ name = "CIS-RootAccountUsage"
+ pattern = "{ $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-RootAccountUsage"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "cis_root_account_use_cw_alarm" {
+ alarm_name = "CIS-3.3-RootAccountUsage"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
+ alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ insufficient_data_actions = []
+}
+
+```
+
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_cloudwatch_metric_alarm" "cis_unauthorized_api_calls_cw_alarm" { + alarm_name = "CIS-3.1-UnauthorizedAPICalls" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_unauthorized_api_calls_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_unauthorized_api_calls_metric_filter" { + name = "CIS-UnauthorizedAPICalls" + pattern = "{ $.userIdentity.type = \"Root\" || $.eventType != \"AwsServiceEvent\" }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-UnauthorizedAPICalls" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` +
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_cloudwatch_log_metric_filter" "cis_root_account_use_metric_filter" {
+ name = "CIS-RootAccountUsage"
+ pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-RootAccountUsage"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "CIS_Root_Account_Use_CW_Alarm" {
+ alarm_name = "CIS-3.3-RootAccountUsage"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = aws_cloudwatch_log_metric_filter.cis_root_account_use_metric_filter.id
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it."
+ alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn]
+ insufficient_data_actions = []
+}
+
+resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" {
+ name = "CIS-ConsoleSigninWithoutMFA"
+ pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-ConsoleSigninWithoutMFA"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" {
+ alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA."
+ alarm_actions = ["aws_sns_topic.CIS_Alerts_SNS_Topic.arn"]
+ insufficient_data_actions = []
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md b/docs/queries/terraform-queries/aws/8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md
new file mode 100644
index 00000000000..9ab600affbc
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/8bbb242f-6e38-4127-86d4-d8f0b2687ae2.md
@@ -0,0 +1,84 @@
+---
+title: AMI Not Encrypted
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8bbb242f-6e38-4127-86d4-d8f0b2687ae2
+- **Query name:** AMI Not Encrypted
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ami_not_encrypted)
+
+### Description
+AWS AMI Encryption is not enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="25 29 7"
+
+resource "aws_ami" "positive1" {
+ name = "terraform-example"
+ virtualization_type = "hvm"
+ root_device_name = "/dev/xvda"
+
+ ebs_block_device {
+ device_name = "/dev/xvda"
+ snapshot_id = "snap-xxxxxxxx"
+ volume_size = 8
+ }
+}
+
+
+resource "aws_ami" "positive2" {
+ name = "terraform-example"
+ virtualization_type = "hvm"
+ root_device_name = "/dev/xvda1"
+
+
+ ebs_block_device {
+ device_name = "/dev/xvda1"
+ snapshot_id = "snap-xxxxxxxx"
+ volume_size = 8
+ encrypted = false
+ }
+}
+
+resource "aws_ami" "positive3" {
+ name = "terraform-example"
+ virtualization_type = "hvm"
+ root_device_name = "/dev/xvda1"
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+#this code is a correct code for which the query should not find any result
+resource "aws_ami" "negative1" {
+ name = "terraform-example"
+ virtualization_type = "hvm"
+ root_device_name = "/dev/xvda2"
+
+ ebs_block_device {
+ device_name = "/dev/xvda2"
+ snapshot_id = "snap-xxxxxxxx"
+ volume_size = 8
+ encrypted = true
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/aws/8bfbf7ab-d5e8-4100-8618-798956e101e0.md b/docs/queries/terraform-queries/aws/8bfbf7ab-d5e8-4100-8618-798956e101e0.md
new file mode 100644
index 00000000000..62c84788fe6
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/8bfbf7ab-d5e8-4100-8618-798956e101e0.md
@@ -0,0 +1,90 @@
+---
+title: User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8bfbf7ab-d5e8-4100-8618-798956e101e0
+- **Query name:** User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutGroupPolicy)
+
+### Description
+User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/8c849af7-a399-46f7-a34c-32d3dc96f1fc.md b/docs/queries/terraform-queries/aws/8c849af7-a399-46f7-a34c-32d3dc96f1fc.md
new file mode 100644
index 00000000000..2c939ffc757
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/8c849af7-a399-46f7-a34c-32d3dc96f1fc.md
@@ -0,0 +1,56 @@
+---
+title: ElastiCache Without VPC
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8c849af7-a399-46f7-a34c-32d3dc96f1fc
+- **Query name:** ElastiCache Without VPC
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticache_without_vpc)
+
+### Description
+ElastiCache should be launched in a Virtual Private Cloud (VPC)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#subnet_group_name)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_elasticache_cluster" "positive1" {
+ cluster_id = "cluster-example"
+ engine = "memcached"
+ node_type = "cache.m4.large"
+ num_cache_nodes = 2
+ parameter_group_name = aws_elasticache_parameter_group.default.id
+ port = 11211
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_elasticache_cluster" "negative1" {
+ cluster_id = "cluster-example"
+ engine = "memcached"
+ node_type = "cache.m4.large"
+ num_cache_nodes = 2
+ parameter_group_name = aws_elasticache_parameter_group.default.id
+ port = 11211
+ subnet_group_name = var.subnet_group_name
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md b/docs/queries/terraform-queries/aws/8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md
new file mode 100644
index 00000000000..821e3bf2567
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56.md
@@ -0,0 +1,390 @@
+---
+title: RDS Without Logging
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8d7f7b8c-6c7c-40f8-baa6-62006c6c7b56
+- **Query name:** RDS Without Logging
+- **Platform:** Terraform
+- **Severity:** Info
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/rds_without_logging)
+
+### Description
+RDS does not have any kind of logger
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#enabled_cloudwatch_logs_exports)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_db_instance" "positive1" {
+ allocated_storage = 5
+ engine = "postgres"
+ instance_class = "db.t3.small"
+ password = "admin"
+ username = "admin"
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="7"
+resource "aws_db_instance" "positive2" {
+ allocated_storage = 5
+ engine = "postgres"
+ instance_class = "db.t3.small"
+ password = "admin"
+ username = "admin"
+ enabled_cloudwatch_logs_exports = []
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="1"
+module "db" {
+ source = "terraform-aws-modules/rds/aws"
+ version = "~> 3.0"
+
+ identifier = "demodb"
+
+ engine = "mysql"
+ engine_version = "5.7.19"
+ instance_class = "db.t2.large"
+ allocated_storage = 5
+
+ name = "demodb"
+ username = "user"
+ password = "YourPwdShouldBeLongAndSecure!"
+ port = "3306"
+
+ iam_database_authentication_enabled = true
+
+ vpc_security_group_ids = ["sg-12345678"]
+
+ maintenance_window = "Mon:00:00-Mon:03:00"
+ backup_window = "03:00-06:00"
+
+ # Enhanced Monitoring - see example for details on how to create the role
+ # by yourself, in case you don't want to create it automatically
+ monitoring_interval = "30"
+ monitoring_role_name = "MyRDSMonitoringRole"
+ create_monitoring_role = true
+
+ tags = {
+ Owner = "user"
+ Environment = "dev"
+ }
+
+ # DB subnet group
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+
+ # DB parameter group
+ family = "mysql5.7"
+
+ # DB option group
+ major_engine_version = "5.7"
+
+ # Database Deletion Protection
+ deletion_protection = true
+
+ parameters = [
+ {
+ name = "character_set_client"
+ value = "utf8mb4"
+ },
+ {
+ name = "character_set_server"
+ value = "utf8mb4"
+ }
+ ]
+
+ options = [
+ {
+ option_name = "MARIADB_AUDIT_PLUGIN"
+
+ option_settings = [
+ {
+ name = "SERVER_AUDIT_EVENTS"
+ value = "CONNECT"
+ },
+ {
+ name = "SERVER_AUDIT_FILE_ROTATIONS"
+ value = "37"
+ },
+ ]
+ },
+ ]
+}
+
+```
+
Postitive test num. 4 - tf file + +```tf hl_lines="11" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + enabled_cloudwatch_logs_exports = [] + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` +
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_db_instance" "negative1" {
+ allocated_storage = 5
+ engine = "postgres"
+ instance_class = "db.t3.small"
+ password = "admin"
+ username = "admin"
+
+ enabled_cloudwatch_logs_exports = ["upgrade"]
+}
+
+resource "aws_db_instance" "negative2" {
+ allocated_storage = 5
+ engine = "mariadb"
+ instance_class = "db.t3.small"
+ password = "admin"
+ username = "admin"
+
+ enabled_cloudwatch_logs_exports = ["general", "error"]
+}
+
+```
+```tf title="Negative test num. 2 - tf file"
+module "db" {
+ source = "terraform-aws-modules/rds/aws"
+ version = "~> 3.0"
+
+ identifier = "demodb"
+
+ engine = "mysql"
+ engine_version = "5.7.19"
+ instance_class = "db.t2.large"
+ allocated_storage = 5
+ enabled_cloudwatch_logs_exports = ["general", "error"]
+
+ name = "demodb"
+ username = "user"
+ password = "YourPwdShouldBeLongAndSecure!"
+ port = "3306"
+
+ iam_database_authentication_enabled = true
+
+ vpc_security_group_ids = ["sg-12345678"]
+
+ maintenance_window = "Mon:00:00-Mon:03:00"
+ backup_window = "03:00-06:00"
+
+ # Enhanced Monitoring - see example for details on how to create the role
+ # by yourself, in case you don't want to create it automatically
+ monitoring_interval = "30"
+ monitoring_role_name = "MyRDSMonitoringRole"
+ create_monitoring_role = true
+
+ tags = {
+ Owner = "user"
+ Environment = "dev"
+ }
+
+ # DB subnet group
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+
+ # DB parameter group
+ family = "mysql5.7"
+
+ # DB option group
+ major_engine_version = "5.7"
+
+ # Database Deletion Protection
+ deletion_protection = true
+
+ parameters = [
+ {
+ name = "character_set_client"
+ value = "utf8mb4"
+ },
+ {
+ name = "character_set_server"
+ value = "utf8mb4"
+ }
+ ]
+
+ options = [
+ {
+ option_name = "MARIADB_AUDIT_PLUGIN"
+
+ option_settings = [
+ {
+ name = "SERVER_AUDIT_EVENTS"
+ value = "CONNECT"
+ },
+ {
+ name =
"SERVER_AUDIT_FILE_ROTATIONS"
+ value = "37"
+ },
+ ]
+ },
+ ]
+}
+
+```
+```tf title="Negative test num. 3 - tf file"
+module "db" {
+ source = "terraform-aws-modules/rds/aws"
+ version = "~> 3.0"
+
+ identifier = "demodb"
+
+ engine = "mysql"
+ engine_version = "5.7.19"
+ instance_class = "db.t2.large"
+ allocated_storage = 5
+ enabled_cloudwatch_logs_exports = ["upgrade"]
+
+ name = "demodb"
+ username = "user"
+ password = "YourPwdShouldBeLongAndSecure!"
+ port = "3306"
+
+ iam_database_authentication_enabled = true
+
+ vpc_security_group_ids = ["sg-12345678"]
+
+ maintenance_window = "Mon:00:00-Mon:03:00"
+ backup_window = "03:00-06:00"
+
+ # Enhanced Monitoring - see example for details on how to create the role
+ # by yourself, in case you don't want to create it automatically
+ monitoring_interval = "30"
+ monitoring_role_name = "MyRDSMonitoringRole"
+ create_monitoring_role = true
+
+ tags = {
+ Owner = "user"
+ Environment = "dev"
+ }
+
+ # DB subnet group
+ subnet_ids = ["subnet-12345678", "subnet-87654321"]
+
+ # DB parameter group
+ family = "mysql5.7"
+
+ # DB option group
+ major_engine_version = "5.7"
+
+ # Database Deletion Protection
+ deletion_protection = true
+
+ parameters = [
+ {
+ name = "character_set_client"
+ value = "utf8mb4"
+ },
+ {
+ name = "character_set_server"
+ value = "utf8mb4"
+ }
+ ]
+
+ options = [
+ {
+ option_name = "MARIADB_AUDIT_PLUGIN"
+
+ option_settings = [
+ {
+ name = "SERVER_AUDIT_EVENTS"
+ value = "CONNECT"
+ },
+ {
+ name = "SERVER_AUDIT_FILE_ROTATIONS"
+ value = "37"
+ },
+ ]
+ },
+ ]
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505.md b/docs/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505.md
new file mode 100644
index 00000000000..fa4b9bf3c71
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505.md
@@ -0,0 +1,633 @@
+---
+title: Auto Scaling Group With No Associated ELB
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8e94dced-9bcc-4203-8eb7-7e41202b2505
+- **Query name:** Auto Scaling Group With No Associated ELB
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/auto_scaling_group_with_no_associated_elb)
+
+### Description
+AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#load_balancers)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_autoscaling_group" "bar" {
+ availability_zones = ["us-east-1a"]
+ desired_capacity = 1
+ max_size = 1
+ min_size = 1
+
+ launch_template {
+ id = aws_launch_template.foobar.id
+ version = "$Latest"
+ }
+}
+
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="12"
+resource "aws_autoscaling_group" "positive2" {
+ availability_zones = ["us-east-1a"]
+ desired_capacity = 1
+ max_size = 1
+ min_size = 1
+
+ launch_template {
+ id = aws_launch_template.foobar.id
+ version = "$Latest"
+ }
+
+ load_balancers = []
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="1"
+module "positive3" {
+ source = "terraform-aws-modules/autoscaling/aws"
+ version = "~> 4.0"
+
+ # Autoscaling group
+ name = "example-asg"
+
+ min_size = 0
+ max_size = 1
+ desired_capacity = 1
+ wait_for_capacity_timeout = 0
+ health_check_type = "EC2"
+ vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"]
+
+ initial_lifecycle_hooks = [
+ {
+ name = "ExampleStartupLifeCycleHook"
+ default_result = "CONTINUE"
+ heartbeat_timeout = 60
+ lifecycle_transition = "autoscaling:EC2_INSTANCE_LAUNCHING"
+ notification_metadata = jsonencode({ "hello" = "world" })
+ },
+ {
+ name = "ExampleTerminationLifeCycleHook"
+ default_result = "CONTINUE"
+ heartbeat_timeout = 180
+ lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING"
+ notification_metadata = jsonencode({ "goodbye" = "world" })
+ }
+ ]
+
+ instance_refresh = {
+ strategy = "Rolling"
+ preferences = {
+ min_healthy_percentage = 50
+ }
+ triggers = ["tag"]
+ }
+
+ # Launch template
+ lt_name = "example-asg"
+ description = "Launch template example"
+ update_default_version = true
+
+ use_lt = true
+ create_lt = true
+
+ image_id = "ami-ebd02392"
+
instance_type = "t3.micro"
+ ebs_optimized = true
+ enable_monitoring = true
+
+ block_device_mappings = [
+ {
+ # Root volume
+ device_name = "/dev/xvda"
+ no_device = 0
+ ebs = {
+ delete_on_termination = true
+ encrypted = true
+ volume_size = 20
+ volume_type = "gp2"
+ }
+ }, {
+ device_name = "/dev/sda1"
+ no_device = 1
+ ebs = {
+ delete_on_termination = true
+ encrypted = true
+ volume_size = 30
+ volume_type = "gp2"
+ }
+ }
+ ]
+
+ capacity_reservation_specification = {
+ capacity_reservation_preference = "open"
+ }
+
+ cpu_options = {
+ core_count = 1
+ threads_per_core = 1
+ }
+
+ credit_specification = {
+ cpu_credits = "standard"
+ }
+
+ instance_market_options = {
+ market_type = "spot"
+ spot_options = {
+ block_duration_minutes = 60
+ }
+ }
+
+ metadata_options = {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ http_put_response_hop_limit = 32
+ }
+
+ network_interfaces = [
+ {
+ delete_on_termination = true
+ description = "eth0"
+ device_index = 0
+ security_groups = ["sg-12345678"]
+ },
+ {
+ delete_on_termination = true
+ description = "eth1"
+ device_index = 1
+ security_groups = ["sg-12345678"]
+ }
+ ]
+
+ placement = {
+ availability_zone = "us-west-1b"
+ }
+
+ tag_specifications = [
+ {
+ resource_type = "instance"
+ tags = { WhatAmI = "Instance" }
+ },
+ {
+ resource_type = "volume"
+ tags = { WhatAmI = "Volume" }
+ },
+ {
+ resource_type = "spot-instances-request"
+ tags = { WhatAmI = "SpotInstanceRequest" }
+ }
+ ]
+
+ tags = [
+ {
+ key = "Environment"
+ value = "dev"
+ propagate_at_launch = true
+ },
+ {
+ key = "Project"
+ value = "megasecret"
+ propagate_at_launch = true
+ },
+ ]
+
+ tags_as_map = {
+ extra_tag1 = "extra_value1"
+ extra_tag2 = "extra_value2"
+ }
+}
+
+```
+
Postitive test num. 4 - tf file + +```tf hl_lines="14" +module "positive4" { + source = "terraform-aws-modules/autoscaling/aws" + version = "~> 4.0" + + # Autoscaling group + name = "example-asg" + + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + health_check_type = "EC2" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + load_balancers = [] + + initial_lifecycle_hooks = [ + { + name = "ExampleStartupLifeCycleHook" + default_result = "CONTINUE" + heartbeat_timeout = 60 + lifecycle_transition = "autoscaling:EC2_INSTANCE_LAUNCHING" + notification_metadata = jsonencode({ "hello" = "world" }) + }, + { + name = "ExampleTerminationLifeCycleHook" + default_result = "CONTINUE" + heartbeat_timeout = 180 + lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" + notification_metadata = jsonencode({ "goodbye" = "world" }) + } + ] + + instance_refresh = { + strategy = "Rolling" + preferences = { + min_healthy_percentage = 50 + } + triggers = ["tag"] + } + + # Launch template + lt_name = "example-asg" + description = "Launch template example" + update_default_version = true + + use_lt = true + create_lt = true + + image_id = "ami-ebd02392" + instance_type = "t3.micro" + ebs_optimized = true + enable_monitoring = true + + block_device_mappings = [ + { + # Root volume + device_name = "/dev/xvda" + no_device = 0 + ebs = { + delete_on_termination = true + encrypted = true + volume_size = 20 + volume_type = "gp2" + } + }, { + device_name = "/dev/sda1" + no_device = 1 + ebs = { + delete_on_termination = true + encrypted = true + volume_size = 30 + volume_type = "gp2" + } + } + ] + + capacity_reservation_specification = { + capacity_reservation_preference = "open" + } + + cpu_options = { + core_count = 1 + threads_per_core = 1 + } + + credit_specification = { + cpu_credits = "standard" + } + + instance_market_options = { + market_type = "spot" + spot_options = { + block_duration_minutes = 60 + } + } + + metadata_options = { + 
http_endpoint = "enabled"
+ http_tokens = "required"
+ http_put_response_hop_limit = 32
+ }
+
+ network_interfaces = [
+ {
+ delete_on_termination = true
+ description = "eth0"
+ device_index = 0
+ security_groups = ["sg-12345678"]
+ },
+ {
+ delete_on_termination = true
+ description = "eth1"
+ device_index = 1
+ security_groups = ["sg-12345678"]
+ }
+ ]
+
+ placement = {
+ availability_zone = "us-west-1b"
+ }
+
+ tag_specifications = [
+ {
+ resource_type = "instance"
+ tags = { WhatAmI = "Instance" }
+ },
+ {
+ resource_type = "volume"
+ tags = { WhatAmI = "Volume" }
+ },
+ {
+ resource_type = "spot-instances-request"
+ tags = { WhatAmI = "SpotInstanceRequest" }
+ }
+ ]
+
+ tags = [
+ {
+ key = "Environment"
+ value = "dev"
+ propagate_at_launch = true
+ },
+ {
+ key = "Project"
+ value = "megasecret"
+ propagate_at_launch = true
+ },
+ ]
+
+ tags_as_map = {
+ extra_tag1 = "extra_value1"
+ extra_tag2 = "extra_value2"
+ }
+}
+
+```
+
+
Postitive test num. 5 - tf file + +```tf hl_lines="1" +resource "aws_autoscaling_group" "foo" { + name_prefix = "bar-" + vpc_zone_identifier = ["subnet-abcd1234", "subnet-1a2b3c4d"] + launch_configuration = aws_launch_configuration.foobar.name + target_group_arns = [] + min_size = 1 + max_size = 3 + desired_capacity = 2 + instance_refresh { + strategy = "Rolling" + preferences { + min_healthy_percentage = 50 + } + } +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="1" +resource "aws_autoscaling_group" "foo" { + name_prefix = "bar-" + vpc_zone_identifier = ["subnet-abcd1234", "subnet-1a2b3c4d"] + launch_configuration = aws_launch_configuration.foobar.name + min_size = 1 + max_size = 3 + desired_capacity = 2 + instance_refresh { + strategy = "Rolling" + preferences { + min_healthy_percentage = 50 + } + } +} + +``` +
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_autoscaling_group" "bar3" {
+ availability_zones = ["us-east-1a"]
+ desired_capacity = 1
+ max_size = 1
+ min_size = 1
+
+ launch_template {
+ id = aws_launch_template.foobar.id
+ version = "$Latest"
+ }
+
+ load_balancers = ["elb_1"]
+}
+
+```
+```tf title="Negative test num. 2 - tf file"
+module "asg" {
+ source = "terraform-aws-modules/autoscaling/aws"
+ version = "~> 4.0"
+
+ # Autoscaling group
+ name = "example-asg"
+
+ min_size = 0
+ max_size = 1
+ desired_capacity = 1
+ wait_for_capacity_timeout = 0
+ health_check_type = "EC2"
+ vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"]
+ load_balancers = ["elb_1"]
+
+ initial_lifecycle_hooks = [
+ {
+ name = "ExampleStartupLifeCycleHook"
+ default_result = "CONTINUE"
+ heartbeat_timeout = 60
+ lifecycle_transition = "autoscaling:EC2_INSTANCE_LAUNCHING"
+ notification_metadata = jsonencode({ "hello" = "world" })
+ },
+ {
+ name = "ExampleTerminationLifeCycleHook"
+ default_result = "CONTINUE"
+ heartbeat_timeout = 180
+ lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING"
+ notification_metadata = jsonencode({ "goodbye" = "world" })
+ }
+ ]
+
+ instance_refresh = {
+ strategy = "Rolling"
+ preferences = {
+ min_healthy_percentage = 50
+ }
+ triggers = ["tag"]
+ }
+
+ # Launch template
+ lt_name = "example-asg"
+ description = "Launch template example"
+ update_default_version = true
+
+ use_lt = true
+ create_lt = true
+
+ image_id = "ami-ebd02392"
+ instance_type = "t3.micro"
+ ebs_optimized = true
+ enable_monitoring = true
+
+ block_device_mappings = [
+ {
+ # Root volume
+ device_name = "/dev/xvda"
+ no_device = 0
+ ebs = {
+ delete_on_termination = true
+ encrypted = true
+ volume_size = 20
+ volume_type = "gp2"
+ }
+ }, {
+ device_name = "/dev/sda1"
+ no_device = 1
+ ebs = {
+ delete_on_termination = true
+ encrypted = true
+ volume_size = 30
+ volume_type = "gp2"
+ }
+ }
+ ]
+
+ capacity_reservation_specification = {
+ capacity_reservation_preference = "open"
+ }
+
+ cpu_options = {
+ core_count = 1
+ threads_per_core = 1
+ }
+
+ credit_specification = {
+ cpu_credits = "standard"
+ }
+
+ instance_market_options = {
+ market_type = "spot"
+ spot_options = {
+ block_duration_minutes = 60
+ }
+ }
+
+ metadata_options = {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ http_put_response_hop_limit = 32
+ }
+
+ network_interfaces = [
+ {
+ delete_on_termination = true
+ description = "eth0"
+ device_index = 0
+ security_groups = ["sg-12345678"]
+ },
+ {
+ delete_on_termination = true
+ description = "eth1"
+ device_index = 1
+ security_groups = ["sg-12345678"]
+ }
+ ]
+
+ placement = {
+ availability_zone = "us-west-1b"
+ }
+
+ tag_specifications = [
+ {
+ resource_type = "instance"
+ tags = { WhatAmI = "Instance" }
+ },
+ {
+ resource_type = "volume"
+ tags = { WhatAmI = "Volume" }
+ },
+ {
+ resource_type = "spot-instances-request"
+ tags = { WhatAmI = "SpotInstanceRequest" }
+ }
+ ]
+
+ tags = [
+ {
+ key = "Environment"
+ value = "dev"
+ propagate_at_launch = true
+ },
+ {
+ key = "Project"
+ value = "megasecret"
+ propagate_at_launch = true
+ },
+ ]
+
+ tags_as_map = {
+ extra_tag1 = "extra_value1"
+ extra_tag2 = "extra_value2"
+ }
+}
+
+```
+```tf title="Negative test num. 3 - tf file"
+resource "aws_autoscaling_group" "my_asg" {
+ name_prefix = format("%s-", var.name)
+ vpc_zone_identifier = var.private_zone_identifiers
+ launch_configuration = aws_launch_configuration.config.name
+ target_group_arns = [var.target_group_arns]
+ min_size = 1
+ max_size = 2
+ desired_capacity = 1
+ instance_refresh {
+ strategy = "Rolling"
+ preferences {
+ min_healthy_percentage = 50
+ }
+ }
+}
+
+```
+
Negative test num. 4 - tf file
+
+```tf
+resource "aws_autoscaling_group" "foo" {
+ name_prefix = "bar-"
+ vpc_zone_identifier = ["subnet-abcd1234", "subnet-1a2b3c4d"]
+ launch_configuration = aws_launch_configuration.foobar.name
+ target_group_arns = ["bar", "baz", "qux"]
+ min_size = 1
+ max_size = 3
+ desired_capacity = 2
+ instance_refresh {
+ strategy = "Rolling"
+ preferences {
+ min_healthy_percentage = 50
+ }
+ }
+}
+
+```
+
diff --git a/docs/queries/terraform-queries/aws/8f3c16b3-354d-45db-8ad5-5066778a9485.md b/docs/queries/terraform-queries/aws/8f3c16b3-354d-45db-8ad5-5066778a9485.md
new file mode 100644
index 00000000000..3db9fbcf838
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/8f3c16b3-354d-45db-8ad5-5066778a9485.md
@@ -0,0 +1,81 @@
+---
+title: Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8f3c16b3-354d-45db-8ad5-5066778a9485
+- **Query name:** Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint)
+
+### Description
+Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:UpdateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/8f75840d-9ee7-42f3-b203-b40e3979eb12.md b/docs/queries/terraform-queries/aws/8f75840d-9ee7-42f3-b203-b40e3979eb12.md
new file mode 100644
index 00000000000..a86ade85bb7
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/8f75840d-9ee7-42f3-b203-b40e3979eb12.md
@@ -0,0 +1,82 @@
+---
+title: Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8f75840d-9ee7-42f3-b203-b40e3979eb12
+- **Query name:** Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutUserPolicy)
+
+### Description
+Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutUserPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md b/docs/queries/terraform-queries/aws/8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md
new file mode 100644
index 00000000000..cdc4be3263e
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/8fdb08a0-a868-4fdf-9c27-ccab0237f1ab.md
@@ -0,0 +1,95 @@
+---
+title: ElastiCache Redis Cluster Without Backup
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8fdb08a0-a868-4fdf-9c27-ccab0237f1ab
+- **Query name:** ElastiCache Redis Cluster Without Backup
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Backup
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticache_redis_cluster_without_backup)
+
+### Description
+ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#snapshot_retention_limit)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="16 1"
+resource "aws_elasticache_cluster" "positive1" {
+ cluster_id = "cluster"
+ engine = "redis"
+ node_type = "cache.m5.large"
+ num_cache_nodes = 1
+ parameter_group_name = aws_elasticache_parameter_group.default.id
+}
+
+resource "aws_elasticache_cluster" "positive2" {
+ cluster_id = "cluster"
+ engine = "redis"
+ node_type = "cache.m5.large"
+ num_cache_nodes = 1
+ parameter_group_name = aws_elasticache_parameter_group.default.id
+
+ snapshot_retention_limit = 0
+}
+
+resource "aws_elasticache_parameter_group" "default" {
+ name = "cache-params"
+ family = "redis2.8"
+
+ parameter {
+ name = "activerehashing"
+ value = "yes"
+ }
+
+ parameter {
+ name = "min-slaves-to-write"
+ value = "2"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_elasticache_cluster" "negative1" {
+ cluster_id = "cluster"
+ engine = "redis"
+ node_type = "cache.m5.large"
+ num_cache_nodes = 1
+ parameter_group_name = aws_elasticache_parameter_group.default.id
+
+ snapshot_retention_limit = 5
+}
+
+resource "aws_elasticache_parameter_group" "default" {
+ name = "cache-params"
+ family = "redis2.8"
+
+ parameter {
+ name = "activerehashing"
+ value = "yes"
+ }
+
+ parameter {
+ name = "min-slaves-to-write"
+ value = "2"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/91bea7b8-0c31-4863-adc9-93f6177266c4.md b/docs/queries/terraform-queries/aws/91bea7b8-0c31-4863-adc9-93f6177266c4.md
new file mode 100644
index 00000000000..35aa89419e9
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/91bea7b8-0c31-4863-adc9-93f6177266c4.md
@@ -0,0 +1,71 @@
+---
+title: Stack Without Template
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 91bea7b8-0c31-4863-adc9-93f6177266c4
+- **Query name:** Stack Without Template
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/stack_without_template)
+
+### Description
+AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_cloudformation_stack" "positive1" {
+
+ name = "networking-stack"
+
+ parameters = {
+ VPCCidr = "10.0.0.0/16"
+ }
+
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_cloudformation_stack" "negative1" {
+
+ name = "networking-stack"
+
+ parameters = {
+ VPCCidr = "10.0.0.0/16"
+ }
+
+ template_url = "sometemplateurl"
+}
+
+
+
+resource "aws_cloudformation_stack" "negative2" {
+
+ name = "networking-stack"
+
+ parameters = {
+ VPCCidr = "10.0.0.0/16"
+ }
+
+ template_body = "sometemplatebody"
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/91f16d09-689e-4926-aca7-155157f634ed.md b/docs/queries/terraform-queries/aws/91f16d09-689e-4926-aca7-155157f634ed.md
new file mode 100644
index 00000000000..3d999f75d7c
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/91f16d09-689e-4926-aca7-155157f634ed.md
@@ -0,0 +1,72 @@
+---
+title: ECS Service Without Running Tasks
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 91f16d09-689e-4926-aca7-155157f634ed
+- **Query name:** ECS Service Without Running Tasks
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Availability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecs_service_without_running_tasks)
+
+### Description
+ECS Service should have at least 1 task running
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_ecs_service" "positive1" {
+ name = "positive1"
+ cluster = aws_ecs_cluster.example.id
+ desired_count = 0
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_ecs_service" "negative1" {
+ name = "negative1"
+ cluster = aws_ecs_cluster.example.id
+
+ deployment_maximum_percent = 200
+ deployment_minimum_healthy_percent = 100
+}
+
+resource "aws_ecs_service" "km_ecs_service" {
+ name = "km_ecs_service_${var.environment}"
+ cluster = aws_ecs_cluster.km_ecs_cluster.id
+ task_definition = aws_ecs_task_definition.km_ecs_task.arn
+ desired_count = 1
+ launch_type = "FARGATE"
+
+ load_balancer {
+ target_group_arn = var.elb_target_group_arn
+ container_name = "km-frontend"
+ container_port = 80
+ }
+ network_configuration {
+ assign_public_ip = true
+ subnets = var.private_subnet
+ security_groups = [ var.elb_sg ]
+ }
+ tags = merge(var.default_tags, {
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/92d65c51-5d82-4507-a2a1-d252e9706855.md b/docs/queries/terraform-queries/aws/92d65c51-5d82-4507-a2a1-d252e9706855.md
new file mode 100644
index 00000000000..2e5d3ab319c
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/92d65c51-5d82-4507-a2a1-d252e9706855.md
@@ -0,0 +1,71 @@
+---
+title: ROS Stack Without Template
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 92d65c51-5d82-4507-a2a1-d252e9706855
+- **Query name:** ROS Stack Without Template
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/alicloud/ros_stack_without_template)
+
+### Description
+Alicloud ROS Stack should have a template defined through the attribute template_url or attribute template_body
+[Documentation](https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/ros_stack) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "alicloud_ros_stack" "example" { + stack_name = "tf-testaccstack" + + stack_policy_body = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 92fe237e-074c-4262-81a4-2077acb928c1 +- **Query name:** Sensitive Port Is Exposed To Wide Private Network +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sensitive_port_is_exposed_to_wide_private_network) + +### Description +A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="6"
+resource "aws_security_group" "positive1" {
+ name = "allow_tls1"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 2200
+ to_port = 2500
+ protocol = "-1"
+ cidr_blocks = ["10.0.0.0/8"]
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="6"
+resource "aws_security_group" "positive2" {
+ name = "allow_tls2"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 20
+ to_port = 60
+ protocol = "tcp"
+ cidr_blocks = ["192.168.0.0/16"]
+ }
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="6"
+resource "aws_security_group" "positive3" {
+ name = "allow_tls3"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 5000
+ to_port = 6000
+ protocol = "-1"
+ cidr_blocks = ["172.16.0.0/12"]
+ }
+}
+
+```
+
Postitive test num. 4 - tf file
+
+```tf hl_lines="6"
+resource "aws_security_group" "positive4" {
+ name = "allow_tls4"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 20
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["10.0.0.0/8"]
+ }
+}
+
+```
+
+
Postitive test num. 5 - tf file
+
+```tf hl_lines="6"
+resource "aws_security_group" "positive5" {
+ name = "allow_tls5"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 445
+ to_port = 500
+ protocol = "udp"
+ cidr_blocks = ["192.168.0.0/16", "0.0.0.0/0", "2.2.3.4/12"]
+ }
+}
+
+```
+
+
Postitive test num. 6 - tf file
+
+```tf hl_lines="6"
+resource "aws_security_group" "positive6" {
+ name = "allow_tls6"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 135
+ to_port = 170
+ protocol = "udp"
+ cidr_blocks = ["10.68.0.0", "172.16.0.0/12"]
+ }
+}
+
+```
+
+
Postitive test num. 7 - tf file
+
+```tf hl_lines="6"
+resource "aws_security_group" "positive7" {
+ name = "allow_tls7"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 2383
+ to_port = 2383
+ protocol = "udp"
+ cidr_blocks = ["192.168.0.0/16", "10.0.0.0/8"]
+ }
+}
+
+```
+
+
Postitive test num. 8 - tf file
+
+```tf hl_lines="6"
+resource "aws_security_group" "positive8" {
+ name = "allow_tls8"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["172.16.0.0/12"]
+ }
+}
+
+```
+
+
Postitive test num. 9 - tf file
+
+```tf hl_lines="9"
+module "vote_service_sg" {
+ source = "terraform-aws-modules/security-group/aws"
+ version = "4.3.0"
+
+ name = "user-service"
+ description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
+ vpc_id = "vpc-12345678"
+
+ ingress_with_cidr_blocks = [
+ {
+ description = "TLS from VPC"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["172.16.0.0/12"]
+ }
+ ]
+}
+
+```
+
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_security_group" "negative1" {
+ name = "allow_tls1"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 2383
+ to_port = 2383
+ protocol = "tcp"
+ cidr_blocks = [aws_vpc.main.cidr_block]
+ }
+}
+
+```
+```tf title="Negative test num. 2 - tf file"
+resource "aws_security_group" "negative2" {
+ name = "allow_tls2"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 2384
+ to_port = 2386
+ protocol = "tcp"
+ cidr_blocks = ["/0"]
+ }
+}
+
+```
+```tf title="Negative test num. 3 - tf file"
+resource "aws_security_group" "negative3" {
+ name = "allow_tls3"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 25
+ to_port = 2500
+ protocol = "tcp"
+ cidr_blocks = ["1.2.3.4/0"]
+ }
+}
+
+```
+
Negative test num. 4 - tf file
+
+```tf
+resource "aws_security_group" "negative4" {
+ name = "allow_tls4"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 25
+ to_port = 2500
+ protocol = "tcp"
+ cidr_blocks = ["1.2.3.4/5"]
+ }
+}
+
+```
+
+
Negative test num. 5 - tf file
+
+```tf
+resource "aws_security_group" "negative5" {
+ name = "allow_tls5"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 25
+ to_port = 2500
+ protocol = "udp"
+ cidr_blocks = ["1.2.3.4/5", "0.0.0.0/12"]
+ }
+}
+
+```
+
+
Negative test num. 6 - tf file
+
+```tf
+resource "aws_security_group" "negative6" {
+ name = "allow_tls6"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["1.2.3.4", "0.0.0.0/0"]
+ }
+}
+
+```
+
+
Negative test num. 7 - tf file
+
+```tf
+module "vote_service_sg" {
+ source = "terraform-aws-modules/security-group/aws"
+ version = "4.3.0"
+
+ name = "user-service"
+ description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
+ vpc_id = "vpc-12345678"
+
+ ingress_with_cidr_blocks = [
+ {
+ description = "TLS from VPC"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["1.2.3.4", "0.0.0.0/0"]
+ }
+ ]
+}
+
+```
+
diff --git a/docs/queries/terraform-queries/aws/94690d79-b3b0-43de-b656-84ebef5753e5.md b/docs/queries/terraform-queries/aws/94690d79-b3b0-43de-b656-84ebef5753e5.md
new file mode 100644
index 00000000000..f04581c79d3
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/94690d79-b3b0-43de-b656-84ebef5753e5.md
@@ -0,0 +1,76 @@
+---
+title: CloudFront Logging Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 94690d79-b3b0-43de-b656-84ebef5753e5
+- **Query name:** CloudFront Logging Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudfront_logging_disabled)
+
+### Description
+AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_cloudfront_distribution" "positive1" {
+ origin {
+ domain_name = aws_s3_bucket.b.bucket_regional_domain_name
+ origin_id = local.s3_origin_id
+
+ s3_origin_config {
+ origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
+ }
+ }
+
+ enabled = true
+ is_ipv6_enabled = true
+ comment = "Some comment"
+ default_root_object = "index.html"
+
+ }
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_cloudfront_distribution" "negative1" {
+ origin {
+ domain_name = aws_s3_bucket.b.bucket_regional_domain_name
+ origin_id = local.s3_origin_id
+
+ s3_origin_config {
+ origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
+ }
+ }
+
+ enabled = true
+ is_ipv6_enabled = true
+ comment = "Some comment"
+ default_root_object = "index.html"
+
+ logging_config {
+ include_cookies = false
+ bucket = "mylogs.s3.amazonaws.com"
+ prefix = "myprefix"
+ }
+
+}
+```
diff --git a/docs/queries/terraform-queries/aws/94fbe150-27e3-4eba-9ca6-af32865e4503.md b/docs/queries/terraform-queries/aws/94fbe150-27e3-4eba-9ca6-af32865e4503.md
new file mode 100644
index 00000000000..55d77915363
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/94fbe150-27e3-4eba-9ca6-af32865e4503.md
@@ -0,0 +1,109 @@
+---
+title: User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 94fbe150-27e3-4eba-9ca6-af32865e4503
+- **Query name:** User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PassRole_and_glue_CreateDevEndpoint)
+
+### Description
+User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_user" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_user_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ user = aws_iam_user.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "glue:CreateDevEndpoint",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+resource "aws_iam_policy_attachment" "test-attach" {
+ name = "test-attachment"
+ users = [aws_iam_user.cosmic.name]
+ roles = [aws_iam_role.role.name]
+ groups = [aws_iam_group.group.name]
+ policy_arn = aws_iam_policy.policy.arn
+}
+
+
+resource "aws_iam_policy" "policy" {
+ name = "test-policy"
+ description = "A test policy"
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PassRole",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/9630336b-3fed-4096-8173-b9afdfe346a7.md b/docs/queries/terraform-queries/aws/9630336b-3fed-4096-8173-b9afdfe346a7.md
new file mode 100644
index 00000000000..bb560a4e8e5
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/9630336b-3fed-4096-8173-b9afdfe346a7.md
@@ -0,0 +1,58 @@
+---
+title: Unscanned ECR Image
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 9630336b-3fed-4096-8173-b9afdfe346a7
+- **Query name:** Unscanned ECR Image
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/unscanned_ecr_image)
+
+### Description
+Checks if the ECR Image has been scanned
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#scan_on_push)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 11"
+resource "aws_ecr_repository" "positive1" {
+ name = "img_p_2"
+ image_tag_mutability = "MUTABLE"
+}
+
+resource "aws_ecr_repository" "positive2" {
+ name = "img_p_1"
+ image_tag_mutability = "MUTABLE"
+
+ image_scanning_configuration {
+ scan_on_push = false
+ }
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_ecr_repository" "negative1" {
+ name = "bar"
+ image_tag_mutability = "MUTABLE"
+
+ image_scanning_configuration {
+ scan_on_push = true
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/aws/967eb3e6-26fc-497d-8895-6428beb6e8e2.md b/docs/queries/terraform-queries/aws/967eb3e6-26fc-497d-8895-6428beb6e8e2.md
new file mode 100644
index 00000000000..5d823e07c57
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/967eb3e6-26fc-497d-8895-6428beb6e8e2.md
@@ -0,0 +1,98 @@
+---
+title: Elasticsearch Domain Not Encrypted Node To Node
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 967eb3e6-26fc-497d-8895-6428beb6e8e2
+- **Query name:** Elasticsearch Domain Not Encrypted Node To Node
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticsearch_domain_not_encrypted_node_to_node)
+
+### Description
+Elasticsearch Domain encryption should be enabled node to node
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#node_to_node_encryption)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file"
+resource "aws_elasticsearch_domain" "positive1" {
+ domain_name = "example"
+ elasticsearch_version = "1.5"
+
+ cluster_config {
+ instance_type = "r4.large.elasticsearch"
+ }
+
+ snapshot_options {
+ automated_snapshot_start_hour = 23
+ }
+
+ tags = {
+ Domain = "TestDomain"
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file"
+resource "aws_elasticsearch_domain" "positive1" {
+ domain_name = "example"
+ elasticsearch_version = "1.5"
+
+ cluster_config {
+ instance_type = "r4.large.elasticsearch"
+ }
+
+ snapshot_options {
+ automated_snapshot_start_hour = 23
+ }
+
+ node_to_node_encryption {
+ enabled = false
+ }
+
+ tags = {
+ Domain = "TestDomain"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_elasticsearch_domain" "negative1" {
+ domain_name = "example"
+ elasticsearch_version = "1.5"
+
+ cluster_config {
+ instance_type = "r4.large.elasticsearch"
+ }
+
+ snapshot_options {
+ automated_snapshot_start_hour = 23
+ }
+
+ node_to_node_encryption {
+ enabled = true
+ }
+
+ tags = {
+ Domain = "TestDomain"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/96e8183b-e985-457b-90cd-61c0503a3369.md b/docs/queries/terraform-queries/aws/96e8183b-e985-457b-90cd-61c0503a3369.md
new file mode 100644
index 00000000000..c96e793c9d8
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/96e8183b-e985-457b-90cd-61c0503a3369.md
@@ -0,0 +1,80 @@
+---
+title: Global Accelerator Flow Logs Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 96e8183b-e985-457b-90cd-61c0503a3369
+- **Query name:** Global Accelerator Flow Logs Disabled
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/global_accelerator_flow_logs_disabled)
+
+### Description
+Global Accelerator should have flow logs enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/globalaccelerator_accelerator#flow_logs_enabled)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_globalaccelerator_accelerator" "positive1" {
+ name = "Example"
+ ip_address_type = "IPV4"
+ enabled = true
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="6"
+resource "aws_globalaccelerator_accelerator" "positive2" {
+ name = "Example"
+ ip_address_type = "IPV4"
+ enabled = true
+
+ attributes {
+ flow_logs_s3_bucket = "example-bucket"
+ flow_logs_s3_prefix = "flow-logs/"
+ }
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="7"
+resource "aws_globalaccelerator_accelerator" "positive3" {
+ name = "Example"
+ ip_address_type = "IPV4"
+ enabled = true
+
+ attributes {
+ flow_logs_enabled = false
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_globalaccelerator_accelerator" "negative1" {
+ name = "Example"
+ ip_address_type = "IPV4"
+ enabled = true
+
+ attributes {
+ flow_logs_enabled = true
+ flow_logs_s3_bucket = "example-bucket"
+ flow_logs_s3_prefix = "flow-logs/"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/96ed3526-0179-4c73-b1b2-372fde2e0d13.md b/docs/queries/terraform-queries/aws/96ed3526-0179-4c73-b1b2-372fde2e0d13.md
new file mode 100644
index 00000000000..c12ce87b6cf
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/96ed3526-0179-4c73-b1b2-372fde2e0d13.md
@@ -0,0 +1,99 @@
+---
+title: Default VPC Exists
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 96ed3526-0179-4c73-b1b2-372fde2e0d13
+- **Query name:** Default VPC Exists
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/default_vpc_exists)
+
+### Description
+It isn't recommended to use resources in default VPC
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_default_vpc" "positive1" {
+ tags = {
+ Name = "Default VPC"
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="14"
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.7.0"
+
+ name = "my-vpc"
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+ default_vpc_name = "my-default-vpc"
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_vpc" "negative1" {
+ cidr_block = "10.0.0.0/16"
+ instance_tenancy = "default"
+
+ tags = {
+ Name = "main"
+ }
+}
+
+
+
+```
+```tf title="Negative test num. 2 - tf file"
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.7.0"
+
+ name = "my-vpc"
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/970d224d-b42a-416b-81f9-8f4dfe70c4bc.md b/docs/queries/terraform-queries/aws/970d224d-b42a-416b-81f9-8f4dfe70c4bc.md
new file mode 100644
index 00000000000..c6dba6c1001
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/970d224d-b42a-416b-81f9-8f4dfe70c4bc.md
@@ -0,0 +1,144 @@ +--- +title: Root Account Has Active Access Keys +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 970d224d-b42a-416b-81f9-8f4dfe70c4bc +- **Query name:** Root Account Has Active Access Keys +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/root_account_has_active_access_keys) + +### Description +The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +#this is a problematic code where the query should report a result(s) +resource "aws_iam_access_key" "positive1" { + user = "root" + pgp_key = "keybase:some_person_that_exists" +} + +resource "aws_iam_user" "positive3" { + name = "loadbalancer" + path = "/system/" +} + +resource "aws_iam_user_policy" "positive4" { + name = "test" + user = aws_iam_user.lb.name + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 970ed7a2-0aca-4425-acf1-0453c9ecbca1 +- **Query name:** Group With Privilege Escalation By Actions 'iam:AddUserToGroup' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AddUserToGroup) + +### Description +Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AddUserToGroup", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/97cb0688-369a-4d26-b1f7-86c4c91231bc.md b/docs/queries/terraform-queries/aws/97cb0688-369a-4d26-b1f7-86c4c91231bc.md new file mode 100644 index 00000000000..37863af92f6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/97cb0688-369a-4d26-b1f7-86c4c91231bc.md @@ -0,0 +1,55 @@ +--- +title: ECS Cluster with Container Insights Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 97cb0688-369a-4d26-b1f7-86c4c91231bc +- **Query name:** ECS Cluster with Container Insights Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecs_cluster_container_insights_disabled) + +### Description +ECS Cluster should enable container insights
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster#setting) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_ecs_cluster" "foo" { + name = "white-hart" + +# setting { +# name = "containerInsights" +# value = "enabled" +# } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_ecs_cluster" "foo" { + name = "white-hart" + + setting { + name = "containerInsights" + value = "enabled" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/982aa526-6970-4c59-8b9b-2ce7e019fe36.md b/docs/queries/terraform-queries/aws/982aa526-6970-4c59-8b9b-2ce7e019fe36.md new file mode 100644 index 00000000000..91d246d18a5 --- /dev/null +++ b/docs/queries/terraform-queries/aws/982aa526-6970-4c59-8b9b-2ce7e019fe36.md @@ -0,0 +1,85 @@ +--- +title: API Gateway With CloudWatch Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 982aa526-6970-4c59-8b9b-2ce7e019fe36 +- **Query name:** API Gateway With CloudWatch Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled) + +### Description +AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#managing-the-api-logging-cloudwatch-log-group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +variable "stage_name" { + default = "example" + type = string +} +variable "stage_names" { + default = "examples" + type = string +} + +resource "aws_api_gateway_rest_api" "example" { + # ... other configuration ... +} + +resource "aws_api_gateway_stage" "example" { + depends_on = [aws_cloudwatch_log_group.example] + + stage_name = var.stage_name + # ... other configuration ... +} + +resource "aws_cloudwatch_log_group" "example" { + name = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${var.stage_names}" + retention_in_days = 7 + # ... potentially other configuration ... +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +variable "stage_name" { + default = "example" + type = string +} + +resource "aws_api_gateway_rest_api" "example" { + # ... other configuration ... +} + +resource "aws_api_gateway_stage" "example" { + depends_on = [aws_cloudwatch_log_group.example] + + stage_name = var.stage_name + # ... other configuration ... +} + +resource "aws_cloudwatch_log_group" "example" { + name = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${var.stage_name}" + retention_in_days = 7 + # ... potentially other configuration ... +} + +``` diff --git a/docs/queries/terraform-queries/aws/98a8f708-121b-455b-ae2f-da3fb59d17e1.md b/docs/queries/terraform-queries/aws/98a8f708-121b-455b-ae2f-da3fb59d17e1.md new file mode 100644 index 00000000000..b5b33b097c4 --- /dev/null +++ b/docs/queries/terraform-queries/aws/98a8f708-121b-455b-ae2f-da3fb59d17e1.md 
@@ -0,0 +1,288 @@ +--- +title: S3 Bucket with Unsecured CORS Rule +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 98a8f708-121b-455b-ae2f-da3fb59d17e1 +- **Query name:** S3 Bucket with Unsecured CORS Rule +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_with_unsecured_cors_rule) + +### Description +If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#cors_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="27" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "public-read" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = false + } + + cors_rule { + allowed_headers = ["*"] + allowed_methods = ["PUT", "POST"] + allowed_origins = ["https://s3-website-test.hashicorp.com"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="27" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive2" { + bucket = "my-tf-test-bucket" + acl = "public-read" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = false + } + + cors_rule { + allowed_headers = ["*"] + allowed_methods = ["GET", "PUT", "POST", "DELETE", "HEAD"] + allowed_origins = ["*"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="16" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + bucket = "s3-tf-example-versioning" + acl = "private" + version = "0.0.1" + + versioning = [ + { + enabled = true + mfa_delete = null + }, + ] + + cors_rule = [ + { + allowed_headers = ["*"] + allowed_methods = ["PUT", "POST"] + allowed_origins = ["https://s3-website-test.hashicorp.com"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } + ] +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="16" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + bucket = "s3-tf-example-versioning" + acl = "private" + version = "0.0.1" + + versioning = [ + { + enabled = true + mfa_delete = null + }, + ] + + cors_rule = [ + { + allowed_headers = ["*"] + allowed_methods = ["GET", "PUT", "POST", "DELETE", "HEAD"] + allowed_origins = ["*"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } + ] +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="26" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "bbb" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +resource "aws_s3_bucket_cors_configuration" "example" { + bucket = aws_s3_bucket.bbb.bucket + + cors_rule { + allowed_headers = ["*"] + allowed_methods = ["GET", "PUT", "POST", "DELETE", "HEAD"] + allowed_origins = ["*"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "negative1" { + bucket = "s3-website-test.hashicorp.com" + acl = "public-read" + + cors_rule { + allowed_methods = ["PUT", "POST"] + allowed_origins = ["https://s3-website-test.hashicorp.com"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + bucket = "s3-tf-example-versioning" + acl = "private" + version = "0.0.1" + + versioning = [ + { + enabled = true + mfa_delete = null + }, + ] + + cors_rule = [ + { + allowed_methods = ["PUT", "POST"] + allowed_origins = ["https://s3-website-test.hashicorp.com"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } + ] +} + +``` +```tf title="Negative test num. 3 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "b" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +resource "aws_s3_bucket_cors_configuration" "example" { + bucket = aws_s3_bucket.b.bucket + + cors_rule { + allowed_methods = ["PUT", "POST"] + allowed_origins = ["https://s3-website-test.hashicorp.com"] + expose_headers = ["ETag"] + max_age_seconds = 3000 + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/98d59056-f745-4ef5-8613-32bca8d40b7e.md b/docs/queries/terraform-queries/aws/98d59056-f745-4ef5-8613-32bca8d40b7e.md new file mode 100644 index 00000000000..170caac2692 --- /dev/null +++ b/docs/queries/terraform-queries/aws/98d59056-f745-4ef5-8613-32bca8d40b7e.md 
@@ -0,0 +1,67 @@ +--- +title: Neptune Database Cluster Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 98d59056-f745-4ef5-8613-32bca8d40b7e +- **Query name:** Neptune Database Cluster Encryption Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/neptune_database_cluster_encryption_disabled) + +### Description +Neptune database cluster storage should have encryption enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 19" +resource "aws_neptune_cluster" "positive1" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true +} + +resource "aws_neptune_cluster" "positive2" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + storage_encrypted = false +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_neptune_cluster" "negative1" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + storage_encrypted = true +} +``` diff --git a/docs/queries/terraform-queries/aws/9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md b/docs/queries/terraform-queries/aws/9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md new file mode 100644 index 00000000000..c1c98dc8e28 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9a205ba3-0dd1-42eb-8d54-2ffec836b51a.md 
@@ -0,0 +1,83 @@ +--- +title: Role With Privilege Escalation By Actions 'iam:CreateLoginProfile' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9a205ba3-0dd1-42eb-8d54-2ffec836b51a +- **Query name:** Role With Privilege Escalation By Actions 'iam:CreateLoginProfile' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreateLoginProfile) + +### Description +Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:CreateLoginProfile", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md b/docs/queries/terraform-queries/aws/9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md new file mode 100644 index 00000000000..f08a3dce185 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9a4ef195-74b9-4c58-b8ed-2b2fe4353a75.md @@ -0,0 +1,99 @@ +--- +title: VPC Default Security Group Accepts All Traffic +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75 +- **Query name:** VPC Default Security Group Accepts All Traffic +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/vpc_default_security_group_accepts_all_traffic) + +### Description +Default Security Group attached to every VPC should restrict all traffic
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 17" +resource "aws_vpc" "mainvpc" { + cidr_block = "10.1.0.0/16" +} + +resource "aws_default_security_group" "default" { + vpc_id = aws_vpc.mainvpc.id + + ingress = [ + { + protocol = -1 + self = true + from_port = 0 + to_port = 0 + } + ] + + egress = [ + { + from_port = 0 + to_port = 0 + protocol = "-1" + } + ] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="8 18 14 23" +resource "aws_vpc" "mainvpc3" { + cidr_block = "10.1.0.0/16" +} + +resource "aws_default_security_group" "default3" { + vpc_id = aws_vpc.mainvpc3.id + + ingress = [ + { + protocol = -1 + self = true + from_port = 0 + to_port = 0 + ipv6_cidr_blocks = ["::/0"] + } + ] + + egress = [ + { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_vpc" "mainvpc2" { + cidr_block = "10.1.0.0/16" +} + +resource "aws_default_security_group" "default2" { + vpc_id = aws_vpc.mainvpc2.id +} + +``` diff --git a/docs/queries/terraform-queries/aws/9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md b/docs/queries/terraform-queries/aws/9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md new file mode 100644 index 00000000000..9ecec4bdc15 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9b0ffadc-a61f-4c2a-b1e6-68fab60f6267.md 
@@ -0,0 +1,107 @@ +--- +title: Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9b0ffadc-a61f-4c2a-b1e6-68fab60f6267 +- **Query name:** Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack) + +### Description +Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "cloudformation:CreateStack", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + groups = [aws_iam_group.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/9b877bd8-94b4-4c10-a060-8e0436cc09fa.md b/docs/queries/terraform-queries/aws/9b877bd8-94b4-4c10-a060-8e0436cc09fa.md new file mode 100644 index 00000000000..0d544cf6241 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9b877bd8-94b4-4c10-a060-8e0436cc09fa.md 
@@ -0,0 +1,88 @@ +--- +title: User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9b877bd8-94b4-4c10-a060-8e0436cc09fa +- **Query name:** User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint) + +### Description +User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "glue:UpdateDevEndpoint", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/9ba198e0-fef4-464a-8a4d-75ea55300de7.md b/docs/queries/terraform-queries/aws/9ba198e0-fef4-464a-8a4d-75ea55300de7.md new file mode 100644 index 00000000000..7338b404587 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9ba198e0-fef4-464a-8a4d-75ea55300de7.md 
@@ -0,0 +1,55 @@ +--- +title: Neptune Cluster Instance is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9ba198e0-fef4-464a-8a4d-75ea55300de7 +- **Query name:** Neptune Cluster Instance is Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/neptune_cluster_instance_is_publicly_accessible) + +### Description +Neptune Cluster Instance should not be publicly accessible
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster_instance#publicly_accessible) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "aws_neptune_cluster_instance" "example" { + count = 2 + cluster_identifier = aws_neptune_cluster.default.id + engine = "neptune" + instance_class = "db.r4.large" + apply_immediately = true + publicly_accessible = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_neptune_cluster_instance" "negative" { + count = 2 + cluster_identifier = aws_neptune_cluster.default.id + engine = "neptune" + instance_class = "db.r4.large" + apply_immediately = true + publicly_accessible = false +} + +``` diff --git a/docs/queries/terraform-queries/aws/9cf718ce-46f9-430e-89ec-c456f8b469ee.md b/docs/queries/terraform-queries/aws/9cf718ce-46f9-430e-89ec-c456f8b469ee.md new file mode 100644 index 00000000000..621024d9952 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9cf718ce-46f9-430e-89ec-c456f8b469ee.md @@ -0,0 +1,375 @@ +--- +title: User Data Shell Script Is Encoded +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9cf718ce-46f9-430e-89ec-c456f8b469ee +- **Query name:** User Data Shell Script Is Encoded +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_data_shell_script_is_encoded) + +### Description +User Data Shell Script must be encoded
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#user_data_base64) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_launch_configuration" "positive1" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = "IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg==" # #!/bin/sh echo "Hello world" + + lifecycle { + create_before_destroy = true + } +} +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="11" +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + user_data_base64 = "IyEvYmluL3NoCmVjaG8gIkhlbGxvIHdvcmxkIg==" # #!/bin/sh echo "Hello world" + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + }, + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + }, + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_launch_configuration" "negative1" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + + lifecycle { + create_before_destroy = true + } +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "aws_launch_configuration" "negative2" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = "" + + lifecycle { + create_before_destroy = true + } +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "aws_launch_configuration" "negative3" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = null + + lifecycle { + create_before_destroy = true + } +} + +``` +
Negative test num. 4 - tf file + +```tf +resource "aws_launch_configuration" "negative4" { + image_id = data.aws_ami.ubuntu.id + instance_type = "m4.large" + spot_price = "0.001" + user_data_base64 = "ZWNobyAiSGVsbG8gd29ybGQi" + + lifecycle { + create_before_destroy = true + } +} + +``` +
+
Negative test num. 5 - tf file + +```tf +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + }, + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + }, + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` +
+
Negative test num. 6 - tf file + +```tf +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + user_data_base64 = "" + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + }, + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + }, + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` +
+
Negative test num. 7 - tf file + +```tf +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + user_data_base64 = null + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + }, + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + }, + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` +
+
Negative test num. 8 - tf file + +```tf +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "1.0.4" + + # Launch configuration + lc_name = "example-lc" + + image_id = "ami-ebd02392" + instance_type = "t2.micro" + security_groups = ["sg-12345678"] + user_data_base64 = "ZWNobyAiSGVsbG8gd29ybGQi" + + ebs_block_device = [ + { + device_name = "/dev/xvdz" + volume_type = "gp2" + volume_size = "50" + delete_on_termination = true + }, + ] + + root_block_device = [ + { + volume_size = "50" + volume_type = "gp2" + }, + ] + + # Auto scaling group + asg_name = "example-asg" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + health_check_type = "EC2" + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b.md b/docs/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b.md new file mode 100644 index 00000000000..3a1947b4466 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9d0d4512-1959-43a2-a17f-72360ff06d1b.md @@ -0,0 +1,142 @@ +--- +title: CloudWatch VPC Changes Alarm Missing +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9d0d4512-1959-43a2-a17f-72360ff06d1b +- **Query name:** CloudWatch VPC Changes Alarm Missing +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_vpc_changes_alarm_missing) + +### Description +Ensure a log metric filter and alarm exist for VPC changes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" { + name = "CIS-VPCChanges" + pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-VPCChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" { + alarm_name = "CIS-3.14-VPCChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "cis_no_mfa_console_signin_metric_filter" { + name = "CIS-ConsoleSigninWithoutMFA" + pattern = "{ ($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-ConsoleSigninWithoutMFA" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +resource "aws_cloudwatch_metric_alarm" "cis_no_mfa_console_signin_cw_alarm" { + alarm_name = "CIS-3.2-ConsoleSigninWithoutMFA" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_no_mfa_console_signin_metric_filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="1" +resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" { + name = "CIS-VPCChanges" + pattern = "{ ($.eventName = CreateVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = EnableVpcClassicLink) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-VPCChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" { + alarm_name = "CIS-3.14-VPCChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.CIS_VPC_Changes_Metric_Filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_cloudwatch_log_metric_filter" "CIS_VPC_Changes_Metric_Filter" { + name = "CIS-VPCChanges" + pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-VPCChanges" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} +resource "aws_cloudwatch_metric_alarm" "CIS_VPC_Changes_CW_Alarm" { + alarm_name = "CIS-3.14-VPCChanges" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.CIS_VPC_Changes_Metric_Filter.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_description = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path." + alarm_actions = [aws_sns_topic.CIS_Alerts_SNS_Topic.arn] + insufficient_data_actions = [] +} + +``` diff --git a/docs/queries/terraform-queries/aws/9ec311bf-dfd9-421f-8498-0b063c8bc552.md b/docs/queries/terraform-queries/aws/9ec311bf-dfd9-421f-8498-0b063c8bc552.md new file mode 100644 index 00000000000..07f582a64ff --- /dev/null +++ b/docs/queries/terraform-queries/aws/9ec311bf-dfd9-421f-8498-0b063c8bc552.md 
@@ -0,0 +1,54 @@ +--- +title: IAM User With Access To Console +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9ec311bf-dfd9-421f-8498-0b063c8bc552 +- **Query name:** IAM User With Access To Console +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_user_with_access_to_console) + +### Description +AWS IAM Users should not have access to console
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +resource "aws_iam_user" "example" { + name = "example" + path = "/" + force_destroy = true +} + +resource "aws_iam_user_login_profile" "example_login" { + user = aws_iam_user.example.name + pgp_key = "keybase:some_person_that_exists" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "example" { + name = "example" + path = "/" + force_destroy = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/9ef7d25d-9764-4224-9968-fa321c56ef76.md b/docs/queries/terraform-queries/aws/9ef7d25d-9764-4224-9968-fa321c56ef76.md new file mode 100644 index 00000000000..a0a0fee2c58 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9ef7d25d-9764-4224-9968-fa321c56ef76.md @@ -0,0 +1,63 @@ +--- +title: AWS Password Policy With Unchangeable Passwords +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9ef7d25d-9764-4224-9968-fa321c56ef76 +- **Query name:** AWS Password Policy With Unchangeable Passwords +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/aws_password_policy_with_unchangeable_passwords) + +### Description +Unchangeable passwords in AWS password policy
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="12" +resource "aws_sqs_queue" "positive1" { + name = "examplequeue" +} + +// comment +resource "aws_iam_account_password_policy" "positive2" { + minimum_password_length = 8 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = false +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_sqs_queue" "negative1" { + name = "examplequeue" +} + +// comment +resource "aws_iam_account_password_policy" "negative2" { + minimum_password_length = 10 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} +``` diff --git a/docs/queries/terraform-queries/aws/9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md b/docs/queries/terraform-queries/aws/9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md new file mode 100644 index 00000000000..3522e80b4e8 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9f40c07e-699e-4410-8856-3ba0f2e3a2dd.md @@ -0,0 +1,221 @@ +--- +title: CA Certificate Identifier Is Outdated +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9f40c07e-699e-4410-8856-3ba0f2e3a2dd +- **Query name:** CA Certificate Identifier Is Outdated +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ca_certificate_identifier_is_outdated) + +### Description +The CA certificate Identifier must be 'rds-ca-2019'.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="12" +resource "aws_db_instance" "positive1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + iam_database_authentication_enabled = true + storage_encrypted = true + ca_cert_identifier = "rds-ca-2015" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="11" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + ca_cert_identifier = "rds-ca-2015" + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, 
+ { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, + ] + }, + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_instance" "negative1" { + allocated_storage = 20 + storage_type = "gp2" + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t2.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + iam_database_authentication_enabled = true + storage_encrypted = true + ca_cert_identifier = "rds-ca-2019" +} + +``` +```tf title="Negative test num. 2 - tf file" +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "~> 3.0" + + identifier = "demodb" + + engine = "mysql" + engine_version = "5.7.19" + instance_class = "db.t2.large" + allocated_storage = 5 + ca_cert_identifier = "rds-ca-2019" + + name = "demodb" + username = "user" + password = "YourPwdShouldBeLongAndSecure!" + port = "3306" + + iam_database_authentication_enabled = true + + vpc_security_group_ids = ["sg-12345678"] + + maintenance_window = "Mon:00:00-Mon:03:00" + backup_window = "03:00-06:00" + + # Enhanced Monitoring - see example for details on how to create the role + # by yourself, in case you don't want to create it automatically + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" + create_monitoring_role = true + + tags = { + Owner = "user" + Environment = "dev" + } + + # DB subnet group + subnet_ids = ["subnet-12345678", "subnet-87654321"] + + # DB parameter group + family = "mysql5.7" + + # DB option group + major_engine_version = "5.7" + + # Database Deletion Protection + deletion_protection = true + + parameters = [ + { + name = "character_set_client" + value = "utf8mb4" + }, + { + name = "character_set_server" + value = "utf8mb4" + } + ] + + options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT" + }, + { + name = "SERVER_AUDIT_FILE_ROTATIONS" + value = "37" + }, 
+ ] + }, + ] +} + +``` diff --git a/docs/queries/terraform-queries/aws/9f4a9409-9c60-4671-be96-9716dbf63db1.md b/docs/queries/terraform-queries/aws/9f4a9409-9c60-4671-be96-9716dbf63db1.md new file mode 100644 index 00000000000..41faecd97e5 --- /dev/null +++ b/docs/queries/terraform-queries/aws/9f4a9409-9c60-4671-be96-9716dbf63db1.md @@ -0,0 +1,65 @@ +--- +title: ECS Task Definition Network Mode Not Recommended +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9f4a9409-9c60-4671-be96-9716dbf63db1 +- **Query name:** ECS Task Definition Network Mode Not Recommended +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecs_task_definition_network_mode_not_recommended) + +### Description +Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#network_mode) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +resource "aws_ecs_task_definition" "positive1" { + family = "service" + network_mode = "none" + + volume { + name = "service-storage" + host_path = "/ecs/service-storage" + } + + placement_constraints { + type = "memberOf" + expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_ecs_task_definition" "negative1" { + family = "service" + network_mode = "awsvpc" + + volume { + name = "service-storage" + host_path = "/ecs/service-storage" + } + + placement_constraints { + type = "memberOf" + expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]" + } +} +``` diff --git a/docs/queries/terraform-queries/aws/a186e82c-1078-4a7b-85d8-579561fde884.md b/docs/queries/terraform-queries/aws/a186e82c-1078-4a7b-85d8-579561fde884.md new file mode 100644 index 00000000000..f64df975293 --- /dev/null +++ b/docs/queries/terraform-queries/aws/a186e82c-1078-4a7b-85d8-579561fde884.md @@ -0,0 +1,207 @@ +--- +title: API Gateway without WAF +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a186e82c-1078-4a7b-85d8-579561fde884 +- **Query name:** API Gateway without WAF +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_without_waf) + +### Description +API Gateway should have WAF (Web Application Firewall) enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association#resource_arn) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="75" +resource "aws_wafregional_ipset" "ipset" { + name = "tfIPSet" + + ip_set_descriptor { + type = "IPV4" + value = "192.0.7.0/24" + } +} + +resource "aws_wafregional_rule" "foo" { + name = "tfWAFRule" + metric_name = "tfWAFRule" + + predicate { + data_id = aws_wafregional_ipset.ipset.id + negated = false + type = "IPMatch" + } +} + +resource "aws_wafregional_web_acl" "foo" { + name = "foo" + metric_name = "foo" + + default_action { + type = "ALLOW" + } + + rule { + action { + type = "BLOCK" + } + + priority = 1 + rule_id = aws_wafregional_rule.foo.id + } +} + +resource "aws_api_gateway_rest_api" "example" { + body = jsonencode({ + openapi = "3.0.1" + info = { + title = "example" + version = "1.0" + } + paths = { + "/path1" = { + get = { + x-amazon-apigateway-integration = { + httpMethod = "GET" + payloadFormatVersion = "1.0" + type = "HTTP_PROXY" + uri = "https://ip-ranges.amazonaws.com/ip-ranges.json" + } + } + } + } + }) + + name = "example" +} + +resource "aws_api_gateway_deployment" "example" { + rest_api_id = aws_api_gateway_rest_api.example.id + + triggers = { + redeployment = sha1(jsonencode(aws_api_gateway_rest_api.example.body)) + } + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_api_gateway_stage" "positive1" { + deployment_id = aws_api_gateway_deployment.example.id + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = "example" +} + +resource "aws_wafregional_web_acl_association" "association" { + resource_arn = aws_api_gateway_stage.positive.arn + web_acl_id = aws_wafregional_web_acl.foo.id +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_wafregional_ipset" "ipset" { + name = "tfIPSet" + + ip_set_descriptor { + type = "IPV4" + value = "192.0.7.0/24" + } +} + +resource "aws_wafregional_rule" "foo" { + name = "tfWAFRule" + metric_name = "tfWAFRule" + + predicate { + data_id = aws_wafregional_ipset.ipset.id + negated = false + type = "IPMatch" + } +} + +resource "aws_wafregional_web_acl" "foo" { + name = "foo" + metric_name = "foo" + + default_action { + type = "ALLOW" + } + + rule { + action { + type = "BLOCK" + } + + priority = 1 + rule_id = aws_wafregional_rule.foo.id + } +} + +resource "aws_api_gateway_rest_api" "example" { + body = jsonencode({ + openapi = "3.0.1" + info = { + title = "example" + version = "1.0" + } + paths = { + "/path1" = { + get = { + x-amazon-apigateway-integration = { + httpMethod = "GET" + payloadFormatVersion = "1.0" + type = "HTTP_PROXY" + uri = "https://ip-ranges.amazonaws.com/ip-ranges.json" + } + } + } + } + }) + + name = "example" +} + +resource "aws_api_gateway_deployment" "example" { + rest_api_id = aws_api_gateway_rest_api.example.id + + triggers = { + redeployment = sha1(jsonencode(aws_api_gateway_rest_api.example.body)) + } + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_api_gateway_stage" "negative1" { + deployment_id = aws_api_gateway_deployment.example.id + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = "example" +} + +resource "aws_wafregional_web_acl_association" "association" { + resource_arn = aws_api_gateway_stage.negative1.arn + web_acl_id = aws_wafregional_web_acl.foo.id +} + +``` diff --git a/docs/queries/terraform-queries/aws/a20be318-cac7-457b-911d-04cc6e812c25.md b/docs/queries/terraform-queries/aws/a20be318-cac7-457b-911d-04cc6e812c25.md new file mode 100644 index 00000000000..cb76d73b864 --- /dev/null +++ b/docs/queries/terraform-queries/aws/a20be318-cac7-457b-911d-04cc6e812c25.md 
@@ -0,0 +1,378 @@ +--- +title: Network ACL With Unrestricted Access To RDP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a20be318-cac7-457b-911d-04cc6e812c25 +- **Query name:** Network ACL With Unrestricted Access To RDP +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/network_acl_with_unrestricted_access_to_rdp) + +### Description +'RDP' (TCP:3389) should not be public in AWS Network ACL
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="30" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_network_acl" "positive1" { + vpc_id = aws_vpc.main.id + + egress = [ + { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 443 + to_port = 443 + } + ] + + ingress = [ + { + protocol = "tcp" + rule_no = 100 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 3389 + to_port = 3389 + } + ] + + tags = { + Name = "main" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="22" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_network_acl" "positive2" { + vpc_id = aws_vpc.main.id + + tags = { + Name = "main" + } +} + +resource "aws_network_acl_rule" "postive2" { + network_acl_id = aws_network_acl.positive2.id + rule_number = 100 + egress = false + protocol = "tcp" + rule_action = "allow" + from_port = 3389 + to_port = 3389 + cidr_block = "0.0.0.0/0" +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="26" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "<= 3.52.0" + } + } +} + +resource "aws_network_acl" "positive3" { + vpc_id = aws_vpc.main.id + + egress { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 443 + to_port = 443 + } + + ingress { + protocol = "tcp" + rule_no = 100 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 3389 + to_port = 3389 + } + + tags = { + Name = "main" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="14" +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + default_network_acl_ingress = [ + { + "action" : "allow", + "cidr_block" : "0.0.0.0/0", + "from_port" : 0, + "protocol" : "tcp", + "rule_no" : 3389, + "to_port" : 0 + } + ] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_network_acl" "negative1" { + vpc_id = aws_vpc.main.id + + egress = [ + { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 443 + to_port = 443 + } + ] + + ingress = [ + { + protocol = "tcp" + rule_no = 100 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 3389 + to_port = 3389 + } + ] + + tags = { + Name = "main" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_network_acl" "negative2" { + vpc_id = aws_vpc.main.id + + tags = { + Name = "main" + } +} + +resource "aws_network_acl_rule" "negative2" { + network_acl_id = aws_network_acl.negative2.id + rule_number = 100 + egress = false + protocol = "tcp" + rule_action = "allow" + from_port = 3389 + to_port = 3389 + cidr_block = "10.3.0.0/18" +} + +``` +```tf title="Negative test num. 3 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "3.52.0" + } + } +} + +resource "aws_network_acl" "negative3" { + vpc_id = aws_vpc.main.id + + egress { + protocol = "tcp" + rule_no = 200 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 443 + to_port = 443 + } + + ingress { + protocol = "tcp" + rule_no = 100 + action = "allow" + cidr_block = "10.3.0.0/18" + from_port = 3389 + to_port = 3389 + } + + tags = { + Name = "main" + } +} + +``` +
Negative test num. 4 - tf file + +```tf +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+
Negative test num. 5 - tf file + +```tf +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + default_network_acl_ingress = [ + { + "action" : "allow", + "cidr_block" : "0.0.0.0/0", + "from_port" : 0, + "protocol" : "-1", + "rule_no" : 100, + "to_port" : 0 + }, + { + "action" : "allow", + "cidr_block" : "10.3.0.0/18", + "from_port" : 0, + "protocol" : "-1", + "rule_no" : 3389, + "to_port" : 0 + } + ] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/a2f548f2-188c-4fff-b172-e9a6acb216bd.md b/docs/queries/terraform-queries/aws/a2f548f2-188c-4fff-b172-e9a6acb216bd.md new file mode 100644 index 00000000000..16f3578b0e9 --- /dev/null +++ b/docs/queries/terraform-queries/aws/a2f548f2-188c-4fff-b172-e9a6acb216bd.md @@ -0,0 +1,46 @@ +--- +title: Secretsmanager Secret Without KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a2f548f2-188c-4fff-b172-e9a6acb216bd +- **Query name:** Secretsmanager Secret Without KMS +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/secretsmanager_secret_without_kms) + +### Description +AWS Secretmanager should use AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_secretsmanager_secret" "example" {
+ name = "example"
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_secretsmanager_secret" "example" {
+ name = "example"
+ kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/a31a5a29-718a-4ff4-8001-a69e5e4d029e.md b/docs/queries/terraform-queries/aws/a31a5a29-718a-4ff4-8001-a69e5e4d029e.md
new file mode 100644
index 00000000000..f537dedcf46
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/a31a5a29-718a-4ff4-8001-a69e5e4d029e.md
@@ -0,0 +1,93 @@
+---
+title: Instance With No VPC
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a31a5a29-718a-4ff4-8001-a69e5e4d029e
+- **Query name:** Instance With No VPC
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/instance_with_no_vpc)
+
+### Description
+EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_instance" "positive1" {
+ ami = "ami-003634241a8fcdec0"
+
+ instance_type = "t2.micro"
+
+}
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+module "ec2_instance" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 3.0"
+
+ name = "single-instance"
+
+ ami = "ami-ebd02392"
+ instance_type = "t2.micro"
+ key_name = "user1"
+ monitoring = true
+ subnet_id = "subnet-eddcdzz4"
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_instance" "negative1" {
+ ami = "ami-003634241a8fcdec0"
+
+ instance_type = "t2.micro"
+
+ vpc_security_group_ids = ["aws_security_group.instance.id"]
+
+}
+
+```
+```tf title="Negative test num. 2 - tf file"
+module "ec2_instance" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 3.0"
+
+ name = "single-instance"
+
+ ami = "ami-ebd02392"
+ instance_type = "t2.micro"
+ key_name = "user1"
+ monitoring = true
+ vpc_security_group_ids = ["sg-12345678"]
+ subnet_id = "subnet-eddcdzz4"
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/a4966c4f-9141-48b8-a564-ffe9959945bc.md b/docs/queries/terraform-queries/aws/a4966c4f-9141-48b8-a564-ffe9959945bc.md
new file mode 100644
index 00000000000..ded22b11b6e
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/a4966c4f-9141-48b8-a564-ffe9959945bc.md
@@ -0,0 +1,143 @@
+---
+title: S3 Bucket With All Permissions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a4966c4f-9141-48b8-a564-ffe9959945bc
+- **Query name:** S3 Bucket With All Permissions
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_with_all_permissions)
+
+### Description
+S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_s3_bucket" "positive1" { + bucket = "S3B_181355" + acl = "private" + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** a8fc2180-b3ac-4c93-bd0d-a55b974e4b07 +- **Query name:** S3 Bucket Object Level CloudTrail Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_object_level_cloudtrail_logging_disabled) + +### Description +S3 Bucket object-level CloudTrail logging should be enabled for read and write events
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#event_selector) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9" +data "aws_caller_identity" "current" {} + +resource "aws_cloudtrail" "example" { + name = "tf-trail-foobar" + s3_bucket_name = aws_s3_bucket.foo.id + s3_key_prefix = "prefix" + include_global_service_events = false + + event_selector { + include_management_events = true + + data_resource { + type = "AWS::S3::Object" + values = ["arn:aws:s3:::"] + } + } +} + +resource "aws_s3_bucket" "foo" { + bucket = "tf-test-trail" + force_destroy = true + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** abb06e5f-ef9a-4a99-98c6-376d396bfcdf +- **Query name:** SQS Queue Exposed +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sqs_queue_exposed) + +### Description +Checks if the SQS Queue is exposed
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_sqs_queue" "positive1" { + name = "examplequeue" + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** abdb29d4-5ca1-4e91-800b-b3569bbd788c +- **Query name:** Config Rule For Encrypted Volumes Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/config_rule_for_encrypted_volumes_is_disabled) + +### Description +Check if AWS config rules do not identify Encrypted Volumes as a source.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_config_rule)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_config_config_rule" "positive1" {
+ name = "some_rule"
+
+ source {
+ owner = "AWS"
+ source_identifier = "IAM_PASSWORD_POLICY"
+ }
+}
+
+resource "aws_config_config_rule" "positive2" {
+ name = "another_rule"
+
+ source {
+ owner = "AWS"
+ source_identifier = "IAM_PASSWORD_POLICY"
+ }
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_config_config_rule" "negative1" {
+ name = "encrypted_vols_rule"
+
+ source {
+ owner = "AWS"
+ source_identifier = "ENCRYPTED_VOLUMES"
+ }
+}
+
+resource "aws_config_config_rule" "negative2" {
+ name = "another_rule"
+
+ source {
+ owner = "AWS"
+ source_identifier = "IAM_PASSWORD_POLICY"
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/aws/ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md b/docs/queries/terraform-queries/aws/ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md
new file mode 100644
index 00000000000..5a2021b4244
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/ac5a0bc0-a54c-45aa-90c3-15f7703b9132.md
@@ -0,0 +1,76 @@
+---
+title: Configuration Aggregator to All Regions Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ac5a0bc0-a54c-45aa-90c3-15f7703b9132
+- **Query name:** Configuration Aggregator to All Regions Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/config_configuration_aggregator_to_all_regions_disabled)
+
+### Description
+AWS Config Configuration Aggregator All Regions must be set to True
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator#all_regions)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="16 4"
+resource "aws_config_configuration_aggregator" "positive1" {
+ name = "example"
+
+ account_aggregation_source {
+ account_ids = ["123456789012"]
+ regions = ["us-east-2", "us-east-1", "us-west-1", "us-west-2"]
+ }
+}
+
+resource "aws_config_configuration_aggregator" "positive2" {
+ depends_on = [aws_iam_role_policy_attachment.organization]
+
+ name = "example" # Required
+
+ organization_aggregation_source {
+ all_regions = false
+ role_arn = aws_iam_role.organization.arn
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_config_configuration_aggregator" "negative1" {
+ name = "example"
+
+ account_aggregation_source {
+ all_regions = true
+
+ }
+}
+
+resource "aws_config_configuration_aggregator" "negative2" {
+ depends_on = [aws_iam_role_policy_attachment.organization]
+
+ name = "example" # Required
+
+ organization_aggregation_source {
+ all_regions = true
+ role_arn = aws_iam_role.organization.arn
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/aws/acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md b/docs/queries/terraform-queries/aws/acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md
new file mode 100644
index 00000000000..dfb8ddb5643
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/acb6b4e2-a086-4f35-aefd-4db6ea51ada2.md
@@ -0,0 +1,74 @@
+---
+title: Elasticsearch Log Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** acb6b4e2-a086-4f35-aefd-4db6ea51ada2
+- **Query name:** Elasticsearch Log Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticsearch_logs_disabled)
+
+### Description
+AWS Elasticsearch should have logs enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="6"
+resource "aws_elasticsearch_domain" "positive1" {
+
+ log_publishing_options {
+ cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
+ log_type = "INDEX_SLOW_LOGS"
+ enabled = false
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+resource "aws_elasticsearch_domain" "positive2" {
+ domain_name = "example"
+ elasticsearch_version = "1.5"
+
+ cluster_config {
+ instance_type = "r4.large.elasticsearch"
+ }
+
+ snapshot_options {
+ automated_snapshot_start_hour = 23
+ }
+
+ tags = {
+ Domain = "TestDomain"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_elasticsearch_domain" "negative1" {
+
+ log_publishing_options {
+ cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
+ log_type = "INDEX_SLOW_LOGS"
+ enabled = true //for default its true
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md b/docs/queries/terraform-queries/aws/ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md
new file mode 100644
index 00000000000..b14901d6edc
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/ad296c0d-8131-4d6b-b030-1b0e73a99ad3.md
@@ -0,0 +1,82 @@
+---
+title: Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ad296c0d-8131-4d6b-b030-1b0e73a99ad3
+- **Query name:** Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_UpdateLoginProfile)
+
+### Description
+Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:UpdateLoginProfile",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/ad5b4e97-2850-4adf-be17-1d293e0b85ee.md b/docs/queries/terraform-queries/aws/ad5b4e97-2850-4adf-be17-1d293e0b85ee.md
new file mode 100644
index 00000000000..9c9920d8701
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/ad5b4e97-2850-4adf-be17-1d293e0b85ee.md
@@ -0,0 +1,123 @@
+---
+title: Glue Security Configuration Encryption Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ad5b4e97-2850-4adf-be17-1d293e0b85ee
+- **Query name:** Glue Security Configuration Encryption Disabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/glue_security_configuration_encryption_disabled)
+
+### Description
+Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_security_configuration#encryption_configuration)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+resource "aws_glue_security_configuration" "positive1" {
+ name = "example"
+
+ encryption_configuration {
+ cloudwatch_encryption {
+ cloudwatch_encryption_mode = "SSE-KMS"
+ }
+
+ job_bookmarks_encryption {
+ job_bookmarks_encryption_mode = "CSE-KMS"
+ kms_key_arn = data.aws_kms_key.example.arn
+ }
+
+ s3_encryption {
+ kms_key_arn = data.aws_kms_key.example.arn
+ s3_encryption_mode = "SSE-KMS"
+ }
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="11"
+resource "aws_glue_security_configuration" "positive2" {
+ name = "example"
+
+ encryption_configuration {
+ cloudwatch_encryption {
+ cloudwatch_encryption_mode = "SSE-KMS"
+ kms_key_arn = data.aws_kms_key.example.arn
+ }
+
+ job_bookmarks_encryption {
+ job_bookmarks_encryption_mode = "DISABLED"
+ kms_key_arn = data.aws_kms_key.example.arn
+ }
+
+ s3_encryption {
+ kms_key_arn = data.aws_kms_key.example.arn
+ s3_encryption_mode = "SSE-KMS"
+ }
+ }
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="10"
+resource "aws_glue_security_configuration" "positive2" {
+ name = "example"
+
+ encryption_configuration {
+ cloudwatch_encryption {
+ cloudwatch_encryption_mode = "SSE-KMS"
+ kms_key_arn = data.aws_kms_key.example.arn
+ }
+
+ job_bookmarks_encryption {
+ kms_key_arn = data.aws_kms_key.example.arn
+ }
+
+ s3_encryption {
+ kms_key_arn = data.aws_kms_key.example.arn
+ s3_encryption_mode = "SSE-KMS"
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_glue_security_configuration" "negative1" {
+ name = "example"
+
+ encryption_configuration {
+ cloudwatch_encryption {
+ cloudwatch_encryption_mode = "SSE-KMS"
+ kms_key_arn = data.aws_kms_key.example.arn
+ }
+
+ job_bookmarks_encryption {
+ job_bookmarks_encryption_mode = "CSE-KMS"
+ kms_key_arn = data.aws_kms_key.example.arn
+ }
+
+ s3_encryption {
+ kms_key_arn = data.aws_kms_key.example.arn
+ s3_encryption_mode = "SSE-KMS"
+ }
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/ad9dabc7-7839-4bae-a957-aa9120013f39.md b/docs/queries/terraform-queries/aws/ad9dabc7-7839-4bae-a957-aa9120013f39.md
new file mode 100644
index 00000000000..5211d69ca83
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/ad9dabc7-7839-4bae-a957-aa9120013f39.md
@@ -0,0 +1,131 @@
+---
+title: Lambda With Vulnerable Policy
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ad9dabc7-7839-4bae-a957-aa9120013f39
+- **Query name:** Lambda With Vulnerable Policy
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/lambda_with_vulnerable_policy)
+
+### Description
+The attribute 'action' should not have wildcard
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission#action) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="35" +provider "aws" { + region = "us-east-1" +} + +resource "aws_lambda_function" "my-lambda" { + filename = "~/Downloads/lambda.json.zip" + function_name = "my-lambda" + role = aws_iam_role.lambda-role.arn + handler = "lambda_function.lambda_handler" + runtime = "python3.8" +} + +resource "aws_iam_role" "lambda-role" { + name = "lambda-role" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** af173fde-95ea-4584-b904-bb3923ac4bda +- **Query name:** Redshift Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/redshift_publicly_accessible) + +### Description +AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 17"
+resource "aws_redshift_cluster" "positive1" {
+ cluster_identifier = "tf-redshift-cluster"
+ database_name = "mydb"
+ master_username = "foo"
+ master_password = "Mustbe8characters"
+ node_type = "dc1.large"
+ cluster_type = "single-node"
+}
+
+resource "aws_redshift_cluster" "positive2" {
+ cluster_identifier = "tf-redshift-cluster"
+ database_name = "mydb"
+ master_username = "foo"
+ master_password = "Mustbe8characters"
+ node_type = "dc1.large"
+ cluster_type = "single-node"
+ publicly_accessible = true
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_redshift_cluster" "negative1" {
+ cluster_identifier = "tf-redshift-cluster"
+ database_name = "mydb"
+ master_username = "foo"
+ master_password = "Mustbe8characters"
+ node_type = "dc1.large"
+ cluster_type = "single-node"
+ publicly_accessible = false
+}
+```
diff --git a/docs/queries/terraform-queries/aws/afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md b/docs/queries/terraform-queries/aws/afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md
new file mode 100644
index 00000000000..db0eca56856
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/afecd1f1-6378-4f7e-bb3b-60c35801fdd4.md
@@ -0,0 +1,310 @@
+---
+title: ALB Deletion Protection Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** afecd1f1-6378-4f7e-bb3b-60c35801fdd4
+- **Query name:** ALB Deletion Protection Disabled
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/alb_deletion_protection_disabled)
+
+### Description
+Application Load Balancer should have deletion protection enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#enable_deletion_protection)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="7"
+resource "aws_alb" "positive1" {
+ name = "test-lb-tf"
+ internal = false
+ load_balancer_type = "network"
+ subnets = aws_subnet.public.*.id
+
+ enable_deletion_protection = false
+
+ tags = {
+ Environment = "production"
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="1"
+resource "aws_alb" "positive2" {
+ name = "test-lb-tf"
+ internal = false
+ load_balancer_type = "network"
+ subnets = aws_subnet.public.*.id
+
+
+ tags = {
+ Environment = "production"
+ }
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="7"
+resource "aws_lb" "positive3" {
+ name = "test-lb-tf"
+ internal = false
+ load_balancer_type = "network"
+ subnets = aws_subnet.public.*.id
+
+ enable_deletion_protection = false
+
+ tags = {
+ Environment = "production"
+ }
+}
+
+```
+
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_lb" "positive4" { + name = "test-lb-tf" + internal = false + load_balancer_type = "network" + subnets = aws_subnet.public.*.id + + tags = { + Environment = "production" + } +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="9" +module "alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 6.0" + + name = "my-alb" + + load_balancer_type = "application" + + enable_deletion_protection = false + + vpc_id = "vpc-abcde012" + subnets = ["subnet-abcde012", "subnet-bcde012a"] + security_groups = ["sg-edcd9784", "sg-edcd9785"] + + access_logs = { + bucket = "my-alb-logs" + } + + target_groups = [ + { + name_prefix = "pref-" + backend_protocol = "HTTP" + backend_port = 80 + target_type = "instance" + targets = [ + { + target_id = "i-0123456789abcdefg" + port = 80 + }, + { + target_id = "i-a1b2c3d4e5f6g7h8i" + port = 8080 + } + ] + } + ] + + https_listeners = [ + { + port = 443 + protocol = "HTTPS" + certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" + target_group_index = 0 + } + ] + + http_tcp_listeners = [ + { + port = 80 + protocol = "HTTP" + target_group_index = 0 + } + ] + + tags = { + Environment = "Test" + } +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="1" +module "alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 6.0" + + name = "my-alb" + + load_balancer_type = "application" + + vpc_id = "vpc-abcde012" + subnets = ["subnet-abcde012", "subnet-bcde012a"] + security_groups = ["sg-edcd9784", "sg-edcd9785"] + + access_logs = { + bucket = "my-alb-logs" + } + + target_groups = [ + { + name_prefix = "pref-" + backend_protocol = "HTTP" + backend_port = 80 + target_type = "instance" + targets = [ + { + target_id = "i-0123456789abcdefg" + port = 80 + }, + { + target_id = "i-a1b2c3d4e5f6g7h8i" + port = 8080 + } + ] + } + ] + + https_listeners = [ + { + port = 443 + protocol = "HTTPS" + certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" + target_group_index = 0 + } + ] + + http_tcp_listeners = [ + { + port = 80 + protocol = "HTTP" + target_group_index = 0 + } + ] + + tags = { + Environment = "Test" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_alb" "negative1" { + name = "test-lb-tf" + internal = false + load_balancer_type = "network" + subnets = aws_subnet.public.*.id + + enable_deletion_protection = true + + tags = { + Environment = "production" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_lb" "negative2" { + name = "test-lb-tf" + internal = false + load_balancer_type = "network" + subnets = aws_subnet.public.*.id + + enable_deletion_protection = true + + tags = { + Environment = "production" + } +} + +``` +```tf title="Negative test num. 3 - tf file" +module "alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 6.0" + + name = "my-alb" + + load_balancer_type = "application" + + enable_deletion_protection = true + + vpc_id = "vpc-abcde012" + subnets = ["subnet-abcde012", "subnet-bcde012a"] + security_groups = ["sg-edcd9784", "sg-edcd9785"] + + access_logs = { + bucket = "my-alb-logs" + } + + target_groups = [ + { + name_prefix = "pref-" + backend_protocol = "HTTP" + backend_port = 80 + target_type = "instance" + targets = [ + { + target_id = "i-0123456789abcdefg" + port = 80 + }, + { + target_id = "i-a1b2c3d4e5f6g7h8i" + port = 8080 + } + ] + } + ] + + https_listeners = [ + { + port = 443 + protocol = "HTTPS" + certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012" + target_group_index = 0 + } + ] + + http_tcp_listeners = [ + { + port = 80 + protocol = "HTTP" + target_group_index = 0 + } + ] + + tags = { + Environment = "Test" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md b/docs/queries/terraform-queries/aws/b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md new file mode 100644 index 00000000000..033f7ec907a --- /dev/null +++ b/docs/queries/terraform-queries/aws/b0d3ef3f-845d-4b1b-83d6-63a5a380375f.md 
@@ -0,0 +1,63 @@
+---
+title: Secretsmanager Secret Encrypted With AWS Managed Key
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b0d3ef3f-845d-4b1b-83d6-63a5a380375f
+- **Query name:** Secretsmanager Secret Encrypted With AWS Managed Key
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/secretsmanager_secret_encrypted_with_aws_managed_key)
+
+### Description
+Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="3"
+resource "aws_secretsmanager_secret" "test2" {
+ name = "test-cloudrail-1"
+ kms_key_id = "alias/aws/secretsmanager"
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="11"
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_kms_key" "by_alias" {
+ key_id = "alias/aws/secretsmanager"
+}
+
+resource "aws_secretsmanager_secret" "test" {
+ name = "test-cloudrail-1"
+ kms_key_id = data.aws_kms_key.by_alias.arn
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_secretsmanager_secret" "test222" {
+ name = "test-cloudrail-1"
+ kms_key_id = "alias/MyAlias"
+}
+
+
+```
diff --git a/docs/queries/terraform-queries/aws/b161c11b-a59b-4431-9a29-4e19f63e6b27.md b/docs/queries/terraform-queries/aws/b161c11b-a59b-4431-9a29-4e19f63e6b27.md
new file mode 100644
index 00000000000..d2e2cc19b04
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/b161c11b-a59b-4431-9a29-4e19f63e6b27.md
@@ -0,0 +1,152 @@
+---
+title: REST API With Vulnerable Policy
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b161c11b-a59b-4431-9a29-4e19f63e6b27
+- **Query name:** REST API With Vulnerable Policy
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/rest_api_with_vulnerable_policy)
+
+### Description
+REST API policy should avoid wildcard in 'Action' and 'Principal'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="15" +provider "aws" { + region = "us-east-1" +} + +resource "aws_api_gateway_rest_api" "api_gw" { + name = "api-gw-cache-encrypted" + description = "API GW test" +} + + + +resource "aws_api_gateway_rest_api_policy" "test" { + rest_api_id = aws_api_gateway_rest_api.api_gw.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** b1a72f66-2236-4f3b-87ba-0da1b366956f +- **Query name:** SNS Topic Encrypted With AWS Managed Key +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sns_topic_encrypted_with_aws_managed_key) + +### Description +SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#kms_master_key_id)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="3"
+resource "aws_sns_topic" "user_updates" {
+ name = "user-updates-topic"
+ kms_master_key_id = "alias/aws/sns"
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="11"
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_kms_key" "by_alias" {
+ key_id = "alias/aws/sns"
+}
+
+resource "aws_sns_topic" "test" {
+ name = "sns_ecnrypted"
+ kms_master_key_id = data.aws_kms_key.by_alias.arn
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+provider "aws2" {
+ region = "us-east-1"
+}
+
+resource "aws_sns_topic" "test2" {
+ name = "sns_ecnrypted"
+ kms_master_key_id = "alias/MyAlias"
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/b1ffa705-19a3-4b73-b9d0-0c97d0663842.md b/docs/queries/terraform-queries/aws/b1ffa705-19a3-4b73-b9d0-0c97d0663842.md
new file mode 100644
index 00000000000..0383b81c66b
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/b1ffa705-19a3-4b73-b9d0-0c97d0663842.md
@@ -0,0 +1,110 @@
+---
+title: IAM Role With Full Privileges
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b1ffa705-19a3-4b73-b9d0-0c97d0663842
+- **Query name:** IAM Role With Full Privileges
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_role_with_full_privileges)
+
+### Description
+IAM role policy that allow full administrative privileges (for all resources)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4 29" +resource "aws_iam_role" "positive1" { + name = "test_role" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** b2315cae-b110-4426-81e0-80bb8640cdd3 +- **Query name:** Athena Database Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/athena_database_not_encrypted) + +### Description +AWS Athena Database data in S3 should be encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+resource "aws_s3_bucket" "hoge" {
+ bucket = "hoge"
+}
+
+resource "aws_athena_database" "hoge" {
+ name = "database_name"
+ bucket = aws_s3_bucket.hoge.bucket
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_s3_bucket" "hoge" {
+ bucket = "hoge"
+}
+
+resource "aws_athena_database" "hoge" {
+ name = "database_name"
+ bucket = aws_s3_bucket.hoge.bucket
+
+ encryption_configuration {
+ encryption_option = "SSE_KMS"
+ kms_key = "SSE_KMS"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md b/docs/queries/terraform-queries/aws/b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md
new file mode 100644
index 00000000000..c5d804d85d1
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/b26d2b7e-60f6-413d-a3a1-a57db24aa2b3.md
@@ -0,0 +1,74 @@
+---
+title: SNS Topic is Publicly Accessible
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b26d2b7e-60f6-413d-a3a1-a57db24aa2b3
+- **Query name:** SNS Topic is Publicly Accessible
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sns_topic_is_publicly_accessible)
+
+### Description
+SNS Topic Policy should not allow any principal to access
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +resource "aws_sns_topic" "positive1" { +policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** b3a41501-f712-4c4f-81e5-db9a7dc0e34e +- **Query name:** VPC Peering Route Table with Unrestricted CIDR +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/vpc_peering_route_table_with_unrestricted_cidr) + +### Description +VPC Peering Route Table should restrict CIDR
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="118" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "<= 3.49.0" + } + } +} + +provider "aws" { + region = "us-east-1" +} + +variable vpc_1_cidr_block { + type = string + default = "10.0.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_2_cidr_block { + type = string + default = "10.2.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_cidr_public_block { + type = string + default = "10.0.1.0/24" + description = "public CIDR block" +} + +variable vpc_cidr_private_block { + type = string + default = "10.0.2.0/24" + description = "private CIDR block" +} + +resource "aws_vpc" "vpc1" { + cidr_block = var.vpc_1_cidr_block + + tags = { + Name = "tf-test-vpc-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "public" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_public_block + availability_zone = "us-east-1a" + + tags = { + Name = "public-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "private" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_private_block + availability_zone = "us-east-1a" + + tags = { + Name = "private-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_vpc" "vpc2" { + cidr_block = var.vpc_2_cidr_block + + tags = { + Name = "tf-test-vpc-2" + Project = "CIS Certification" + } +} + +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Name = "igw" + Project = "CIS Certification" + } +} + +resource "aws_eip" "nat" {} + +resource "aws_nat_gateway" "nat" { + allocation_id = aws_eip.nat.id + subnet_id = aws_subnet.public.*.id[0] + + tags = { + Name = "nat" + Project = "CIS Certification" + } + + depends_on = [aws_internet_gateway.igw] +} + +data 
"aws_caller_identity" "current" {} + +resource "aws_vpc_peering_connection" "my_peering" { + peer_owner_id = data.aws_caller_identity.current.account_id + peer_vpc_id = aws_vpc.vpc1.id + vpc_id = aws_vpc.vpc2.id + auto_accept = true + + tags = { + Name = "VPC Peering between vpc1 and vpc2" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "public_route_table" { + vpc_id = aws_vpc.vpc1.id + + route { + cidr_block = "0.0.0.0/0" + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + } + + tags = { + Name = "public_route_table" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "private_route_table" { + vpc_id = aws_vpc.vpc1.id + + route { + cidr_block = aws_vpc.vpc2.cidr_block + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + } + + tags = { + Name = "private_route_table" + Project = "CIS Certification" + } +} + +resource "aws_route_table_association" "private_route_table_association" { + subnet_id = aws_subnet.private.id + route_table_id = aws_route_table.private_route_table.id +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="132" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "<= 3.49.0" + } + } +} + +provider "aws" { + region = "us-east-1" +} + +variable vpc_1_cidr_block { + type = string + default = "10.0.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_2_cidr_block { + type = string + default = "10.2.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_cidr_public_block { + type = string + default = "10.0.1.0/24" + description = "public CIDR block" +} + +variable vpc_cidr_private_block { + type = string + default = "10.0.2.0/24" + description = "private CIDR block" +} + +resource "aws_vpc" "vpc1" { + cidr_block = var.vpc_1_cidr_block + tags = { + Name = "tf-test-vpc-2" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "public" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_public_block + availability_zone = "us-east-1a" + + + tags = { + Name = "public-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "private" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_private_block + availability_zone = "us-east-1a" + + tags = { + Name = "private-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_vpc" "vpc2" { + cidr_block = var.vpc_2_cidr_block + tags = { + Name = "tf-test-vpc-2" + Project = "CIS Certification" + } +} + +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Name = "igw" + Project = "CIS Certification" + } +} + +resource "aws_eip" "nat" {} + +resource "aws_nat_gateway" "nat" { + allocation_id = aws_eip.nat.id + subnet_id = aws_subnet.public.*.id[0] + + tags = { + Name = "nat" + Project = "CIS Certification" + } + + depends_on = [aws_internet_gateway.igw] +} + +data "aws_caller_identity" "current" {} + +resource "aws_vpc_peering_connection" "my_peering" { + peer_owner_id = data.aws_caller_identity.current.account_id + peer_vpc_id = aws_vpc.vpc1.id + vpc_id = aws_vpc.vpc2.id + 
auto_accept = true + + tags = { + Name = "VPC Peering between vpc1 and vpc2" + Project = "CIS Certification" + } +} + + +resource "aws_route_table" "public_route_table9" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Name = "public-route-table" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "private_route_table" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Project = "CIS Certification" + } +} + +resource "aws_route" "private_route2" { + route_table_id = aws_route_table.public_route_table9.id + destination_cidr_block = "0.0.0.0/0" + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + depends_on = [aws_route_table.public_route_table9] +} + +resource "aws_route_table_association" "private_route_table_association" { + subnet_id = aws_subnet.private.*.id[0] + route_table_id = aws_route_table.private_route_table.id +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="118" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.55.0" + } + } +} + +provider "aws" { + region = "us-east-1" +} + +variable vpc_1_cidr_block { + type = string + default = "10.0.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_2_cidr_block { + type = string + default = "10.2.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_cidr_public_block { + type = string + default = "10.0.1.0/24" + description = "public CIDR block" +} + +variable vpc_cidr_private_block { + type = string + default = "10.0.2.0/24" + description = "private CIDR block" +} + +resource "aws_vpc" "vpc1" { + cidr_block = var.vpc_1_cidr_block + + tags = { + Name = "tf-test-vpc-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "public" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_public_block + availability_zone = "us-east-1a" + + tags = { + Name = "public-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "private" { + vpc_id = aws_vpc.vpc1.id + cidr_block = 
var.vpc_cidr_private_block + availability_zone = "us-east-1a" + + tags = { + Name = "private-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_vpc" "vpc2" { + cidr_block = var.vpc_2_cidr_block + + tags = { + Name = "tf-test-vpc-2" + Project = "CIS Certification" + } +} + +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Name = "igw" + Project = "CIS Certification" + } +} + +resource "aws_eip" "nat" {} + +resource "aws_nat_gateway" "nat" { + allocation_id = aws_eip.nat.id + subnet_id = aws_subnet.public.*.id[0] + + tags = { + Name = "nat" + Project = "CIS Certification" + } + + depends_on = [aws_internet_gateway.igw] +} + +data "aws_caller_identity" "current" {} + +resource "aws_vpc_peering_connection" "my_peering" { + peer_owner_id = data.aws_caller_identity.current.account_id + peer_vpc_id = aws_vpc.vpc1.id + vpc_id = aws_vpc.vpc2.id + auto_accept = true + + tags = { + Name = "VPC Peering between vpc1 and vpc2" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "public_route_table" { + vpc_id = aws_vpc.vpc1.id + + route = [ + + { + cidr_block = "0.0.0.0/0" + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + gateway_id = "" + instance_id = "" + ipv6_cidr_block = "" + egress_only_gateway_id = "" + nat_gateway_id = "" + network_interface_id = "" + transit_gateway_id = "" + carrier_gateway_id = "" + destination_prefix_list_id = "" + local_gateway_id = "" + vpc_endpoint_id = "" + + } + ] + + + tags = { + Name = "public_route_table" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "private_route_table" { + vpc_id = aws_vpc.vpc1.id + + route { + cidr_block = aws_vpc.vpc2.cidr_block + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + } + + tags = { + Name = "private_route_table" + Project = "CIS Certification" + } +} + +resource "aws_route_table_association" "private_route_table_association" { + subnet_id = aws_subnet.private.id + route_table_id 
= aws_route_table.private_route_table.id +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "<= 3.49.0" + } + } +} + +provider "aws" { + region = "us-east-1" +} + +variable vpc_1_cidr_block { + type = string + default = "10.0.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_2_cidr_block { + type = string + default = "10.2.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_cidr_public_block { + type = string + default = "10.0.1.0/24" + description = "public CIDR block" +} + +variable vpc_cidr_private_block { + type = string + default = "10.0.2.0/24" + description = "private CIDR block" +} + +resource "aws_vpc" "vpc1" { + cidr_block = var.vpc_1_cidr_block + + tags = { + Name = "tf-test-vpc-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "public" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_public_block + availability_zone = "us-east-1a" + + tags = { + Name = "public-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "private" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_private_block + availability_zone = "us-east-1a" + + tags = { + Name = "private-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_vpc" "vpc2" { + cidr_block = var.vpc_2_cidr_block + + tags = { + Name = "tf-test-vpc-2" + Project = "CIS Certification" + } +} + +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Name = "igw" + Project = "CIS Certification" + } +} + +resource "aws_eip" "nat" {} + +resource "aws_nat_gateway" "nat" { + allocation_id = aws_eip.nat.id + subnet_id = aws_subnet.public.*.id[0] + + tags = { + Name = "nat" + Project = "CIS Certification" + } + + depends_on = [aws_internet_gateway.igw] +} + +data "aws_caller_identity" "current" {} + +resource "aws_vpc_peering_connection" "my_peering" { + 
peer_owner_id = data.aws_caller_identity.current.account_id + peer_vpc_id = aws_vpc.vpc1.id + vpc_id = aws_vpc.vpc2.id + auto_accept = true + + tags = { + Name = "VPC Peering between vpc1 and vpc2" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "public_route_table" { + vpc_id = aws_vpc.vpc1.id + + route { + cidr_block = "10.0.0.0/8" + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + } + + tags = { + Name = "public_route_table" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "private_route_table" { + vpc_id = aws_vpc.vpc1.id + + route { + cidr_block = aws_vpc.vpc2.cidr_block + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + } + + tags = { + Name = "private_route_table" + Project = "CIS Certification" + } +} + +resource "aws_route_table_association" "private_route_table_association" { + subnet_id = aws_subnet.private.id + route_table_id = aws_route_table.private_route_table.id +} + +``` +```tf title="Negative test num. 
2 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "<= 3.49.0" + } + } +} + +provider "aws" { + region = "us-east-1" +} + +variable vpc_1_cidr_block { + type = string + default = "10.0.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_2_cidr_block { + type = string + default = "10.2.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_cidr_public_block { + type = string + default = "10.0.1.0/24" + description = "public CIDR block" +} + +variable vpc_cidr_private_block { + type = string + default = "10.0.2.0/24" + description = "private CIDR block" +} + +resource "aws_vpc" "vpc1" { + cidr_block = var.vpc_1_cidr_block + tags = { + Name = "tf-test-vpc-2" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "public" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_public_block + availability_zone = "us-east-1a" + + + tags = { + Name = "public-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "private" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_private_block + availability_zone = "us-east-1a" + + tags = { + Name = "private-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_vpc" "vpc2" { + cidr_block = var.vpc_2_cidr_block + tags = { + Name = "tf-test-vpc-2" + Project = "CIS Certification" + } +} + +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Name = "igw" + Project = "CIS Certification" + } +} + +resource "aws_eip" "nat" {} + +resource "aws_nat_gateway" "nat" { + allocation_id = aws_eip.nat.id + subnet_id = aws_subnet.public.*.id[0] + + tags = { + Name = "nat" + Project = "CIS Certification" + } + + depends_on = [aws_internet_gateway.igw] +} + +data "aws_caller_identity" "current" {} + +resource "aws_vpc_peering_connection" "my_peering" { + peer_owner_id = data.aws_caller_identity.current.account_id + peer_vpc_id = aws_vpc.vpc1.id + vpc_id = aws_vpc.vpc2.id + auto_accept = true + + 
tags = { + Name = "VPC Peering between vpc1 and vpc2" + Project = "CIS Certification" + } +} + + +resource "aws_route_table" "public_route_table2" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Name = "public-route-table" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "private_route_table" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Project = "CIS Certification" + } +} + +resource "aws_route" "private_route2" { + route_table_id = aws_route_table.public_route_table2.id + destination_cidr_block = "10.0.0.0/8" + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + depends_on = [aws_route_table.public_route_table2] +} + +resource "aws_route_table_association" "private_route_table_association" { + subnet_id = aws_subnet.private.*.id[0] + route_table_id = aws_route_table.private_route_table.id +} + +``` +```tf title="Negative test num. 3 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.55.0" + } + } +} + +provider "aws" { + region = "us-east-1" +} + +variable vpc_1_cidr_block { + type = string + default = "10.0.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_2_cidr_block { + type = string + default = "10.2.0.0/16" + description = "vpc default CIDR block" +} + +variable vpc_cidr_public_block { + type = string + default = "10.0.1.0/24" + description = "public CIDR block" +} + +variable vpc_cidr_private_block { + type = string + default = "10.0.2.0/24" + description = "private CIDR block" +} + +resource "aws_vpc" "vpc1" { + cidr_block = var.vpc_1_cidr_block + + tags = { + Name = "tf-test-vpc-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "public" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_public_block + availability_zone = "us-east-1a" + + tags = { + Name = "public-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_subnet" "private" { + vpc_id = aws_vpc.vpc1.id + cidr_block = var.vpc_cidr_private_block + 
availability_zone = "us-east-1a" + + tags = { + Name = "private-subnet-1" + Project = "CIS Certification" + } +} + +resource "aws_vpc" "vpc2" { + cidr_block = var.vpc_2_cidr_block + + tags = { + Name = "tf-test-vpc-2" + Project = "CIS Certification" + } +} + +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc1.id + + tags = { + Name = "igw" + Project = "CIS Certification" + } +} + +resource "aws_eip" "nat" {} + +resource "aws_nat_gateway" "nat" { + allocation_id = aws_eip.nat.id + subnet_id = aws_subnet.public.*.id[0] + + tags = { + Name = "nat" + Project = "CIS Certification" + } + + depends_on = [aws_internet_gateway.igw] +} + +data "aws_caller_identity" "current" {} + +resource "aws_vpc_peering_connection" "my_peering" { + peer_owner_id = data.aws_caller_identity.current.account_id + peer_vpc_id = aws_vpc.vpc1.id + vpc_id = aws_vpc.vpc2.id + auto_accept = true + + tags = { + Name = "VPC Peering between vpc1 and vpc2" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "public_route_table" { + vpc_id = aws_vpc.vpc1.id + + route = [ + + { + cidr_block = "10.0.0.0/8" + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + gateway_id = "" + instance_id = "" + ipv6_cidr_block = "" + egress_only_gateway_id = "" + nat_gateway_id = "" + network_interface_id = "" + transit_gateway_id = "" + carrier_gateway_id = "" + destination_prefix_list_id = "" + local_gateway_id = "" + vpc_endpoint_id = "" + + } + ] + + + tags = { + Name = "public_route_table" + Project = "CIS Certification" + } +} + +resource "aws_route_table" "private_route_table" { + vpc_id = aws_vpc.vpc1.id + + route { + cidr_block = aws_vpc.vpc2.cidr_block + vpc_peering_connection_id = aws_vpc_peering_connection.my_peering.id + } + + tags = { + Name = "private_route_table" + Project = "CIS Certification" + } +} + +resource "aws_route_table_association" "private_route_table_association" { + subnet_id = aws_subnet.private.id + route_table_id = 
aws_route_table.private_route_table.id +} + +``` diff --git a/docs/queries/terraform-queries/aws/b3a59b8e-94a3-403e-b6e2-527abaf12034.md b/docs/queries/terraform-queries/aws/b3a59b8e-94a3-403e-b6e2-527abaf12034.md new file mode 100644 index 00000000000..2d6d3a9ca35 --- /dev/null +++ b/docs/queries/terraform-queries/aws/b3a59b8e-94a3-403e-b6e2-527abaf12034.md @@ -0,0 +1,520 @@ +--- +title: API Gateway Deployment Without API Gateway UsagePlan Associated +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b3a59b8e-94a3-403e-b6e2-527abaf12034 +- **Query name:** API Gateway Deployment Without API Gateway UsagePlan Associated +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_deployment_without_api_gateway_usage_plan_associated) + +### Description +API Gateway Deployment should have API Gateway UsagePlan defined and associated.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 9" +resource "aws_api_gateway_deployment" "positive1" { + rest_api_id = "some rest api id" + stage_name = "some name" + tags { + project = "ProjectName" + } +} + +resource "aws_api_gateway_deployment" "positive2" { + rest_api_id = "some rest api id" + stage_name = "development" +} + +resource "aws_api_gateway_usage_plan" "positive3" { + name = "my-usage-plan" + description = "my description" + product_code = "MYCODE" + + api_stages { + api_id = "another id" + stage = "development" + } +} + +``` +```json title="Postitive test num. 2 - json file" hl_lines="14 31" +{ + "format_version": "0.2", + "terraform_version": "1.0.5", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_api_gateway_deployment.positive1", + "mode": "managed", + "type": "aws_api_gateway_deployment", + "name": "positive1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": null, + "rest_api_id": "some rest api id", + "stage_description": null, + "stage_name": "some name", + "triggers": null, + "variables": null + }, + "sensitive_values": {} + }, + { + "address": "aws_api_gateway_deployment.positive2", + "mode": "managed", + "type": "aws_api_gateway_deployment", + "name": "positive2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": null, + "rest_api_id": "some rest api id", + "stage_description": null, + "stage_name": "development", + "triggers": null, + "variables": null + }, + "sensitive_values": {} + }, + { + "address": "aws_api_gateway_usage_plan.positive3", + "mode": "managed", + "type": "aws_api_gateway_usage_plan", + "name": "positive3", + "provider_name": "registry.terraform.io/hashicorp/aws", + 
"schema_version": 0, + "values": { + "api_stages": [ + { + "api_id": "another id", + "stage": "development" + } + ], + "description": "my description", + "name": "my-usage-plan", + "product_code": "MYCODE", + "quota_settings": [], + "tags": null, + "throttle_settings": [] + }, + "sensitive_values": { + "api_stages": [ + {} + ], + "quota_settings": [], + "tags_all": {}, + "throttle_settings": [] + } + } + ] + } + }, + "resource_changes": [ + { + "address": "aws_api_gateway_deployment.positive1", + "mode": "managed", + "type": "aws_api_gateway_deployment", + "name": "positive1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "description": null, + "rest_api_id": "some rest api id", + "stage_description": null, + "stage_name": "some name", + "triggers": null, + "variables": null + }, + "after_unknown": { + "created_date": true, + "execution_arn": true, + "id": true, + "invoke_url": true + }, + "before_sensitive": false, + "after_sensitive": {} + } + }, + { + "address": "aws_api_gateway_deployment.positive2", + "mode": "managed", + "type": "aws_api_gateway_deployment", + "name": "positive2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "description": null, + "rest_api_id": "some rest api id", + "stage_description": null, + "stage_name": "development", + "triggers": null, + "variables": null + }, + "after_unknown": { + "created_date": true, + "execution_arn": true, + "id": true, + "invoke_url": true + }, + "before_sensitive": false, + "after_sensitive": {} + } + }, + { + "address": "aws_api_gateway_usage_plan.positive3", + "mode": "managed", + "type": "aws_api_gateway_usage_plan", + "name": "positive3", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "api_stages": [ + { + "api_id": "another id", + "stage": 
"development" + } + ], + "description": "my description", + "name": "my-usage-plan", + "product_code": "MYCODE", + "quota_settings": [], + "tags": null, + "throttle_settings": [] + }, + "after_unknown": { + "api_stages": [ + {} + ], + "arn": true, + "id": true, + "quota_settings": [], + "tags_all": true, + "throttle_settings": [] + }, + "before_sensitive": false, + "after_sensitive": { + "api_stages": [ + {} + ], + "quota_settings": [], + "tags_all": {}, + "throttle_settings": [] + } + } + } + ], + "configuration": { + "root_module": { + "resources": [ + { + "address": "aws_api_gateway_deployment.positive1", + "mode": "managed", + "type": "aws_api_gateway_deployment", + "name": "positive1", + "provider_config_key": "aws", + "expressions": { + "rest_api_id": { + "constant_value": "some rest api id" + }, + "stage_name": { + "constant_value": "some name" + } + }, + "schema_version": 0 + }, + { + "address": "aws_api_gateway_deployment.positive2", + "mode": "managed", + "type": "aws_api_gateway_deployment", + "name": "positive2", + "provider_config_key": "aws", + "expressions": { + "rest_api_id": { + "constant_value": "some rest api id" + }, + "stage_name": { + "constant_value": "development" + } + }, + "schema_version": 0 + }, + { + "address": "aws_api_gateway_usage_plan.positive3", + "mode": "managed", + "type": "aws_api_gateway_usage_plan", + "name": "positive3", + "provider_config_key": "aws", + "expressions": { + "api_stages": [ + { + "api_id": { + "constant_value": "another id" + }, + "stage": { + "constant_value": "development" + } + } + ], + "description": { + "constant_value": "my description" + }, + "name": { + "constant_value": "my-usage-plan" + }, + "product_code": { + "constant_value": "MYCODE" + } + }, + "schema_version": 0 + } + ] + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_api_gateway_deployment" "negative1" { + rest_api_id = "rest_api_1" + stage_name = "development" +} + +resource "aws_api_gateway_usage_plan" "negative2" { + name = "my-usage-plan" + description = "my description" + product_code = "MYCODE" + + api_stages { + api_id = "rest_api_1" + stage = "development" + } + + api_stages { + api_id = "rest_api_2" + stage = "development_2" + } +} + +``` +```json title="Negative test num. 2 - json file" +{ + "format_version": "0.2", + "terraform_version": "1.0.5", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_api_gateway_deployment.negative1", + "mode": "managed", + "type": "aws_api_gateway_deployment", + "name": "negative1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "description": null, + "rest_api_id": "rest_api_1", + "stage_description": null, + "stage_name": "development", + "triggers": null, + "variables": null + }, + "sensitive_values": {} + }, + { + "address": "aws_api_gateway_usage_plan.negative2", + "mode": "managed", + "type": "aws_api_gateway_usage_plan", + "name": "negative2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "api_stages": [ + { + "api_id": "rest_api_1", + "stage": "development" + } + ], + "description": "my description", + "name": "my-usage-plan", + "product_code": "MYCODE", + "quota_settings": [], + "tags": null, + "throttle_settings": [] + }, + "sensitive_values": { + "api_stages": [ + {} + ], + "quota_settings": [], + "tags_all": {}, + "throttle_settings": [] + } + } + ] + } + }, + "resource_changes": [ + { + "address": "aws_api_gateway_deployment.negative1", + "mode": "managed", + "type": "aws_api_gateway_deployment", + "name": "negative1", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "description": null, + "rest_api_id": "rest_api_1", + 
"stage_description": null, + "stage_name": "development", + "triggers": null, + "variables": null + }, + "after_unknown": { + "created_date": true, + "execution_arn": true, + "id": true, + "invoke_url": true + }, + "before_sensitive": false, + "after_sensitive": {} + } + }, + { + "address": "aws_api_gateway_usage_plan.negative2", + "mode": "managed", + "type": "aws_api_gateway_usage_plan", + "name": "negative2", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "api_stages": [ + { + "api_id": "rest_api_1", + "stage": "development" + } + ], + "description": "my description", + "name": "my-usage-plan", + "product_code": "MYCODE", + "quota_settings": [], + "tags": null, + "throttle_settings": [] + }, + "after_unknown": { + "api_stages": [ + {} + ], + "arn": true, + "id": true, + "quota_settings": [], + "tags_all": true, + "throttle_settings": [] + }, + "before_sensitive": false, + "after_sensitive": { + "api_stages": [ + {} + ], + "quota_settings": [], + "tags_all": {}, + "throttle_settings": [] + } + } + } + ], + "configuration": { + "root_module": { + "resources": [ + { + "address": "aws_api_gateway_deployment.negative1", + "mode": "managed", + "type": "aws_api_gateway_deployment", + "name": "negative1", + "provider_config_key": "aws", + "expressions": { + "rest_api_id": { + "constant_value": "rest_api_1" + }, + "stage_name": { + "constant_value": "development" + } + }, + "schema_version": 0 + }, + { + "address": "aws_api_gateway_usage_plan.negative2", + "mode": "managed", + "type": "aws_api_gateway_usage_plan", + "name": "negative2", + "provider_config_key": "aws", + "expressions": { + "api_stages": [ + { + "api_id": { + "constant_value": "rest_api_1" + }, + "stage": { + "constant_value": "development" + } + } + ], + "description": { + "constant_value": "my description" + }, + "name": { + "constant_value": "my-usage-plan" + }, + "product_code": { + "constant_value": "MYCODE" + } + 
}, + "schema_version": 0 + } + ] + } + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/b4378389-a9aa-44ee-91e7-ef183f11079e.md b/docs/queries/terraform-queries/aws/b4378389-a9aa-44ee-91e7-ef183f11079e.md new file mode 100644 index 00000000000..7fa86ef588e --- /dev/null +++ b/docs/queries/terraform-queries/aws/b4378389-a9aa-44ee-91e7-ef183f11079e.md @@ -0,0 +1,211 @@ +--- +title: IAM Policies Attached To User +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b4378389-a9aa-44ee-91e7-ef183f11079e +- **Query name:** IAM Policies Attached To User +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_policies_attached_to_user) + +### Description +IAM policies should be attached only to groups or roles
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="18" +resource "aws_iam_user" "positive1_1" { + name = "${local.resource_prefix.value}-user" + force_destroy = true + + tags = { + Name = "${local.resource_prefix.value}-user" + Environment = local.resource_prefix.value + } + +} + +resource "aws_iam_access_key" "positive1_2" { + user = aws_iam_user.user.name +} + +resource "aws_iam_policy_attachment" "positive1_3" { + name = "excess_policy" + users = [aws_iam_user.user.name] + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** b5681959-6c09-4f55-b42b-c40fa12d03ec +- **Query name:** IAM User Policy Without MFA +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_user_policy_without_mfa) + +### Description +Check if the root user is authenticated with MFA
+[Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="18" +resource "aws_iam_user" "positive1" { + name = "root" + path = "/system/" + + tags = { + tag-key = "tag-value" + } +} + +resource "aws_iam_access_key" "positive2" { + user = aws_iam_user.lb.name +} + +resource "aws_iam_user_policy" "positive3" { + name = "test" + user = aws_iam_user.lb.name + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** b592ffd4-0577-44b6-bd35-8c5ee81b5918 +- **Query name:** No Password Policy Enabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/no_password_policy_enabled) + +### Description +IAM password policies should be set through the password minimum length and reset password attributes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5 16 23 30 31" +resource "aws_iam_user_login_profile" "positive2" { + user = aws_iam_user.example.name + pgp_key = "keybase:some_person_that_exists" + + password_reset_required = false + + password_length = 15 +} + +resource "aws_iam_user_login_profile" "positive3" { + user = aws_iam_user.example.name + pgp_key = "keybase:some_person_that_exists" + + password_reset_required = true + + password_length = 13 +} + +resource "aws_iam_user_login_profile" "positive6" { + user = aws_iam_user.example.name + pgp_key = "keybase:some_person_that_exists" + + password_length = 13 +} + +resource "aws_iam_user_login_profile" "positive7" { + user = aws_iam_user.example.name + pgp_key = "keybase:some_person_that_exists" + + password_reset_required = false + password_length = 13 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user_login_profile" "negative1" { + user = aws_iam_user.example.name + pgp_key = "keybase:some_person_that_exists" + + password_reset_required = true + + password_length = 15 +} +``` diff --git a/docs/queries/terraform-queries/aws/b69247e5-7e73-464e-ba74-ec9b715c6e12.md b/docs/queries/terraform-queries/aws/b69247e5-7e73-464e-ba74-ec9b715c6e12.md new file mode 100644 index 00000000000..9490cbed686 --- /dev/null +++ b/docs/queries/terraform-queries/aws/b69247e5-7e73-464e-ba74-ec9b715c6e12.md 
@@ -0,0 +1,90 @@ +--- +title: User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b69247e5-7e73-464e-ba74-ec9b715c6e12 +- **Query name:** User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode) + +### Description +User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "lambda:UpdateFunctionCode", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/b72d0026-f649-4c91-a9ea-15d8f681ac09.md b/docs/queries/terraform-queries/aws/b72d0026-f649-4c91-a9ea-15d8f681ac09.md new file mode 100644 index 00000000000..90d804266c9 --- /dev/null +++ b/docs/queries/terraform-queries/aws/b72d0026-f649-4c91-a9ea-15d8f681ac09.md 
@@ -0,0 +1,59 @@ +--- +title: Stack Notifications Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b72d0026-f649-4c91-a9ea-15d8f681ac09 +- **Query name:** Stack Notifications Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/stack_notifications_disabled) + +### Description +AWS CloudFormation should have stack notifications enabled to be notified when an event occurs
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_cloudformation_stack" "positive1" { + + name = "networking-stack" + + parameters = { + VPCCidr = "10.0.0.0/16" + } + + +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cloudformation_stack" "negative1" { + + name = "networking-stack" + + parameters = { + VPCCidr = "10.0.0.0/16" + } + + + notification_arns = ["a","b"] + +} +``` diff --git a/docs/queries/terraform-queries/aws/b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md b/docs/queries/terraform-queries/aws/b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md new file mode 100644 index 00000000000..29b3ff6a274 --- /dev/null +++ b/docs/queries/terraform-queries/aws/b7c9a40c-23e4-4a2d-8d39-a3352f10f288.md @@ -0,0 +1,157 @@ +--- +title: API Gateway Method Settings Cache Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b7c9a40c-23e4-4a2d-8d39-a3352f10f288 +- **Query name:** API Gateway Method Settings Cache Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_method_settings_cache_not_encrypted) + +### Description +API Gateway Method Settings Cache should be encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_data_encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="40 48" +resource "aws_api_gateway_rest_api" "example" { + body = jsonencode({ + openapi = "3.0.1" + info = { + title = "example" + version = "1.0" + } + paths = { + "/path1" = { + get = { + x-amazon-apigateway-integration = { + httpMethod = "GET" + payloadFormatVersion = "1.0" + type = "HTTP_PROXY" + uri = "https://ip-ranges.amazonaws.com/ip-ranges.json" + } + } + } + } + }) + + name = "example" +} + +resource "aws_api_gateway_stage" "example" { + deployment_id = aws_api_gateway_deployment.example.id + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = "example" +} + +resource "aws_api_gateway_method_settings" "path_specific" { + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = aws_api_gateway_stage.example.stage_name + method_path = "path1/GET" + + settings { + metrics_enabled = true + logging_level = "INFO" + caching_enabled = true + cache_data_encrypted = false + } +} +resource "aws_api_gateway_method_settings" "path_specific_2" { + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = aws_api_gateway_stage.example.stage_name + method_path = "path1/GET" + + settings { + metrics_enabled = true + logging_level = "INFO" + caching_enabled = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "aws_api_gateway_rest_api" "example" { + body = jsonencode({ + openapi = "3.0.1" + info = { + title = "example" + version = "1.0" + } + paths = { + "/path1" = { + get = { + x-amazon-apigateway-integration = { + httpMethod = "GET" + payloadFormatVersion = "1.0" + type = "HTTP_PROXY" + uri = "https://ip-ranges.amazonaws.com/ip-ranges.json" + } + } + } + } + }) + + name = "example" +} + +resource "aws_api_gateway_stage" "example" { + deployment_id = aws_api_gateway_deployment.example.id + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = "example" +} + +resource "aws_api_gateway_method_settings" "path_specific" { + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = aws_api_gateway_stage.example.stage_name + method_path = "path1/GET" + + settings { + metrics_enabled = true + logging_level = "INFO" + caching_enabled = true + cache_data_encrypted = true + } +} + +resource "aws_api_gateway_method_settings" "path_specific_2" { + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = aws_api_gateway_stage.example.stage_name + method_path = "path1/GET" + + settings { + metrics_enabled = true + logging_level = "INFO" + } +} + +resource "aws_api_gateway_method_settings" "path_specific_3" { + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = aws_api_gateway_stage.example.stage_name + method_path = "path1/GET" + + settings { + metrics_enabled = true + logging_level = "INFO" + caching_enabled = false + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/b8a31292-509d-4b61-bc40-13b167db7e9c.md b/docs/queries/terraform-queries/aws/b8a31292-509d-4b61-bc40-13b167db7e9c.md new file mode 100644 index 00000000000..7360dfd37e2 --- /dev/null +++ b/docs/queries/terraform-queries/aws/b8a31292-509d-4b61-bc40-13b167db7e9c.md 
@@ -0,0 +1,82 @@ +--- +title: Role With Privilege Escalation By Actions 'iam:AddUserToGroup' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b8a31292-509d-4b61-bc40-13b167db7e9c +- **Query name:** Role With Privilege Escalation By Actions 'iam:AddUserToGroup' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AddUserToGroup) + +### Description +Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AddUserToGroup", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/b9033580-6886-401a-8631-5f19f5bb24c7.md b/docs/queries/terraform-queries/aws/b9033580-6886-401a-8631-5f19f5bb24c7.md new file mode 100644 index 00000000000..6b1ce57da98 --- /dev/null +++ b/docs/queries/terraform-queries/aws/b9033580-6886-401a-8631-5f19f5bb24c7.md @@ -0,0 +1,152 @@ +--- +title: Workspaces Workspace Volume Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b9033580-6886-401a-8631-5f19f5bb24c7 +- **Query name:** Workspaces Workspace Volume Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/workspaces_workspace_volume_not_encrypted) + +### Description +AWS Workspaces Workspace data stored in volumes should be encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_workspace#root_volume_encryption_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "aws_workspaces_workspace" "example" { + directory_id = aws_workspaces_directory.example.id + bundle_id = data.aws_workspaces_bundle.value_windows_10.id + user_name = "john.doe" + + root_volume_encryption_enabled = true + volume_encryption_key = "alias/aws/workspaces" + + workspace_properties { + compute_type_name = "VALUE" + user_volume_size_gib = 10 + root_volume_size_gib = 80 + running_mode = "AUTO_STOP" + running_mode_auto_stop_timeout_in_minutes = 60 + } + + tags = { + Department = "IT" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="12" +resource "aws_workspaces_workspace" "example_2" { + directory_id = aws_workspaces_directory.example.id + bundle_id = data.aws_workspaces_bundle.value_windows_10.id + user_name = "john.doe" + + user_volume_encryption_enabled = true + volume_encryption_key = "alias/aws/workspaces" + + workspace_properties { + compute_type_name = "VALUE" + user_volume_size_gib = 10 + root_volume_size_gib = 80 + running_mode = "AUTO_STOP" + running_mode_auto_stop_timeout_in_minutes = 60 + } + + tags = { + Department = "IT" + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="10 11" +resource "aws_workspaces_workspace" "example_3" { + directory_id = aws_workspaces_directory.example.id + bundle_id = data.aws_workspaces_bundle.value_windows_10.id + user_name = "john.doe" + + volume_encryption_key = "alias/aws/workspaces" + + workspace_properties { + compute_type_name = "VALUE" + user_volume_size_gib = 10 + root_volume_size_gib = 80 + running_mode = "AUTO_STOP" + running_mode_auto_stop_timeout_in_minutes = 60 + } + + tags = { + Department = "IT" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="6 7" +resource "aws_workspaces_workspace" "example_4" { + directory_id = aws_workspaces_directory.example.id + bundle_id = data.aws_workspaces_bundle.value_windows_10.id + user_name = "john.doe" + + root_volume_encryption_enabled = false + user_volume_encryption_enabled = false + volume_encryption_key = "alias/aws/workspaces" + + workspace_properties { + compute_type_name = "VALUE" + user_volume_size_gib = 10 + root_volume_size_gib = 80 + running_mode = "AUTO_STOP" + running_mode_auto_stop_timeout_in_minutes = 60 + } + + tags = { + Department = "IT" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_workspaces_workspace" "example" { + directory_id = aws_workspaces_directory.example.id + bundle_id = data.aws_workspaces_bundle.value_windows_10.id + user_name = "john.doe" + + root_volume_encryption_enabled = true + user_volume_encryption_enabled = true + volume_encryption_key = "alias/aws/workspaces" + + workspace_properties { + compute_type_name = "VALUE" + user_volume_size_gib = 10 + root_volume_size_gib = 80 + running_mode = "AUTO_STOP" + running_mode_auto_stop_timeout_in_minutes = 60 + } + + tags = { + Department = "IT" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md b/docs/queries/terraform-queries/aws/ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md new file mode 100644 index 00000000000..51bed6a940d --- /dev/null +++ b/docs/queries/terraform-queries/aws/ba40ace1-a047-483c-8a8d-bc2d3a67a82d.md @@ -0,0 +1,88 @@ +--- +title: EKS node group remote access disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ba40ace1-a047-483c-8a8d-bc2d3a67a82d +- **Query name:** EKS node group remote access disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/eks_node_group_remote_access_disabled) + +### Description +EKS node group remote access is disabled when 'SourceSecurityGroups' is missing
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group#remote_access) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="13" +resource "aws_eks_node_group" "positive" { + cluster_name = aws_eks_cluster.example.name + node_group_name = "example" + node_role_arn = aws_iam_role.example.arn + subnet_ids = aws_subnet.example[*].id + + scaling_config { + desired_size = 1 + max_size = 1 + min_size = 1 + } + + remote_access { + ec2_ssh_key = "my-rsa-key" + } + + # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling. + # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces. + depends_on = [ + aws_iam_role_policy_attachment.example-AmazonEKSWorkerNodePolicy, + aws_iam_role_policy_attachment.example-AmazonEKS_CNI_Policy, + aws_iam_role_policy_attachment.example-AmazonEC2ContainerRegistryReadOnly, + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_eks_node_group" "negative" { + cluster_name = aws_eks_cluster.example.name + node_group_name = "example" + node_role_arn = aws_iam_role.example.arn + subnet_ids = aws_subnet.example[*].id + + scaling_config { + desired_size = 1 + max_size = 1 + min_size = 1 + } + + remote_access { + ec2_ssh_key = "my-rsa-key" + source_security_groups_ids = "sg-213120ASNE" + } + + # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling. + # Otherwise, EKS will not be able to properly delete EC2 Instances and Elastic Network Interfaces. + depends_on = [ + aws_iam_role_policy_attachment.example-AmazonEKSWorkerNodePolicy, + aws_iam_role_policy_attachment.example-AmazonEKS_CNI_Policy, + aws_iam_role_policy_attachment.example-AmazonEC2ContainerRegistryReadOnly, + ] +} + +``` 
diff --git a/docs/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587.md b/docs/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587.md new file mode 100644 index 00000000000..59a43215b12 --- /dev/null +++ b/docs/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587.md @@ -0,0 +1,543 @@ +--- +title: Autoscaling Groups Supply Tags +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ba48df05-eaa1-4d64-905e-4a4b051e7587 +- **Query name:** Autoscaling Groups Supply Tags +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/autoscaling_groups_supply_tags) + +### Description +Autoscaling groups should supply tags to configurate
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#tag-and-tags) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_autoscaling_group" "positive1" { + name = "foobar3-terraform-test" + max_size = 5 + min_size = 2 + launch_configuration = aws_launch_configuration.foobar.name + vpc_zone_identifier = [aws_subnet.example1.id, aws_subnet.example2.id] +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "~> 4.0" + + # Autoscaling group + name = "example-asg" + + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + health_check_type = "EC2" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + + initial_lifecycle_hooks = [ + { + name = "ExampleStartupLifeCycleHook" + default_result = "CONTINUE" + heartbeat_timeout = 60 + lifecycle_transition = "autoscaling:EC2_INSTANCE_LAUNCHING" + notification_metadata = jsonencode({ "hello" = "world" }) + }, + { + name = "ExampleTerminationLifeCycleHook" + default_result = "CONTINUE" + heartbeat_timeout = 180 + lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" + notification_metadata = jsonencode({ "goodbye" = "world" }) + } + ] + + instance_refresh = { + strategy = "Rolling" + preferences = { + min_healthy_percentage = 50 + } + triggers = ["tag"] + } + + # Launch template + lt_name = "example-asg" + description = "Launch template example" + update_default_version = true + + use_lt = true + create_lt = true + + image_id = "ami-ebd02392" + instance_type = "t3.micro" + ebs_optimized = true + enable_monitoring = true + + block_device_mappings = [ + { + # Root volume + device_name = "/dev/xvda" + no_device = 0 + ebs = { + delete_on_termination = true + encrypted = true + volume_size = 20 + volume_type = "gp2" + } + }, { + device_name = 
"/dev/sda1" + no_device = 1 + ebs = { + delete_on_termination = true + encrypted = true + volume_size = 30 + volume_type = "gp2" + } + } + ] + + capacity_reservation_specification = { + capacity_reservation_preference = "open" + } + + cpu_options = { + core_count = 1 + threads_per_core = 1 + } + + credit_specification = { + cpu_credits = "standard" + } + + instance_market_options = { + market_type = "spot" + spot_options = { + block_duration_minutes = 60 + } + } + + metadata_options = { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 32 + } + + network_interfaces = [ + { + delete_on_termination = true + description = "eth0" + device_index = 0 + security_groups = ["sg-12345678"] + }, + { + delete_on_termination = true + description = "eth1" + device_index = 1 + security_groups = ["sg-12345678"] + } + ] + + placement = { + availability_zone = "us-west-1b" + } + + tag_specifications = [ + { + resource_type = "instance" + tags = { WhatAmI = "Instance" } + }, + { + resource_type = "volume" + tags = { WhatAmI = "Volume" } + }, + { + resource_type = "spot-instances-request" + tags = { WhatAmI = "SpotInstanceRequest" } + } + ] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_autoscaling_group" "negative1" { + name = "foobar3-terraform-test" + max_size = 5 + min_size = 2 + launch_configuration = aws_launch_configuration.foobar.name + vpc_zone_identifier = [aws_subnet.example1.id, aws_subnet.example2.id] + + tags = concat( + [ + { + "key" = "interpolation1" + "value" = "value3" + "propagate_at_launch" = true + }, + { + "key" = "interpolation2" + "value" = "value4" + "propagate_at_launch" = true + }, + ], + ) +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "aws_autoscaling_group" "negative2" { + name = "foobar3-terraform-test" + max_size = 5 + min_size = 2 + launch_configuration = aws_launch_configuration.foobar.name + vpc_zone_identifier = [aws_subnet.example1.id, aws_subnet.example2.id] + + tag { + key = "foo" + value = "bar" + propagate_at_launch = true + } +} + +``` +```tf title="Negative test num. 3 - tf file" +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "~> 4.0" + + # Autoscaling group + name = "example-asg" + + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + health_check_type = "EC2" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + + initial_lifecycle_hooks = [ + { + name = "ExampleStartupLifeCycleHook" + default_result = "CONTINUE" + heartbeat_timeout = 60 + lifecycle_transition = "autoscaling:EC2_INSTANCE_LAUNCHING" + notification_metadata = jsonencode({ "hello" = "world" }) + }, + { + name = "ExampleTerminationLifeCycleHook" + default_result = "CONTINUE" + heartbeat_timeout = 180 + lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" + notification_metadata = jsonencode({ "goodbye" = "world" }) + } + ] + + instance_refresh = { + strategy = "Rolling" + preferences = { + min_healthy_percentage = 50 + } + triggers = ["tag"] + } + + # Launch template + lt_name = "example-asg" + description = "Launch template example" + update_default_version = true + + use_lt = true + create_lt = true + + image_id = "ami-ebd02392" + instance_type = "t3.micro" + ebs_optimized = true + enable_monitoring = true + + block_device_mappings = [ + { + # Root volume + device_name = "/dev/xvda" + no_device = 0 + ebs = { + delete_on_termination = true + encrypted = true + volume_size = 20 + volume_type = "gp2" + } + }, { + device_name = "/dev/sda1" + no_device = 1 + ebs = { + delete_on_termination = true + encrypted = true + volume_size = 30 + volume_type = "gp2" + } + } + ] + + capacity_reservation_specification = { + 
capacity_reservation_preference = "open" + } + + cpu_options = { + core_count = 1 + threads_per_core = 1 + } + + credit_specification = { + cpu_credits = "standard" + } + + instance_market_options = { + market_type = "spot" + spot_options = { + block_duration_minutes = 60 + } + } + + metadata_options = { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 32 + } + + network_interfaces = [ + { + delete_on_termination = true + description = "eth0" + device_index = 0 + security_groups = ["sg-12345678"] + }, + { + delete_on_termination = true + description = "eth1" + device_index = 1 + security_groups = ["sg-12345678"] + } + ] + + placement = { + availability_zone = "us-west-1b" + } + + tag_specifications = [ + { + resource_type = "instance" + tags = { WhatAmI = "Instance" } + }, + { + resource_type = "volume" + tags = { WhatAmI = "Volume" } + }, + { + resource_type = "spot-instances-request" + tags = { WhatAmI = "SpotInstanceRequest" } + } + ] + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] + + tags_as_map = { + extra_tag1 = "extra_value1" + extra_tag2 = "extra_value2" + } +} + +``` +
Negative test num. 4 - tf file + +```tf +module "asg" { + source = "terraform-aws-modules/autoscaling/aws" + version = "~> 4.0" + + # Autoscaling group + name = "example-asg" + + min_size = 0 + max_size = 1 + desired_capacity = 1 + wait_for_capacity_timeout = 0 + health_check_type = "EC2" + vpc_zone_identifier = ["subnet-1235678", "subnet-87654321"] + + initial_lifecycle_hooks = [ + { + name = "ExampleStartupLifeCycleHook" + default_result = "CONTINUE" + heartbeat_timeout = 60 + lifecycle_transition = "autoscaling:EC2_INSTANCE_LAUNCHING" + notification_metadata = jsonencode({ "hello" = "world" }) + }, + { + name = "ExampleTerminationLifeCycleHook" + default_result = "CONTINUE" + heartbeat_timeout = 180 + lifecycle_transition = "autoscaling:EC2_INSTANCE_TERMINATING" + notification_metadata = jsonencode({ "goodbye" = "world" }) + } + ] + + instance_refresh = { + strategy = "Rolling" + preferences = { + min_healthy_percentage = 50 + } + triggers = ["tag"] + } + + tag { + key = "foo" + value = "bar" + propagate_at_launch = true + } + + # Launch template + lt_name = "example-asg" + description = "Launch template example" + update_default_version = true + + use_lt = true + create_lt = true + + image_id = "ami-ebd02392" + instance_type = "t3.micro" + ebs_optimized = true + enable_monitoring = true + + block_device_mappings = [ + { + # Root volume + device_name = "/dev/xvda" + no_device = 0 + ebs = { + delete_on_termination = true + encrypted = true + volume_size = 20 + volume_type = "gp2" + } + }, { + device_name = "/dev/sda1" + no_device = 1 + ebs = { + delete_on_termination = true + encrypted = true + volume_size = 30 + volume_type = "gp2" + } + } + ] + + capacity_reservation_specification = { + capacity_reservation_preference = "open" + } + + cpu_options = { + core_count = 1 + threads_per_core = 1 + } + + credit_specification = { + cpu_credits = "standard" + } + + instance_market_options = { + market_type = "spot" + spot_options = { + block_duration_minutes = 60 + } + 
} + + metadata_options = { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 32 + } + + network_interfaces = [ + { + delete_on_termination = true + description = "eth0" + device_index = 0 + security_groups = ["sg-12345678"] + }, + { + delete_on_termination = true + description = "eth1" + device_index = 1 + security_groups = ["sg-12345678"] + } + ] + + placement = { + availability_zone = "us-west-1b" + } + + tag_specifications = [ + { + resource_type = "instance" + tags = { WhatAmI = "Instance" } + }, + { + resource_type = "volume" + tags = { WhatAmI = "Volume" } + }, + { + resource_type = "spot-instances-request" + tags = { WhatAmI = "SpotInstanceRequest" } + } + ] + + tags = [ + { + key = "Environment" + value = "dev" + propagate_at_launch = true + }, + { + key = "Project" + value = "megasecret" + propagate_at_launch = true + }, + ] + + tags_as_map = { + extra_tag1 = "extra_value1" + extra_tag2 = "extra_value2" + } +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md b/docs/queries/terraform-queries/aws/ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md new file mode 100644 index 00000000000..dd6c9aeaf8f --- /dev/null +++ b/docs/queries/terraform-queries/aws/ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698.md @@ -0,0 +1,62 @@ +--- +title: AMI Shared With Multiple Accounts +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ba4e0031-3e9d-4d7d-b0d6-bd8f003f8698 +- **Query name:** AMI Shared With Multiple Accounts +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ami_shared_with_multiple_accounts) + +### Description +Limits access to AWS AMIs by checking if more than one account is using the same image
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ami_launch_permission) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11 3" +resource "aws_ami_launch_permission" "positive1" { + + image_id = "ami-1235678" + account_id = "12345600012" + +} + + +resource "aws_ami_launch_permission" "positive2" { + + image_id = "ami-1235678" + account_id = "123456789012" + +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_ami_launch_permission" "negative1" { + image_id = "ami-12345678" + account_id = "123456789012" +} + + +resource "aws_ami_launch_permission" "example" { + image_id = "ami-12345680" + account_id = "12345672" +} + +``` diff --git a/docs/queries/terraform-queries/aws/baecd2da-492a-4d59-b9dc-29540a1398e0.md b/docs/queries/terraform-queries/aws/baecd2da-492a-4d59-b9dc-29540a1398e0.md new file mode 100644 index 00000000000..2e6ca6cb155 --- /dev/null +++ b/docs/queries/terraform-queries/aws/baecd2da-492a-4d59-b9dc-29540a1398e0.md @@ -0,0 +1,229 @@ +--- +title: BOM - AWS SQS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** baecd2da-492a-4d59-b9dc-29540a1398e0 +- **Query name:** BOM - AWS SQS +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/sqs) + +### Description +A list of SQS resources specified. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_sqs_queue" "positive1" { + name = "terraform-example-queue" + delay_seconds = 90 + max_message_size = 2048 + message_retention_seconds = 86400 + receive_wait_time_seconds = 10 + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.terraform_queue_deadletter.arn + maxReceiveCount = 4 + }) + + tags = { + Environment = "production" + } +} + + +resource "aws_sqs_queue_policy" "positive1" { + queue_url = aws_sqs_queue.positive1.id + + policy = <Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_sqs_queue" "positive4" { + name = "terraform-example-queue" + delay_seconds = 90 + max_message_size = 2048 + message_retention_seconds = 86400 + receive_wait_time_seconds = 10 + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.terraform_queue_deadletter.arn + maxReceiveCount = 4 + }) + + tags = { + Environment = "production" + } + + policy = < +
Postitive test num. 5 - tf file + +```tf hl_lines="1" +resource "aws_sqs_queue" "positive5" { + name = "terraform-example-queue" + delay_seconds = 90 + max_message_size = 2048 + message_retention_seconds = 86400 + receive_wait_time_seconds = 10 + redrive_policy = jsonencode({ + deadLetterTargetArn = aws_sqs_queue.terraform_queue_deadletter.arn + maxReceiveCount = 4 + }) + + tags = { + Environment = "production" + } + + sqs_managed_sse_enabled = true +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +module "user_queue" { + source = "terraform-aws-modules/sqs/aws" + version = "~> 2.0" + + name = "user" + + tags = { + Service = "user" + Environment = "dev" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md b/docs/queries/terraform-queries/aws/bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md new file mode 100644 index 00000000000..cb3533388d4 --- /dev/null +++ b/docs/queries/terraform-queries/aws/bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9.md @@ -0,0 +1,60 @@ +--- +title: IAM Password Without Lowercase Letter +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bbc7c137-6c7b-4fc4-984a-0c88e91fcaf9 +- **Query name:** IAM Password Without Lowercase Letter +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_password_without_lowercase_letter) + +### Description +IAM Password should have at least one lowercase letter
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9 2" +resource "aws_iam_account_password_policy" "positive1" { + require_lowercase_characters = false + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} + +resource "aws_iam_account_password_policy" "positive2" { + minimum_password_length = 3 + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_account_password_policy" "negative1" { + minimum_password_length = 8 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} +``` diff --git a/docs/queries/terraform-queries/aws/bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md b/docs/queries/terraform-queries/aws/bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md new file mode 100644 index 00000000000..c2477bdbd88 --- /dev/null +++ b/docs/queries/terraform-queries/aws/bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54.md @@ -0,0 +1,194 @@ +--- +title: Policy Without Principal +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bbe3dd3d-fea9-4b68-a785-cfabe2bbbc54 +- **Query name:** Policy Without Principal +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/policy_without_principal) + +### Description +All policies, except IAM identity-based policies, should have the 'Principal' element defined
+[Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9" +provider "aws" { + region = "us-east-1" +} + +resource "aws_kms_key" "secure_policy" { + description = "KMS key + secure_policy" + deletion_window_in_days = 7 + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** bc1f9009-84a0-490f-ae09-3e0ea6d74ad6 +- **Query name:** DOCDB Cluster Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/docdb_cluster_not_encrypted) + +### Description +AWS DOCDB Cluster storage should be encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#storage_encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 19" +resource "aws_docdb_cluster" "docdb" { + cluster_identifier = "my-docdb-cluster" + engine = "docdb" + master_username = "foo" + master_password = "mustbeeightchars" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true +} + +resource "aws_docdb_cluster" "docdb_2" { + cluster_identifier = "my-docdb-cluster" + engine = "docdb" + master_username = "foo" + master_password = "mustbeeightchars" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + storage_encrypted = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_docdb_cluster" "docdb" { + cluster_identifier = "my-docdb-cluster" + engine = "docdb" + master_username = "foo" + master_password = "mustbeeightchars" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + storage_encrypted = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md b/docs/queries/terraform-queries/aws/bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md new file mode 100644 index 00000000000..8d05a17e0ad --- /dev/null +++ b/docs/queries/terraform-queries/aws/bca7cc4d-b3a4-4345-9461-eb69c68fcd26.md 
@@ -0,0 +1,153 @@ +--- +title: RDS Using Default Port +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bca7cc4d-b3a4-4345-9461-eb69c68fcd26 +- **Query name:** RDS Using Default Port +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/rds_using_default_port) + +### Description +RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#port) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "aws_db_instance" "positive1" { + allocated_storage = 10 + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + parameter_group_name = aws_elasticache_parameter_group.default.id + skip_final_snapshot = true + port = 3306 +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="10" +resource "aws_db_instance" "positive2" { + allocated_storage = 10 + engine = "postgres" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + skip_final_snapshot = true + port = 5432 +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="10" +resource "aws_db_instance" "positive3" { + allocated_storage = 10 + engine = "oracle-ee" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + skip_final_snapshot = true + port = 1521 +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="10" +resource "aws_db_instance" "positive4" { + allocated_storage = 10 + engine = "sqlserver-ee" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + skip_final_snapshot = true + port = 1433 +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_instance" "negative1" { + allocated_storage = 10 + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + parameter_group_name = aws_elasticache_parameter_group.default.id + skip_final_snapshot = true + port = 3307 +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_db_instance" "negative2" { + allocated_storage = 10 + engine = "postgres" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + skip_final_snapshot = true + port = 5433 +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "aws_db_instance" "negative3" { + allocated_storage = 10 + engine = "oracle-ee" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + skip_final_snapshot = true + port = 1522 +} + +``` +
Negative test num. 4 - tf file + +```tf +resource "aws_db_instance" "negative4" { + allocated_storage = 10 + engine = "sqlserver-ee" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + skip_final_snapshot = true + port = 1434 +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md b/docs/queries/terraform-queries/aws/bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md new file mode 100644 index 00000000000..7d8cb2ffeff --- /dev/null +++ b/docs/queries/terraform-queries/aws/bcdcbdc6-a350-4855-ae7c-d1e6436f7c97.md @@ -0,0 +1,188 @@ +--- +title: IAM Policy Grants 'AssumeRole' Permission Across All Services +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bcdcbdc6-a350-4855-ae7c-d1e6436f7c97 +- **Query name:** IAM Policy Grants 'AssumeRole' Permission Across All Services +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_policy_grants_assumerole_permission_across_all_services) + +### Description +IAM Policy should not grant 'AssumeRole' permission across all services.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="70 7" +// Create a role which OpenShift instances will assume. +// This role has a policy saying it can be assumed by ec2 +// instances. +resource "aws_iam_role" "positive1" { + name = "${var.name_tag_prefix}-openshift-instance-role" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** bd0088a5-c133-4b20-b129-ec9968b16ef3 +- **Query name:** CloudTrail Log Files S3 Bucket is Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_is_publicly_accessible) + +### Description +CloudTrail Log Files S3 Bucket should not be publicly accessible
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#s3_bucket_name) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="25" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +data "aws_caller_identity" "current" {} + +resource "aws_cloudtrail" "foobar" { + name = "tf-trail-foobar" + s3_bucket_name = aws_s3_bucket.b.id + s3_key_prefix = "prefix" + include_global_service_events = false +} + +resource "aws_s3_bucket" "b" { + bucket = "my-tf-test-bucket" + acl = "public-read" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="23" +variable "aws_access_key" {} +variable "aws_secret_key" {} +variable "private_key_path" {} +variable "key_name" {} +variable "region" { + default = "us-west-2" +} +provider "aws" { + access_key = var.aws_access_key + secret_key = var.aws_secret_key + region = var.region +} + +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + versioning = { + enabled = true + } + + bucket = "my_bucket" + acl = "public-read" +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="24" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + + +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + versioning = { + enabled = true + } + + bucket = "my_bucket" + acl = "public-read" +} + +resource "aws_cloudtrail" "foobar2" { + name = "tf-trail-foobar" + s3_bucket_name = aws_s3_bucket.bb.id + s3_key_prefix = "prefix" + include_global_service_events = false +} + +resource "aws_s3_bucket" "bb" { + bucket = "my-tf-test-bucket" +} + +resource "aws_s3_bucket_acl" "example_bucket_acl" { + bucket = aws_s3_bucket.bb.id + acl = "public-read" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +data "aws_caller_identity" "current2" {} + +resource "aws_cloudtrail" "foobar2" { + name = "tf-trail-foobar" + s3_bucket_name = aws_s3_bucket.b2.id + s3_key_prefix = "prefix" + include_global_service_events = false +} + +resource "aws_s3_bucket" "b2" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_cloudtrail" "foobar4" { + name = "tf-trail-foobar" + s3_bucket_name = aws_s3_bucket.bbb.id + s3_key_prefix = "prefix" + include_global_service_events = false +} + +resource "aws_s3_bucket" "bb" { + bucket = "my-tf-test-bucket" +} + +resource "aws_s3_bucket_acl" "example_bucket_acl2" { + bucket = aws_s3_bucket.bbb.id + acl = "private" +} + +``` 
diff --git a/docs/queries/terraform-queries/aws/be2aa235-bd93-4b68-978a-1cc65d49082f.md b/docs/queries/terraform-queries/aws/be2aa235-bd93-4b68-978a-1cc65d49082f.md new file mode 100644 index 00000000000..855c865224a --- /dev/null +++ b/docs/queries/terraform-queries/aws/be2aa235-bd93-4b68-978a-1cc65d49082f.md @@ -0,0 +1,107 @@ +--- +title: Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** be2aa235-bd93-4b68-978a-1cc65d49082f +- **Query name:** Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_cloudformation_CreateStack) + +### Description +Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "cloudformation:CreateStack", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + roles = [aws_iam_role.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/bf878b1a-7418-4de3-b13c-3a86cf894920.md b/docs/queries/terraform-queries/aws/bf878b1a-7418-4de3-b13c-3a86cf894920.md new file mode 100644 index 00000000000..8ffc1868315 --- /dev/null +++ b/docs/queries/terraform-queries/aws/bf878b1a-7418-4de3-b13c-3a86cf894920.md 
@@ -0,0 +1,194 @@ +--- +title: S3 Bucket Public ACL Overridden By Public Access Block +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bf878b1a-7418-4de3-b13c-3a86cf894920 +- **Query name:** S3 Bucket Public ACL Overridden By Public Access Block +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_public_acl_overridden_by_public_access_block) + +### Description +S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="16" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "public-bucket" { + bucket = "bucket-with-public-acl-3" + acl = "public-read-write" +} + +resource "aws_s3_bucket_public_access_block" "block_public_bucket_3" { + bucket = aws_s3_bucket.public-bucket.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="7" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "public-read-write" + + versioning = { + enabled = true + } + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="20" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "bu" { + bucket = "my-tf-test-bucket" +} + +resource "aws_s3_bucket_acl" "example_bucket_acl" { + bucket = aws_s3_bucket.bu.id + acl = "public-read-write" +} + +resource "aws_s3_bucket_public_access_block" "block_public_bucket_3" { + bucket = aws_s3_bucket.bu.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} +resource "aws_s3_bucket" "public-bucket2" { + bucket = "bucket-with-public-acl-32" + acl = "public-read-write" +} + +resource "aws_s3_bucket_public_access_block" "block_public_bucket_32" { + bucket = aws_s3_bucket.public-bucket2.id + block_public_acls = false + block_public_policy = true + ignore_public_acls = false + restrict_public_buckets = true +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "public-read-write" + + versioning = { + enabled = true + } + + block_public_acls = false + block_public_policy = true + ignore_public_acls = false + restrict_public_buckets = true + +} + +``` +```tf title="Negative test num. 3 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "bu2" { + bucket = "my-tf-test-bucket" +} + +resource "aws_s3_bucket_acl" "example_bucket_acl2" { + bucket = aws_s3_bucket.bu2.id + acl = "public-read-write" +} + +resource "aws_s3_bucket_public_access_block" "block_public_bucket_322" { + bucket = aws_s3_bucket.bu2.id + block_public_acls = false + block_public_policy = true + ignore_public_acls = false + restrict_public_buckets = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md b/docs/queries/terraform-queries/aws/bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md new file mode 100644 index 00000000000..4df1bd70c09 --- /dev/null +++ b/docs/queries/terraform-queries/aws/bf9d42c7-c2f9-4dfe-942c-c8cc8249a081.md 
@@ -0,0 +1,89 @@ +--- +title: User With Privilege Escalation By Actions 'iam:AddUserToGroup' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bf9d42c7-c2f9-4dfe-942c-c8cc8249a081 +- **Query name:** User With Privilege Escalation By Actions 'iam:AddUserToGroup' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AddUserToGroup) + +### Description +User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AddUserToGroup", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/c0c1e744-0f37-445e-924a-1846f0839f69.md b/docs/queries/terraform-queries/aws/c0c1e744-0f37-445e-924a-1846f0839f69.md new file mode 100644 index 00000000000..5258aa5a480 --- /dev/null +++ b/docs/queries/terraform-queries/aws/c0c1e744-0f37-445e-924a-1846f0839f69.md 
@@ -0,0 +1,83 @@ +--- +title: Group With Privilege Escalation By Actions 'iam:PutRolePolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c0c1e744-0f37-445e-924a-1846f0839f69 +- **Query name:** Group With Privilege Escalation By Actions 'iam:PutRolePolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutRolePolicy) + +### Description +Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PutRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md b/docs/queries/terraform-queries/aws/c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md new file mode 100644 index 00000000000..6ecfa9e3ca6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6.md @@ -0,0 +1,67 @@ +--- +title: Certificate Has Expired +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c3831315-5ae6-4fa8-b458-3d4d5ab7a3f6 +- **Query name:** Certificate Has Expired +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/certificate_has_expired) + +### Description +Expired SSL/TLS certificates should be removed
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) + +### Code samples +#### Code samples with security vulnerabilities +```yaml title="Postitive test num. 1 - yaml file" hl_lines="2" +- name: upload a self-signed certificate + community.aws.aws_acm: + certificate: "{{ lookup('file', 'expiredCertificate.pem' ) }}" + privateKey: "{{ lookup('file', 'key.pem' ) }}" + name_tag: my_cert + region: ap-southeast-2 + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="2" +resource "aws_api_gateway_domain_name" "example2" { + certificate_body = file("expiredCertificate.pem") + domain_name = "api.example.com" +} + + +``` + + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" +- name: upload a self-signed certificate2 + community.aws.aws_acm: + certificate: "{{ lookup('file', 'validCertificate.pem' ) }}" + privateKey: "{{ lookup('file', 'key.pem' ) }}" + name_tag: my_cert + region: ap-southeast-2 + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_api_gateway_domain_name" "example" { + certificate_body = file("validCertificate.pem") + domain_name = "api.example.com" +} + + +``` diff --git a/docs/queries/terraform-queries/aws/c53c7a89-f9d7-4c7b-8b66-8a555be99593.md b/docs/queries/terraform-queries/aws/c53c7a89-f9d7-4c7b-8b66-8a555be99593.md new file mode 100644 index 00000000000..24aeb806885 --- /dev/null +++ b/docs/queries/terraform-queries/aws/c53c7a89-f9d7-4c7b-8b66-8a555be99593.md 
@@ -0,0 +1,412 @@ +--- +title: Public and Private EC2 Share Role +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c53c7a89-f9d7-4c7b-8b66-8a555be99593 +- **Query name:** Public and Private EC2 Share Role +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/public_and_private_ec2_share_role) + +### Description +Public and private EC2 istances should not share the same role.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#iam_instance_profile) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="103" +provider "aws" { + region = "us-east-1" +} + +locals { + test_description = "two EC2s, one public, one private" + test_name = "Ec2RoleShareRule test - use case 1" +} + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + + name = "Ec2RoleShareRule1" + azs = ["us-east-1a", "us-east-1b", "us-east-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + + cidr = "10.0.0.0/16" + manage_default_security_group= true + default_security_group_ingress = [ + { + from_port = 22 + to_port = 22 + protocol = "tcp" + description = "ssh" + cidr_blocks = "0.0.0.0/0" + }] + default_security_group_egress =[] + version = "3.7.0" +} + +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_iam_role" "test_role" { + name = "test_role" + + assume_role_policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** c583f0f9-7dfd-476b-a056-f47c62b47b46 +- **Query name:** Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_lambda_UpdateFunctionCode) + +### Description +Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource 
set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "lambda:UpdateFunctionCode", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md b/docs/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md new file mode 100644 index 00000000000..c6e170a492d --- /dev/null +++ b/docs/queries/terraform-queries/aws/c5b31ab9-0f26-4a49-b8aa-4cc064392f4d.md 
@@ -0,0 +1,425 @@ +--- +title: S3 Bucket Without Enabled MFA Delete +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c5b31ab9-0f26-4a49-b8aa-4cc064392f4d +- **Query name:** S3 Bucket Without Enabled MFA Delete +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_without_enabled_mfa_delete) + +### Description +S3 bucket without MFA Delete Enabled. MFA delete cannot be enabled through Terraform, it can be done by adding a MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete by using AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket= --mfa='. Please, also notice that MFA delete can not be used with lifecycle configurations
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#mfa_delete) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="23" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive2" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = true + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="25" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive3" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = true + mfa_delete = false + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="24 23" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive3" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = false + } +} + +``` +
+
Postitive test num. 5 - tf file + +```tf hl_lines="1" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" +} + +``` +
+
Postitive test num. 6 - tf file + +```tf hl_lines="8" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning { + enabled = true + } +} + +``` +
+
Postitive test num. 7 - tf file + +```tf hl_lines="10" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning { + enabled = true + mfa_delete = false + } +} + +``` +
+
Postitive test num. 8 - tf file + +```tf hl_lines="8 9" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning { + enabled = false + } +} + +``` +
+
Postitive test num. 9 - tf file + +```tf hl_lines="28" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "b0" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +resource "aws_s3_bucket_versioning" "example2" { + bucket = aws_s3_bucket.b0.id + + versioning_configuration { + status = "Enabled" + mfa_delete = "Disabled" + } +} + +``` +
+
Postitive test num. 10 - tf file + +```tf hl_lines="27" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "bbb" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +resource "aws_s3_bucket_versioning" "example" { + bucket = aws_s3_bucket.bbb.id + + versioning_configuration { + status = "Disabled" + mfa_delete = "Enabled" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "negative1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + enabled = true + mfa_delete = true + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning { + enabled = true + mfa_delete = true + } +} + +``` +```tf title="Negative test num. 3 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + lifecycle_rule { + id = "tmp" + prefix = "tmp/" + enabled = true + + expiration { + date = "2016-01-12" + } + } +} + +``` +
Negative test num. 4 - tf file + +```tf +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "negative4" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + lifecycle_rule { + id = "tmp" + prefix = "tmp/" + enabled = true + + expiration { + date = "2016-01-12" + } + } +} + +``` +
+
Negative test num. 5 - tf file + +```tf +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "bb" { + bucket = "my-tf-test-bucket" + + tags = { + Name = "My bucket" + Environment = "Dev" + } +} + +resource "aws_s3_bucket_versioning" "example" { + bucket = aws_s3_bucket.bb.id + + versioning_configuration { + status = "Enabled" + mfa_delete = "Enabled" + } +} + +``` +
diff --git a/docs/queries/terraform-queries/aws/c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md b/docs/queries/terraform-queries/aws/c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md new file mode 100644 index 00000000000..c47b25af570 --- /dev/null +++ b/docs/queries/terraform-queries/aws/c5ff7bc9-d8ea-46dd-81cb-8286f3222249.md @@ -0,0 +1,60 @@ +--- +title: IAM Password Without Uppercase Letter +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c5ff7bc9-d8ea-46dd-81cb-8286f3222249 +- **Query name:** IAM Password Without Uppercase Letter +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_password_without_uppercase_letter) + +### Description +IAM password should have at least one uppercase letter
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9 4" +resource "aws_iam_account_password_policy" "positive1" { + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = false + require_symbols = true + allow_users_to_change_password = true +} + +resource "aws_iam_account_password_policy" "positive2" { + minimum_password_length = 3 + require_lowercase_characters = true + require_numbers = true + require_symbols = true + allow_users_to_change_password = true +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_account_password_policy" "negative1" { + minimum_password_length = 8 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} +``` diff --git a/docs/queries/terraform-queries/aws/c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md b/docs/queries/terraform-queries/aws/c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md new file mode 100644 index 00000000000..21a17f4f787 --- /dev/null +++ b/docs/queries/terraform-queries/aws/c91d7ea0-d4d1-403b-8fe1-c9961ac082c5.md @@ -0,0 +1,69 @@ +--- +title: Neptune Cluster With IAM Database Authentication Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c91d7ea0-d4d1-403b-8fe1-c9961ac082c5 +- **Query name:** Neptune Cluster With IAM Database Authentication Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/neptune_cluster_with_iam_database_authentication_disabled) + +### Description +Neptune Cluster should have IAM Database Authentication enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 17" +resource "aws_neptune_cluster" "positive1" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + apply_immediately = true + storage_encrypted = true +} + +resource "aws_neptune_cluster" "positive2" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + iam_database_authentication_enabled = false + apply_immediately = true + storage_encrypted = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_neptune_cluster" "negative1" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + storage_encrypted = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/c999cf62-0920-40f8-8dda-0caccd66ed7e.md b/docs/queries/terraform-queries/aws/c999cf62-0920-40f8-8dda-0caccd66ed7e.md new file mode 100644 index 00000000000..4fe003e0da3 --- /dev/null +++ b/docs/queries/terraform-queries/aws/c999cf62-0920-40f8-8dda-0caccd66ed7e.md 
@@ -0,0 +1,80 @@ +--- +title: API Gateway Stage Without API Gateway UsagePlan Associated +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c999cf62-0920-40f8-8dda-0caccd66ed7e +- **Query name:** API Gateway Stage Without API Gateway UsagePlan Associated +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_stage_without_api_gateway_usage_plan_associated) + +### Description +API Gateway Stage should have API Gateway UsagePlan defined and associated.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 10" +resource "aws_api_gateway_stage" "positive1" { + rest_api_id = "some deployment id" + deployment_id = "some rest api id" + stage_name = "some name" + tags { + project = "ProjectName" + } +} + +resource "aws_api_gateway_stage" "positive2" { + deployment_id = "some deployment id" + rest_api_id = "some rest api id" + stage_name = "development" +} + +resource "aws_api_gateway_usage_plan" "positive3" { + name = "my-usage-plan" + description = "my description" + product_code = "MYCODE" + + api_stages { + api_id = "another id" + stage = "development" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_api_gateway_stage" "negative1" { + deployment_id = "some deployment id" + rest_api_id = "rest_api_1" + stage_name = "development" +} + +resource "aws_api_gateway_usage_plan" "negative2" { + name = "my-usage-plan" + description = "my description" + product_code = "MYCODE" + + api_stages { + api_id = "rest_api_1" + stage = "development" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md b/docs/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md new file mode 100644 index 00000000000..5ca566443c3 --- /dev/null +++ b/docs/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c.md 
@@ -0,0 +1,74 @@ +--- +title: Security Group Rule Without Description +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cb3f5ed6-0d18-40de-a93d-b3538db31e8c +- **Query name:** Security Group Rule Without Description +- **Platform:** Terraform +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/security_group_without_description) + +### Description +It's considered a best practice for AWS Security Group to have a description
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group#description) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_security_group" "allow_tls" { + name = "allow_tls" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + tags = { + Name = "allow_tls" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group" "allow_tls" { + name = "allow_tls" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block] + } + + tags = { + Name = "allow_tls" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/cc997676-481b-4e93-aa81-d19f8c5e9b12.md b/docs/queries/terraform-queries/aws/cc997676-481b-4e93-aa81-d19f8c5e9b12.md new file mode 100644 index 00000000000..787097d1947 --- /dev/null +++ b/docs/queries/terraform-queries/aws/cc997676-481b-4e93-aa81-d19f8c5e9b12.md @@ -0,0 +1,68 @@ +--- +title: EBS Volume Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cc997676-481b-4e93-aa81-d19f8c5e9b12 +- **Query name:** EBS Volume Encryption Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ebs_volume_encryption_disabled) + +### Description +EBS volumes should be encrypted
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_ebs_volume" "positive1" { + availability_zone = "us-west-2a" + size = 40 + encrypted = false + + tags = { + Name = "HelloWorld" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_ebs_volume" "positive2" { + availability_zone = "us-west-2a" + size = 40 + + tags = { + Name = "HelloWorld" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_ebs_volume" "negative1" { + availability_zone = "us-west-2a" + size = 40 + encrypted = true + + tags = { + Name = "HelloWorld" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/ce089fd4-1406-47bd-8aad-c259772bb294.md b/docs/queries/terraform-queries/aws/ce089fd4-1406-47bd-8aad-c259772bb294.md new file mode 100644 index 00000000000..aea81d8ab82 --- /dev/null +++ b/docs/queries/terraform-queries/aws/ce089fd4-1406-47bd-8aad-c259772bb294.md @@ -0,0 +1,108 @@ +--- +title: DynamoDB Table Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ce089fd4-1406-47bd-8aad-c259772bb294 +- **Query name:** DynamoDB Table Not Encrypted +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/dynamodb_table_not_encrypted) + +### Description +AWS DynamoDB Tables should have server-side encryption
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 30" +resource "aws_dynamodb_table" "example" { + name = "example" + hash_key = "TestTableHashKey" + billing_mode = "PAY_PER_REQUEST" + stream_enabled = true + stream_view_type = "NEW_AND_OLD_IMAGES" + + attribute { + name = "TestTableHashKey" + type = "S" + } + + replica { + region_name = "us-east-2" + } + + replica { + region_name = "us-west-2" + } +} + +resource "aws_dynamodb_table" "example_2" { + name = "example" + hash_key = "TestTableHashKey" + billing_mode = "PAY_PER_REQUEST" + stream_enabled = true + stream_view_type = "NEW_AND_OLD_IMAGES" + + server_side_encryption { + enabled = false + } + + attribute { + name = "TestTableHashKey" + type = "S" + } + + replica { + region_name = "us-east-2" + } + + replica { + region_name = "us-west-2" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_dynamodb_table" "example" { + name = "example" + hash_key = "TestTableHashKey" + billing_mode = "PAY_PER_REQUEST" + stream_enabled = true + stream_view_type = "NEW_AND_OLD_IMAGES" + + server_side_encryption { + enabled = true + } + + attribute { + name = "TestTableHashKey" + type = "S" + } + + replica { + region_name = "us-east-2" + } + + replica { + region_name = "us-west-2" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md b/docs/queries/terraform-queries/aws/ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md new file mode 100644 index 00000000000..a8e8fa50f62 --- /dev/null +++ b/docs/queries/terraform-queries/aws/ce60cc6b-6831-4bd7-84a2-cc7f8ee71433.md 
@@ -0,0 +1,88 @@ +--- +title: SSM Session Transit Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ce60cc6b-6831-4bd7-84a2-cc7f8ee71433 +- **Query name:** SSM Session Transit Encryption Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ssm_session_transit_encryption_disabled) + +### Description +SSM Session should be encrypted in transit
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_document#content) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_ssm_document" "positive1" { + name = "test_document" + document_type = "Session" + + content = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** ce60d060-efb8-4bfd-9cf7-ff8945d00d90 +- **Query name:** Misconfigured Password Policy Expiration +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/misconfigured_password_policy_expiration) + +### Description +No password expiration policy
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 12" +resource "aws_iam_account_password_policy" "positive1" { + minimum_password_length = 8 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true + max_password_age = 180 +} + +// comment +resource "aws_iam_account_password_policy" "positive2" { + minimum_password_length = 8 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_account_password_policy" "negative1" { + minimum_password_length = 8 + require_lowercase_characters = true + require_numbers = true + require_uppercase_characters = true + require_symbols = true + allow_users_to_change_password = true + max_password_age = 10 +} +``` diff --git a/docs/queries/terraform-queries/aws/ce9dfce0-5fc8-433b-944a-3b16153111a8.md b/docs/queries/terraform-queries/aws/ce9dfce0-5fc8-433b-944a-3b16153111a8.md new file mode 100644 index 00000000000..3f9d3ec8cbe --- /dev/null +++ b/docs/queries/terraform-queries/aws/ce9dfce0-5fc8-433b-944a-3b16153111a8.md 
@@ -0,0 +1,69 @@ +--- +title: SSO Permission With Inadequate User Session Duration +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ce9dfce0-5fc8-433b-944a-3b16153111a8 +- **Query name:** SSO Permission With Inadequate User Session Duration +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sso_permission_with_inadequate_user_session_duration) + +### Description +SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6 14" +resource "aws_ssoadmin_permission_set" "example3" { + name = "Example" + description = "An example" + instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0] + relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-east-1#" + session_duration = "PT1H1M" +} + +resource "aws_ssoadmin_permission_set" "example4" { + name = "Example" + description = "An example" + instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0] + relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-east-1#" + session_duration = "PT2H" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_ssoadmin_permission_set" "example" { + name = "Example" + description = "An example" + instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0] + relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-east-1#" + session_duration = "PT1H" +} + +resource "aws_ssoadmin_permission_set" "example2" { + name = "Example" + description = "An example" + instance_arn = tolist(data.aws_ssoadmin_instances.example.arns)[0] + relay_state = "https://s3.console.aws.amazon.com/s3/home?region=us-east-1#" +} + + +``` diff --git a/docs/queries/terraform-queries/aws/cfdcabb0-fc06-427c-865b-c59f13e898ce.md b/docs/queries/terraform-queries/aws/cfdcabb0-fc06-427c-865b-c59f13e898ce.md new file mode 100644 index 00000000000..7f7d884619e --- /dev/null +++ b/docs/queries/terraform-queries/aws/cfdcabb0-fc06-427c-865b-c59f13e898ce.md 
@@ -0,0 +1,66 @@ +--- +title: Redshift Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cfdcabb0-fc06-427c-865b-c59f13e898ce +- **Query name:** Redshift Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/redshift_not_encrypted) + +### Description +AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#encrypted) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 17" +resource "aws_redshift_cluster" "positive1" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" +} + +resource "aws_redshift_cluster" "positive2" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" + encrypted = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_redshift_cluster" "negative1" { + cluster_identifier = "tf-redshift-cluster" + database_name = "mydb" + master_username = "foo" + master_password = "Mustbe8characters" + node_type = "dc1.large" + cluster_type = "single-node" + encrypted = true +} + +``` diff --git a/docs/queries/terraform-queries/aws/d0cc8694-fcad-43ff-ac86-32331d7e867f.md b/docs/queries/terraform-queries/aws/d0cc8694-fcad-43ff-ac86-32331d7e867f.md new file mode 100644 index 00000000000..b67582a64e0 --- /dev/null +++ b/docs/queries/terraform-queries/aws/d0cc8694-fcad-43ff-ac86-32331d7e867f.md @@ -0,0 +1,172 @@ +--- +title: S3 Bucket Allows Public ACL +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d0cc8694-fcad-43ff-ac86-32331d7e867f +- **Query name:** S3 Bucket Allows Public ACL +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_allows_public_acl) + +### Description +S3 bucket allows public ACL
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 18" +resource "aws_s3_bucket" "positive1" { + bucket = "example" +} + +resource "aws_s3_bucket_public_access_block" "positive2" { + bucket = aws_s3_bucket.example.id + + block_public_acls = false + block_public_policy = true + ignore_public_acls = false +} + +// comment +// comment +// comment +// comment +// comment +resource "aws_s3_bucket_public_access_block" "positive3" { + bucket = aws_s3_bucket.example.id + + block_public_policy = true + ignore_public_acls = false +} +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="8" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + restrict_public_buckets = true + block_public_acls = false + + versioning = { + enabled = true + } + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** d1846b12-20c5-4d45-8798-fc35b79268eb +- **Query name:** ECR Image Tag Not Immutable +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecr_image_tag_not_immutable) + +### Description +ECR should have an image tag be immutable. This prevents image tags from being overwritten.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10 3" +resource "aws_ecr_repository" "foo2" { + name = "bar" + image_tag_mutability = "MUTABLE" + + image_scanning_configuration { + scan_on_push = true + } +} + +resource "aws_ecr_repository" "foo3" { + name = "bar" + + image_scanning_configuration { + scan_on_push = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_ecr_repository" "foo" { + name = "bar" + image_tag_mutability = "IMMUTABLE" + + image_scanning_configuration { + scan_on_push = true + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/d24c0755-c028-44b1-b503-8e719c898832.md b/docs/queries/terraform-queries/aws/d24c0755-c028-44b1-b503-8e719c898832.md new file mode 100644 index 00000000000..c98497ef999 --- /dev/null +++ b/docs/queries/terraform-queries/aws/d24c0755-c028-44b1-b503-8e719c898832.md @@ -0,0 +1,177 @@ +--- +title: S3 Bucket Allows Put Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d24c0755-c028-44b1-b503-8e719c898832 +- **Query name:** S3 Bucket Allows Put Action From All Principals +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_allows_put_action_from_all_principals) + +### Description +S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_s3_bucket_policy" "positive1" { + bucket = aws_s3_bucket.b.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** d25edb51-07fb-4a73-97d4-41cecdc53a22 +- **Query name:** Glue With Vulnerable Policy +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/glue_with_vulnerable_policy) + +### Description +Glue policy should avoid wildcard in 'principals' and 'actions'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/glue_resource_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="15" +data "aws_iam_policy_document" "glue-example-policy" { + statement { + actions = [ + "glue:*", + ] + resources = ["arn:data.aws_partition.current.partition:glue:data.aws_region.current.name:data.aws_caller_identity.current.account_id:*"] + principals { + identifiers = ["*"] + type = "AWS" + } + } +} + +resource "aws_glue_resource_policy" "example" { + policy = data.aws_iam_policy_document.glue-example-policy.json +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +data "aws_iam_policy_document" "glue-example-policy2" { + statement { + actions = [ + "glue:CreateTable", + ] + resources = ["arn:data.aws_partition.current.partition:glue:data.aws_region.current.name:data.aws_caller_identity.current.account_id:*"] + principals { + identifiers = ["arn:aws:iam::var.account_id:saml-provider/var.provider_name"] + type = "AWS" + } + } +} + +resource "aws_glue_resource_policy" "example2" { + policy = data.aws_iam_policy_document.glue-example-policy2.json +} + +``` diff --git a/docs/queries/terraform-queries/aws/d364984a-a222-4b5f-a8b0-e23ab19ebff3.md b/docs/queries/terraform-queries/aws/d364984a-a222-4b5f-a8b0-e23ab19ebff3.md new file mode 100644 index 00000000000..0b81b586c65 --- /dev/null +++ b/docs/queries/terraform-queries/aws/d364984a-a222-4b5f-a8b0-e23ab19ebff3.md 
@@ -0,0 +1,81 @@ +--- +title: Athena Workgroup Not Encrypted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d364984a-a222-4b5f-a8b0-e23ab19ebff3 +- **Query name:** Athena Workgroup Not Encrypted +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/athena_workgroup_not_encrypted) + +### Description +Athena Workgroup query results should be encrypted, for all queries that run in the workgroup
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#encryption_configuration) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 1 21" +resource "aws_athena_workgroup" "example" { + name = "example" +} + +resource "aws_athena_workgroup" "example_2" { + name = "example" + + configuration { + enforce_workgroup_configuration = true + publish_cloudwatch_metrics_enabled = true + } +} + +resource "aws_athena_workgroup" "example_3" { + name = "example" + + configuration { + enforce_workgroup_configuration = true + publish_cloudwatch_metrics_enabled = true + + result_configuration { + output_location = "s3://${aws_s3_bucket.example.bucket}/output/" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_athena_workgroup" "example" { + name = "example" + + configuration { + enforce_workgroup_configuration = true + publish_cloudwatch_metrics_enabled = true + + result_configuration { + output_location = "s3://${aws_s3_bucket.example.bucket}/output/" + + encryption_configuration { + encryption_option = "SSE_KMS" + kms_key_arn = aws_kms_key.example.arn + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/d40210ea-64b9-4cce-a4fb-e8604f3c062c.md b/docs/queries/terraform-queries/aws/d40210ea-64b9-4cce-a4fb-e8604f3c062c.md new file mode 100644 index 00000000000..6d47f22d17a --- /dev/null +++ b/docs/queries/terraform-queries/aws/d40210ea-64b9-4cce-a4fb-e8604f3c062c.md 
@@ -0,0 +1,145 @@ +--- +title: ECS Task Definition Container With Plaintext Password +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d40210ea-64b9-4cce-a4fb-e8604f3c062c +- **Query name:** ECS Task Definition Container With Plaintext Password +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecs_task_definition_with_plaintext_password) + +### Description +It's not recommended to use plaintext environment variables for sensitive information, such as credential data.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="30" +resource "aws_ecs_task_definition" "positive1" { + family = "service" + container_definitions = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** d6047119-a0b2-4b59-a4f2-127a36fb685b +- **Query name:** Role With Privilege Escalation By Actions 'iam:PutGroupPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutGroupPolicy) + +### Description +Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PutGroupPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/d7b9d850-3e06-4a75-852f-c46c2e92240b.md b/docs/queries/terraform-queries/aws/d7b9d850-3e06-4a75-852f-c46c2e92240b.md new file mode 100644 index 00000000000..52c55822fa3 --- /dev/null +++ b/docs/queries/terraform-queries/aws/d7b9d850-3e06-4a75-852f-c46c2e92240b.md @@ -0,0 +1,103 @@ +--- +title: Hardcoded AWS Access Key +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d7b9d850-3e06-4a75-852f-c46c2e92240b +- **Query name:** Hardcoded AWS Access Key +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/hardcoded_aws_access_key) + +### Description +AWS Access Key should not be hardcoded
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="13" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + user_data = "1234567890123456789012345678901234567890$" + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="5" +resource "aws_instance" "positive1" { + ami = data.aws_ami.ubuntu.id + instance_type = "t3.micro" + + user_data = "1234567890123456789012345678901234567890$" + tags = { + Name = "HelloWorld" + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +module "ec2_instance" { + source = "terraform-aws-modules/ec2-instance/aws" + version = "~> 3.0" + + name = "single-instance" + + ami = "ami-ebd02392" + instance_type = "t2.micro" + key_name = "user1" + monitoring = true + vpc_security_group_ids = ["sg-12345678"] + subnet_id = "subnet-eddcdzz4" + user_data = file("scripts/first-boot-http.sh") + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "aws_instance" "negative1" { + ami = data.aws_ami.ubuntu.id + instance_type = "t3.micro" + + user_data = file("scripts/first-boot-http.sh") + tags = { + Name = "HelloWorld" + } +} + + +``` diff --git a/docs/queries/terraform-queries/aws/db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md b/docs/queries/terraform-queries/aws/db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md new file mode 100644 index 00000000000..bfa8f509173 --- /dev/null 
+++ b/docs/queries/terraform-queries/aws/db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8.md @@ -0,0 +1,88 @@ +--- +title: CloudWatch Logs Destination With Vulnerable Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** db0ec4c4-852c-46a2-b4f3-7ec13cdb12a8 +- **Query name:** CloudWatch Logs Destination With Vulnerable Policy +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_logs_destination_with_vulnerable_policy) + +### Description +CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_destination_policy#access_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="22" +data "aws_iam_policy_document" "test_destination_policy" { + statement { + effect = "Allow" + + principals { + type = "AWS" + + identifiers = [ + data.aws_caller_identity.current.id, + ] + } + + actions = [ + "logs:*", + ] + + } +} + +resource "aws_cloudwatch_log_destination_policy" "test_destination_policy" { + destination_name = aws_cloudwatch_log_destination.test_destination.name + access_policy = data.aws_iam_policy_document.test_destination_policy.json +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +data "aws_iam_policy_document" "test_destination_policy2" { + statement { + effect = "Allow" + + principals { + type = "AWS" + + identifiers = [ + "123456789012", + ] + } + + actions = [ + "logs:PutSubscriptionFilter", + ] + + resources = [ + aws_cloudwatch_log_destination.test_destination.arn, + ] + } +} + +resource "aws_cloudwatch_log_destination_policy" "test_destination_policy2" { + destination_name = aws_cloudwatch_log_destination.test_destination.name + access_policy = data.aws_iam_policy_document.test_destination_policy2.json +} + +``` diff --git a/docs/queries/terraform-queries/aws/db78d14b-10e5-4e6e-84b1-dace6327b1ec.md b/docs/queries/terraform-queries/aws/db78d14b-10e5-4e6e-84b1-dace6327b1ec.md new file mode 100644 index 00000000000..f6d4ebaf020 --- /dev/null +++ b/docs/queries/terraform-queries/aws/db78d14b-10e5-4e6e-84b1-dace6327b1ec.md 
@@ -0,0 +1,81 @@ +--- +title: Group With Privilege Escalation By Actions 'iam:AttachUserPolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** db78d14b-10e5-4e6e-84b1-dace6327b1ec +- **Query name:** Group With Privilege Escalation By Actions 'iam:AttachUserPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_AttachUserPolicy) + +### Description +Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_group" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_group_policy" "test_inline_policy" { + name = "test_inline_policy" + group = aws_iam_group.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachUserPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/de7f5e83-da88-4046-871f-ea18504b1d43.md b/docs/queries/terraform-queries/aws/de7f5e83-da88-4046-871f-ea18504b1d43.md new file mode 100644 index 00000000000..c78c1c2b787 --- /dev/null +++ b/docs/queries/terraform-queries/aws/de7f5e83-da88-4046-871f-ea18504b1d43.md @@ -0,0 +1,312 @@ +--- +title: ALB Listening on HTTP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** de7f5e83-da88-4046-871f-ea18504b1d43 +- **Query name:** ALB Listening on HTTP +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/alb_listening_on_http) + +### Description +AWS Application Load Balancer (alb) should not listen on HTTP
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9" +resource "aws_lb_listener" "listener5" { + load_balancer_arn = aws_lb.test3.arn + port = 80 + default_action { + type = "redirect" + + redirect { + port = "80" + protocol = "HTTP" + status_code = "HTTP_301" + } + } +} + +resource "aws_lb" "test3" { + name = "test123" + load_balancer_type = "application" + subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] + internal = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="70" +provider "aws" { + profile = "default" + region = "us-west-2" +} + +data "aws_availability_zones" "available" { + state = "available" +} + +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_vpc" "vpc1" { + cidr_block = "10.10.0.0/16" +} + +resource "aws_subnet" "subnet1" { + vpc_id = aws_vpc.vpc1.id + cidr_block = "10.10.10.0/24" + availability_zone_id = data.aws_availability_zones.available.zone_ids[0] + tags = { + Name = "subnet1" + } +} + +resource "aws_subnet" "subnet2" { + vpc_id = aws_vpc.vpc1.id + cidr_block = "10.10.11.0/24" + availability_zone_id = data.aws_availability_zones.available.zone_ids[1] + + tags = { + Name = "subnet2" + } +} + +resource "aws_lb" "test" { + name = "test123" + load_balancer_type = "application" + subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] + internal = true +} + +resource "aws_lb_target_group" "test" { + port = 80 + protocol = "HTTP" + target_type = "instance" + vpc_id = aws_vpc.vpc1.id +} + +resource "aws_default_security_group" "dsg" { + vpc_id = aws_vpc.vpc1.id +} + +resource "aws_lb_listener" "listener" { + 
load_balancer_arn = aws_lb.test.arn + port = 80 + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.test.arn + } +} + +resource "aws_lb_target_group_attachment" "attach1" { + target_group_arn = aws_lb_target_group.test.arn + target_id = aws_instance.inst1.id + port = 80 +} + +resource "aws_instance" "inst1" { + vpc_security_group_ids = [aws_default_security_group.dsg.id] + subnet_id = aws_subnet.subnet1.id + ami = data.aws_ami.ubuntu.id + instance_type = "t3.micro" +} + +resource "aws_lb_target_group_attachment" "attach2" { + target_group_arn = aws_lb_target_group.test.arn + target_id = aws_instance.inst2.id + port = 80 +} + +resource "aws_instance" "inst2" { + vpc_security_group_ids = [aws_default_security_group.dsg.id] + subnet_id = aws_subnet.subnet1.id + ami = data.aws_ami.ubuntu.id + instance_type = "t3.micro" +} + +resource "aws_lb_target_group_attachment" "attach3" { + target_group_arn = aws_lb_target_group.test.arn + target_id = aws_instance.inst3.id + port = 80 +} + +resource "aws_instance" "inst3" { + vpc_security_group_ids = [aws_default_security_group.dsg.id] + subnet_id = aws_subnet.subnet1.id + ami = data.aws_ami.ubuntu.id + instance_type = "t3.micro" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_lb_listener" "listener55" { + load_balancer_arn = aws_lb.test33.arn + port = 80 + default_action { + type = "redirect" + + redirect { + port = "80" + protocol = "HTTPS" + status_code = "HTTPS_301" + } + } +} + +resource "aws_lb" "test33" { + name = "test123" + load_balancer_type = "application" + subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id] + internal = true +} + +``` +```tf title="Negative test num. 
2 - tf file" +provider "aws2" { + profile = "default" + region = "us-west-2" +} + +data "aws_availability_zones" "available2" { + state = "available" +} + +data "aws_ami" "ubuntu2" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_vpc" "vpc1" { + cidr_block = "10.10.0.0/16" +} + +resource "aws_subnet" "subnet12" { + vpc_id = aws_vpc.vpc1.id + cidr_block = "10.10.10.0/24" + availability_zone_id = data.aws_availability_zones.available2.zone_ids[0] + tags = { + Name = "subnet1" + } +} + +resource "aws_subnet" "subnet22" { + vpc_id = aws_vpc.vpc1.id + cidr_block = "10.10.11.0/24" + availability_zone_id = data.aws_availability_zones.available2.zone_ids[1] + + tags = { + Name = "subnet2" + } +} + +resource "aws_lb" "test2" { + name = "test123" + load_balancer_type = "application" + subnets = [aws_subnet.subnet12.id, aws_subnet.subnet22.id] + internal = true +} + +resource "aws_lb_target_group" "test2" { + port = 80 + protocol = "HTTP" + target_type = "instance" + vpc_id = aws_vpc.vpc1.id +} + +resource "aws_default_security_group" "dsg2" { + vpc_id = aws_vpc.vpc1.id +} + +resource "aws_lb_listener" "listener2" { + load_balancer_arn = aws_lb.test2.arn + protocol = "HTTPS" + port = 80 + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.test2.arn + } +} + +resource "aws_lb_target_group_attachment" "attach12" { + target_group_arn = aws_lb_target_group.test2.arn + target_id = aws_instance.inst12.id + port = 80 +} + +resource "aws_instance" "inst12" { + vpc_security_group_ids = [aws_default_security_group.dsg2.id] + subnet_id = aws_subnet.subnet12.id + ami = data.aws_ami.ubuntu2.id + instance_type = "t3.micro" +} + +resource "aws_lb_target_group_attachment" "attach22" { + target_group_arn = aws_lb_target_group.test2.arn + target_id = 
aws_instance.inst22.id + port = 80 +} + +resource "aws_instance" "inst22" { + vpc_security_group_ids = [aws_default_security_group.dsg2.id] + subnet_id = aws_subnet.subnet12.id + ami = data.aws_ami.ubuntu2.id + instance_type = "t3.micro" +} + +resource "aws_lb_target_group_attachment" "attach32" { + target_group_arn = aws_lb_target_group.test2.arn + target_id = aws_instance.inst32.id + port = 80 +} + +resource "aws_instance" "inst32" { + vpc_security_group_ids = [aws_default_security_group.dsg2.id] + subnet_id = aws_subnet.subnet12.id + ami = data.aws_ami.ubuntu2.id + instance_type = "t3.micro" +} + +``` diff --git a/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md b/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md new file mode 100644 index 00000000000..52e0a4e85e6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/e08ed7eb-f3ef-494d-9d22-2e3db756a347.md @@ -0,0 +1,55 @@ +--- +title: Lambda Permission Principal Is Wildcard +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e08ed7eb-f3ef-494d-9d22-2e3db756a347 +- **Query name:** Lambda Permission Principal Is Wildcard +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/lambda_permission_principal_is_wildcard) + +### Description +Lambda Permission Principal should not contain a wildcard.
+[Documentation](https://docs.ansible.com/ansible/latest/collections/community/aws/lambda_policy_module.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_lambda_permission" "positive1" { + statement_id = "AllowExecutionFromCloudWatch" + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.test_lambda.function_name + principal = "*" + source_arn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily" + qualifier = aws_lambda_alias.test_alias.name +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_lambda_permission" "negative1" { + statement_id = "AllowExecutionFromCloudWatch" + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.test_lambda.function_name + principal = "events.amazonaws.com" + source_arn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily" + qualifier = aws_lambda_alias.test_alias.name +} + +``` diff --git a/docs/queries/terraform-queries/aws/e227091e-2228-4b40-b046-fc13650d8e88.md b/docs/queries/terraform-queries/aws/e227091e-2228-4b40-b046-fc13650d8e88.md new file mode 100644 index 00000000000..bd2e725c2f3 --- /dev/null +++ b/docs/queries/terraform-queries/aws/e227091e-2228-4b40-b046-fc13650d8e88.md 
@@ -0,0 +1,90 @@ +--- +title: User With Privilege Escalation By Actions 'iam:AttachRolePolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e227091e-2228-4b40-b046-fc13650d8e88 +- **Query name:** User With Privilege Escalation By Actions 'iam:AttachRolePolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_AttachRolePolicy) + +### Description +User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/e35c16a2-d54e-419d-8546-a804d8e024d0.md b/docs/queries/terraform-queries/aws/e35c16a2-d54e-419d-8546-a804d8e024d0.md new file mode 100644 index 00000000000..8f27ec1ea6e --- /dev/null +++ b/docs/queries/terraform-queries/aws/e35c16a2-d54e-419d-8546-a804d8e024d0.md 
@@ -0,0 +1,244 @@
+---
+title: Sensitive Port Is Exposed To Small Public Network
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e35c16a2-d54e-419d-8546-a804d8e024d0
+- **Query name:** Sensitive Port Is Exposed To Small Public Network
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sensitive_port_is_exposed_to_small_public_network)
+
+### Description
+A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="96 66 36 6 111 81 51 21" +resource "aws_security_group" "positive1" { + name = "allow_tls1" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2200 + to_port = 2500 + protocol = "-1" + cidr_blocks = ["12.0.0.0/25"] + } +} + + +resource "aws_security_group" "positive2" { + name = "allow_tls2" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 20 + to_port = 60 + protocol = "tcp" + cidr_blocks = ["1.2.3.4/26"] + } +} + + +resource "aws_security_group" "positive3" { + name = "allow_tls3" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 5000 + to_port = 6000 + protocol = "-1" + cidr_blocks = ["2.12.22.33/27"] + } +} + + +resource "aws_security_group" "positive4" { + name = "allow_tls4" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 20 + to_port = 22 + protocol = "tcp" + cidr_blocks = ["10.92.168.0/28"] + } +} + + +resource "aws_security_group" "positive5" { + name = "allow_tls5" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 445 + to_port = 500 + protocol = "udp" + cidr_blocks = ["1.1.1.1/29","0.0.0.0/0", "2.2.3.4/12"] + } +} + + +resource "aws_security_group" "positive6" { + name = "allow_tls6" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 135 + to_port = 170 + protocol = "udp" + cidr_blocks = ["10.68.0.0", "0.0.0.0/28"] + } +} + + +resource 
"aws_security_group" "positive7" { + name = "allow_tls7" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2383 + to_port = 2383 + protocol = "udp" + cidr_blocks = ["/0", "1.2.3.4/27"] + } +} + + +resource "aws_security_group" "positive8" { + name = "allow_tls8" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["10.68.0.0/26"] + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group" "negative1" { + name = "allow_tls1" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2383 + to_port = 2383 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + } +} + + +resource "aws_security_group" "negative2" { + name = "allow_tls2" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 2384 + to_port = 2386 + protocol = "tcp" + cidr_blocks = ["/0"] + } +} + + +resource "aws_security_group" "negative3" { + name = "allow_tls3" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 25 + to_port = 2500 + protocol = "tcp" + cidr_blocks = ["1.2.3.4/0"] + } +} + + +resource "aws_security_group" "negative4" { + name = "allow_tls4" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 25 + to_port = 2500 + protocol = "tcp" + cidr_blocks = ["1.2.3.4/5"] + } +} + + +resource "aws_security_group" "negative5" { + name = "allow_tls5" + description = "Allow TLS inbound traffic" + vpc_id = aws_vpc.main.id + + ingress { + description = "TLS from VPC" + from_port = 25 + to_port = 2500 + 
protocol = "udp"
+ cidr_blocks = ["1.2.3.4/5","0.0.0.0/12"]
+ }
+}
+
+
+resource "aws_security_group" "negative6" {
+ name = "allow_tls6"
+ description = "Allow TLS inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "TLS from VPC"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["1.2.3.4","0.0.0.0/0"]
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md b/docs/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md
new file mode 100644
index 00000000000..37995ecbb6c
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10.md
@@ -0,0 +1,77 @@
+---
+title: Resource Not Using Tags
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10
+- **Query name:** Resource Not Using Tags
+- **Platform:** Terraform
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/resource_not_using_tags)
+
+### Description
+AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/resource-tagging)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 14"
+resource "aws_acm_certificate" "cert" {
+ domain_name = "example.com"
+ validation_method = "DNS"
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_acm_certificate" "cert_2" {
+ domain_name = "example.com"
+ validation_method = "DNS"
+
+ tags = {
+ Name = "test"
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_acm_certificate" "cert" {
+ domain_name = "example.com"
+ validation_method = "DNS"
+
+ tags = {
+ Environment = "test"
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_acm_certificate_validation" "example" {
+ certificate_arn = aws_acm_certificate.example.arn
+ validation_record_fqdns = [for record in aws_route53_record.example : record.fqdn]
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md b/docs/queries/terraform-queries/aws/e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md
new file mode 100644
index 00000000000..e77bc3b19d9
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/e39bee8c-fe54-4a3f-824d-e5e2d1cca40a.md
@@ -0,0 +1,81 @@
+---
+title: IAM Role Policy passRole Allows All
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e39bee8c-fe54-4a3f-824d-e5e2d1cca40a
+- **Query name:** IAM Role Policy passRole Allows All
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_role_policy_passrole_allows_all)
+
+### Description
+Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources
+[Documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+resource "aws_iam_role_policy" "test_policy" {
+ name = "test_policy"
+ role = aws_iam_role.test_role.id
+
+ policy = <<-EOF
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "iam:passrole"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+ }
+ EOF
+}
+
+
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_role_policy" "test_policy" {
+ name = "test_policy"
+ role = aws_iam_role.test_role.id
+
+ policy = <<-EOF
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "iam:passrole"
+ ],
+ "Effect": "Allow",
+ "Resource": "arn:aws:sqs:us-east-2:account-ID-without-hyphens:queue1"
+ }
+ ]
+ }
+ EOF
+}
+
+
+```
diff --git a/docs/queries/terraform-queries/aws/e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md b/docs/queries/terraform-queries/aws/e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md
new file mode 100644
index 00000000000..84311e61ee0
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/e542bd46-58c4-4e0f-a52a-1fb4f9548e02.md
@@ -0,0 +1,59 @@
+---
+title: RDS Cluster With Backup Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e542bd46-58c4-4e0f-a52a-1fb4f9548e02
+- **Query name:** RDS Cluster With Backup Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/rds_cluster_with_backup_disabled)
+
+### Description
+RDS Cluster backup retention period should be specifically defined
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_rds_cluster" "postgresql" {
+ cluster_identifier = "aurora-cluster-demo"
+ engine = "aurora-postgresql"
+ availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
+ database_name = "mydb"
+ master_username = "foo"
+ master_password = "bar"
+ preferred_backup_window = "07:00-09:00"
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_rds_cluster" "postgresql" {
+ cluster_identifier = "aurora-cluster-demo"
+ engine = "aurora-postgresql"
+ availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
+ database_name = "mydb"
+ master_username = "foo"
+ master_password = "bar"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370.md b/docs/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370.md
new file mode 100644
index 00000000000..b94aee7cba8
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370.md
@@ -0,0 +1,53 @@
+---
+title: IAM Access Analyzer Not Enabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e592a0c5-5bdb-414c-9066-5dba7cdea370
+- **Query name:** IAM Access Analyzer Not Enabled
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_access_analyzer_not_enabled)
+
+### Description
+IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_organizations_organization" "example2" {
+ aws_service_access_principals = ["access-analyzer.amazonaws.com"]
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+/*resource "aws_organizations_organization" "example" {
+ aws_service_access_principals = ["access-analyzer.amazonaws.com"]
+}
+
+resource "aws_accessanalyzer_analyzer" "examplee" {
+ depends_on = [aws_organizations_organization.example]
+
+ analyzer_name = "example"
+ type = "ORGANIZATION"
+}
+*/
+
+```
diff --git a/docs/queries/terraform-queries/aws/e6b4b943-6883-47a9-9739-7ada9568f8ca.md b/docs/queries/terraform-queries/aws/e6b4b943-6883-47a9-9739-7ada9568f8ca.md
new file mode 100644
index 00000000000..842459fadf3
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/e6b4b943-6883-47a9-9739-7ada9568f8ca.md
@@ -0,0 +1,89 @@
+---
+title: EBS Volume Snapshot Not Encrypted
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e6b4b943-6883-47a9-9739-7ada9568f8ca
+- **Query name:** EBS Volume Snapshot Not Encrypted
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ebs_volume_snapshot_not_encrypted)
+
+### Description
+The value on AWS EBS Volume Snapshot Encryptation must be true
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_snapshot#encrypted)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="4"
+resource "aws_ebs_volume" "positive1" {
+ availability_zone = "us-west-2a"
+ size = 40
+ encrypted = false
+
+ tags = {
+ Name = "HelloWorld"
+ }
+}
+
+resource "aws_ebs_snapshot" "positive1" {
+ volume_id = aws_ebs_volume.positive1.id
+ tags {
+ Name = "Production"
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="10"
+resource "aws_ebs_volume" "positive2" {
+ availability_zone = "us-west-2a"
+ size = 40
+
+ tags = {
+ Name = "HelloWorld"
+ }
+}
+
+resource "aws_ebs_snapshot" "positive2" {
+ volume_id = aws_ebs_volume.positive2.id
+ tags {
+ Name = "Production"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_ebs_volume" "negative1" {
+ availability_zone = "us-west-2a"
+ size = 40
+ encrypted = true
+
+ tags = {
+ Name = "HelloWorld"
+ }
+}
+
+resource "aws_ebs_snapshot" "negative1" {
+ volume_id = aws_ebs_volume.negative1.id
+ tags {
+ Name = "Production"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/e7530c3c-b7cf-4149-8db9-d037a0b5268e.md b/docs/queries/terraform-queries/aws/e7530c3c-b7cf-4149-8db9-d037a0b5268e.md
new file mode 100644
index 00000000000..addb16aac0d
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/e7530c3c-b7cf-4149-8db9-d037a0b5268e.md
@@ -0,0 +1,121 @@
+---
+title: Elasticsearch Without IAM Authentication
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e7530c3c-b7cf-4149-8db9-d037a0b5268e
+- **Query name:** Elasticsearch Without IAM Authentication
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticsearch_without_iam_authentication)
+
+### Description
+AWS Elasticsearch should ensure IAM Authentication
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_elasticsearch_domain" "example" { + domain_name = "tf-test" + elasticsearch_version = "2.3" +} + +resource "aws_elasticsearch_domain_policy" "main" { + domain_name = aws_elasticsearch_domain.example.domain_name + + access_policies = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** e77c89f6-9c85-49ea-b95b-5f960fe5be92 +- **Query name:** Group With Privilege Escalation By Actions 'iam:PutGroupPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_PutGroupPolicy) + +### Description +Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutGroupPolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/e86e26fc-489e-44f0-9bcd-97305e4ba69a.md b/docs/queries/terraform-queries/aws/e86e26fc-489e-44f0-9bcd-97305e4ba69a.md
new file mode 100644
index 00000000000..48c2784471a
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/e86e26fc-489e-44f0-9bcd-97305e4ba69a.md
@@ -0,0 +1,113 @@
+---
+title: ECR Repository Is Publicly Accessible
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e86e26fc-489e-44f0-9bcd-97305e4ba69a
+- **Query name:** ECR Repository Is Publicly Accessible
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ecr_repository_is_publicly_accessible)
+
+### Description
+Amazon ECR image repositories shouldn't have public access
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "aws_ecr_repository" "positive1" { + name = "bar" +} + +resource "aws_ecr_repository_policy" "positive2" { + repository = aws_ecr_repository.foo.name + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** e979fcbc-df6c-422d-9458-c33d65e71c45 +- **Query name:** ElasticSearch Without Slow Logs +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/elasticsearch_without_slow_logs) + +### Description +Ensure that AWS Elasticsearch enables support for slow logs
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_publishing_options)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="4"
+resource "aws_elasticsearch_domain" "positive1" {
+ log_publishing_options {
+ cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
+ log_type = "ES_APPLICATION_LOGS"
+ enabled = true
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_elasticsearch_domain" "negative1" {
+
+ log_publishing_options {
+ cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
+ log_type = "INDEX_SLOW_LOGS"
+ enabled = true //for default its true
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/e9b7acf9-9ba0-4837-a744-31e7df1e434d.md b/docs/queries/terraform-queries/aws/e9b7acf9-9ba0-4837-a744-31e7df1e434d.md
new file mode 100644
index 00000000000..1f0f7a66205
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/e9b7acf9-9ba0-4837-a744-31e7df1e434d.md
@@ -0,0 +1,206 @@
+---
+title: SQS VPC Endpoint Without DNS Resolution
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e9b7acf9-9ba0-4837-a744-31e7df1e434d
+- **Query name:** SQS VPC Endpoint Without DNS Resolution
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sqs_vpc_endpoint_without_dns_resolution)
+
+### Description
+SQS VPC Endpoint should have DNS resolution enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#enable_dns_support) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="95" +locals { + region = "us-east-1" + cidr_block = "172.16.0.0/16" + public_subnet_cidr_block = "172.16.100.0/24" + quad_zero_cidr_block = "0.0.0.0/0" +} + +provider "aws" { + region = local.region +} + +resource "aws_vpc" "main" { + cidr_block = local.cidr_block + enable_dns_support = false + enable_dns_hostnames = false +} + +resource "aws_subnet" "public-subnet" { + vpc_id = aws_vpc.main.id + cidr_block = local.public_subnet_cidr_block + + tags = { + Name = "public-subnet" + } +} + +resource "aws_route_table" "public-rtb" { + vpc_id = aws_vpc.main.id + + route { + cidr_block = local.cidr_block + vpc_endpoint_id = aws_vpc_endpoint.sqs-vpc-endpoint.id + } + + route { + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id + } + + tags = { + Name = "public-rtb" + } +} + +resource "aws_route_table_association" "public-rtb-assoc" { + subnet_id = aws_subnet.public-subnet.id + route_table_id = aws_route_table.public-rtb.id +} + +resource "aws_security_group" "public-internet-sg" { + name = "public-internet-sg" + description = "Allow all local traffic with internet access" + vpc_id = aws_vpc.main.id + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [local.quad_zero_cidr_block] + } + + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [local.cidr_block] + } + +} + +data "aws_ami" "ubuntu" { + most_recent = true + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + owners = ["099720109477"] # Canonical +} + +resource "aws_instance" "test-ec2-instance" { + ami = data.aws_ami.ubuntu.id + instance_type = "t2.micro" + subnet_id = 
aws_subnet.public-subnet.id + vpc_security_group_ids = [aws_security_group.public-internet-sg.id] +} + +resource "aws_vpc_endpoint" "sqs-vpc-endpoint" { + vpc_id = aws_vpc.main.id + service_name = "com.amazonaws.${local.region}.sqs" + vpc_endpoint_type = "Interface" + private_dns_enabled = true + subnet_ids = [aws_subnet.public-subnet.id] + security_group_ids = [aws_security_group.public-internet-sg.id] +} + +resource "aws_sqs_queue" "test-queue" { + name = "test-queue" +} + +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.main.id +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="13" +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + enable_dns_support = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_vpc" "main2" { + cidr_block = local.cidr_block + enable_dns_support = true + enable_dns_hostnames = false +} + +resource "aws_vpc_endpoint" "sqs-vpc-endpoint2" { + vpc_id = aws_vpc.main2.id + service_name = "com.amazonaws.${local.region}.sqs" + vpc_endpoint_type = "Interface" + private_dns_enabled = true + subnet_ids = [aws_subnet.public-subnet.id] + security_group_ids = [aws_security_group.public-internet-sg.id] +} + +``` +```tf title="Negative test num. 
2 - tf file"
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.7.0"
+ name = "my-vpc"
+ cidr = "10.0.0.0/16"
+
+ azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ enable_nat_gateway = true
+ enable_vpn_gateway = true
+ enable_dns_support = true
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d.md b/docs/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d.md
new file mode 100644
index 00000000000..9b63372feb1
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/eaaba502-2f94-411a-a3c2-83d63cc1776d.md
@@ -0,0 +1,150 @@
+---
+title: CloudWatch IAM Policy Changes Alarm Missing
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** eaaba502-2f94-411a-a3c2-83d63cc1776d
+- **Query name:** CloudWatch IAM Policy Changes Alarm Missing
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_iam_policy_changes_alarm_missing)
+
+### Description
+Ensure a log metric filter and alarm exist for IAM policy changes
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_metric_filter#pattern) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +provider "aws" { + region = "us-east-2" +} + +resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" { + name = "CIS_CloudWatch_LogsGroup" +} + +resource "aws_sns_topic" "cis_alerts_sns_topic" { + name = "cis-alerts-sns-topic" +} + +resource "aws_cloudwatch_metric_alarm" "cis_iam_policy_change" { + alarm_name = "CIS-4.4-IAM-Policy-Change" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = "XXXX NOT YOUR FILTER XXXX" + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_iam_policy_change" { + name = "CIS-4.4-IAM-Policy-Change" + pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-4.4-IAM-Policy-Change" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="1" +provider "aws" { + region = "us-east-2" +} + +resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" { + name = "CIS_CloudWatch_LogsGroup" +} + +resource "aws_sns_topic" "cis_alerts_sns_topic" { + name = "cis-alerts-sns-topic" +} + +resource "aws_cloudwatch_metric_alarm" "cis_iam_policy_change" { + alarm_name = "CIS-4.4-IAM-Policy-Change" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "1" + metric_name = aws_cloudwatch_log_metric_filter.cis_iam_policy_change.id + namespace = "CIS_Metric_Alarm_Namespace" + period = "300" + statistic = "Sum" + threshold = "1" + alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn] + insufficient_data_actions = [] +} + +resource "aws_cloudwatch_log_metric_filter" "cis_iam_policy_change" { + name = "CIS-4.4-IAM-Policy-Change" + pattern = "{($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}" + log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name + + metric_transformation { + name = "CIS-4.4-IAM-Policy-Change" + namespace = "CIS_Metric_Alarm_Namespace" + value = "1" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file"
+provider "aws" {
+ region = "us-east-2"
+}
+
+resource "aws_cloudwatch_log_group" "CIS_CloudWatch_LogsGroup" {
+ name = "CIS_CloudWatch_LogsGroup"
+}
+
+resource "aws_sns_topic" "cis_alerts_sns_topic" {
+ name = "cis-alerts-sns-topic"
+}
+
+resource "aws_cloudwatch_metric_alarm" "cis_iam_policy_change" {
+ alarm_name = "CIS-4.4-IAM-Policy-Change"
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "1"
+ metric_name = aws_cloudwatch_log_metric_filter.cis_iam_policy_change.id
+ namespace = "CIS_Metric_Alarm_Namespace"
+ period = "300"
+ statistic = "Sum"
+ threshold = "1"
+ alarm_actions = [aws_sns_topic.cis_alerts_sns_topic.arn]
+ insufficient_data_actions = []
+}
+
+resource "aws_cloudwatch_log_metric_filter" "cis_iam_policy_change" {
+ name = "CIS-4.4-IAM-Policy-Change"
+ pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
+ log_group_name = aws_cloudwatch_log_group.CIS_CloudWatch_LogsGroup.name
+
+ metric_transformation {
+ name = "CIS-4.4-IAM-Policy-Change"
+ namespace = "CIS_Metric_Alarm_Namespace"
+ value = "1"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md b/docs/queries/terraform-queries/aws/eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md
new file mode 100644
index 00000000000..dd2abd4245f
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7.md
@@ -0,0 +1,83 @@
+---
+title: Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** eb64f1e9-f67d-4e35-8a3c-3d6a2f9efea7
+- **Query name:** Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PutRolePolicy)
+
+### Description
+Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:PutRolePolicy",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md b/docs/queries/terraform-queries/aws/ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md
new file mode 100644
index 00000000000..407d27be0e8
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/ec28bf61-a474-4dbe-b414-6dd3a067d6f0.md
@@ -0,0 +1,98 @@
+---
+title: Cognito UserPool Without MFA
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ec28bf61-a474-4dbe-b414-6dd3a067d6f0
+- **Query name:** Cognito UserPool Without MFA
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cognito_userpool_without_mfa)
+
+### Description
+AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="16 1 32" +resource "aws_cognito_user_pool" "positive1" { + # ... other configuration ... + + sms_authentication_message = "Your code is {####}" + + sms_configuration { + external_id = "example" + sns_caller_arn = aws_iam_role.example.arn + } + + software_token_mfa_configuration { + enabled = true + } +} + +resource "aws_cognito_user_pool" "positive2" { + # ... other configuration ... + + mfa_configuration = "OFF" + sms_authentication_message = "Your code is {####}" + + sms_configuration { + external_id = "example" + sns_caller_arn = aws_iam_role.example.arn + } + + software_token_mfa_configuration { + enabled = true + } +} + +resource "aws_cognito_user_pool" "positive3" { + # ... other configuration ... + + mfa_configuration = "ON" + sms_authentication_message = "Your code is {####}" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_cognito_user_pool" "negative1" { + # ... other configuration ... + + mfa_configuration = "ON" + sms_authentication_message = "Your code is {####}" + + sms_configuration { + external_id = "example" + sns_caller_arn = aws_iam_role.example.arn + } +} + +resource "aws_cognito_user_pool" "negative2" { + # ... other configuration ... + + mfa_configuration = "OPTIONAL" + sms_authentication_message = "Your code is {####}" + + software_token_mfa_configuration { + enabled = true + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/ec49cbfd-fae4-45f3-81b1-860526d66e3f.md b/docs/queries/terraform-queries/aws/ec49cbfd-fae4-45f3-81b1-860526d66e3f.md new file mode 100644 index 00000000000..0fb80473875 --- /dev/null +++ b/docs/queries/terraform-queries/aws/ec49cbfd-fae4-45f3-81b1-860526d66e3f.md 
@@ -0,0 +1,82 @@
+---
+title: Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ec49cbfd-fae4-45f3-81b1-860526d66e3f
+- **Query name:** Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/group_with_privilege_escalation_by_actions_iam_CreatePolicyVersion)
+
+### Description
+Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_group" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_group_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ group = aws_iam_group.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreatePolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/eccc4d59-74b9-4974-86f1-74386e0c7f33.md b/docs/queries/terraform-queries/aws/eccc4d59-74b9-4974-86f1-74386e0c7f33.md
new file mode 100644
index 00000000000..04d493eb5cd
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/eccc4d59-74b9-4974-86f1-74386e0c7f33.md
@@ -0,0 +1,172 @@
+---
+title: BOM - AWS SNS
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** eccc4d59-74b9-4974-86f1-74386e0c7f33
+- **Query name:** BOM - AWS SNS
+- **Platform:** Terraform
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/sns)
+
+### Description
+A list of SNS resources specified. Amazon Simple Notification Service (Amazon SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_sns_topic" "positive1" { + name = "user-updates-topic" +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_sns_topic" "positive2" { + name = "user-updates-topic" +} + +resource "aws_sns_topic_policy" "positive2" { + arn = aws_sns_topic.positive2.arn + + policy = <Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "aws_sns_topic" "positive4" { + name = "user-updates-topic" + + policy = < +
Postitive test num. 5 - tf file + +```tf hl_lines="1" +resource "aws_sns_topic" "positive5" { + tags = { + Name = "SNS Topic" + } + + kms_master_key_id = "alias/aws/sns" + + policy = < + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +module "sns_topic" { + source = "terraform-aws-modules/sns/aws" + version = "~> 3.0" + + name = "my-topic" +} + +``` diff --git a/docs/queries/terraform-queries/aws/ed35928e-195c-4405-a252-98ccb664ab7b.md b/docs/queries/terraform-queries/aws/ed35928e-195c-4405-a252-98ccb664ab7b.md new file mode 100644 index 00000000000..6abfc06153a --- /dev/null +++ b/docs/queries/terraform-queries/aws/ed35928e-195c-4405-a252-98ccb664ab7b.md @@ -0,0 +1,75 @@ +--- +title: API Gateway With Invalid Compression +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ed35928e-195c-4405-a252-98ccb664ab7b +- **Query name:** API Gateway With Invalid Compression +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/api_gateway_with_invalid_compression) + +### Description +API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 28 17" +resource "aws_api_gateway_rest_api" "positive1" { + name = "regional-example" + + endpoint_configuration { + types = ["REGIONAL"] + } +} + + +resource "aws_api_gateway_rest_api" "positive2" { + name = "regional-example" + + endpoint_configuration { + types = ["REGIONAL"] + } + + minimum_compression_size = -1 +} + + +resource "aws_api_gateway_rest_api" "positive3" { + name = "regional-example" + + endpoint_configuration { + types = ["REGIONAL"] + } + + minimum_compression_size = 10485760 +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_api_gateway_rest_api" "negative1" { + name = "regional-example" + + endpoint_configuration { + types = ["REGIONAL"] + } + + minimum_compression_size = 0 +} +``` diff --git a/docs/queries/terraform-queries/aws/eda48c88-2b7d-4e34-b6ca-04c0194aee17.md b/docs/queries/terraform-queries/aws/eda48c88-2b7d-4e34-b6ca-04c0194aee17.md new file mode 100644 index 00000000000..a79e9abc5bc --- /dev/null +++ b/docs/queries/terraform-queries/aws/eda48c88-2b7d-4e34-b6ca-04c0194aee17.md 
@@ -0,0 +1,81 @@ +--- +title: Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** eda48c88-2b7d-4e34-b6ca-04c0194aee17 +- **Query name:** Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_glue_UpdateDevEndpoint) + +### Description +Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "glue:UpdateDevEndpoint", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/ee49557d-750c-4cc1-aa95-94ab36cbefde.md b/docs/queries/terraform-queries/aws/ee49557d-750c-4cc1-aa95-94ab36cbefde.md new file mode 100644 index 00000000000..d70c0b29220 --- /dev/null +++ b/docs/queries/terraform-queries/aws/ee49557d-750c-4cc1-aa95-94ab36cbefde.md 
@@ -0,0 +1,81 @@
+---
+title: Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ee49557d-750c-4cc1-aa95-94ab36cbefde
+- **Query name:** Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_CreatePolicyVersion)
+
+### Description
+Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "aws_iam_role" "cosmic" {
+ name = "cosmic"
+}
+
+resource "aws_iam_role_policy" "test_inline_policy" {
+ name = "test_inline_policy"
+ role = aws_iam_role.cosmic.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "iam:CreatePolicyVersion",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_iam_user" "cosmic2" {
+ name = "cosmic2"
+}
+
+resource "aws_iam_user_policy" "inline_policy_run_instances2" {
+ name = "inline_policy_run_instances"
+ user = aws_iam_user.cosmic2.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "ec2:Describe*",
+ ]
+ Effect = "Allow"
+ Resource = "*"
+ },
+ ]
+ })
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md b/docs/queries/terraform-queries/aws/ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md
new file mode 100644
index 00000000000..1db85156e64
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4.md
@@ -0,0 +1,267 @@
+---
+title: CloudTrail Log Files S3 Bucket with Logging Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ee9e50e8-b2ed-4176-ad42-8fc0cf7593f4
+- **Query name:** CloudTrail Log Files S3 Bucket with Logging Disabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudtrail_log_files_s3_bucket_with_logging_disabled)
+
+### Description
+CloudTrail Log Files S3 Bucket should have 'logging' enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#s3_bucket_name) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="23" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +data "aws_caller_identity" "current" {} + +resource "aws_cloudtrail" "foobar" { + name = "tf-trail-foobar" + s3_bucket_name = aws_s3_bucket.foo.id + s3_key_prefix = "prefix" + include_global_service_events = false +} + +resource "aws_s3_bucket" "foo" { + bucket = "tf-test-trail" + force_destroy = true + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** eeb4d37a-3c59-4789-a00c-1509bc3af1e5 +- **Query name:** User With Privilege Escalation By Actions 'iam:PutRolePolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/user_with_privilege_escalation_by_actions_iam_PutRolePolicy) + +### Description +User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_user" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_user_policy" "test_inline_policy" { + name = "test_inline_policy" + user = aws_iam_user.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PutRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + users = [aws_iam_user.cosmic.name] + roles = [aws_iam_role.role.name] + groups = [aws_iam_group.group.name] +} + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/ef0b316a-211e-42f1-888e-64efe172b755.md b/docs/queries/terraform-queries/aws/ef0b316a-211e-42f1-888e-64efe172b755.md new file mode 100644 index 00000000000..c7cc2f41adb --- /dev/null +++ b/docs/queries/terraform-queries/aws/ef0b316a-211e-42f1-888e-64efe172b755.md 
@@ -0,0 +1,68 @@
+---
+title: CloudWatch Without Retention Period Specified
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ef0b316a-211e-42f1-888e-64efe172b755
+- **Query name:** CloudWatch Without Retention Period Specified
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/cloudwatch_without_retention_period_specified)
+
+### Description
+AWS CloudWatch Log groups should have retention days specified
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 18"
+resource "aws_cloudwatch_log_group" "positive1" {
+ name = "Yada"
+
+ tags = {
+ Environment = "production"
+ Application = "serviceA"
+ }
+}
+
+resource "aws_cloudwatch_log_group" "positive2" {
+ name = "Yada"
+
+ tags = {
+ Environment = "production"
+ Application = "serviceA"
+ }
+
+ retention_in_days = 0
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_cloudwatch_log_group" "negative1" {
+ name = "Yada"
+
+ tags = {
+ Environment = "production"
+ Application = "serviceA"
+ }
+
+ retention_in_days = 1
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/f0d8781f-99bf-4958-9917-d39283b168a0.md b/docs/queries/terraform-queries/aws/f0d8781f-99bf-4958-9917-d39283b168a0.md
new file mode 100644
index 00000000000..82bd4c3be0c
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/f0d8781f-99bf-4958-9917-d39283b168a0.md
@@ -0,0 +1,67 @@
+---
+title: DB Security Group Has Public Interface
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f0d8781f-99bf-4958-9917-d39283b168a0
+- **Query name:** DB Security Group Has Public Interface
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/db_security_group_has_public_interface)
+
+### Description
+The CIDR IP should not be a public interface
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_db_security_group" "positive1" { + name = "rds_sg" + + ingress { + cidr = "0.0.0.0/0" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +resource "aws_db_security_group" "positive1" { + name = "rds_sg" + + ingress { + cidr = "10.0.0.0/8" + } + + ingress { + cidr = "0.0.0.0/0" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_db_security_group" "negative1" { + name = "rds_sg" + + ingress { + cidr = "10.0.0.0/8" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/f1173d8c-3264-4148-9fdb-61181e031b51.md b/docs/queries/terraform-queries/aws/f1173d8c-3264-4148-9fdb-61181e031b51.md new file mode 100644 index 00000000000..dc0a837bc23 --- /dev/null +++ b/docs/queries/terraform-queries/aws/f1173d8c-3264-4148-9fdb-61181e031b51.md @@ -0,0 +1,107 @@ +--- +title: Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f1173d8c-3264-4148-9fdb-61181e031b51 +- **Query name:** Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_UpdateAssumeRolePolicy_and_sts_AssumeRole) + +### Description +Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:UpdateAssumeRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + roles = [aws_iam_role.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "sts:AssumeRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/f11aec39-858f-4b6f-b946-0a1bf46c0c87.md b/docs/queries/terraform-queries/aws/f11aec39-858f-4b6f-b946-0a1bf46c0c87.md new file mode 100644 index 00000000000..82032b76ead --- /dev/null +++ b/docs/queries/terraform-queries/aws/f11aec39-858f-4b6f-b946-0a1bf46c0c87.md 
@@ -0,0 +1,76 @@
+---
+title: DAX Cluster Not Encrypted
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f11aec39-858f-4b6f-b946-0a1bf46c0c87
+- **Query name:** DAX Cluster Not Encrypted
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/dax_cluster_not_encrypted)
+
+### Description
+AWS DAX Cluster should have server-side encryption at rest
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dax_cluster#enabled)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 14 25"
+resource "aws_dax_cluster" "bar_1" {
+ cluster_name = "cluster-example"
+ iam_role_arn = data.aws_iam_role.example.arn
+ node_type = "dax.r4.large"
+ replication_factor = 1
+}
+
+resource "aws_dax_cluster" "bar_2" {
+ cluster_name = "cluster-example"
+ iam_role_arn = data.aws_iam_role.example.arn
+ node_type = "dax.r4.large"
+ replication_factor = 1
+
+ server_side_encryption {
+ }
+}
+
+resource "aws_dax_cluster" "bar_3" {
+ cluster_name = "cluster-example"
+ iam_role_arn = data.aws_iam_role.example.arn
+ node_type = "dax.r4.large"
+ replication_factor = 1
+
+ server_side_encryption {
+ enabled = false
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_dax_cluster" "bar" {
+ cluster_name = "cluster-example"
+ iam_role_arn = data.aws_iam_role.example.arn
+ node_type = "dax.r4.large"
+ replication_factor = 1
+
+ server_side_encryption {
+ enabled = true
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/f1adc521-f79a-4d71-b55b-a68294687432.md b/docs/queries/terraform-queries/aws/f1adc521-f79a-4d71-b55b-a68294687432.md
new file mode 100644
index 00000000000..bee04a07622
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/f1adc521-f79a-4d71-b55b-a68294687432.md
@@ -0,0 +1,79 @@
+---
+title: EC2 Instance Using Default Security Group
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f1adc521-f79a-4d71-b55b-a68294687432
+- **Query name:** EC2 Instance Using Default Security Group
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/ec2_instance_using_default_security_group)
+
+### Description
+EC2 instances should not use default security group(s)
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#security_groups)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="9"
+resource "aws_instance" "positive1" {
+ ami = data.aws_ami.ubuntu.id
+ instance_type = "t3.micro"
+
+ tags = {
+ Name = "HelloWorld"
+ }
+
+ security_groups = [aws_security_group.default.id]
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="6"
+resource "aws_instance" "positive2" {
+ ami = "ami-003634241a8fcdec0"
+
+ instance_type = "t2.micro"
+
+ vpc_security_group_ids = [aws_security_group.default.id]
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "aws_instance" "negative1" {
+ ami = data.aws_ami.ubuntu.id
+ instance_type = "t3.micro"
+
+ tags = {
+ Name = "HelloWorld"
+ }
+
+ security_groups = [aws_security_group.sg.id]
+}
+
+```
+```tf title="Negative test num. 2 - tf file"
+resource "aws_instance" "negative2" {
+ ami = "ami-003634241a8fcdec0"
+
+ instance_type = "t2.micro"
+
+ vpc_security_group_ids = [aws_security_group.sg.id]
+}
+
+```
diff --git a/docs/queries/terraform-queries/aws/f3674e0c-f6be-43fa-b71c-bf346d1aed99.md b/docs/queries/terraform-queries/aws/f3674e0c-f6be-43fa-b71c-bf346d1aed99.md
new file mode 100644
index 00000000000..566cdec84cb
--- /dev/null
+++ b/docs/queries/terraform-queries/aws/f3674e0c-f6be-43fa-b71c-bf346d1aed99.md
@@ -0,0 +1,58 @@ +--- +title: Sagemaker Notebook Instance Without KMS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f3674e0c-f6be-43fa-b71c-bf346d1aed99 +- **Query name:** Sagemaker Notebook Instance Without KMS +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/sagemaker_notebook_instance_without_kms) + +### Description +AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sagemaker_notebook_instance#kms_key_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_sagemaker_notebook_instance" "ni" { + name = "my-notebook-instance" + role_arn = aws_iam_role.role.arn + instance_type = "ml.t2.medium" + + tags = { + Name = "foo" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_sagemaker_notebook_instance" "ni" { + name = "my-notebook-instance" + role_arn = aws_iam_role.role.arn + instance_type = "ml.t2.medium" + kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + + tags = { + Name = "foo" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md b/docs/queries/terraform-queries/aws/f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md new file mode 100644 index 00000000000..e578e3a4307 --- /dev/null +++ b/docs/queries/terraform-queries/aws/f465fff1-0a0f-457d-aa4d-1bddb6f204ff.md @@ -0,0 +1,81 @@ +--- +title: Role With Privilege Escalation By Actions 'iam:AttachRolePolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f465fff1-0a0f-457d-aa4d-1bddb6f204ff +- **Query name:** Role With Privilege Escalation By Actions 'iam:AttachRolePolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachRolePolicy) + +### Description +Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachRolePolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/f53f16d6-46a9-4277-9fbe-617b1e24cdca.md b/docs/queries/terraform-queries/aws/f53f16d6-46a9-4277-9fbe-617b1e24cdca.md new file mode 100644 index 00000000000..46ba110e361 --- /dev/null +++ b/docs/queries/terraform-queries/aws/f53f16d6-46a9-4277-9fbe-617b1e24cdca.md @@ -0,0 +1,102 @@ +--- +title: BOM - AWS EFS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f53f16d6-46a9-4277-9fbe-617b1e24cdca +- **Query name:** BOM - AWS EFS +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/efs) + +### Description +A list of EFS resources found. Amazon Elastic File System (Amazon EFS) automatically grows and shrinks as you add and remove files with no need for management or provisioning.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_efs_file_system" "positive1" { + creation_token = "my-product" + encrypted = true + + tags = { + Name = "MyProduct" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_efs_file_system" "positive2" { + creation_token = "my-product" + encrypted = true + + tags = { + Name = "MyProduct" + } +} + +resource "aws_efs_file_system_policy" "policy" { + file_system_id = aws_efs_file_system.positive2.id + + bypass_policy_lockout_safety_check = true + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** f83121ea-03da-434f-9277-9cd247ab3047 +- **Query name:** VPC FlowLogs Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/vpc_flowlogs_disabled) + +### Description +Every VPC resource should have an associated Flow Log
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "aws_vpc" "main" { + cidr_block = "10.0.0.0/16" +} + +resource "aws_flow_log" "example" { + iam_role_arn = aws_iam_role.example.arn + log_destination = aws_cloudwatch_log_group.example.arn + traffic_type = "ALL" +} + +resource "aws_flow_log" "example1" { + iam_role_arn = aws_iam_role.example.arn + log_destination = aws_cloudwatch_log_group.main.arn + traffic_type = "ALL" + vpc_id = aws_vpc.main.id +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_vpc" "main" { + cidr_block = "10.0.0.0/16" +} + +resource "aws_flow_log" "example" { + iam_role_arn = aws_iam_role.example.arn + log_destination = aws_cloudwatch_log_group.example.arn + traffic_type = "ALL" + vpc_id = aws_vpc.example.id +} + +resource "aws_flow_log" "example2" { + iam_role_arn = aws_iam_role.example.arn + log_destination = aws_cloudwatch_log_group.example.arn + traffic_type = "ALL" + vpc_id = aws_vpc.example2.id +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="14" +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + enable_flow_log = false + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_vpc" "main" { + cidr_block = "10.0.0.0/16" +} + +resource "aws_flow_log" "example" { + iam_role_arn = aws_iam_role.example.arn + log_destination = aws_cloudwatch_log_group.example.arn + traffic_type = "ALL" + vpc_id = aws_vpc.example.id +} + +resource "aws_flow_log" "example2" { + iam_role_arn = aws_iam_role.example.arn + log_destination = aws_cloudwatch_log_group.example.arn + traffic_type = "ALL" + vpc_id = aws_vpc.main.id +} +``` +```tf title="Negative test num. 2 - tf file" +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "3.7.0" + + name = "my-vpc" + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + enable_nat_gateway = true + enable_vpn_gateway = true + enable_flow_log = true + + tags = { + Terraform = "true" + Environment = "dev" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/f861041c-8c9f-4156-acfc-5e6e524f5884.md b/docs/queries/terraform-queries/aws/f861041c-8c9f-4156-acfc-5e6e524f5884.md new file mode 100644 index 00000000000..c1edfddd27b --- /dev/null +++ b/docs/queries/terraform-queries/aws/f861041c-8c9f-4156-acfc-5e6e524f5884.md @@ -0,0 +1,172 @@ +--- +title: S3 Bucket Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f861041c-8c9f-4156-acfc-5e6e524f5884 +- **Query name:** S3 Bucket Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_logging_disabled) + +### Description +Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "positive1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + versioning { + mfa_delete = true + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="14" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "examplee" { + bucket = "my-tf-example-bucket" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +provider "aws" { + region = "us-east-1" +} + +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 3.0" + } + } +} + +resource "aws_s3_bucket" "negative1" { + bucket = "my-tf-test-bucket" + acl = "private" + + tags = { + Name = "My bucket" + Environment = "Dev" + } + + logging { + target_bucket = "logs" + } + + versioning { + mfa_delete = true + } +} + +``` +```tf title="Negative test num. 2 - tf file" +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "3.7.0" + + bucket = "my-s3-bucket" + acl = "private" + + versioning = { + enabled = true + } + + logging { + target_bucket = "logs" + } +} + +``` +```tf title="Negative test num. 
3 - tf file" +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "4.2.0" + } + } +} + +provider "aws" { + # Configuration options +} + +resource "aws_s3_bucket" "example" { + bucket = "my-tf-example-bucket" +} + +resource "aws_s3_bucket_logging" "example" { + bucket = aws_s3_bucket.example.id + + target_bucket = aws_s3_bucket.log_bucket.id + target_prefix = "log/" +} + +``` diff --git a/docs/queries/terraform-queries/aws/f906113d-cdc0-415a-ba60-609cc6daaf4d.md b/docs/queries/terraform-queries/aws/f906113d-cdc0-415a-ba60-609cc6daaf4d.md new file mode 100644 index 00000000000..e8d065a61b7 --- /dev/null +++ b/docs/queries/terraform-queries/aws/f906113d-cdc0-415a-ba60-609cc6daaf4d.md @@ -0,0 +1,84 @@ +--- +title: Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy' +hide: + toc: true + navigation: true +--- + + + +- **Query id:** f906113d-cdc0-415a-ba60-609cc6daaf4d +- **Query name:** Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_AttachGroupPolicy) + +### Description +Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:AttachGroupPolicy", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/fa00ce45-386d-4718-8392-fb485e1f3c5b.md b/docs/queries/terraform-queries/aws/fa00ce45-386d-4718-8392-fb485e1f3c5b.md new file mode 100644 index 00000000000..6654cf83ab6 --- /dev/null +++ b/docs/queries/terraform-queries/aws/fa00ce45-386d-4718-8392-fb485e1f3c5b.md @@ -0,0 +1,91 @@ +--- +title: Secrets Manager With Vulnerable Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fa00ce45-386d-4718-8392-fb485e1f3c5b +- **Query name:** Secrets Manager With Vulnerable Policy +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/secrets_manager_with_vulnerable_policy) + +### Description +Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="12" +provider "aws" { + region = "us-east-1" +} + +resource "aws_secretsmanager_secret" "not_secure_policy" { + name = "not_secure_secret" +} + +resource "aws_secretsmanager_secret_policy" "example" { + secret_arn = aws_secretsmanager_secret.not_secure_policy.arn + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** fa62ac4f-f5b9-45b9-97c1-625c8b6253ca +- **Query name:** Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction' +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/role_with_privilege_escalation_by_actions_iam_PassRole_and_lambda_CreateFunction_lambda_InvokeFunction) + +### Description +Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_iam_role" "cosmic" { + name = "cosmic" +} + +resource "aws_iam_role_policy" "test_inline_policy" { + name = "test_inline_policy" + role = aws_iam_role.cosmic.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "lambda:CreateFunction", + "lambda:InvokeFunction" + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + + +resource "aws_iam_policy_attachment" "test-attach" { + name = "test-attachment" + roles = [aws_iam_role.cosmic.name] + policy_arn = aws_iam_policy.policy.arn +} + + +resource "aws_iam_policy" "policy" { + name = "test-policy" + description = "A test policy" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "iam:PassRole", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_user" "cosmic2" { + name = "cosmic2" +} + +resource "aws_iam_user_policy" "inline_policy_run_instances2" { + name = "inline_policy_run_instances" + user = aws_iam_user.cosmic2.name + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} + +``` diff --git a/docs/queries/terraform-queries/aws/fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md b/docs/queries/terraform-queries/aws/fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md new file mode 100644 index 00000000000..e644ddf92c8 --- /dev/null +++ b/docs/queries/terraform-queries/aws/fae52418-bb8b-4ac2-b287-0b9082d6a3fd.md 
@@ -0,0 +1,106 @@ +--- +title: EFS With Vulnerable Policy +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fae52418-bb8b-4ac2-b287-0b9082d6a3fd +- **Query name:** EFS With Vulnerable Policy +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/efs_with_vulnerable_policy) + +### Description +EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system_policy#policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="16" +provider "aws" { + region = "us-east-1" +} + +resource "aws_efs_file_system" "not_secure" { + creation_token = "efs-not-secure" + + tags = { + Name = "NotSecure" + } +} + +resource "aws_efs_file_system_policy" "not_secure_policy" { + file_system_id = aws_efs_file_system.not_secure.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** fc101ca7-c9dd-4198-a1eb-0fbe92e80044 +- **Query name:** IAM Group Without Users +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/iam_group_without_users) + +### Description +IAM Group should have at least one user associated
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership#users) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="33 12" +resource "aws_iam_group_membership" "team2" { + name = "tf-testing-group-membership" + + users = [ + aws_iam_user.user_one2.name, + aws_iam_user.user_two2.name, + ] + + group = aws_iam_group.group222.name +} + +resource "aws_iam_group" "group2" { + name = "test-group" +} + +resource "aws_iam_user" "user_one2" { + name = "test-user" +} + +resource "aws_iam_user" "user_two2" { + name = "test-user-two" +} + +resource "aws_iam_group_membership" "team3" { + name = "tf-testing-group-membership" + + users = [ + ] + + group = aws_iam_group.group3.name +} + +resource "aws_iam_group" "group3" { + name = "test-group" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_iam_group_membership" "team" { + name = "tf-testing-group-membership" + + users = [ + aws_iam_user.user_one.name, + aws_iam_user.user_two.name, + ] + + group = aws_iam_group.group.name +} + +resource "aws_iam_group" "group" { + name = "test-group" +} + +resource "aws_iam_user" "user_one" { + name = "test-user" +} + +resource "aws_iam_user" "user_two" { + name = "test-user-two" +} + +``` diff --git a/docs/queries/terraform-queries/aws/fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md b/docs/queries/terraform-queries/aws/fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md new file mode 100644 index 00000000000..bae99804a94 --- /dev/null +++ b/docs/queries/terraform-queries/aws/fcb1b388-f558-4b7f-9b6e-f4e98abb7380.md 
@@ -0,0 +1,109 @@ +--- +title: BOM - AWS MQ +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fcb1b388-f558-4b7f-9b6e-f4e98abb7380 +- **Query name:** BOM - AWS MQ +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws_bom/mq) + +### Description +A list of MQ resources found. Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_mq_broker" "positive1" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.9" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "aws_mq_broker" "positive2" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "RabbitMQ" + engine_version = "5.15.9" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "111111111111" + } + + user { + username = "ExampleUser" + password = "MindTheGap" + } + + encryption_options { + kms_key_id = var.encryption_options.kms_key_id + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + module "mq_broker" { + source = "cloudposse/mq-broker/aws" + version = "0.14.0" + + namespace = "eg" + stage = "test" + name = "mq-broker" + apply_immediately = true + auto_minor_version_upgrade = true + deployment_mode = "ACTIVE_STANDBY_MULTI_AZ" + engine_type = "ActiveMQ" + engine_version = "5.15.14" + host_instance_type = "mq.t3.micro" + publicly_accessible = false + general_log_enabled = true + audit_log_enabled = true + encryption_enabled = true + use_aws_owned_key = true + vpc_id = var.vpc_id + subnet_ids = var.subnet_ids + security_groups = var.security_groups + } + +``` 
diff --git a/docs/queries/terraform-queries/aws/fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md b/docs/queries/terraform-queries/aws/fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md new file mode 100644 index 00000000000..43095af6cbe --- /dev/null +++ b/docs/queries/terraform-queries/aws/fd632aaf-b8a1-424d-a4d1-0de22fd3247a.md @@ -0,0 +1,59 @@ +--- +title: VPC Without Network Firewall +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fd632aaf-b8a1-424d-a4d1-0de22fd3247a +- **Query name:** VPC Without Network Firewall +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/vpc_without_network_firewall) + +### Description +VPC should have a Network Firewall associated
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall#vpc_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "aws_vpc" "positive" { + cidr_block = "10.0.0.0/16" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_vpc" "negative" { + cidr_block = "10.0.0.0/16" +} + +resource "aws_networkfirewall_firewall" "example" { + name = "example" + firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn + vpc_id = aws_vpc.negative.id + subnet_mapping { + subnet_id = aws_subnet.example.id + } + + tags = { + Tag1 = "Value1" + Tag2 = "Value2" + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md b/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md new file mode 100644 index 00000000000..c3b9bd9fc00 --- /dev/null +++ b/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md @@ -0,0 +1,95 @@ +--- +title: HTTP Port Open To Internet +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ffac8a12-322e-42c1-b9b9-81ff85c39ef7 +- **Query name:** HTTP Port Open To Internet +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/http_port_open) + +### Description +The HTTP port is open to the internet in a Security Group
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 14" +resource "aws_security_group" "positive1" { + name = "http_positive_tcp_1" + description = "Gets the HTTP port open with the tcp protocol" + + ingress { + description = "HTTP port open" + from_port = 78 + to_port = 91 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_security_group" "positive2" { + name = "http_positive_tcp_2" + description = "Gets the HTTP port open with the tcp protocol" + + ingress { + description = "HTTP port open" + from_port = 60 + to_port = 85 + protocol = "tcp" + cidr_blocks = ["0.0.0.2/0"] + } + + ingress { + description = "HTTP port open" + from_port = 65 + to_port = 81 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "aws_security_group" "negative1" { + name = "negative_http" + description = "Doesn't get the HTTP port open" +} + +resource "aws_security_group" "negative2" { + + ingress { + from_port = 70 + to_port = 81 + protocol = "tcp" + } +} + +resource "aws_security_group" "negative3" { + + ingress { + from_port = 79 + to_port = 100 + protocol = "tcp" + cidr_blocks = ["0.1.0.0/0"] + } +} + +``` diff --git a/docs/queries/terraform-queries/aws/ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md b/docs/queries/terraform-queries/aws/ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md new file mode 100644 index 00000000000..7950981f18c --- /dev/null +++ b/docs/queries/terraform-queries/aws/ffdf4b37-7703-4dfe-a682-9d2e99bc6c09.md 
@@ -0,0 +1,174 @@ +--- +title: S3 Bucket Allows Delete Action From All Principals +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ffdf4b37-7703-4dfe-a682-9d2e99bc6c09 +- **Query name:** S3 Bucket Allows Delete Action From All Principals +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals) + +### Description +S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.
+[Documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "aws_s3_bucket_policy" "positive1" { + bucket = aws_s3_bucket.b.id + + policy = < + .highlight .hll { + background-color: #ff171742; + } + .md-content { + max-width: 1100px; + margin: 0 auto; + } + + +- **Query id:** 0437633b-daa6-4bbc-8526-c0d2443b946e +- **Query name:** SSL Enforce Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/ssl_enforce_is_disabled) + +### Description +Make sure that for PosgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="18 22" +resource "azurerm_postgresql_server" "positive1" { + name = "example-psqlserver" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "psqladminun" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + public_network_access_enabled = false + ssl_enforcement_enabled = false + ssl_minimal_tls_version_enforced = "TLS1_2" +} + +resource "azurerm_postgresql_server" "positive2" { + name = "example-psqlserver" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "psqladminun" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + public_network_access_enabled = false + ssl_minimal_tls_version_enforced = "TLS1_2" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_postgresql_server" "negative1" { + name = "example-psqlserver" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "psqladminun" + administrator_login_password = "H@Sh1CoR3!" 
+ + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} +``` diff --git a/docs/queries/terraform-queries/azure/07f7134f-9f37-476e-8664-670c218e4702.md b/docs/queries/terraform-queries/azure/07f7134f-9f37-476e-8664-670c218e4702.md new file mode 100644 index 00000000000..2881dae5aef --- /dev/null +++ b/docs/queries/terraform-queries/azure/07f7134f-9f37-476e-8664-670c218e4702.md @@ -0,0 +1,77 @@ +--- +title: PostgreSQL Log Disconnections Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 07f7134f-9f37-476e-8664-670c218e4702 +- **Query name:** PostgreSQL Log Disconnections Not Set +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/postgresql_log_disconnections_not_set) + +### Description +Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="19 12 5" +resource "azurerm_postgresql_configuration" "positive1" { + name = "log_disconnections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "off" +} + +resource "azurerm_postgresql_configuration" "positive2" { + name = "log_disconnections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "Off" +} + +resource "azurerm_postgresql_configuration" "positive3" { + name = "log_disconnections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "OFF" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_postgresql_configuration" "negative1" { + name = "log_disconnections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "on" +} + +resource "azurerm_postgresql_configuration" "negative2" { + name = "log_disconnections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "On" +} + +resource "azurerm_postgresql_configuration" "negative3" { + name = "log_disconnections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "ON" +} +``` diff --git a/docs/queries/terraform-queries/azure/0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1.md b/docs/queries/terraform-queries/azure/0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1.md new file mode 100644 index 00000000000..a11b9e2ebb5 --- /dev/null 
+++ b/docs/queries/terraform-queries/azure/0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1.md @@ -0,0 +1,95 @@ +--- +title: MariaDB Server Geo-redundant Backup Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 0a70d5f3-1ecd-4c8e-9292-928fc9a8c4f1 +- **Query name:** MariaDB Server Geo-redundant Backup Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/mariadb_server_georedundant_backup_disabled) + +### Description +MariaDB Server Geo-redundant Backup should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#geo_redundant_backup_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="15" +resource "azurerm_mariadb_server" "positive1" { + name = "example-mariadb-server" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "mariadbadmin" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "B_Gen5_2" + storage_mb = 5120 + version = "10.2" + + auto_grow_enabled = true + backup_retention_days = 7 + geo_redundant_backup_enabled = false + public_network_access_enabled = false + ssl_enforcement_enabled = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "azurerm_mariadb_server" "positive2" { + name = "example-mariadb-server" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "mariadbadmin" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "B_Gen5_2" + storage_mb = 5120 + version = "10.2" + + auto_grow_enabled = true + backup_retention_days = 7 + public_network_access_enabled = false + ssl_enforcement_enabled = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_mariadb_server" "negative" { + name = "example-mariadb-server" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "mariadbadmin" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "B_Gen5_2" + storage_mb = 5120 + version = "10.2" + + auto_grow_enabled = true + backup_retention_days = 7 + geo_redundant_backup_enabled = true + public_network_access_enabled = false + ssl_enforcement_enabled = true +} + +``` 
diff --git a/docs/queries/terraform-queries/azure/11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md b/docs/queries/terraform-queries/azure/11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md new file mode 100644 index 00000000000..5447a19ae21 --- /dev/null +++ b/docs/queries/terraform-queries/azure/11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe.md @@ -0,0 +1,127 @@ +--- +title: Web App Accepting Traffic Other Than HTTPS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe +- **Query name:** Web App Accepting Traffic Other Than HTTPS +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/web_app_accepting_traffic_other_than_https) + +### Description +Web app should only accept HTTPS traffic in Azure Web App Service.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="28 37" +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_app_service_plan" "example" { + name = "example-appserviceplan" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + sku { + tier = "Standard" + size = "S1" + } +} + +resource "azurerm_app_service" "example2" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + https_only = false + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +resource "azurerm_app_service" "example3" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_app_service_plan" "example" { + name = "example-appserviceplan" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + sku { + tier = "Standard" + size = "S1" + } +} + +resource "azurerm_app_service" "example" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + https_only = true + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/12944ec4-1fa0-47be-8b17-42a034f937c2.md b/docs/queries/terraform-queries/azure/12944ec4-1fa0-47be-8b17-42a034f937c2.md new file mode 100644 index 00000000000..04f15cb48bd --- /dev/null +++ b/docs/queries/terraform-queries/azure/12944ec4-1fa0-47be-8b17-42a034f937c2.md @@ -0,0 +1,61 @@ +--- +title: Storage Account Not Forcing HTTPS +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 12944ec4-1fa0-47be-8b17-42a034f937c2 +- **Query name:** Storage Account Not Forcing HTTPS +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/storage_account_not_forcing_https) + +### Description +Storage Accounts should enforce the use of HTTPS
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10 7" +resource "azurerm_storage_account" "positive1" { + name = "example1" + resource_group_name = data.azurerm_resource_group.example.name + location = data.azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + enable_https_traffic_only = false +} + +resource "azurerm_storage_account" "positive2" { + name = "example2" + resource_group_name = data.azurerm_resource_group.example.name + location = data.azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_storage_account" "negative1" { + name = "example" + resource_group_name = data.azurerm_resource_group.example.name + location = data.azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + enable_https_traffic_only = true +} +``` diff --git a/docs/queries/terraform-queries/azure/16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md b/docs/queries/terraform-queries/azure/16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md new file mode 100644 index 00000000000..0d964fa81cb --- /dev/null +++ b/docs/queries/terraform-queries/azure/16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f.md 
@@ -0,0 +1,79 @@ +--- +title: PostgreSQL Log Duration Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 16e0879a-c4ae-4ff8-a67d-a2eed5d67b8f +- **Query name:** PostgreSQL Log Duration Not Set +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/postgre_sql_log_duration_not_set) + +### Description +Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="20 13 6" +#this is a problematic code where the query should report a result(s) +resource "azurerm_postgresql_configuration" "positive1" { + name = "log_duration" + resource_group_name = "example1_resource_group_name" + server_name = "example1_server_name" + value = "off" +} + +resource "azurerm_postgresql_configuration" "positive2" { + name = "log_duration" + resource_group_name = "example2_resource_group_name" + server_name = "example2_server_name" + value = "Off" +} + +resource "azurerm_postgresql_configuration" "positive3" { + name = "log_duration" + resource_group_name = "example3_resource_group_name" + server_name = "example3_server_name" + value = "OFF" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "azurerm_postgresql_configuration" "negative1" { + name = "log_duration" + resource_group_name = "example1_resource_group_name" + server_name = "example1_server_name" + value = "on" +} + +resource "azurerm_postgresql_configuration" "negative2" { + name = "log_duration" + resource_group_name = "example2_resource_group_name" + server_name = "example2_server_name" + value = "On" +} + +resource "azurerm_postgresql_configuration" "negative3" { + name = "log_duration" + resource_group_name = "example3_resource_group_name" + server_name = "example3_server_name" + value = "ON" +} +``` diff --git a/docs/queries/terraform-queries/azure/17f75827-0684-48f4-8747-61129c7e4198.md b/docs/queries/terraform-queries/azure/17f75827-0684-48f4-8747-61129c7e4198.md new file mode 100644 index 00000000000..01075ef29e2 --- /dev/null 
+++ b/docs/queries/terraform-queries/azure/17f75827-0684-48f4-8747-61129c7e4198.md @@ -0,0 +1,154 @@ +--- +title: Public Storage Account +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 17f75827-0684-48f4-8747-61129c7e4198 +- **Query name:** Public Storage Account +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/public_storage_account) + +### Description +Storage Account should not be public to grant the principle of least privileges
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="48 43 11 28" +resource "azurerm_storage_account" "positive1" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + + network_rules { + default_action = "Deny" + ip_rules = ["0.0.0.0/0"] + virtual_network_subnet_ids = [azurerm_subnet.example.id] + } + + tags = { + environment = "staging" + } +} + +resource "azurerm_storage_account" "positive2" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + + network_rules { + default_action = "Allow" + virtual_network_subnet_ids = [azurerm_subnet.example.id] + } + + tags = { + environment = "staging" + } +} + +resource "azurerm_storage_account_network_rules" "positive3" { + resource_group_name = azurerm_resource_group.test.name + storage_account_name = azurerm_storage_account.test.name + + default_action = "Allow" + ip_rules = ["0.0.0.0/0"] + virtual_network_subnet_ids = [azurerm_subnet.test.id] + bypass = ["Metrics"] +} + +resource "azurerm_storage_account_network_rules" "positive4" { + resource_group_name = azurerm_resource_group.test.name + storage_account_name = azurerm_storage_account.test.name + + default_action = "Allow" + virtual_network_subnet_ids = [azurerm_subnet.test.id] + bypass = ["Metrics"] +} +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="8" +resource "azurerm_storage_account" "positive5" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + + allow_blob_public_access = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_storage_account" "negative1" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + + network_rules { + default_action = "Deny" + ip_rules = ["100.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.example.id] + } + + tags = { + environment = "staging" + } +} + +resource "azurerm_storage_account_network_rules" "negative2" { + resource_group_name = azurerm_resource_group.test.name + storage_account_name = azurerm_storage_account.test.name + + default_action = "Allow" + ip_rules = ["127.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.test.id] + bypass = ["Metrics"] +} +``` +```tf title="Negative test num. 2 - tf file" +resource "azurerm_storage_account" "negative5" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + + allow_blob_public_access = false +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "azurerm_storage_account" "negative6" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" +} + +``` 
diff --git a/docs/queries/terraform-queries/azure/25c0ea09-f1c5-4380-b055-3b83863f2bb8.md b/docs/queries/terraform-queries/azure/25c0ea09-f1c5-4380-b055-3b83863f2bb8.md new file mode 100644 index 00000000000..f4292fe0b66 --- /dev/null +++ b/docs/queries/terraform-queries/azure/25c0ea09-f1c5-4380-b055-3b83863f2bb8.md @@ -0,0 +1,51 @@ +--- +title: SQLServer Ingress From Any IP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 25c0ea09-f1c5-4380-b055-3b83863f2bb8 +- **Query name:** SQLServer Ingress From Any IP +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/sql_server_ingress_from_any_ip) + +### Description +Check if all IPs are allowed, check from start 0.0.0.0 to end 255.255.255.255.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_sql_firewall_rule" "positive1" { + name = "FirewallRule1" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + start_ip_address = "0.0.0.0" + end_ip_address = "255.255.255.255" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_sql_firewall_rule" "negative1" { + name = "FirewallRule1" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + start_ip_address = "10.0.17.62" + end_ip_address = "10.0.17.62" +} +``` diff --git a/docs/queries/terraform-queries/azure/261a83f8-dd72-4e8c-b5e1-ebf06e8fe606.md b/docs/queries/terraform-queries/azure/261a83f8-dd72-4e8c-b5e1-ebf06e8fe606.md new file mode 100644 index 00000000000..ec23e83d495 --- /dev/null +++ b/docs/queries/terraform-queries/azure/261a83f8-dd72-4e8c-b5e1-ebf06e8fe606.md @@ -0,0 +1,49 @@ +--- +title: Small PostgreSQL DB Server Log Retention Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 261a83f8-dd72-4e8c-b5e1-ebf06e8fe606 +- **Query name:** Small PostgreSQL DB Server Log Retention Period +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/small_postgresql_db_server_log_retention_period) + +### Description +Check if PostgreSQL Database Server retains logs for less than 3 Days
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "azurerm_postgresql_configuration" "positive1" { + name = "log_retention_days" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = 2 +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_postgresql_configuration" "negative1" { + name = "log_retention_days" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = 5 +} +``` diff --git a/docs/queries/terraform-queries/azure/2ab6de9a-0136-415c-be92-79d2e4fd750f.md b/docs/queries/terraform-queries/azure/2ab6de9a-0136-415c-be92-79d2e4fd750f.md new file mode 100644 index 00000000000..07999af8afb --- /dev/null +++ b/docs/queries/terraform-queries/azure/2ab6de9a-0136-415c-be92-79d2e4fd750f.md @@ -0,0 +1,124 @@ +--- +title: SQL Server Predictable Admin Account Name +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2ab6de9a-0136-415c-be92-79d2e4fd750f +- **Query name:** SQL Server Predictable Admin Account Name +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/sql_server_predictable_admin_account_name) + +### Description +Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="40 20" +#this is a problematic code where the query should report a result(s) +resource "azurerm_resource_group" "positive1" { + name = "database-rg" + location = "West US" +} + +resource "azurerm_storage_account" "positive2" { + name = "examplesa" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} + +resource "azurerm_sql_server" "positive3" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 6 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_sql_server" "positive4" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "Admin" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 6 + } + + tags = { + environment = "production" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +#this code is a correct code for which the query should not find any result +resource "azurerm_resource_group" "negative1" { + name = "database-rg" + location = "West US" +} + +resource "azurerm_storage_account" "negative2" { + name = "examplesa" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} + +resource "azurerm_sql_server" "negative3" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "UnpredictableAdminLogin" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 6 + } + + tags = { + environment = "production" + } +} +``` diff --git a/docs/queries/terraform-queries/azure/2b3c671f-1b76-4741-8789-ed1fe0785dc4.md b/docs/queries/terraform-queries/azure/2b3c671f-1b76-4741-8789-ed1fe0785dc4.md new file mode 100644 index 00000000000..b2980deb9b1 --- /dev/null +++ b/docs/queries/terraform-queries/azure/2b3c671f-1b76-4741-8789-ed1fe0785dc4.md @@ -0,0 +1,77 @@ +--- +title: PostgreSQL Server Without Connection Throttling +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2b3c671f-1b76-4741-8789-ed1fe0785dc4 +- **Query name:** PostgreSQL Server Without Connection Throttling +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/postgre_sql_server_without_connection_throttling) + +### Description +Ensure that Connection Throttling is set for the PostgreSQL server
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="19 12 5" +resource "azurerm_postgresql_configuration" "positive1" { + name = "connection_throttling" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "off" +} + +resource "azurerm_postgresql_configuration" "positive2" { + name = "connection_throttling" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "Off" +} + +resource "azurerm_postgresql_configuration" "positive3" { + name = "connection_throttling" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "OFF" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_postgresql_configuration" "negative1" { + name = "connection_throttling" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "on" +} + +resource "azurerm_postgresql_configuration" "negative2" { + name = "connection_throttling" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "On" +} + +resource "azurerm_postgresql_configuration" "negative3" { + name = "connection_throttling" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "ON" +} +``` diff --git a/docs/queries/terraform-queries/azure/2b856bf9-8e8c-4005-875f-303a8cba3918.md b/docs/queries/terraform-queries/azure/2b856bf9-8e8c-4005-875f-303a8cba3918.md new file mode 100644 index 00000000000..61942088ee3 --- /dev/null 
+++ b/docs/queries/terraform-queries/azure/2b856bf9-8e8c-4005-875f-303a8cba3918.md @@ -0,0 +1,150 @@ +--- +title: Small Activity Log Retention Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2b856bf9-8e8c-4005-875f-303a8cba3918 +- **Query name:** Small Activity Log Retention Period +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/small_activity_log_retention_period) + +### Description +Ensure that Activity Log Retention is set 365 days or greater
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="64 41 20" +resource "azurerm_monitor_log_profile" "positive1" { + name = "default" + + categories = [ + "Action", + "Delete", + "Write", + ] + + locations = [ + "westus", + "global", + ] + + servicebus_rule_id = "${azurerm_eventhub_namespace.example.id}/authorizationrules/RootManageSharedAccessKey" + storage_account_id = azurerm_storage_account.example.id + + retention_policy { + enabled = true + days = 7 + } +} + +resource "azurerm_monitor_log_profile" "positive2" { + name = "default" + + categories = [ + "Action", + "Delete", + "Write", + ] + + locations = [ + "westus", + "global", + ] + + servicebus_rule_id = "${azurerm_eventhub_namespace.example.id}/authorizationrules/RootManageSharedAccessKey" + storage_account_id = azurerm_storage_account.example.id + + retention_policy { + enabled = true + } +} + +resource "azurerm_monitor_log_profile" "positive3" { + name = "default" + + categories = [ + "Action", + "Delete", + "Write", + ] + + locations = [ + "westus", + "global", + ] + + servicebus_rule_id = "${azurerm_eventhub_namespace.example.id}/authorizationrules/RootManageSharedAccessKey" + storage_account_id = azurerm_storage_account.example.id + + retention_policy { + enabled = false + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_monitor_log_profile" "negative1" { + name = "default" + + categories = [ + "Action", + "Delete", + "Write", + ] + + locations = [ + "westus", + "global", + ] + + servicebus_rule_id = "${azurerm_eventhub_namespace.example.id}/authorizationrules/RootManageSharedAccessKey" + storage_account_id = azurerm_storage_account.example.id + + retention_policy { + enabled = true + days = 367 + } +} + +resource "azurerm_monitor_log_profile" "negative2" { + name = "default" + + categories = [ + "Action", + "Delete", + "Write", + ] + + locations = [ + "westus", + "global", + ] + + servicebus_rule_id = "${azurerm_eventhub_namespace.example.id}/authorizationrules/RootManageSharedAccessKey" + storage_account_id = azurerm_storage_account.example.id + + retention_policy { + enabled = true + days = 0 + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/2bc626a8-0751-446f-975d-8139214fc790.md b/docs/queries/terraform-queries/azure/2bc626a8-0751-446f-975d-8139214fc790.md new file mode 100644 index 00000000000..f194e5ec249 --- /dev/null +++ b/docs/queries/terraform-queries/azure/2bc626a8-0751-446f-975d-8139214fc790.md @@ -0,0 +1,47 @@ +--- +title: Role Assignment Of Guest Users +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2bc626a8-0751-446f-975d-8139214fc790 +- **Query name:** Role Assignment Of Guest Users +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/role_assignment_of_guest_users) + +### Description +There is a role assignment for guest user
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="3"
+resource "azurerm_role_assignment" "positive1" {
+ scope = data.azurerm_subscription.primary.id
+ role_definition_name = "Guest"
+ principal_id = data.azurerm_client_config.example.object_id
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_role_assignment" "negative1" {
+ scope = data.azurerm_subscription.primary.id
+ role_definition_name = "Reader"
+ principal_id = data.azurerm_client_config.example.object_id
+}
+```
diff --git a/docs/queries/terraform-queries/azure/2e48d91c-50e4-45c8-9312-27b625868a72.md b/docs/queries/terraform-queries/azure/2e48d91c-50e4-45c8-9312-27b625868a72.md
new file mode 100644
index 00000000000..d22e5ebfed9
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/2e48d91c-50e4-45c8-9312-27b625868a72.md
@@ -0,0 +1,61 @@
+---
+title: WAF Is Disabled For Azure Application Gateway
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2e48d91c-50e4-45c8-9312-27b625868a72
+- **Query name:** WAF Is Disabled For Azure Application Gateway
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/waf_is_disabled_for_azure_application_gateway)
+
+### Description
+Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="11 7"
+resource "azurerm_application_gateway" "positive1" {
+ name = "example-appgateway"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+
+ waf_configuration {
+ enabled = false
+ }
+}
+
+resource "azurerm_application_gateway" "positive2" {
+ name = "example-appgateway"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_application_gateway" "negative1" {
+ name = "example-appgateway"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+
+ waf_configuration {
+ enabled = true
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/azure/34664094-59e0-4524-b69f-deaa1a68cce3.md b/docs/queries/terraform-queries/azure/34664094-59e0-4524-b69f-deaa1a68cce3.md
new file mode 100644
index 00000000000..6ee3e1deca9
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/34664094-59e0-4524-b69f-deaa1a68cce3.md
@@ -0,0 +1,52 @@
+---
+title: Security Contact Email
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 34664094-59e0-4524-b69f-deaa1a68cce3
+- **Query name:** Security Contact Email
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/security_contact_email)
+
+### Description
+Security Contact Email should be defined
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact#email)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "azurerm_security_center_contact" "positive" {
+ phone = "+1-555-555-5555"
+
+ alert_notifications = true
+ alerts_to_admins = true
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_security_center_contact" "negative" {
+ email = "contact@example.com"
+ phone = "+1-555-555-5555"
+
+ alert_notifications = true
+ alerts_to_admins = true
+}
+
+```
diff --git a/docs/queries/terraform-queries/azure/3790d386-be81-4dcf-9850-eaa7df6c10d9.md b/docs/queries/terraform-queries/azure/3790d386-be81-4dcf-9850-eaa7df6c10d9.md
new file mode 100644
index 00000000000..46eaa3deb6d
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/3790d386-be81-4dcf-9850-eaa7df6c10d9.md
@@ -0,0 +1,77 @@
+---
+title: PostgreSQL Log Checkpoints Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3790d386-be81-4dcf-9850-eaa7df6c10d9
+- **Query name:** PostgreSQL Log Checkpoints Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/postgre_sql_log_checkpoints_disabled)
+
+### Description
+Make sure that for Postgre SQL Database Server, parameter 'log_checkpoints' is set to 'ON'
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="19 12 5"
+resource "azurerm_postgresql_configuration" "positive1" {
+ name = "log_checkpoints"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "off"
+}
+
+resource "azurerm_postgresql_configuration" "positive2" {
+ name = "log_checkpoints"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "Off"
+}
+
+resource "azurerm_postgresql_configuration" "positive3" {
+ name = "log_checkpoints"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "OFF"
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_postgresql_configuration" "negative1" {
+ name = "log_checkpoints"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "on"
+}
+
+resource "azurerm_postgresql_configuration" "negative2" {
+ name = "log_checkpoints"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "On"
+}
+
+resource "azurerm_postgresql_configuration" "negative3" {
+ name = "log_checkpoints"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "ON"
+}
+```
diff --git a/docs/queries/terraform-queries/azure/38c71c00-c177-4cd7-8d36-cd1007cdb190.md b/docs/queries/terraform-queries/azure/38c71c00-c177-4cd7-8d36-cd1007cdb190.md
new file mode 100644
index 00000000000..0c952202567
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/38c71c00-c177-4cd7-8d36-cd1007cdb190.md
@@ -0,0 +1,167 @@
+---
+title: Vault Auditing Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 38c71c00-c177-4cd7-8d36-cd1007cdb190
+- **Query name:** Vault Auditing Disabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/vault_auditing_disabled)
+
+### Description
+Ensure that logging for Azure KeyVault is 'Enabled'
+[Documentation](https://www.terraform.io/docs/providers/azurerm/r/key_vault.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="16" +provider "azurerm" { + features { + key_vault { + purge_soft_delete_on_destroy = true + } + } +} + +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "example" { + name = "resourceGroup1" + location = "West US" +} + +resource "azurerm_key_vault" "example1" { + name = "testvault" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + enabled_for_disk_encryption = true + tenant_id = data.azurerm_client_config.current.tenant_id + soft_delete_enabled = true + soft_delete_retention_days = 7 + purge_protection_enabled = false + + sku_name = "standard" + + access_policy { + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id + + key_permissions = [ + "get", + ] + + secret_permissions = [ + "get", + ] + + storage_permissions = [ + "get", + ] + } + + network_acls { + default_action = "Deny" + bypass = "AzureServices" + } + + tags = { + environment = "Testing" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +provider "azurerm" { + features { + key_vault { + purge_soft_delete_on_destroy = true + } + } +} + +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "example" { + name = "resourceGroup1" + location = "West US" +} + +resource "azurerm_monitor_diagnostic_setting" "example" { + name = "example" + target_resource_id = data.azurerm_key_vault.example.id + storage_account_id = data.azurerm_storage_account.example.id + + log { + category = "AuditEvent" + enabled = false + + retention_policy { + enabled = false + } + } + + metric { + category = "AllMetrics" + + retention_policy { + enabled = false + } + } +} + +resource "azurerm_key_vault" "example" { + name = "testvault" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + enabled_for_disk_encryption = true + tenant_id = data.azurerm_client_config.current.tenant_id + soft_delete_enabled = true + soft_delete_retention_days = 7 + purge_protection_enabled = false + + sku_name = "standard" + + access_policy { + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id + + key_permissions = [ + "get", + ] + + secret_permissions = [ + "get", + ] + + storage_permissions = [ + "get", + ] + } + + network_acls { + default_action = "Deny" + bypass = "AzureServices" + } + + tags = { + environment = "Testing" + } +} +``` diff --git a/docs/queries/terraform-queries/azure/3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md b/docs/queries/terraform-queries/azure/3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md new file mode 100644 index 00000000000..136b59185d7 --- /dev/null +++ b/docs/queries/terraform-queries/azure/3ac3e75c-6374-4a32-8ba0-6ed69bda404e.md 
@@ -0,0 +1,63 @@
+---
+title: Storage Table Allows All ACL Permissions
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3ac3e75c-6374-4a32-8ba0-6ed69bda404e
+- **Query name:** Storage Table Allows All ACL Permissions
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/storage_table_allows_all_acl_permissions)
+
+### Description
+Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_table#permissions)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+resource "azurerm_storage_table" "table_resource" {
+ name = "my_table_name"
+ storage_account_name = "mystoragexxx"
+ acl {
+ id = "someid-1XXXXXXXXX"
+ access_policy {
+ expiry = "2022-10-03T05:05:00.0000000Z"
+ permissions = "rwdl"
+ start = "2021-05-28T04:05:00.0000000Z"
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_storage_table" "table_resource2" {
+ name = "my_table_name"
+ storage_account_name = "mystoragexxx"
+ acl {
+ id = "someid-1XXXXXXXXX"
+ access_policy {
+ expiry = "2022-10-03T05:05:00.0000000Z"
+ permissions = "r"
+ start = "2021-05-28T04:05:00.0000000Z"
+ }
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/azure/3e3c175e-aadf-4e2b-a464-3fdac5748d24.md b/docs/queries/terraform-queries/azure/3e3c175e-aadf-4e2b-a464-3fdac5748d24.md
new file mode 100644
index 00000000000..4aa37bae241
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/3e3c175e-aadf-4e2b-a464-3fdac5748d24.md
@@ -0,0 +1,337 @@
+---
+title: SSH Is Exposed To The Internet
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3e3c175e-aadf-4e2b-a464-3fdac5748d24
+- **Query name:** SSH Is Exposed To The Internet
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/ssh_is_exposed_to_the_internet)
+
+### Description
+Port 22 (SSH) is exposed to the internet
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" +resource "azurerm_network_security_rule" "positive1" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive2" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "22-23" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive3" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "21-53" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive4" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "0.0.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource 
"azurerm_network_security_rule" "positive5" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "22,24" + source_address_prefix = "34.15.11.3/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive6" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive7" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "21-24, 230" + source_address_prefix = "internet" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive8" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "21, 22 , 24 " + source_address_prefix = "any" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive9" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "21, 22-23,2250" + source_address_prefix = "/0" + destination_address_prefix = "*" + 
resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive10" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "111-211, 20-30, 1-2 , 3" + source_address_prefix = "internet" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_network_security_rule" "negative1" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Deny" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative2" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "20-50" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + + +resource "azurerm_network_security_rule" "negative3" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "30-50" + source_address_prefix = "0.0.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + + +resource 
"azurerm_network_security_rule" "negative4" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "20-50" + source_address_prefix = "192.168.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + + +resource "azurerm_network_security_rule" "negative5" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "/1" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative6" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "21" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + + +resource "azurerm_network_security_rule" "negative7" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "internet" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + + +resource "azurerm_network_security_rule" "negative8" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "21, 23,10-20" + source_address_prefix = "any" + destination_address_prefix = "*" + resource_group_name = 
azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + + +resource "azurerm_network_security_rule" "negative9" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "22" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative10" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "22 , 23" + source_address_prefix = "0.0.1.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative11" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "220,230" + source_address_prefix = "0.0.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +``` diff --git a/docs/queries/terraform-queries/azure/3fa5900f-9aac-4982-96b2-a6143d9c99fb.md b/docs/queries/terraform-queries/azure/3fa5900f-9aac-4982-96b2-a6143d9c99fb.md new file mode 100644 index 00000000000..9596c012d39 --- /dev/null +++ b/docs/queries/terraform-queries/azure/3fa5900f-9aac-4982-96b2-a6143d9c99fb.md 
@@ -0,0 +1,72 @@
+---
+title: Role Definition Allows Custom Role Creation
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3fa5900f-9aac-4982-96b2-a6143d9c99fb
+- **Query name:** Role Definition Allows Custom Role Creation
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/role_definition_allows_custom_role_creation)
+
+### Description
+Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file"
+resource "azurerm_role_definition" "example2" {
+ role_definition_id = "00000000-0000-0000-0000-000000000000"
+ name = "my-custom-role-definition"
+ scope = data.azurerm_subscription.primary.id
+
+ permissions {
+ actions = ["Microsoft.Authorization/roleDefinitions/write"]
+ not_actions = []
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file"
+resource "azurerm_role_definition" "example" {
+ name = "my-custom-role"
+ scope = data.azurerm_subscription.primary.id
+ description = "This is a custom role created via Terraform"
+
+ permissions {
+ actions = ["*"]
+ not_actions = []
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_role_definition" "example3" {
+ role_definition_id = "00000000-0000-0000-0000-000000000000"
+ name = "my-custom-role-definition"
+ scope = data.azurerm_subscription.primary.id
+
+ permissions {
+ actions = ["Microsoft.Authorization/roleDefinitions/read"]
+ not_actions = []
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/azure/4216ebac-d74c-4423-b437-35025cb88af5.md b/docs/queries/terraform-queries/azure/4216ebac-d74c-4423-b437-35025cb88af5.md
new file mode 100644
index 00000000000..3c649e1d8b3
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/4216ebac-d74c-4423-b437-35025cb88af5.md
@@ -0,0 +1,79 @@
+---
+title: Network Interfaces IP Forwarding Enabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 4216ebac-d74c-4423-b437-35025cb88af5
+- **Query name:** Network Interfaces IP Forwarding Enabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/network_interfaces_ip_forwarding_enabled)
+
+### Description
+Network Interfaces IP Forwarding should be disabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface#enable_ip_forwarding)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="12"
+resource "azurerm_network_interface" "positive" {
+ name = "example-nic"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.example.id
+ private_ip_address_allocation = "Dynamic"
+ }
+
+ enable_ip_forwarding = true
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_network_interface" "negative1" {
+ name = "example-nic"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.example.id
+ private_ip_address_allocation = "Dynamic"
+ }
+
+ enable_ip_forwarding = false
+}
+
+```
+```tf title="Negative test num. 2 - tf file"
+resource "azurerm_network_interface" "negative2" {
+ name = "example-nic"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.example.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/azure/43789711-161b-4708-b5bb-9d1c626f7492.md b/docs/queries/terraform-queries/azure/43789711-161b-4708-b5bb-9d1c626f7492.md
new file mode 100644
index 00000000000..18bf7a85920
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/43789711-161b-4708-b5bb-9d1c626f7492.md
@@ -0,0 +1,116 @@ +--- +title: AKS Uses Azure Policies Add-On Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 43789711-161b-4708-b5bb-9d1c626f7492 +- **Query name:** AKS Uses Azure Policies Add-On Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/aks_uses_azure_policies_addon_disabled) + +### Description +Azure Container Service (AKS) should use Azure Policies Add-On
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#azure_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "azurerm_kubernetes_cluster" "positive1" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + addon_profile { + + azure_policy { + + enabled = false + + } + } +} + + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="7" +resource "azurerm_kubernetes_cluster" "positive2" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + azure_policy_enabled = false +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="7" +resource "azurerm_kubernetes_cluster" "positive3" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + addon_profile {} +} + +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="1" +resource "azurerm_kubernetes_cluster" "positive4" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_kubernetes_cluster" "negative" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + addon_profile { + + azure_policy { + + enabled = true + + } + } +} + + +``` +```tf title="Negative test num. 2 - tf file" +resource "azurerm_kubernetes_cluster" "negative" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + azure_policy_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/azure/45fc717a-bd86-415c-bdd8-677901be1aa6.md b/docs/queries/terraform-queries/azure/45fc717a-bd86-415c-bdd8-677901be1aa6.md new file mode 100644 index 00000000000..954107f8a35 --- /dev/null +++ b/docs/queries/terraform-queries/azure/45fc717a-bd86-415c-bdd8-677901be1aa6.md @@ -0,0 +1,94 @@ +--- +title: Function App Not Using Latest TLS Encryption Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 45fc717a-bd86-415c-bdd8-677901be1aa6 +- **Query name:** Function App Not Using Latest TLS Encryption Version +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/function_app_not_using_latest_tls_encryption_version) + +### Description +Ensure Function App is using the latest version of TLS encryption
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#min_tls_version) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="12" +resource "azurerm_function_app" "positive1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.1 + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_function_app" "negative1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.2 + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "azurerm_function_app" "negative2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } +} + +``` +```tf title="Negative test num. 
3 - tf file" +resource "azurerm_function_app" "negative3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key +} + +``` diff --git a/docs/queries/terraform-queries/azure/48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md b/docs/queries/terraform-queries/azure/48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md new file mode 100644 index 00000000000..8814f749665 --- /dev/null +++ b/docs/queries/terraform-queries/azure/48bbe0fd-57e4-4678-a4a1-119e79c90fc3.md @@ -0,0 +1,72 @@ +--- +title: Storage Share File Allows All ACL Permissions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 48bbe0fd-57e4-4678-a4a1-119e79c90fc3 +- **Query name:** Storage Share File Allows All ACL Permissions +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/storage_share_file_allows_all_acl_permissions) + +### Description +Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_share_file) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "azurerm_storage_share" "example" { + name = "sharename" + storage_account_name = azurerm_storage_account.example.name + quota = 50 + + acl { + id = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI" + + access_policy { + permissions = "rwdl" + start = "2022-07-02T09:38:21.0000000Z" + expiry = "2021-07-02T10:38:21.0000000Z" + } + } +} + +resource "azurerm_storage_share_file" "example" { + name = "my-awesome-content.zip" + storage_share_id = azurerm_storage_share.example.id + source = "some-local-file.zip" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_storage_table" "table_resource2" { + name = "my_table_name" + storage_account_name = "mystoragexxx" + acl { + id = "someid-1XXXXXXXXX" + access_policy { + expiry = "2022-10-03T05:05:00.0000000Z" + permissions = "r" + start = "2021-05-28T04:05:00.0000000Z" + } + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/4a9e0f00-0765-4f72-a0d4-d31110b78279.md b/docs/queries/terraform-queries/azure/4a9e0f00-0765-4f72-a0d4-d31110b78279.md new file mode 100644 index 00000000000..ab0f7748c1f --- /dev/null +++ b/docs/queries/terraform-queries/azure/4a9e0f00-0765-4f72-a0d4-d31110b78279.md 
@@ -0,0 +1,62 @@ +--- +title: Azure Cognitive Search Public Network Access Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4a9e0f00-0765-4f72-a0d4-d31110b78279 +- **Query name:** Azure Cognitive Search Public Network Access Enabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/azure_cognitive_search_public_network_access_enabled) + +### Description +Public Network Access should be disabled for Azure Cognitive Search
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/search_service#public_network_access_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "azurerm_search_service" "positive1" { + name = "example-search-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku = "standard" + public_network_access_enabled = true +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "azurerm_search_service" "positive2" { + name = "example-search-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku = "standard" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_search_service" "example" { + name = "example-search-service" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku = "standard" + public_network_access_enabled = false +} + +``` diff --git a/docs/queries/terraform-queries/azure/4d080822-5ee2-49a4-8984-68f3d4c890fc.md b/docs/queries/terraform-queries/azure/4d080822-5ee2-49a4-8984-68f3d4c890fc.md new file mode 100644 index 00000000000..dbbebde6bd7 --- /dev/null +++ b/docs/queries/terraform-queries/azure/4d080822-5ee2-49a4-8984-68f3d4c890fc.md @@ -0,0 +1,68 @@ +--- +title: Key Expiration Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4d080822-5ee2-49a4-8984-68f3d4c890fc +- **Query name:** Key Expiration Not Set +- **Platform:** Terraform +- **Severity:** High +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/key_expiration_not_set) + +### Description +Make sure that for all keys the expiration date is set
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_key_vault_key" "positive1" { + name = "generated-certificate" + key_vault_id = azurerm_key_vault.example.id + key_type = "RSA" + key_size = 2048 + + key_opts = [ + "decrypt", + "encrypt", + "sign", + "unwrapKey", + "verify", + "wrapKey", + ] +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_key_vault_key" "negative1" { + name = "generated-certificate" + key_vault_id = azurerm_key_vault.example.id + key_type = "RSA" + key_size = 2048 + + key_opts = [ + "decrypt", + "encrypt", + "sign", + "unwrapKey", + "verify", + "wrapKey", + ] + expiration_date = "2020-12-30T20:00:00Z" +} +``` diff --git a/docs/queries/terraform-queries/azure/5089d055-53ff-421b-9482-a5267bdce629.md b/docs/queries/terraform-queries/azure/5089d055-53ff-421b-9482-a5267bdce629.md new file mode 100644 index 00000000000..01f46e1795f --- /dev/null +++ b/docs/queries/terraform-queries/azure/5089d055-53ff-421b-9482-a5267bdce629.md @@ -0,0 +1,85 @@ +--- +title: Redis Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5089d055-53ff-421b-9482-a5267bdce629 +- **Query name:** Redis Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/redis_publicly_accessible) + +### Description +Firewall rule allowing unrestricted access to Redis from other Azure sources
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="22" +resource "azurerm_redis_cache" "positive1" { + name = "redis${random_id.server.hex}" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + capacity = 1 + family = "P" + sku_name = "Premium" + enable_non_ssl_port = false + + redis_configuration { + maxclients = 256 + maxmemory_reserved = 2 + maxmemory_delta = 2 + maxmemory_policy = "allkeys-lru" + } +} + +resource "azurerm_redis_firewall_rule" "positive2" { + name = "someIPrange" + redis_cache_name = azurerm_redis_cache.example.name + resource_group_name = azurerm_resource_group.example.name + start_ip = "1.2.3.4" + end_ip = "2.3.4.5" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_redis_cache" "negative1" { + name = "redis${random_id.server.hex}" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + capacity = 1 + family = "P" + sku_name = "Premium" + enable_non_ssl_port = false + + redis_configuration { + maxclients = 256 + maxmemory_reserved = 2 + maxmemory_delta = 2 + maxmemory_policy = "allkeys-lru" + } +} + +resource "azurerm_redis_firewall_rule" "negative2" { + name = "someIPrange" + redis_cache_name = azurerm_redis_cache.example.name + resource_group_name = azurerm_resource_group.example.name + start_ip = "10.2.3.4" + end_ip = "10.3.4.5" +} +``` diff --git a/docs/queries/terraform-queries/azure/525b53be-62ed-4244-b4df-41aecfcb4071.md b/docs/queries/terraform-queries/azure/525b53be-62ed-4244-b4df-41aecfcb4071.md new file mode 100644 index 00000000000..796188afdbd --- /dev/null +++ b/docs/queries/terraform-queries/azure/525b53be-62ed-4244-b4df-41aecfcb4071.md 
@@ -0,0 +1,129 @@ +--- +title: App Service HTTP2 Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 525b53be-62ed-4244-b4df-41aecfcb4071 +- **Query name:** App Service HTTP2 Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/app_service_http2_disabled) + +### Description +App Service should have 'http2_enabled' enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_app_service" "positive1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="17" +resource "azurerm_app_service" "positive2" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.2 + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="21" +resource "azurerm_app_service" "positive3" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.2 + http2_enabled = false + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_app_service" "negative" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.2 + http2_enabled = true + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/5400f379-a347-4bdd-a032-446465fdcc6f.md b/docs/queries/terraform-queries/azure/5400f379-a347-4bdd-a032-446465fdcc6f.md new file mode 100644 index 00000000000..bfe4f00068d --- /dev/null +++ b/docs/queries/terraform-queries/azure/5400f379-a347-4bdd-a032-446465fdcc6f.md 
@@ -0,0 +1,95 @@ +--- +title: Trusted Microsoft Services Not Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5400f379-a347-4bdd-a032-446465fdcc6f +- **Query name:** Trusted Microsoft Services Not Enabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/trusted_microsoft_services_not_enabled) + +### Description +Trusted Microsoft Services should be enabled for Storage Account access
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 21" +resource "azurerm_storage_account_network_rules" "positive1" { + resource_group_name = azurerm_resource_group.test.name + storage_account_name = azurerm_storage_account.test.name + + default_action = "Allow" + ip_rules = ["127.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.test.id] + bypass = ["Metrics"] +} + +resource "azurerm_storage_account" "positive2" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + + network_rules { + default_action = "Deny" + bypass = ["None"] + ip_rules = ["100.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.example.id] + } + + tags = { + environment = "staging" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_storage_account" "negative1" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + + network_rules { + default_action = "Deny" + bypass = ["AzureServices"] + ip_rules = ["100.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.example.id] + } + + tags = { + environment = "staging" + } +} + +resource "azurerm_storage_account_network_rules" "negative2" { + resource_group_name = azurerm_resource_group.test.name + storage_account_name = azurerm_storage_account.test.name + + default_action = "Allow" + ip_rules = ["127.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.test.id] + bypass = ["Metrics", "AzureServices"] +} +``` 
diff --git a/docs/queries/terraform-queries/azure/55975007-f6e7-4134-83c3-298f1fe4b519.md b/docs/queries/terraform-queries/azure/55975007-f6e7-4134-83c3-298f1fe4b519.md new file mode 100644 index 00000000000..9d5b9a5c1ff --- /dev/null +++ b/docs/queries/terraform-queries/azure/55975007-f6e7-4134-83c3-298f1fe4b519.md @@ -0,0 +1,81 @@ +--- +title: SQL Server Alert Email Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 55975007-f6e7-4134-83c3-298f1fe4b519 +- **Query name:** SQL Server Alert Email Disabled +- **Platform:** Terraform +- **Severity:** Info +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/sql_server_alert_email_disabled) + +### Description +SQL Server alert email should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_security_alert_policy#email_account_admins) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_mssql_server_security_alert_policy" "positive1" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="12" +resource "azurerm_mssql_server_security_alert_policy" "positive2" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 + email_account_admins = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_mssql_server_security_alert_policy" "negative" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 + email_account_admins = true +} + + +``` 
diff --git a/docs/queries/terraform-queries/azure/56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md b/docs/queries/terraform-queries/azure/56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md new file mode 100644 index 00000000000..dd2ffdbb181 --- /dev/null +++ b/docs/queries/terraform-queries/azure/56dad03e-e94f-4dd6-93a4-c253a03ff7a0.md @@ -0,0 +1,52 @@ +--- +title: Cosmos DB Account Without Tags +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 56dad03e-e94f-4dd6-93a4-c253a03ff7a0 +- **Query name:** Cosmos DB Account Without Tags +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/cosmos_db_account_without_tags) + +### Description +Cosmos DB Account must have a mapping of tags.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_cosmosdb_account" "positive1" { + name = "tfex-cosmos-db-${random_integer.ri.result}" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + offer_type = "Standard" + kind = "GlobalDocumentDB" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_cosmosdb_account" "negative1" { + name = "tfex-cosmos-db-${random_integer.ri.result}" + location = azurerm_resource_group.rg.location + resource_group_name = azurerm_resource_group.rg.name + offer_type = "Standard" + kind = "GlobalDocumentDB" + tags = "tag_1" +} +``` diff --git a/docs/queries/terraform-queries/azure/594c198b-4d79-41b8-9b36-fde13348b619.md b/docs/queries/terraform-queries/azure/594c198b-4d79-41b8-9b36-fde13348b619.md new file mode 100644 index 00000000000..2888929d7a7 --- /dev/null +++ b/docs/queries/terraform-queries/azure/594c198b-4d79-41b8-9b36-fde13348b619.md @@ -0,0 +1,331 @@ +--- +title: Sensitive Port Is Exposed To Entire Network +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 594c198b-4d79-41b8-9b36-fde13348b619 +- **Query name:** Sensitive Port Is Exposed To Entire Network +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/sensitive_port_is_exposed_to_entire_network) + +### Description +A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" +resource "azurerm_network_security_rule" "positive1" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "61621" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive2" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23-34" + source_address_prefix = "1.1.1.1/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive3" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "21-23" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive4" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "0.0.0.0/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource 
"azurerm_network_security_rule" "positive5" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "23,245" + source_address_prefix = "34.15.11.3/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive6" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive7" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "22-64, 94" + source_address_prefix = "10.0.0.0/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive8" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "14, 23, 48" + source_address_prefix = "12.12.12.12/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive9" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "12, 23-24,46" + source_address_prefix = "/0" + destination_address_prefix = "*" 
+ resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive10" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "46-146, 18-36, 1-2, 3" + source_address_prefix = "1.2.3.4/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_network_security_rule" "negative1" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Deny" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative2" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "23-34" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative3" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "8-174" + source_address_prefix = "0.0.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" 
"negative4" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23-196" + source_address_prefix = "192.168.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative5" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "/1" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative6" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "43" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative7" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "internet" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative8" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "22, 24,49-67" + source_address_prefix = "any" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name 
+ network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative9" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative10" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23 , 69" + source_address_prefix = "0.0.1.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative11" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "2,310" + source_address_prefix = "0.0.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +``` diff --git a/docs/queries/terraform-queries/azure/599318f2-6653-4569-9e21-041d06c63a89.md b/docs/queries/terraform-queries/azure/599318f2-6653-4569-9e21-041d06c63a89.md new file mode 100644 index 00000000000..807b8ff08ee --- /dev/null +++ b/docs/queries/terraform-queries/azure/599318f2-6653-4569-9e21-041d06c63a89.md 
@@ -0,0 +1,65 @@ +--- +title: AKS Private Cluster Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 599318f2-6653-4569-9e21-041d06c63a89 +- **Query name:** AKS Private Cluster Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/aks_private_cluster_disabled) + +### Description +Azure Kubernetes Service (AKS) API should not be exposed to the internet
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#private_cluster_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "azurerm_kubernetes_cluster" "positive1" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + private_cluster_enabled = false +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "azurerm_kubernetes_cluster" "positive2" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_kubernetes_cluster" "negative" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + private_cluster_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/azure/59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md b/docs/queries/terraform-queries/azure/59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md new file mode 100644 index 00000000000..6c7570edb49 --- /dev/null +++ b/docs/queries/terraform-queries/azure/59acb56b-2b10-4c2c-ba38-f2223c3f5cfc.md 
@@ -0,0 +1,194 @@ +--- +title: Small MSSQL Server Audit Retention +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 59acb56b-2b10-4c2c-ba38-f2223c3f5cfc +- **Query name:** Small MSSQL Server Audit Retention +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/small_msql_server_audit_retention) + +### Description +Make sure for SQL Servers that Auditing Retention is greater than 90 days
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="66 28 46 7" +resource "azurerm_sql_database" "positive1" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + } + + tags = { + environment = "production" + } +} + +resource "azurerm_sql_database" "positive2" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 90 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_sql_database" "positive3" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 0 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_sql_server" "positive4" { + name = "sqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" 
+ administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 20 + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_sql_database" "negative1" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 91 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_sql_database" "negative2" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 214 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_sql_database" "negative3" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 30000 + 
} + + tags = { + environment = "production" + } +} + +resource "azurerm_sql_database" "negative4" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 900 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_sql_server" "negative5" { + name = "sqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 95 + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/5c822443-e1ea-46b8-84eb-758ec602e844.md b/docs/queries/terraform-queries/azure/5c822443-e1ea-46b8-84eb-758ec602e844.md new file mode 100644 index 00000000000..882ab900779 --- /dev/null +++ b/docs/queries/terraform-queries/azure/5c822443-e1ea-46b8-84eb-758ec602e844.md 
@@ -0,0 +1,72 @@ +--- +title: Security Group is Not Configured +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5c822443-e1ea-46b8-84eb-758ec602e844 +- **Query name:** Security Group is Not Configured +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/security_group_is_not_configured) + +### Description +Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty
+[Documentation](https://www.terraform.io/docs/providers/azure/r/virtual_network.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="21 7" +#this is a problematic code where the query should report a result(s) +resource "azure_virtual_network" "positive1" { + name = "test-network" + address_space = ["10.1.2.0/24"] + location = "West US" + + subnet { + name = "subnet1" + address_prefix = "10.1.2.0/25" + } +} + +resource "azure_virtual_network" "positive2" { + name = "test-network" + address_space = ["10.1.2.0/24"] + location = "West US" + + subnet { + name = "subnet1" + address_prefix = "10.1.2.0/25" + security_group = "" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "azure_virtual_network" "negative1" { + name = "test-network" + address_space = ["10.1.2.0/24"] + location = "West US" + + subnet { + name = "subnet1" + address_prefix = "10.1.2.0/25" + security_group = "a" + } +} +``` diff --git a/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md b/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md new file mode 100644 index 00000000000..93582eae8df --- /dev/null +++ b/docs/queries/terraform-queries/azure/609839ae-bd81-4375-9910-5bce72ae7b92.md @@ -0,0 +1,60 @@ +--- +title: MSSQL Server Auditing Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 609839ae-bd81-4375-9910-5bce72ae7b92 +- **Query name:** MSSQL Server Auditing Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/mssql_server_auditing_disabled) + +### Description +Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_mssql_server" "positive1" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_mssql_server" "negative1" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 90 + } +} +``` diff --git a/docs/queries/terraform-queries/azure/61c3cb8b-0715-47e4-b788-86dde40dd2db.md b/docs/queries/terraform-queries/azure/61c3cb8b-0715-47e4-b788-86dde40dd2db.md new file mode 100644 index 00000000000..64330599732 --- /dev/null +++ b/docs/queries/terraform-queries/azure/61c3cb8b-0715-47e4-b788-86dde40dd2db.md @@ -0,0 +1,110 @@ +--- +title: Dashboard Is Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 61c3cb8b-0715-47e4-b788-86dde40dd2db +- **Query name:** Dashboard Is Enabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/dashboard_is_enabled) + +### Description +Check if the Kubernetes Dashboard is enabled.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="23" +resource "azurerm_kubernetes_cluster" "positive1" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_D2_v2" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Environment = "Production" + } + + addon_profile { + kube_dashboard { + enabled = true + } + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_kubernetes_cluster" "negative1" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_D2_v2" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Environment = "Production" + } +} + +resource "azurerm_kubernetes_cluster" "negative2" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_D2_v2" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Environment = "Production" + } + + addon_profile { + kube_dashboard { + enabled = false + } + } +} +``` diff --git a/docs/queries/terraform-queries/azure/6425c98b-ca4e-41fe-896a-c78772c131f8.md b/docs/queries/terraform-queries/azure/6425c98b-ca4e-41fe-896a-c78772c131f8.md new file mode 100644 index 00000000000..b0cb5030357 --- /dev/null 
+++ b/docs/queries/terraform-queries/azure/6425c98b-ca4e-41fe-896a-c78772c131f8.md @@ -0,0 +1,106 @@ +--- +title: PostgreSQL Server Infrastructure Encryption Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6425c98b-ca4e-41fe-896a-c78772c131f8 +- **Query name:** PostgreSQL Server Infrastructure Encryption Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/postgre_sql_server_infrastructure_encryption_disabled) + +### Description +PostgreSQL Server Infrastructure Encryption should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#infrastructure_encryption_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="21" +resource "azurerm_postgresql_server" "positive1" { + name = "example-psqlserver" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "psqladminun" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" + + infrastructure_encryption_enabled = false +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "azurerm_postgresql_server" "positive2" { + name = "example-psqlserver" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "psqladminun" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_postgresql_server" "negative" { + name = "example-psqlserver" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "psqladminun" + administrator_login_password = "H@Sh1CoR3!" 
+ + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" + + infrastructure_encryption_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/azure/73e42469-3a86-4f39-ad78-098f325b4e9f.md b/docs/queries/terraform-queries/azure/73e42469-3a86-4f39-ad78-098f325b4e9f.md new file mode 100644 index 00000000000..21c307ceb43 --- /dev/null +++ b/docs/queries/terraform-queries/azure/73e42469-3a86-4f39-ad78-098f325b4e9f.md @@ -0,0 +1,75 @@ +--- +title: MySQL SSL Connection Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 73e42469-3a86-4f39-ad78-098f325b4e9f +- **Query name:** MySQL SSL Connection Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/mysql_ssl_connection_disabled) + +### Description +Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="17" +resource "azurerm_mysql_server" "positive1" { + name = "webflux-mysql-${var.environment}${random_integer.rnd_int.result}" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "webflux-${var.environment}" + administrator_login_password = random_string.password.result + + sku_name = "B_Gen5_2" + storage_mb = 5120 + version = "5.7" + + auto_grow_enabled = true + backup_retention_days = 7 + infrastructure_encryption_enabled = true + public_network_access_enabled = true + ssl_enforcement_enabled = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_mysql_server" "negative1" { + name = "webflux-mysql-${var.environment}${random_integer.rnd_int.result}" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "webflux-${var.environment}" + administrator_login_password = random_string.password.result + + sku_name = "B_Gen5_2" + storage_mb = 5120 + version = "5.7" + + auto_grow_enabled = true + backup_retention_days = 7 + infrastructure_encryption_enabled = true + public_network_access_enabled = true + ssl_enforcement_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/azure/7750fcca-dd03-4d38-b663-4b70289bcfd4.md b/docs/queries/terraform-queries/azure/7750fcca-dd03-4d38-b663-4b70289bcfd4.md new file mode 100644 index 00000000000..326124f2e84 --- /dev/null +++ b/docs/queries/terraform-queries/azure/7750fcca-dd03-4d38-b663-4b70289bcfd4.md 
@@ -0,0 +1,108 @@ +--- +title: Small Flow Logs Retention Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7750fcca-dd03-4d38-b663-4b70289bcfd4 +- **Query name:** Small Flow Logs Retention Period +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/small_flow_logs_retention_period) + +### Description +Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="43 10 27 23" +resource "azurerm_network_watcher_flow_log" "positive1" { + network_watcher_name = azurerm_network_watcher.test.name + resource_group_name = azurerm_resource_group.test.name + network_security_group_id = azurerm_network_security_group.test.id + storage_account_id = azurerm_storage_account.test.id + enabled = true + + retention_policy { + enabled = true + days = 89 + } +} + +resource "azurerm_network_watcher_flow_log" "positive2" { + network_watcher_name = azurerm_network_watcher.test.name + resource_group_name = azurerm_resource_group.test.name + network_security_group_id = azurerm_network_security_group.test.id + storage_account_id = azurerm_storage_account.test.id + enabled = true + + retention_policy { + enabled = true + days = 3 + } +} + +resource "azurerm_network_watcher_flow_log" "positive3" { + network_watcher_name = azurerm_network_watcher.test.name + resource_group_name = azurerm_resource_group.test.name + network_security_group_id = azurerm_network_security_group.test.id + storage_account_id = azurerm_storage_account.test.id + enabled = true +} + +resource "azurerm_network_watcher_flow_log" "positive4" { + network_watcher_name = azurerm_network_watcher.test.name + resource_group_name = azurerm_resource_group.test.name + network_security_group_id = azurerm_network_security_group.test.id + storage_account_id = azurerm_storage_account.test.id + enabled = true + + retention_policy { + enabled = false + days = 900 + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_network_watcher_flow_log" "negative1" { + network_watcher_name = azurerm_network_watcher.test.name + resource_group_name = azurerm_resource_group.test.name + network_security_group_id = azurerm_network_security_group.test.id + storage_account_id = azurerm_storage_account.test.id + enabled = true + + retention_policy { + enabled = true + days = 90 + } +} + +resource "azurerm_network_watcher_flow_log" "negative2" { + network_watcher_name = azurerm_network_watcher.test.name + resource_group_name = azurerm_resource_group.test.name + network_security_group_id = azurerm_network_security_group.test.id + storage_account_id = azurerm_storage_account.test.id + enabled = true + + retention_policy { + enabled = true + days = 900 + } +} +``` diff --git a/docs/queries/terraform-queries/azure/7f0a8696-7159-4337-ad0d-8a3ab4a78195.md b/docs/queries/terraform-queries/azure/7f0a8696-7159-4337-ad0d-8a3ab4a78195.md new file mode 100644 index 00000000000..faff8a412e8 --- /dev/null +++ b/docs/queries/terraform-queries/azure/7f0a8696-7159-4337-ad0d-8a3ab4a78195.md @@ -0,0 +1,75 @@ +--- +title: MariaDB Server Public Network Access Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 7f0a8696-7159-4337-ad0d-8a3ab4a78195 +- **Query name:** MariaDB Server Public Network Access Enabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/mariadb_public_network_access_enabled) + +### Description +MariaDB Server Public Network Access should be disabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#public_network_access_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="16 1" +resource "azurerm_mariadb_server" "positive" { + name = "example-mariadb-server" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "mariadbadmin" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "B_Gen5_2" + storage_mb = 5120 + version = "10.2" + + auto_grow_enabled = true + backup_retention_days = 7 + geo_redundant_backup_enabled = false + public_network_access_enabled = true + ssl_enforcement_enabled = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_mariadb_server" "negative" { + name = "example-mariadb-server" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "mariadbadmin" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "B_Gen5_2" + storage_mb = 5120 + version = "10.2" + + auto_grow_enabled = true + backup_retention_days = 7 + geo_redundant_backup_enabled = false + public_network_access_enabled = false + ssl_enforcement_enabled = true +} + +``` diff --git a/docs/queries/terraform-queries/azure/819d50fd-1cdf-45c3-9936-be408aaad93e.md b/docs/queries/terraform-queries/azure/819d50fd-1cdf-45c3-9936-be408aaad93e.md new file mode 100644 index 00000000000..eec86190513 --- /dev/null +++ b/docs/queries/terraform-queries/azure/819d50fd-1cdf-45c3-9936-be408aaad93e.md 
@@ -0,0 +1,43 @@ +--- +title: Security Center Pricing Tier Is Not Standard +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 819d50fd-1cdf-45c3-9936-be408aaad93e +- **Query name:** Security Center Pricing Tier Is Not Standard +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/security_center_pricing_tier_is_not_standard) + +### Description +Make sure that the 'Standard' pricing tiers were selected.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_subscription_pricing) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +resource "azurerm_security_center_subscription_pricing" "positive1" { + tier = "Free" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_security_center_subscription_pricing" "negative1" { + tier = "Standard" +} +``` diff --git a/docs/queries/terraform-queries/azure/8263f146-5e03-43e0-9cfe-db960d56d1e7.md b/docs/queries/terraform-queries/azure/8263f146-5e03-43e0-9cfe-db960d56d1e7.md new file mode 100644 index 00000000000..af2416d8492 --- /dev/null +++ b/docs/queries/terraform-queries/azure/8263f146-5e03-43e0-9cfe-db960d56d1e7.md @@ -0,0 +1,63 @@ +--- +title: Storage Account Not Using Latest TLS Encryption Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8263f146-5e03-43e0-9cfe-db960d56d1e7 +- **Query name:** Storage Account Not Using Latest TLS Encryption Version +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/storage_account_not_using_latest_tls_encryption_version) + +### Description +Ensure Storage Account is using the latest version of TLS encryption
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "azurerm_storage_account" "positive2" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + min_tls_version = "TLS1_1" + + tags = { + environment = "staging" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_storage_account" "negative1" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + min_tls_version = "TLS1_2" + + tags = { + environment = "staging" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/835a4f2f-df43-437d-9943-545ccfc55961.md b/docs/queries/terraform-queries/azure/835a4f2f-df43-437d-9943-545ccfc55961.md new file mode 100644 index 00000000000..ca9260a5a94 --- /dev/null +++ b/docs/queries/terraform-queries/azure/835a4f2f-df43-437d-9943-545ccfc55961.md @@ -0,0 +1,124 @@ +--- +title: Azure Front Door WAF Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 835a4f2f-df43-437d-9943-545ccfc55961 +- **Query name:** Azure Front Door WAF Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/azure_front_door_waf_disabled) + +### Description +Azure Front Door WAF should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/frontdoor#web_application_firewall_policy_link_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="38" +resource "azurerm_frontdoor" "positive" { + name = "example-FrontDoor" + resource_group_name = azurerm_resource_group.example.name + enforce_backend_pools_certificate_name_check = false + + routing_rule { + name = "exampleRoutingRule1" + accepted_protocols = ["Http", "Https"] + patterns_to_match = ["/*"] + frontend_endpoints = ["exampleFrontendEndpoint1"] + forwarding_configuration { + forwarding_protocol = "MatchRequest" + backend_pool_name = "exampleBackendBing" + } + } + + backend_pool_load_balancing { + name = "exampleLoadBalancingSettings1" + } + + backend_pool_health_probe { + name = "exampleHealthProbeSetting1" + } + + backend_pool { + name = "exampleBackendBing" + backend { + host_header = "www.bing.com" + address = "www.bing.com" + http_port = 80 + https_port = 443 + } + + load_balancing_name = "exampleLoadBalancingSettings1" + health_probe_name = "exampleHealthProbeSetting1" + } + + frontend_endpoint { + name = "exampleFrontendEndpoint1" + host_name = "example-FrontDoor.azurefd.net" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_frontdoor" "negative" { + name = "example-FrontDoor" + resource_group_name = azurerm_resource_group.example.name + enforce_backend_pools_certificate_name_check = false + + routing_rule { + name = "exampleRoutingRule1" + accepted_protocols = ["Http", "Https"] + patterns_to_match = ["/*"] + frontend_endpoints = ["exampleFrontendEndpoint1"] + forwarding_configuration { + forwarding_protocol = "MatchRequest" + backend_pool_name = "exampleBackendBing" + } + } + + backend_pool_load_balancing { + name = "exampleLoadBalancingSettings1" + } + + backend_pool_health_probe { + name = "exampleHealthProbeSetting1" + } + + backend_pool { + name = "exampleBackendBing" + backend { + host_header = "www.bing.com" + address = "www.bing.com" + http_port = 80 + https_port = 443 + } + + load_balancing_name = "exampleLoadBalancingSettings1" + health_probe_name = "exampleHealthProbeSetting1" + } + + frontend_endpoint { + name = "exampleFrontendEndpoint1" + host_name = "example-FrontDoor.azurefd.net" + web_application_firewall_policy_link_id = "id" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/83a229ba-483e-47c6-8db7-dc96969bce5a.md b/docs/queries/terraform-queries/azure/83a229ba-483e-47c6-8db7-dc96969bce5a.md new file mode 100644 index 00000000000..5ffc1749421 --- /dev/null +++ b/docs/queries/terraform-queries/azure/83a229ba-483e-47c6-8db7-dc96969bce5a.md @@ -0,0 +1,152 @@ +--- +title: SQL Database Audit Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 83a229ba-483e-47c6-8db7-dc96969bce5a +- **Query name:** SQL Database Audit Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/sql_database_audit_disabled) + +### Description +Ensure that 'Threat Detection' is enabled for Azure SQL Database
+[Documentation](https://www.terraform.io/docs/providers/azurerm/r/sql_database.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="50 34" +resource "azurerm_resource_group" "positive1" { + name = "acceptanceTestResourceGroup1" + location = "West US" +} + +resource "azurerm_sql_server" "positive2" { + name = "myexamplesqlserver" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + version = "12.0" + administrator_login = "4dm1n157r470r" + administrator_login_password = "4-v3ry-53cr37-p455w0rd" + + tags = { + environment = "production" + } +} + +resource "azurerm_storage_account" "positive3" { + name = "examplesa" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} + +resource "azurerm_sql_database" "positive4" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + threat_detection_policy { + state = "Disabled" + } + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 6 + } + + tags = { + environment = "production" + } +} + + +resource "azurerm_sql_database" "positive5" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 6 + } + + tags = { + environment 
= "production" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_resource_group" "negative1" { + name = "acceptanceTestResourceGroup1" + location = "West US" +} + +resource "azurerm_sql_server" "negative2" { + name = "myexamplesqlserver" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + version = "12.0" + administrator_login = "4dm1n157r470r" + administrator_login_password = "4-v3ry-53cr37-p455w0rd" + + tags = { + environment = "production" + } +} + +resource "azurerm_storage_account" "negative3" { + name = "examplesa" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" +} + +resource "azurerm_sql_database" "negative4" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + threat_detection_policy { + state = "Enabled" + } + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 6 + } + + + + tags = { + environment = "production" + } +} +``` diff --git a/docs/queries/terraform-queries/azure/85da374f-b00f-4832-9d44-84a1ca1e89f8.md b/docs/queries/terraform-queries/azure/85da374f-b00f-4832-9d44-84a1ca1e89f8.md new file mode 100644 index 00000000000..19a94ecbfb1 --- /dev/null +++ b/docs/queries/terraform-queries/azure/85da374f-b00f-4832-9d44-84a1ca1e89f8.md 
@@ -0,0 +1,78 @@ +--- +title: App Service FTPS Enforce Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 85da374f-b00f-4832-9d44-84a1ca1e89f8 +- **Query name:** App Service FTPS Enforce Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/app_service_ftps_enforce_disabled) + +### Description +Azure App Service should only enforce FTPS when 'ftps_state' is enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#ftps_state) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "azurerm_app_service" "positive1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + ftps_state = "AllAllowed" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_app_service" "negative1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + ftps_state = "FtpsOnly" + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "azurerm_app_service" "negative2" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + ftps_state = "Disabled" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/86f92117-eed8-4614-9c6c-b26da20ff37f.md b/docs/queries/terraform-queries/azure/86f92117-eed8-4614-9c6c-b26da20ff37f.md new file mode 100644 index 00000000000..28b0541b527 --- /dev/null +++ b/docs/queries/terraform-queries/azure/86f92117-eed8-4614-9c6c-b26da20ff37f.md 
@@ -0,0 +1,121 @@ +--- +title: AKS RBAC Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 86f92117-eed8-4614-9c6c-b26da20ff37f +- **Query name:** AKS RBAC Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/aks_rbac_disabled) + +### Description +Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#role_based_access_control) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="35 7" +resource "azurerm_kubernetes_cluster" "positive1" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + role_based_access_control_enabled = false + + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_D2_v2" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Environment = "Production" + } + + network_profile { + network_policy = "azure" + } +} + +resource "azurerm_kubernetes_cluster" "positive2" { + name = "example-aks2" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks2" + + role_based_access_control { + enabled = false + } + + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_D2_v2" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Environment = "Production" + } + + network_profile { + network_policy = "calico" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_kubernetes_cluster" "negative1" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + role_based_access_control_enabled = true + + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_D2_v2" + } + + identity { + type = "SystemAssigned" + } + + tags = { + Environment = "Production" + } + + network_profile { + network_policy = "azure" + } +} + + +``` 
diff --git a/docs/queries/terraform-queries/azure/8b042c30-e441-453f-b162-7696982ebc58.md b/docs/queries/terraform-queries/azure/8b042c30-e441-453f-b162-7696982ebc58.md new file mode 100644 index 00000000000..b7358cc49c6 --- /dev/null +++ b/docs/queries/terraform-queries/azure/8b042c30-e441-453f-b162-7696982ebc58.md @@ -0,0 +1,97 @@ +--- +title: Geo Redundancy Is Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8b042c30-e441-453f-b162-7696982ebc58 +- **Query name:** Geo Redundancy Is Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/geo_redundancy_is_disabled) + +### Description +Make sure that on PostgreSQL Geo Redundant Backups is enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2 31" + +resource "azurerm_postgresql_server" "positive1" { + name = "dbserver" + location = "usgovvirginia" + resource_group_name = azurerm_resource_group.jira_rg.name + + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = var.jira_postgre_data_retention + auto_grow_enabled = true + + administrator_login = var.mp_db_username + administrator_login_password = azurerm_key_vault_secret.db_pswd.value + ssl_enforcement_enabled = true + + tags = local.postgresqlserver_tags +} + +resource "azurerm_postgresql_server" "positive2" { + name = "dbserver" + location = "usgovvirginia" + resource_group_name = azurerm_resource_group.jira_rg.name + + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = var.jira_postgre_data_retention + geo_redundant_backup_enabled = false + auto_grow_enabled = true + + administrator_login = var.mp_db_username + administrator_login_password = azurerm_key_vault_secret.db_pswd.value + ssl_enforcement_enabled = false + + tags = local.postgresqlserver_tags +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_postgresql_server" "negative1" { + name = "dbserver" + location = "usgovvirginia" + resource_group_name = azurerm_resource_group.jira_rg.name + + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = var.jira_postgre_data_retention + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + administrator_login = var.mp_db_username + administrator_login_password = azurerm_key_vault_secret.db_pswd.value + ssl_enforcement_enabled = false + + tags = local.postgresqlserver_tags +} + +``` 
diff --git a/docs/queries/terraform-queries/azure/8e75e431-449f-49e9-b56a-c8f1378025cf.md b/docs/queries/terraform-queries/azure/8e75e431-449f-49e9-b56a-c8f1378025cf.md new file mode 100644 index 00000000000..728674af655 --- /dev/null +++ b/docs/queries/terraform-queries/azure/8e75e431-449f-49e9-b56a-c8f1378025cf.md @@ -0,0 +1,83 @@ +--- +title: Role Assignment Not Limit Guest User Permissions +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 8e75e431-449f-49e9-b56a-c8f1378025cf +- **Query name:** Role Assignment Not Limit Guest User Permissions +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/role_assignment_not_limit_guest_users_permissions) + +### Description +Role Assignment should limit guest user permissions
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="20" +resource "azurerm_role_definition" "example" { + name = "my-custom-role" + scope = data.azurerm_subscription.primary.id + description = "This is a custom role created via Terraform" + + permissions { + actions = ["*"] + not_actions = [] + } + + assignable_scopes = [ + data.azurerm_subscription.primary.id, + ] +} + +resource "azurerm_role_assignment" "example" { + name = "00000000-0000-0000-0000-000000000000" + scope = data.azurerm_subscription.primary.id + role_definition_name = "Guest" + role_definition_id = azurerm_role_definition.example.role_definition_resource_id + principal_id = data.azurerm_client_config.example.object_id +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_role_definition" "example2" { + name = "my-custom-role" + scope = data.azurerm_subscription.primary.id + description = "This is a custom role created via Terraform" + + permissions { + actions = [] + not_actions = ["*"] + } + + assignable_scopes = [ + data.azurerm_subscription.primary.id, + ] +} + +resource "azurerm_role_assignment" "example2" { + name = "00000000-0000-0000-0000-000000000000" + scope = data.azurerm_subscription.primary.id + role_definition_name = "Guest" + role_definition_id = azurerm_role_definition.example2.role_definition_resource_id + principal_id = data.azurerm_client_config.example.object_id +} + +``` diff --git a/docs/queries/terraform-queries/azure/96fe318e-d631-4156-99fa-9080d57280ae.md b/docs/queries/terraform-queries/azure/96fe318e-d631-4156-99fa-9080d57280ae.md new file mode 100644 index 00000000000..7d4940976b8 --- /dev/null +++ b/docs/queries/terraform-queries/azure/96fe318e-d631-4156-99fa-9080d57280ae.md 
@@ -0,0 +1,210 @@ +--- +title: App Service Without Latest PHP Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 96fe318e-d631-4156-99fa-9080d57280ae +- **Query name:** App Service Without Latest PHP Version +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/app_service_without_latest_php_version) + +### Description +Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#php_version) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "azurerm_app_service" "example4" { + name = "example4-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + # SiteConfig block is optional before AzureRM version 3.0 + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + php_version = "7.3" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="25" +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_service_plan" "example" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku_name = "P1v2" +} + +resource "azurerm_windows_web_app" "example5" { + name = "example5" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config{ + application_stack{ + php_version = "v7.3" + } + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="26" +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_service_plan" "example" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + os_type = "Linux" + sku_name = "P1v2" +} + +resource "azurerm_linux_web_app" "example6" { + name = "example6" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config{ + application_stack{ + php_version = "7.4" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_app_service" "example1" { + name = "example1-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + # SiteConfig block is optional before AzureRM version 3.0 + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + php_version = "8.1" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` +```tf title="Negative test num. 
2 - tf file" +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_service_plan" "example" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku_name = "P1v2" +} + +resource "azurerm_windows_web_app" "example2" { + name = "example2" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config{ + application_stack{ + php_version = "v8.1" + } + } +} + +``` +```tf title="Negative test num. 3 - tf file" +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_service_plan" "example" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku_name = "P1v2" +} + +resource "azurerm_linux_web_app" "example3" { + name = "example3" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config{ + application_stack{ + php_version = "8.1" + } + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/9bb3c639-5edf-458c-8ee5-30c17c7d671d.md b/docs/queries/terraform-queries/azure/9bb3c639-5edf-458c-8ee5-30c17c7d671d.md new file mode 100644 index 00000000000..28eaed2d713 --- /dev/null +++ b/docs/queries/terraform-queries/azure/9bb3c639-5edf-458c-8ee5-30c17c7d671d.md 
@@ -0,0 +1,70 @@ +--- +title: Function App Client Certificates Unrequired +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9bb3c639-5edf-458c-8ee5-30c17c7d671d +- **Query name:** Function App Client Certificates Unrequired +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/function_app_client_certificates_unrequired) + +### Description +Azure Function App should have 'client_cert_mode' set to required
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#client_cert_mode) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_function_app" "positive1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +resource "azurerm_function_app" "positive2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + client_cert_mode = "Optional" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_function_app" "negative" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + client_cert_mode = "Required" +} + +``` diff --git a/docs/queries/terraform-queries/azure/9c301481-e6ec-44f7-8a49-8ec63e2969ea.md b/docs/queries/terraform-queries/azure/9c301481-e6ec-44f7-8a49-8ec63e2969ea.md new file mode 100644 index 00000000000..527bc0ec9a8 --- /dev/null 
+++ b/docs/queries/terraform-queries/azure/9c301481-e6ec-44f7-8a49-8ec63e2969ea.md @@ -0,0 +1,193 @@ +--- +title: Small MSSQL Audit Retention Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9c301481-e6ec-44f7-8a49-8ec63e2969ea +- **Query name:** Small MSSQL Audit Retention Period +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/small_mssql_audit_retention_period) + +### Description +Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="67 11 29 47" +resource "azurerm_mssql_database" "positive1" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_mssql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 6 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_mssql_database" "positive2" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_mssql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 90 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_mssql_database" "positive3" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_mssql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 0 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_mssql_server" "positive4" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = 
azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 20 + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_mssql_database" "negative1" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 91 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_mssql_database" "negative2" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 214 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_mssql_database" "negative3" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + 
storage_account_access_key_is_secondary = true + retention_in_days = 30000 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_mssql_database" "negative4" { + name = "myexamplesqldatabase" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + server_name = azurerm_sql_server.example.name + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 900 + } + + tags = { + environment = "production" + } +} + +resource "azurerm_mssql_server" "negative5" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 95 + } +} +``` diff --git a/docs/queries/terraform-queries/azure/9dab0179-433d-4dff-af8f-0091025691df.md b/docs/queries/terraform-queries/azure/9dab0179-433d-4dff-af8f-0091025691df.md new file mode 100644 index 00000000000..b2da9250f46 --- /dev/null +++ b/docs/queries/terraform-queries/azure/9dab0179-433d-4dff-af8f-0091025691df.md 
@@ -0,0 +1,94 @@ +--- +title: Function App FTPS Enforce Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9dab0179-433d-4dff-af8f-0091025691df +- **Query name:** Function App FTPS Enforce Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/function_app_ftps_enforce_disabled) + +### Description +Azure Function App should only enforce FTPS when 'ftps_state' is enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#ftps_state) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "azurerm_function_app" "positive1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + http2_enabled = true + ftps_state = "AllAllowed" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +resource "azurerm_function_app" "positive2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + http2_enabled = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_function_app" "negative1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + ftps_state = "FtpsOnly" + } +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "azurerm_function_app" "negative2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + ftps_state = "Disabled" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/9db38e87-f6aa-4b5e-a1ec-7266df259409.md b/docs/queries/terraform-queries/azure/9db38e87-f6aa-4b5e-a1ec-7266df259409.md new file mode 100644 index 00000000000..c68eca6a8c4 --- /dev/null +++ b/docs/queries/terraform-queries/azure/9db38e87-f6aa-4b5e-a1ec-7266df259409.md @@ -0,0 +1,47 @@ +--- +title: Email Alerts Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 9db38e87-f6aa-4b5e-a1ec-7266df259409 +- **Query name:** Email Alerts Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/email_alerts_disabled) + +### Description +Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "azurerm_security_center_contact" "positive1" { + email = "contact@example.com" + phone = "+1-555-555-5555" + alert_notifications = false +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_security_center_contact" "negative1" { + email = "contact@example.com" + phone = "+1-555-555-5555" + alert_notifications = true +} +``` diff --git a/docs/queries/terraform-queries/azure/a187ac47-8163-42ce-8a63-c115236be6fb.md b/docs/queries/terraform-queries/azure/a187ac47-8163-42ce-8a63-c115236be6fb.md new file mode 100644 index 00000000000..de8d9f6e4f7 --- /dev/null +++ b/docs/queries/terraform-queries/azure/a187ac47-8163-42ce-8a63-c115236be6fb.md @@ -0,0 +1,70 @@ +--- +title: Azure Container Registry With No Locks +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a187ac47-8163-42ce-8a63-c115236be6fb +- **Query name:** Azure Container Registry With No Locks +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/azure_container_registry_with_no_locks) + +### Description +Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/container_registry) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_container_registry" "acr" { +name = "containerRegistry1" +resource_group_name = azurerm_resource_group.rg.name +location = azurerm_resource_group.rg.location +sku = "Standard" +admin_enabled = false +} + + +resource "azurerm_management_lock" "public-ip" { +name = "resource-ip" +scope = azurerm_container_registry.acr1.id +lock_level = "CanNotDelete" +notes = "Locked because it's needed by a third-party" +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_container_registry" "acr" { +name = "containerRegistry1" +resource_group_name = azurerm_resource_group.rg.name +location = azurerm_resource_group.rg.location +sku = "Standard" +admin_enabled = false +} + + +resource "azurerm_management_lock" "public-ip" { +name = "resource-ip" +scope = azurerm_container_registry.acr.id +lock_level = "CanNotDelete" +notes = "Locked because it's needed by a third-party" +} + +``` diff --git a/docs/queries/terraform-queries/azure/a21c8da9-41bf-40cf-941d-330cf0d11fc7.md b/docs/queries/terraform-queries/azure/a21c8da9-41bf-40cf-941d-330cf0d11fc7.md new file mode 100644 index 00000000000..ac11fecc04e --- /dev/null +++ b/docs/queries/terraform-queries/azure/a21c8da9-41bf-40cf-941d-330cf0d11fc7.md 
@@ -0,0 +1,107 @@ +--- +title: Azure Active Directory Authentication +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a21c8da9-41bf-40cf-941d-330cf0d11fc7 +- **Query name:** Azure Active Directory Authentication +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/azure_active_directory_authentication) + +### Description +Azure Active Directory must be used for authentication for Service Fabric
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/service_fabric_cluster#tenant_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="19" +resource "azurerm_service_fabric_cluster" "positive1" { + name = "example-servicefabric" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + reliability_level = "Bronze" + upgrade_mode = "Manual" + cluster_code_version = "7.1.456.959" + vm_image = "Windows" + management_endpoint = "https://example:80" + + node_type { + name = "first" + instance_count = 3 + is_primary = true + client_endpoint_port = 2020 + http_endpoint_port = 80 + } + + azure_active_directory { + cluster_application_id = "id" + client_application_id = "id" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "azurerm_service_fabric_cluster" "positive2" { + name = "example-servicefabric" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + reliability_level = "Bronze" + upgrade_mode = "Manual" + cluster_code_version = "7.1.456.959" + vm_image = "Windows" + management_endpoint = "https://example:80" + + node_type { + name = "first" + instance_count = 3 + is_primary = true + client_endpoint_port = 2020 + http_endpoint_port = 80 + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_service_fabric_cluster" "negative" { + name = "example-servicefabric" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + reliability_level = "Bronze" + upgrade_mode = "Manual" + cluster_code_version = "7.1.456.959" + vm_image = "Windows" + management_endpoint = "https://example:80" + + node_type { + name = "first" + instance_count = 3 + is_primary = true + client_endpoint_port = 2020 + http_endpoint_port = 80 + } + + azure_active_directory { + tenant_id = "id" + cluster_application_id = "id" + client_application_id = "id" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md b/docs/queries/terraform-queries/azure/a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md new file mode 100644 index 00000000000..453735fc033 --- /dev/null +++ b/docs/queries/terraform-queries/azure/a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b.md @@ -0,0 +1,80 @@ +--- +title: AD Admin Not Configured For SQL Server +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b +- **Query name:** AD Admin Not Configured For SQL Server +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/ad_admin_not_configured_for_sql_server) + +### Description +The Active Directory Administrator is not configured for a SQL server
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_active_directory_administrator) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "azurerm_resource_group" "positive1" { + name = "acceptanceTestResourceGroup1" + location = "West US" +} + +resource "azurerm_sql_server" "positive2" { + name = "mysqlserver1" + resource_group_name = "acceptanceTestResourceGroup1" + location = "West US" + version = "12.0" + administrator_login = "4dm1n157r470r" + administrator_login_password = "4-v3ry-53cr37-p455w0rd" +} + +resource "azurerm_sql_active_directory_administrator" "positive3" { + server_name = "mysqlserver2" + resource_group_name = "acceptanceTestResourceGroup1" + login = "sqladmin" + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_resource_group" "negative1" { + name = "acceptanceTestResourceGroup1" + location = "West US" +} + +resource "azurerm_sql_server" "negative2" { + name = "mysqlserver" + resource_group_name = "acceptanceTestResourceGroup1" + location = "West US" + version = "12.0" + administrator_login = "4dm1n157r470r" + administrator_login_password = "4-v3ry-53cr37-p455w0rd" +} + +resource "azurerm_sql_active_directory_administrator" "negative3" { + server_name = "mysqlserver" + resource_group_name = "acceptanceTestResourceGroup1" + login = "sqladmin" + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id +} +``` diff --git a/docs/queries/terraform-queries/azure/a5613650-32ec-4975-a305-31af783153ea.md b/docs/queries/terraform-queries/azure/a5613650-32ec-4975-a305-31af783153ea.md new file mode 100644 index 00000000000..e29d152f1e4 --- /dev/null 
+++ b/docs/queries/terraform-queries/azure/a5613650-32ec-4975-a305-31af783153ea.md @@ -0,0 +1,256 @@ +--- +title: Default Azure Storage Account Network Access Is Too Permissive +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a5613650-32ec-4975-a305-31af783153ea +- **Query name:** Default Azure Storage Account Network Access Is Too Permissive +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/default_azure_storage_account_network_access_is_too_permissive) + +### Description +Default Azure Storage Account network access should be set to Deny
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="30" +resource "azurerm_resource_group" "example" { + name = "positive1-resources" + location = "West Europe" +} + +resource "azurerm_virtual_network" "positive1" { + name = "virtnetname" + address_space = ["10.0.0.0/16"] + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_subnet" "positive1" { + name = "subnetname" + resource_group_name = azurerm_resource_group.example.name + virtual_network_name = azurerm_virtual_network.positive1.name + address_prefixes = ["10.0.2.0/24"] + service_endpoints = ["Microsoft.Sql", "Microsoft.Storage"] +} + +resource "azurerm_storage_account" "positive1" { + name = "positive1storageaccount" + resource_group_name = azurerm_resource_group.example.name + + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + + network_rules { + default_action = "Allow" + ip_rules = ["100.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.positive1.id] + } + + tags = { + environment = "staging" + } +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="38" +resource "azurerm_resource_group" "example" { + name = "positive2-resources" + location = "West Europe" +} + +resource "azurerm_virtual_network" "positive2" { + name = "positive2-vnet" + address_space = ["10.0.0.0/16"] + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_subnet" "positive2" { + name = "positive2-subnet" + resource_group_name = azurerm_resource_group.example.name + virtual_network_name = azurerm_virtual_network.positive2.name + address_prefixes = ["10.0.2.0/24"] + service_endpoints = ["Microsoft.Storage"] +} + +resource "azurerm_storage_account" "positive2" { + name = "positive2storageaccount" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + + tags = { + environment = "staging" + } +} + +resource "azurerm_storage_account_network_rules" "positive2" { + resource_group_name = azurerm_resource_group.example.name + storage_account_name = azurerm_storage_account.positive2.name + storage_account_id = azurerm_storage_account.positive2.id + + default_action = "Allow" + ip_rules = ["127.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.positive2.id] + bypass = ["Metrics"] +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="12" +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_storage_account" "positive3" { + name = "positive3storageaccount" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + public_network_access_enabled = true + + tags = { + environment = "staging" + } +} +``` +
Postitive test num. 4 - tf file + +```tf hl_lines="6" +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_storage_account" "positive4" { + name = "positive4storageaccount" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + + tags = { + environment = "staging" + } +} +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_virtual_network" "negative1" { + name = "virtnetname" + address_space = ["10.0.0.0/16"] + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_subnet" "negative1" { + name = "subnetname" + resource_group_name = azurerm_resource_group.example.name + virtual_network_name = azurerm_virtual_network.negative1.name + address_prefixes = ["10.0.2.0/24"] + service_endpoints = ["Microsoft.Sql", "Microsoft.Storage"] +} + +resource "azurerm_storage_account" "negative1" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + + network_rules { + default_action = "Deny" + ip_rules = ["100.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.negative1.id] + } + + tags = { + environment = "staging" + } +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "azurerm_resource_group" "example" { + name = "negative2-resources" + location = "West Europe" +} + +resource "azurerm_virtual_network" "negative2" { + name = "negative2-vnet" + address_space = ["10.0.0.0/16"] + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_subnet" "negative2" { + name = "negative2-subnet" + resource_group_name = azurerm_resource_group.example.name + virtual_network_name = azurerm_virtual_network.negative2.name + address_prefixes = ["10.0.2.0/24"] + service_endpoints = ["Microsoft.Storage"] +} + +resource "azurerm_storage_account" "negative2" { + name = "storageaccountname" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "GRS" + + tags = { + environment = "staging" + } +} + +resource "azurerm_storage_account_network_rules" "negative2" { + resource_group_name = azurerm_resource_group.example.name + storage_account_name = azurerm_storage_account.negative2.name + storage_account_id = azurerm_storage_account.negative2.id + + default_action = "Deny" + ip_rules = ["127.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.negative2.id] + bypass = ["Metrics"] +} + +resource "azurerm_storage_account_network_rules" "negative2b" { + resource_group_name = azurerm_resource_group.example.name + storage_account_name = azurerm_storage_account.negative3.name + storage_account_id = azurerm_storage_account.negative3.id + + default_action = "Deny" + ip_rules = ["127.0.0.1"] + virtual_network_subnet_ids = [azurerm_subnet.negative2.id] + bypass = ["Metrics"] +} + +``` diff --git a/docs/queries/terraform-queries/azure/a81573f9-3691-4d83-88a0-7d4af63e17a3.md b/docs/queries/terraform-queries/azure/a81573f9-3691-4d83-88a0-7d4af63e17a3.md new file mode 100644 index 00000000000..98358afa51b --- /dev/null 
+++ b/docs/queries/terraform-queries/azure/a81573f9-3691-4d83-88a0-7d4af63e17a3.md @@ -0,0 +1,110 @@ +--- +title: Azure App Service Client Certificate Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a81573f9-3691-4d83-88a0-7d4af63e17a3 +- **Query name:** Azure App Service Client Certificate Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/azure_app_service_client_certificate_disabled) + +### Description +Azure App Service client certificate should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_app_service" "positive1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + app_settings = { + SOME_KEY = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="16" +resource "azurerm_app_service" "positive2" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + app_settings = { + SOME_KEY = "some-value" + } + + client_cert_enabled = false + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_app_service" "negative" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + app_settings = { + SOME_KEY = "some-value" + } + + client_cert_enabled = true + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + + +``` diff --git a/docs/queries/terraform-queries/azure/a829b715-cf75-4e92-b645-54c9b739edfb.md b/docs/queries/terraform-queries/azure/a829b715-cf75-4e92-b645-54c9b739edfb.md new file mode 100644 index 00000000000..9e624e0150c --- /dev/null +++ b/docs/queries/terraform-queries/azure/a829b715-cf75-4e92-b645-54c9b739edfb.md @@ -0,0 +1,51 @@ +--- +title: Firewall Rule Allows Too Many Hosts To Access Redis Cache +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a829b715-cf75-4e92-b645-54c9b739edfb +- **Query name:** Firewall Rule Allows Too Many Hosts To Access Redis Cache +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/firewall_rule_allows_too_many_hosts_to_access_redis_cache) + +### Description +Check if any firewall rule allows too many hosts to access Redis Cache
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "azurerm_redis_firewall_rule" "positive1" { + name = "someIPrange" + redis_cache_name = azurerm_redis_cache.example.name + resource_group_name = azurerm_resource_group.example.name + start_ip = "1.0.0.0" + end_ip = "3.0.0.0" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_redis_firewall_rule" "negative1" { + name = "someIPrange" + redis_cache_name = azurerm_redis_cache.example.name + resource_group_name = azurerm_resource_group.example.name + start_ip = "1.2.3.4" + end_ip = "1.2.3.8" +} +``` diff --git a/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md b/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md new file mode 100644 index 00000000000..41101d82328 --- /dev/null +++ b/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md @@ -0,0 +1,83 @@ +--- +title: Encryption On Managed Disk Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a99130ab-4c0e-43aa-97f8-78d4fcb30024 +- **Query name:** Encryption On Managed Disk Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/encryption_on_managed_disk_disabled) + +### Description +Ensure that the encryption is active on the disk
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk#encryption_settings) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10 18" +resource "azurerm_managed_disk" "positive1" { + name = "acctestmd" + location = "West US 2" + resource_group_name = azurerm_resource_group.example.name + storage_account_type = "Standard_LRS" + create_option = "Empty" + disk_size_gb = "1" + + encryption_settings = { + enabled = false + } + + tags = { + environment = "staging" + } +} + +resource "azurerm_managed_disk" "positive2" { + name = "acctestmd" + location = "West US 2" + resource_group_name = azurerm_resource_group.example.name + storage_account_type = "Standard_LRS" + create_option = "Empty" + disk_size_gb = "1" + + + tags = { + environment = "staging" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "azurerm_managed_disk" "negative1" { + name = "acctestmd" + location = "West US 2" + resource_group_name = azurerm_resource_group.example.name + storage_account_type = "Standard_LRS" + create_option = "Empty" + disk_size_gb = "1" + + encryption_settings = { + enabled = true + } + tags = { + environment = "staging" + } +} +``` diff --git a/docs/queries/terraform-queries/azure/ace823d1-4432-4dee-945b-cdf11a5a6bd0.md b/docs/queries/terraform-queries/azure/ace823d1-4432-4dee-945b-cdf11a5a6bd0.md new file mode 100644 index 00000000000..37b35832ae0 --- /dev/null +++ b/docs/queries/terraform-queries/azure/ace823d1-4432-4dee-945b-cdf11a5a6bd0.md 
@@ -0,0 +1,97 @@ +--- +title: Function App HTTP2 Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ace823d1-4432-4dee-945b-cdf11a5a6bd0 +- **Query name:** Function App HTTP2 Disabled +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/function_app_http2_disabled) + +### Description +Function App should have 'http2_enabled' enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#http2_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_function_app" "positive1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="9" +resource "azurerm_function_app" "positive2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.2 + } +} + +``` +```tf title="Postitive test num. 3 - tf file" hl_lines="13" +resource "azurerm_function_app" "positive3" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.2 + http2_enabled = false + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_function_app" "negative" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.2 + http2_enabled = true + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/ade36cf4-329f-4830-a83d-9db72c800507.md b/docs/queries/terraform-queries/azure/ade36cf4-329f-4830-a83d-9db72c800507.md new file mode 100644 index 00000000000..7780643f1c7 --- /dev/null +++ b/docs/queries/terraform-queries/azure/ade36cf4-329f-4830-a83d-9db72c800507.md @@ -0,0 +1,91 @@ +--- +title: MSSQL Server Public Network Access Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ade36cf4-329f-4830-a83d-9db72c800507 +- **Query name:** MSSQL Server Public Network Access Enabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/mssql_server_public_network_access_enabled) + +### Description +MSSQL Server public network access should be disabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server#public_network_access_enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_mssql_server" "positive1" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 90 + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="16" +resource "azurerm_mssql_server" "positive2" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 90 + } + + public_network_access_enabled = true +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_mssql_server" "negative1" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "thisIsDog11" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 90 + } + + public_network_access_enabled = false +} + +``` diff --git a/docs/queries/terraform-queries/azure/b17d8bb8-4c08-4785-867e-cb9e62a622aa.md b/docs/queries/terraform-queries/azure/b17d8bb8-4c08-4785-867e-cb9e62a622aa.md new file mode 100644 index 00000000000..007d9c484b1 --- /dev/null +++ b/docs/queries/terraform-queries/azure/b17d8bb8-4c08-4785-867e-cb9e62a622aa.md @@ -0,0 +1,80 @@ +--- +title: AKS Disk Encryption Set ID Undefined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b17d8bb8-4c08-4785-867e-cb9e62a622aa +- **Query name:** AKS Disk Encryption Set ID Undefined +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/aks_disk_encryption_set_id_undefined) + +### Description +Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#disk_encryption_set_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_kubernetes_cluster" "positive" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_D2_v2" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_kubernetes_cluster" "negative" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + disk_encryption_set_id = "id" + + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_D2_v2" + } +} + + +resource "azurerm_kubernetes_cluster" "negative" { + name = "example-aks1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + dns_prefix = "exampleaks1" + + default_node_pool { + name = "default" + node_count = 1 + vm_size = "Standard_D2_v2" + os_disk_type = "Ephemeral" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md b/docs/queries/terraform-queries/azure/b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md new file mode 100644 index 00000000000..3793d2a2345 --- /dev/null +++ b/docs/queries/terraform-queries/azure/b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a.md 
@@ -0,0 +1,184 @@ +--- +title: Virtual Network with DDoS Protection Plan disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b4cc2c52-34a6-4b43-b57c-4bdeb4514a5a +- **Query name:** Virtual Network with DDoS Protection Plan disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Availability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/virtual_network_with_ddos_protection_plan_disabled) + +### Description +Virtual Network should have DDoS Protection Plan enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network#ddos_protection_plan) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="18" +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_network_security_group" "example" { + name = "acceptanceTestSecurityGroup1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_network_ddos_protection_plan" "example" { + name = "ddospplan1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_virtual_network" "positive1" { + name = "virtualNetwork1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + address_space = ["10.0.0.0/16"] + dns_servers = ["10.0.0.4", "10.0.0.5"] + + subnet { + name = "subnet1" + address_prefix = "10.0.1.0/24" + } + + subnet { + name = "subnet2" + address_prefix = "10.0.2.0/24" + } + + subnet { + name = "subnet3" + address_prefix = "10.0.3.0/24" + security_group = azurerm_network_security_group.example.id + } + + tags = { + environment = "Production" + } +} + +``` +```tf title="Postitive test num. 
2 - tf file" hl_lines="27" +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_network_security_group" "example" { + name = "acceptanceTestSecurityGroup1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_network_ddos_protection_plan" "example" { + name = "ddospplan1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_virtual_network" "positive1" { + name = "virtualNetwork1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + address_space = ["10.0.0.0/16"] + dns_servers = ["10.0.0.4", "10.0.0.5"] + + ddos_protection_plan { + id = azurerm_network_ddos_protection_plan.example.id + enable = false + } + + subnet { + name = "subnet1" + address_prefix = "10.0.1.0/24" + } + + subnet { + name = "subnet2" + address_prefix = "10.0.2.0/24" + } + + subnet { + name = "subnet3" + address_prefix = "10.0.3.0/24" + security_group = azurerm_network_security_group.example.id + } + + tags = { + environment = "Production" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_network_security_group" "example" { + name = "acceptanceTestSecurityGroup1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_network_ddos_protection_plan" "example" { + name = "ddospplan1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name +} + +resource "azurerm_virtual_network" "negative1" { + name = "virtualNetwork1" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + address_space = ["10.0.0.0/16"] + dns_servers = ["10.0.0.4", "10.0.0.5"] + + ddos_protection_plan { + id = azurerm_network_ddos_protection_plan.example.id + enable = true + } + + subnet { + name = "subnet1" + address_prefix = "10.0.1.0/24" + } + + subnet { + name = "subnet2" + address_prefix = "10.0.2.0/24" + } + + subnet { + name = "subnet3" + address_prefix = "10.0.3.0/24" + security_group = azurerm_network_security_group.example.id + } + + tags = { + environment = "Production" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/b61cce4b-0cc4-472b-8096-15617a6d769b.md b/docs/queries/terraform-queries/azure/b61cce4b-0cc4-472b-8096-15617a6d769b.md new file mode 100644 index 00000000000..3a5632d9ba0 --- /dev/null +++ b/docs/queries/terraform-queries/azure/b61cce4b-0cc4-472b-8096-15617a6d769b.md 
@@ -0,0 +1,93 @@ +--- +title: App Service Managed Identity Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b61cce4b-0cc4-472b-8096-15617a6d769b +- **Query name:** App Service Managed Identity Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/app_service_managed_identity_disabled) + +### Description +Azure App Service should have managed identity enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_app_service" "positive1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + auth_settings = { + enabled = true + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_app_service" "negative1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + auth_settings = { + enabled = true + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } + + identity { + type = "SystemAssigned" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md b/docs/queries/terraform-queries/azure/b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md new file mode 100644 index 00000000000..2c27af93f43 --- /dev/null +++ b/docs/queries/terraform-queries/azure/b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643.md 
@@ -0,0 +1,86 @@ +--- +title: App Service Not Using Latest TLS Encryption Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643 +- **Query name:** App Service Not Using Latest TLS Encryption Version +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/app_service_not_using_latest_tls_encryption_version) + +### Description +Ensure App Service is using the latest version of TLS encryption
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "azurerm_app_service" "positive1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.1 + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_app_service" "negative1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + min_tls_version = 1.2 + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "azurerm_app_service" "negative1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "azurerm_app_service" "negative3" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id +} + +``` 
diff --git a/docs/queries/terraform-queries/azure/b897dfbf-322c-45a8-b67c-1e698beeaa51.md b/docs/queries/terraform-queries/azure/b897dfbf-322c-45a8-b67c-1e698beeaa51.md new file mode 100644 index 00000000000..1ef0e3e9d72 --- /dev/null +++ b/docs/queries/terraform-queries/azure/b897dfbf-322c-45a8-b67c-1e698beeaa51.md @@ -0,0 +1,63 @@ +--- +title: Admin User Enabled For Container Registry +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b897dfbf-322c-45a8-b67c-1e698beeaa51 +- **Query name:** Admin User Enabled For Container Registry +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/admin_user_enabled_for_container_registry) + +### Description +Admin user is enabled for Container Registry
+[Documentation](https://www.terraform.io/docs/providers/azurerm/r/container_registry.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "azurerm_resource_group" "positive1" { + name = "resourceGroup1" + location = "West US" +} + +resource "azurerm_container_registry" "positive2" { + name = "containerRegistry1" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + sku = "Premium" + admin_enabled = true + georeplication_locations = ["East US", "West Europe"] +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_resource_group" "negative1" { + name = "resourceGroup1" + location = "West US" +} + +resource "azurerm_container_registry" "negative2" { + name = "containerRegistry1" + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + sku = "Premium" + admin_enabled = false + georeplication_locations = ["East US", "West Europe"] +} +``` diff --git a/docs/queries/terraform-queries/azure/b90842e5-6779-44d4-9760-972f4c03ba1c.md b/docs/queries/terraform-queries/azure/b90842e5-6779-44d4-9760-972f4c03ba1c.md new file mode 100644 index 00000000000..0aeb0c9b1b5 --- /dev/null +++ b/docs/queries/terraform-queries/azure/b90842e5-6779-44d4-9760-972f4c03ba1c.md @@ -0,0 +1,63 @@ +--- +title: Network Watcher Flow Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b90842e5-6779-44d4-9760-972f4c03ba1c +- **Query name:** Network Watcher Flow Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/network_watcher_flow_disabled) + +### Description +Check if enable field in the resource azurerm_network_watcher_flow_log is false.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "azurerm_network_watcher_flow_log" "positive1" { + network_watcher_name = azurerm_network_watcher.test.name + resource_group_name = azurerm_resource_group.test.name + + network_security_group_id = azurerm_network_security_group.test.id + storage_account_id = azurerm_storage_account.test.id + enabled = false + + retention_policy { + enabled = true + days = 7 + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_network_watcher_flow_log" "negative1" { + network_watcher_name = azurerm_network_watcher.test.name + resource_group_name = azurerm_resource_group.test.name + + network_security_group_id = azurerm_network_security_group.test.id + storage_account_id = azurerm_storage_account.test.id + enabled = true + + retention_policy { + enabled = true + days = 7 + } +} +``` diff --git a/docs/queries/terraform-queries/azure/b947809d-dd2f-4de9-b724-04d101c515aa.md b/docs/queries/terraform-queries/azure/b947809d-dd2f-4de9-b724-04d101c515aa.md new file mode 100644 index 00000000000..8fcf68606bc --- /dev/null +++ b/docs/queries/terraform-queries/azure/b947809d-dd2f-4de9-b724-04d101c515aa.md @@ -0,0 +1,80 @@ +--- +title: Redis Not Updated Regularly +hide: + toc: true + navigation: true +--- + + + +- **Query id:** b947809d-dd2f-4de9-b724-04d101c515aa +- **Query name:** Redis Not Updated Regularly +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/redis_not_updated_regularly) + +### Description +Redis Cache is not configured to be updated regularly with security and operational updates
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache#patch_schedule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_redis_cache" "positive1" { + name = "timeout-redis" + location = "West Europe" + resource_group_name = azurerm_resource_group.example_rg.name + subnet_id = azurerm_subnet.example_redis_snet.id + + family = "P" + capacity = 1 + sku_name = "Premium" + shard_count = 1 + + enable_non_ssl_port = false + minimum_tls_version = "1.2" + + redis_configuration { + enable_authentication = true + maxmemory_policy = "volatile-lru" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_redis_cache" "negative1" { + name = "timeout-redis" + location = "West Europe" + resource_group_name = azurerm_resource_group.example_rg.name + subnet_id = azurerm_subnet.example_redis_snet.id + + family = "P" + capacity = 1 + sku_name = "Premium" + shard_count = 1 + + enable_non_ssl_port = false + minimum_tls_version = "1.2" + + redis_configuration { + enable_authentication = true + maxmemory_policy = "volatile-lru" + } + + patch_schedule { + day_of_week = "Thursday" + start_hour_utc = 7 + } +} +``` diff --git a/docs/queries/terraform-queries/azure/bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md b/docs/queries/terraform-queries/azure/bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md new file mode 100644 index 00000000000..612a0c9afa1 --- /dev/null +++ b/docs/queries/terraform-queries/azure/bbf6b3df-4b65-4f87-82cc-da9f30f8c033.md 
@@ -0,0 +1,71 @@ +--- +title: VM Not Attached To Network +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bbf6b3df-4b65-4f87-82cc-da9f30f8c033 +- **Query name:** VM Not Attached To Network +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/vm_not_attached_to_network) + +### Description +No Network Security Group is attached to the Virtual Machine
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine#network_interface_ids) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="5" +resource "azurerm_virtual_machine" "positive1" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + network_interface_ids = [] + vm_size = "Standard_DS1_v2" + + os_profile_linux_config { + disable_password_authentication = false + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_network_interface" "negative1" { + name = "${var.prefix}-nic" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + + ip_configuration { + name = "testconfiguration1" + subnet_id = azurerm_subnet.internal.id + private_ip_address_allocation = "Dynamic" + } +} + +resource "azurerm_virtual_machine" "negative2" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + network_interface_ids = [azurerm_network_interface.main.id] + vm_size = "Standard_DS1_v2" + + os_profile_linux_config { + disable_password_authentication = false + } +} +``` diff --git a/docs/queries/terraform-queries/azure/bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md b/docs/queries/terraform-queries/azure/bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md new file mode 100644 index 00000000000..eafb4c8b803 --- /dev/null +++ b/docs/queries/terraform-queries/azure/bcd3fc01-5902-4f2a-b05a-227f9bbf5450.md 
@@ -0,0 +1,93 @@ +--- +title: SQL Server Predictable Active Directory Account Name +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bcd3fc01-5902-4f2a-b05a-227f9bbf5450 +- **Query name:** SQL Server Predictable Active Directory Account Name +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/sql_server_predictable_active_directory_admin_account_name) + +### Description +Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_active_directory_administrator) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="29 21" +#this is a problematic code where the query should report a result(s) +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "positive1" { + name = "acceptanceTestResourceGroup1" + location = "West US" +} + +resource "azurerm_sql_server" "positive2" { + name = "mysqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "4dm1n157r470r" + administrator_login_password = "4-v3ry-53cr37-p455w0rd" +} + +resource "azurerm_sql_active_directory_administrator" "positive3" { + server_name = azurerm_sql_server.example.name + resource_group_name = azurerm_resource_group.example.name + login = "" + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id +} + +resource "azurerm_sql_active_directory_administrator" "positive4" { + server_name = azurerm_sql_server.example.name + resource_group_name = azurerm_resource_group.example.name + login = "Admin" + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +#this code is a correct code for which the query should not find any result +data "azurerm_client_config" "current" {} + +resource "azurerm_resource_group" "negative1" { + name = "acceptanceTestResourceGroup1" + location = "West US" +} + +resource "azurerm_sql_server" "negative2" { + name = "mysqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "4dm1n157r470r" + administrator_login_password = "4-v3ry-53cr37-p455w0rd" +} + +resource "azurerm_sql_active_directory_administrator" "negative3" { + server_name = azurerm_sql_server.example.name + resource_group_name = azurerm_resource_group.example.name + login = "NotEasyToPredictAdmin" + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id +} +``` diff --git a/docs/queries/terraform-queries/azure/c1573577-e494-4417-8854-7e119368dc8b.md b/docs/queries/terraform-queries/azure/c1573577-e494-4417-8854-7e119368dc8b.md new file mode 100644 index 00000000000..a57e0a6de42 --- /dev/null +++ b/docs/queries/terraform-queries/azure/c1573577-e494-4417-8854-7e119368dc8b.md 
@@ -0,0 +1,62 @@ +--- +title: Network Interfaces With Public IP +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c1573577-e494-4417-8854-7e119368dc8b +- **Query name:** Network Interfaces With Public IP +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/network_interfaces_dont_use_public_ip) + +### Description +Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_interface#public_ip_address_id) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +resource "azurerm_network_interface" "positive" { + name = "example-nic" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + ip_configuration { + name = "internal" + subnet_id = azurerm_subnet.example.id + private_ip_address_allocation = "Dynamic" + public_ip_address_id = "IP" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_network_interface" "negative" { + name = "example-nic" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + ip_configuration { + name = "internal" + subnet_id = azurerm_subnet.example.id + private_ip_address_allocation = "Dynamic" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md b/docs/queries/terraform-queries/azure/c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md new file mode 100644 index 00000000000..3ac17deab12 --- /dev/null +++ b/docs/queries/terraform-queries/azure/c2a3efb6-8a58-481c-82f2-bfddf34bb4b7.md @@ -0,0 +1,51 @@ +--- +title: CosmosDB Account IP Range Filter Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c2a3efb6-8a58-481c-82f2-bfddf34bb4b7 +- **Query name:** CosmosDB Account IP Range Filter Not Set +- **Platform:** Terraform +- **Severity:** High +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/cosmosdb_account_ip_range_filter_not_set) + +### Description +The IP range filter should be defined to secure the data stored
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cosmosdb_account#ip_range_filter) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_cosmosdb_account" "positive1" { + name = "example" + is_virtual_network_filter_enabled = true + + +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_cosmosdb_account" "negative1" { + name = "example" + + ip_range_filter = "104.42.195.92" + is_virtual_network_filter_enabled = true + + +} +``` diff --git a/docs/queries/terraform-queries/azure/c407c3cf-c409-4b29-b590-db5f4138d332.md b/docs/queries/terraform-queries/azure/c407c3cf-c409-4b29-b590-db5f4138d332.md new file mode 100644 index 00000000000..1965fbdf889 --- /dev/null +++ b/docs/queries/terraform-queries/azure/c407c3cf-c409-4b29-b590-db5f4138d332.md @@ -0,0 +1,110 @@ +--- +title: PostgreSQL Server Threat Detection Policy Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c407c3cf-c409-4b29-b590-db5f4138d332 +- **Query name:** PostgreSQL Server Threat Detection Policy Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/postgresql_server_threat_detection_policy_disabled) + +### Description +PostgreSQL Server Threat Detection Policy should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#threat_detection_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="22" +resource "azurerm_postgresql_server" "positive1" { + name = "example-psqlserver" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "psqladminun" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" + + threat_detection_policy { + enabled = false + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "azurerm_postgresql_server" "positive2" { + name = "example-psqlserver" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "psqladminun" + administrator_login_password = "H@Sh1CoR3!" + + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_postgresql_server" "negative" { + name = "example-psqlserver" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + administrator_login = "psqladminun" + administrator_login_password = "H@Sh1CoR3!" 
+ + sku_name = "GP_Gen5_4" + version = "9.6" + storage_mb = 640000 + + backup_retention_days = 7 + geo_redundant_backup_enabled = true + auto_grow_enabled = true + + public_network_access_enabled = false + ssl_enforcement_enabled = true + ssl_minimal_tls_version_enforced = "TLS1_2" + + threat_detection_policy { + enabled = true + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/c640d783-10c5-4071-b6c1-23507300d333.md b/docs/queries/terraform-queries/azure/c640d783-10c5-4071-b6c1-23507300d333.md new file mode 100644 index 00000000000..32fe2472857 --- /dev/null +++ b/docs/queries/terraform-queries/azure/c640d783-10c5-4071-b6c1-23507300d333.md @@ -0,0 +1,77 @@ +--- +title: PostgreSQL Log Connections Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c640d783-10c5-4071-b6c1-23507300d333 +- **Query name:** PostgreSQL Log Connections Not Set +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/postgre_sql_log_connections_not_set) + +### Description +Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="19 12 5" +resource "azurerm_postgresql_configuration" "positive1" { + name = "log_connections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "off" +} + +resource "azurerm_postgresql_configuration" "positive2" { + name = "log_connections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "Off" +} + +resource "azurerm_postgresql_configuration" "positive3" { + name = "log_connections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "OFF" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_postgresql_configuration" "negative1" { + name = "log_connections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "on" +} + +resource "azurerm_postgresql_configuration" "negative2" { + name = "log_connections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "On" +} + +resource "azurerm_postgresql_configuration" "negative3" { + name = "log_connections" + resource_group_name = data.azurerm_resource_group.example.name + server_name = azurerm_postgresql_server.example.name + value = "ON" +} +``` diff --git a/docs/queries/terraform-queries/azure/c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md b/docs/queries/terraform-queries/azure/c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md new file mode 100644 index 00000000000..d1176d1247e --- /dev/null 
+++ b/docs/queries/terraform-queries/azure/c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e.md @@ -0,0 +1,331 @@ +--- +title: Sensitive Port Is Exposed To Wide Private Network +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e +- **Query name:** Sensitive Port Is Exposed To Wide Private Network +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/sensitive_port_is_exposed_to_wide_private_network) + +### Description +A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" +resource "azurerm_network_security_rule" "positive1" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "61621" + source_address_prefix = "172.16.0.0/12" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive2" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23-34" + source_address_prefix = "172.16.0.0/12" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive3" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "21-23" + source_address_prefix = "172.16.0.0/12" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive4" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "192.168.0.0/16" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name 
+} + +resource "azurerm_network_security_rule" "positive5" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "23,245" + source_address_prefix = "192.168.0.0/16" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive6" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "192.168.0.0/16" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive7" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "22-64, 94" + source_address_prefix = "10.0.0.0/8" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive8" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "14, 23, 48" + source_address_prefix = "10.0.0.0/8" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive9" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "12, 23-24,46" + source_address_prefix = "10.0.0.0/8" 
+ destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive10" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "46-146, 18-36, 1-2, 3" + source_address_prefix = "10.0.0.0/8" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_network_security_rule" "negative1" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Deny" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative2" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "23-34" + source_address_prefix = "*" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative3" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "8-174" + source_address_prefix = "0.0.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + 
+resource "azurerm_network_security_rule" "negative4" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23-196" + source_address_prefix = "0.0.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative5" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "/1" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative6" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "43" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative7" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "internet" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative8" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "22, 24,49-67" + source_address_prefix = "any" + destination_address_prefix = "*" + resource_group_name 
= azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative9" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Icmp" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "/0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative10" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23 , 69" + source_address_prefix = "0.0.1.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "negative11" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "2,310" + source_address_prefix = "0.0.0.0" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +``` diff --git a/docs/queries/terraform-queries/azure/c7fc1481-2899-4490-bbd8-544a3a61a2f3.md b/docs/queries/terraform-queries/azure/c7fc1481-2899-4490-bbd8-544a3a61a2f3.md new file mode 100644 index 00000000000..d3864fed86b --- /dev/null +++ b/docs/queries/terraform-queries/azure/c7fc1481-2899-4490-bbd8-544a3a61a2f3.md 
@@ -0,0 +1,113 @@ +--- +title: App Service Authentication Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c7fc1481-2899-4490-bbd8-544a3a61a2f3 +- **Query name:** App Service Authentication Disabled +- **Platform:** Terraform +- **Severity:** Info +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/app_service_authentication_disabled) + +### Description +Azure App Service authentication settings should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#enabled) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_app_service" "positive1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="17" +resource "azurerm_app_service" "positive2" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + auth_settings = { + enabled = false + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_app_service" "negative1" { + name = "example-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + auth_settings = { + enabled = true + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/c87749b3-ff10-41f5-9df2-c421e8151759.md b/docs/queries/terraform-queries/azure/c87749b3-ff10-41f5-9df2-c421e8151759.md new file mode 100644 index 00000000000..f34dcce6e1f --- /dev/null +++ b/docs/queries/terraform-queries/azure/c87749b3-ff10-41f5-9df2-c421e8151759.md @@ -0,0 +1,59 @@ +--- +title: Function App Managed Identity Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c87749b3-ff10-41f5-9df2-c421e8151759 +- **Query name:** Function App Managed Identity Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/function_app_managed_identity_disabled) + +### Description +Azure Function App should have managed identity enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#identity) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_function_app" "positive1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_function_app" "negative" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + identity { + type = "SystemAssigned" + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/cc4aaa9d-1070-461a-b519-04e00f42db8a.md b/docs/queries/terraform-queries/azure/cc4aaa9d-1070-461a-b519-04e00f42db8a.md new file mode 100644 index 00000000000..d268aa7ab9c --- /dev/null +++ b/docs/queries/terraform-queries/azure/cc4aaa9d-1070-461a-b519-04e00f42db8a.md 
@@ -0,0 +1,238 @@ +--- +title: App Service Without Latest Python Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cc4aaa9d-1070-461a-b519-04e00f42db8a +- **Query name:** App Service Without Latest Python Version +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/app_service_without_latest_python_version) + +### Description +Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#python_version) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "azurerm_app_service" "example4" { + name = "example4-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + # SiteConfig block is optional before AzureRM version 3.0 + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + python_version = "2.7" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="25" +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_service_plan" "example" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku_name = "P1v2" +} + +resource "azurerm_windows_web_app" "example5" { + name = "example5" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config{ + application_stack{ + python_version = "v2.7" + } + } +} + +``` +```tf title="Postitive test num. 
3 - tf file" hl_lines="26" +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_service_plan" "example" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + os_type = "Linux" + sku_name = "P1v2" +} + +resource "azurerm_linux_web_app" "example6" { + name = "example6" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config{ + application_stack{ + python_version = "2.7" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_app_service" "example1" { + name = "example1-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + # SiteConfig block is optional before AzureRM version 3.0 + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + python_version = "3.10" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` +```tf title="Negative test num. 
2 - tf file" +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_service_plan" "example" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku_name = "P1v2" +} + +resource "azurerm_windows_web_app" "example2" { + name = "example2" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config{ + application_stack{ + python_version = "v3.10" + } + } +} + +``` +```tf title="Negative test num. 3 - tf file" +provider "azurerm" { + features {} +} + +resource "azurerm_resource_group" "example" { + name = "example-resources" + location = "West Europe" +} + +resource "azurerm_service_plan" "example" { + name = "example" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + sku_name = "P1v2" +} + +resource "azurerm_linux_web_app" "example3" { + name = "example3" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_service_plan.example.location + service_plan_id = azurerm_service_plan.example.id + + site_config{ + application_stack{ + python_version = "3.10" + } + } +} + +``` +
Negative test num. 4 - tf file + +```tf +resource "azurerm_app_service" "example1" { + name = "example1-app-service" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + + # SiteConfig block is optional before AzureRM version 3.0 + site_config { + dotnet_framework_version = "v4.0" + scm_type = "LocalGit" + } + + app_settings = { + "SOME_KEY" = "some-value" + } + + connection_string { + name = "Database" + type = "SQLServer" + value = "Server=some-server.mydomain.com;Integrated Security=SSPI" + } +} + +``` +
diff --git a/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md b/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md new file mode 100644 index 00000000000..0d19d4af934 --- /dev/null +++ b/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md @@ -0,0 +1,89 @@ +--- +title: Unrestricted SQL Server Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28 +- **Query name:** Unrestricted SQL Server Access +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/unrestricted_sql_server_access) + +### Description +Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="27 19" +resource "azurerm_resource_group" "positive1" { + name = "acceptanceTestResourceGroup1" + location = "West US" +} + +resource "azurerm_sql_server" "positive2" { + name = "mysqlserver" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + version = "12.0" + administrator_login = "4dm1n157r470r" + administrator_login_password = "4-v3ry-53cr37-p455w0rd" +} + +resource "azurerm_sql_firewall_rule" "positive3" { + name = "FirewallRule1" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + start_ip_address = "0.0.0.0" + end_ip_address = "10.0.27.62" +} + +resource "azurerm_sql_firewall_rule" "positive4" { + name = "FirewallRule1" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + start_ip_address = "10.0.17.62" + end_ip_address = "10.0.27.62" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_resource_group" "negative1" { + name = "acceptanceTestResourceGroup1" + location = "West US" +} + +resource "azurerm_sql_server" "negative2" { + name = "mysqlserver" + resource_group_name = azurerm_resource_group.example.name + location = "West US" + version = "12.0" + administrator_login = "4dm1n157r470r" + administrator_login_password = "4-v3ry-53cr37-p455w0rd" +} + +resource "azurerm_sql_firewall_rule" "negative3" { + name = "FirewallRule1" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + start_ip_address = "10.0.17.62" + end_ip_address = "10.0.17.62" +} + +``` 
diff --git a/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md b/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md new file mode 100644 index 00000000000..fd3ddc56e92 --- /dev/null +++ b/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md @@ -0,0 +1,92 @@ +--- +title: Azure Instance Using Basic Authentication +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dafe30ec-325d-4516-85d1-e8e6776f012c +- **Query name:** Azure Instance Using Basic Authentication +- **Platform:** Terraform +- **Severity:** High +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/azure_instance_using_basic_authentication) + +### Description +Azure Instances should use SSH Key instead of basic authentication
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#admin_ssh_key) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_virtual_machine" "positive1" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + network_interface_ids = [] + vm_size = "Standard_DS1_v2" + + os_profile_linux_config { + disable_password_authentication = false + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="1" +resource "azurerm_linux_virtual_machine" "positive1" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + network_interface_ids = [] + vm_size = "Standard_DS1_v2" + disable_password_authentication = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_linux_virtual_machine" "negative1" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + network_interface_ids = [azurerm_network_interface.main.id] + vm_size = "Standard_DS1_v2" + + admin_ssh_key { + username = "adminuser" + public_key = file("~/.ssh/id_rsa.pub") + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "azurerm_virtual_machine" "negative1" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + network_interface_ids = [azurerm_network_interface.main.id] + vm_size = "Standard_DS1_v2" + + os_profile_linux_config { + disable_password_authentication = true + } + + admin_ssh_key { + username = "adminuser" + public_key = file("~/.ssh/id_rsa.pub") + } +} + +``` 
diff --git a/docs/queries/terraform-queries/azure/dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md b/docs/queries/terraform-queries/azure/dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md new file mode 100644 index 00000000000..985c6842afd --- /dev/null +++ b/docs/queries/terraform-queries/azure/dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299.md @@ -0,0 +1,53 @@ +--- +title: Storage Container Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dd5230f8-a577-4bbb-b7ac-f2c2fe7d5299 +- **Query name:** Storage Container Is Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/storage_container_is_publicly_accessible) + +### Description +Anonymous, public read access to a container and its blobs are enabled in Azure Blob Storage
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container#container_access_type) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="4" +resource "azurerm_storage_container" "positive1" { + name = "vhds" + storage_account_name = azurerm_storage_account.example.name + container_access_type = "blob" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_storage_container" "negative1" { + name = "vhds" + storage_account_name = azurerm_storage_account.example.name + container_access_type = "private" +} + +resource "azurerm_storage_container" "negative2" { + name = "vhds2" + storage_account_name = azurerm_storage_account.example.name + // default is "private" +} +``` diff --git a/docs/queries/terraform-queries/azure/dfa20ffa-f476-428f-a490-424b41e91c7f.md b/docs/queries/terraform-queries/azure/dfa20ffa-f476-428f-a490-424b41e91c7f.md new file mode 100644 index 00000000000..6543ead4f9f --- /dev/null +++ b/docs/queries/terraform-queries/azure/dfa20ffa-f476-428f-a490-424b41e91c7f.md @@ -0,0 +1,56 @@ +--- +title: Secret Expiration Not Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dfa20ffa-f476-428f-a490-424b41e91c7f +- **Query name:** Secret Expiration Not Set +- **Platform:** Terraform +- **Severity:** High +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/secret_expiration_not_set) + +### Description +Make sure that for all secrets the expiration date is set
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_key_vault_secret" "positive1" { + name = "secret-sauce" + value = "szechuan" + key_vault_id = azurerm_key_vault.example.id + + tags = { + environment = "Production" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_key_vault_secret" "negative1" { + name = "secret-sauce" + value = "szechuan" + key_vault_id = azurerm_key_vault.example.id + + tags = { + environment = "Production" + } + expiration_date = "2020-12-30T20:00:00Z" +} +``` diff --git a/docs/queries/terraform-queries/azure/e29a75e6-aba3-4896-b42d-b87818c16b58.md b/docs/queries/terraform-queries/azure/e29a75e6-aba3-4896-b42d-b87818c16b58.md new file mode 100644 index 00000000000..3ee45ad7ea6 --- /dev/null +++ b/docs/queries/terraform-queries/azure/e29a75e6-aba3-4896-b42d-b87818c16b58.md @@ -0,0 +1,77 @@ +--- +title: Redis Cache Allows Non SSL Connections +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e29a75e6-aba3-4896-b42d-b87818c16b58 +- **Query name:** Redis Cache Allows Non SSL Connections +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/redis_cache_allows_non_ssl_connections) + +### Description +Redis Cache resources should not allow non-SSL connections
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_cache) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8" +resource "azurerm_redis_cache" "positive1" { + name = "example-cache" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + capacity = 2 + family = "C" + sku_name = "Standard" + enable_non_ssl_port = true + minimum_tls_version = "1.2" + + redis_configuration { + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_redis_cache" "negative1" { + name = "example-cache" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + capacity = 2 + family = "C" + sku_name = "Standard" + enable_non_ssl_port = false + minimum_tls_version = "1.2" + + redis_configuration { + } +} + +resource "azurerm_redis_cache" "negative2" { + name = "example-cache" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + capacity = 2 + family = "C" + sku_name = "Standard" + + minimum_tls_version = "1.2" + + redis_configuration { + } +} +``` diff --git a/docs/queries/terraform-queries/azure/e65a0733-94a0-4826-82f4-df529f4c593f.md b/docs/queries/terraform-queries/azure/e65a0733-94a0-4826-82f4-df529f4c593f.md new file mode 100644 index 00000000000..345049fafcd --- /dev/null +++ b/docs/queries/terraform-queries/azure/e65a0733-94a0-4826-82f4-df529f4c593f.md 
@@ -0,0 +1,74 @@ +--- +title: Function App Authentication Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e65a0733-94a0-4826-82f4-df529f4c593f +- **Query name:** Function App Authentication Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/function_app_authentication_disabled) + +### Description +Azure Function App authentication settings should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#auth_settings) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "azurerm_function_app" "positive1" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="10" +resource "azurerm_function_app" "positive2" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + auth_settings { + enabled = false + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_function_app" "negative" { + name = "test-azure-functions" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + app_service_plan_id = azurerm_app_service_plan.example.id + storage_account_name = azurerm_storage_account.example.name + storage_account_access_key = azurerm_storage_account.example.primary_access_key + + auth_settings { + enabled = true + } +} + +``` diff --git a/docs/queries/terraform-queries/azure/e9dee01f-2505-4df2-b9bf-7804d1fd9082.md b/docs/queries/terraform-queries/azure/e9dee01f-2505-4df2-b9bf-7804d1fd9082.md new file mode 100644 index 00000000000..29bdbfb7d67 --- /dev/null 
+++ b/docs/queries/terraform-queries/azure/e9dee01f-2505-4df2-b9bf-7804d1fd9082.md @@ -0,0 +1,331 @@ +--- +title: Sensitive Port Is Exposed To Small Public Network +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e9dee01f-2505-4df2-b9bf-7804d1fd9082 +- **Query name:** Sensitive Port Is Exposed To Small Public Network +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/sensitive_port_is_exposed_to_small_public_network) + +### Description +A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92" +resource "azurerm_network_security_rule" "positive1" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "61621" + source_address_prefix = "/26" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive2" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23-34" + source_address_prefix = "1.1.1.1/25" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive3" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "21-23" + source_address_prefix = "/26" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive4" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "0.0.0.0/27" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource 
"azurerm_network_security_rule" "positive5" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "23,245" + source_address_prefix = "34.15.11.3/28" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive6" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "23" + source_address_prefix = "/29" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive7" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "UDP" + source_port_range = "*" + destination_port_range = "22-64, 94" + source_address_prefix = "10.0.0.0/28" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive8" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_range = "14, 23, 48" + source_address_prefix = "12.12.12.12/27" + destination_address_prefix = "*" + resource_group_name = azurerm_resource_group.example.name + network_security_group_name = azurerm_network_security_group.example.name +} + +resource "azurerm_network_security_rule" "positive9" { + name = "example" + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "*" + source_port_range = "*" + destination_port_range = "12, 23-24,46" + source_address_prefix = "/26" + destination_address_prefix 
= "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "positive10" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_range = "*"
+ destination_port_range = "46-146, 18-36, 1-2, 3"
+ source_address_prefix = "1.2.3.4/25"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_network_security_rule" "negative1" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Deny"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "23"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative2" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Icmp"
+ source_port_range = "*"
+ destination_port_range = "23-34"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative3" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "8-174"
+ source_address_prefix = "0.0.0.0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource 
"azurerm_network_security_rule" "negative4" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "23-196"
+ source_address_prefix = "192.168.0.0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative5" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "23"
+ source_address_prefix = "/1"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative6" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_range = "*"
+ destination_port_range = "43"
+ source_address_prefix = "/0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative7" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Icmp"
+ source_port_range = "*"
+ destination_port_range = "23"
+ source_address_prefix = "internet"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative8" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_range = "*"
+ destination_port_range = "22, 24,49-67"
+ source_address_prefix = "any"
+ destination_address_prefix = "*"
+ resource_group_name = 
azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative9" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "Icmp"
+ source_port_range = "*"
+ destination_port_range = "23"
+ source_address_prefix = "/0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative10" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "23 , 69"
+ source_address_prefix = "0.0.1.0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative11" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "2,310"
+ source_address_prefix = "0.0.0.0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+```
diff --git a/docs/queries/terraform-queries/azure/efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md b/docs/queries/terraform-queries/azure/efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md
new file mode 100644
index 00000000000..c24e1a36c9c
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/efbf6449-5ec5-4cfe-8f15-acc51e0d787c.md
@@ -0,0 +1,337 @@
+---
+title: RDP Is Exposed To The Internet
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** efbf6449-5ec5-4cfe-8f15-acc51e0d787c
+- **Query name:** RDP Is Exposed To The Internet
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/rdp_is_exposed_to_the_internet)
+
+### Description
+Port 3389 (Remote Desktop) is exposed to the internet
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="64 36 134 8 106 78 50 22 120 92"
+resource "azurerm_network_security_rule" "positive1" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "positive2" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3389-3390"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "positive3" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3388-3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "positive4" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "0.0.0.0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource 
"azurerm_network_security_rule" "positive5" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3389,3391"
+ source_address_prefix = "34.15.11.3/0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "positive6" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "/0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "positive7" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3388-3390, 23000"
+ source_address_prefix = "internet"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "positive8" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3387, 3389 , 3391 "
+ source_address_prefix = "any"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "positive9" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_range = "*"
+ destination_port_range = "3388, 3389-3390,2250"
+ source_address_prefix = "/0"
+ 
destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "positive10" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_range = "*"
+ destination_port_range = "111-211, 2000-4430, 1-2 , 3"
+ source_address_prefix = "internet"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_network_security_rule" "negative1" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Deny"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative2" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "UDP"
+ source_port_range = "*"
+ destination_port_range = "2000-5000"
+ source_address_prefix = "*"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+
+resource "azurerm_network_security_rule" "negative3" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "4030-5100"
+ source_address_prefix = "0.0.0.0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = 
azurerm_network_security_group.example.name
+}
+
+
+resource "azurerm_network_security_rule" "negative4" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "2100-5300"
+ source_address_prefix = "192.168.0.0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+
+resource "azurerm_network_security_rule" "negative5" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "/1"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative6" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_range = "*"
+ destination_port_range = "3388"
+ source_address_prefix = "/0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+
+resource "azurerm_network_security_rule" "negative7" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "UDP"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "internet"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+
+resource "azurerm_network_security_rule" "negative8" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "*"
+ source_port_range = "*"
+ destination_port_range = "3388, 3390,1000-2000"
+ 
source_address_prefix = "any"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+
+resource "azurerm_network_security_rule" "negative9" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "UDP"
+ source_port_range = "*"
+ destination_port_range = "3389"
+ source_address_prefix = "/0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative10" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "3389 , 3390"
+ source_address_prefix = "0.0.1.0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+resource "azurerm_network_security_rule" "negative11" {
+ name = "example"
+ priority = 100
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "338,389"
+ source_address_prefix = "0.0.0.0"
+ destination_address_prefix = "*"
+ resource_group_name = azurerm_resource_group.example.name
+ network_security_group_name = azurerm_network_security_group.example.name
+}
+
+```
diff --git a/docs/queries/terraform-queries/azure/f118890b-2468-42b1-9ce9-af35146b425b.md b/docs/queries/terraform-queries/azure/f118890b-2468-42b1-9ce9-af35146b425b.md
new file mode 100644
index 00000000000..a736f1109c8
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/f118890b-2468-42b1-9ce9-af35146b425b.md
@@ -0,0 +1,101 @@
+---
+title: MySQL Server Public Access Enabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f118890b-2468-42b1-9ce9-af35146b425b
+- **Query name:** MySQL Server Public Access Enabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/mysql_server_public_access_enabled)
+
+### Description
+MySQL Server public access should be disabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server#public_network_access_enabled)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "azurerm_mysql_server" "positive1" {
+ name = "example-mysqlserver"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ administrator_login = "mysqladminun"
+ administrator_login_password = "H@Sh1CoR3!"
+
+ sku_name = "B_Gen5_2"
+ storage_mb = 5120
+ version = "5.7"
+
+ auto_grow_enabled = true
+ backup_retention_days = 7
+ geo_redundant_backup_enabled = false
+ infrastructure_encryption_enabled = false
+ ssl_enforcement_enabled = true
+ ssl_minimal_tls_version_enforced = "TLS1_2"
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="17"
+resource "azurerm_mysql_server" "positive2" {
+ name = "example-mysqlserver"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ administrator_login = "mysqladminun"
+ administrator_login_password = "H@Sh1CoR3!"
+
+ sku_name = "B_Gen5_2"
+ storage_mb = 5120
+ version = "5.7"
+
+ auto_grow_enabled = true
+ backup_retention_days = 7
+ geo_redundant_backup_enabled = false
+ infrastructure_encryption_enabled = false
+ public_network_access_enabled = true
+ ssl_enforcement_enabled = true
+ ssl_minimal_tls_version_enforced = "TLS1_2"
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_mysql_server" "negative" {
+ name = "example-mysqlserver"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ administrator_login = "mysqladminun"
+ administrator_login_password = "H@Sh1CoR3!"
+
+ sku_name = "B_Gen5_2"
+ storage_mb = 5120
+ version = "5.7"
+
+ auto_grow_enabled = true
+ backup_retention_days = 7
+ geo_redundant_backup_enabled = false
+ infrastructure_encryption_enabled = false
+ public_network_access_enabled = false
+ ssl_enforcement_enabled = true
+ ssl_minimal_tls_version_enforced = "TLS1_2"
+}
+
+```
diff --git a/docs/queries/terraform-queries/azure/f5342045-b935-402d-adf1-8dbbd09c0eef.md b/docs/queries/terraform-queries/azure/f5342045-b935-402d-adf1-8dbbd09c0eef.md
new file mode 100644
index 00000000000..ab2c557584c
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/f5342045-b935-402d-adf1-8dbbd09c0eef.md
@@ -0,0 +1,157 @@
+---
+title: AKS Network Policy Misconfigured
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f5342045-b935-402d-adf1-8dbbd09c0eef
+- **Query name:** AKS Network Policy Misconfigured
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/aks_network_policy_misconfigured)
+
+### Description
+Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/kubernetes_cluster)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="26 69 21"
+resource "azurerm_kubernetes_cluster" "positive1" {
+ name = "example-aks1"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ dns_prefix = "exampleaks1"
+
+ default_node_pool {
+ name = "default"
+ node_count = 1
+ vm_size = "Standard_D2_v2"
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ tags = {
+ Environment = "Production"
+ }
+
+ network_profile {
+ #...other configurations
+ }
+}
+
+resource "azurerm_kubernetes_cluster" "positive2" {
+ name = "example-aks2"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ dns_prefix = "exampleaks2"
+
+ default_node_pool {
+ name = "default"
+ node_count = 1
+ vm_size = "Standard_D2_v2"
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ tags = {
+ Environment = "Production"
+ }
+
+}
+
+resource "azurerm_kubernetes_cluster" "positive3" {
+ name = "example-aks1"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ dns_prefix = "exampleaks1"
+
+ default_node_pool {
+ name = "default"
+ node_count = 1
+ vm_size = "Standard_D2_v2"
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ tags = {
+ Environment = "Production"
+ }
+
+ network_profile {
+ network_policy = "roxanne"
+ }
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 
1 - tf file"
+resource "azurerm_kubernetes_cluster" "negative1" {
+ name = "example-aks1"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ dns_prefix = "exampleaks1"
+
+ default_node_pool {
+ name = "default"
+ node_count = 1
+ vm_size = "Standard_D2_v2"
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ tags = {
+ Environment = "Production"
+ }
+
+ network_profile {
+ network_policy = "azure"
+ }
+}
+
+resource "azurerm_kubernetes_cluster" "negative2" {
+ name = "example-aks2"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ dns_prefix = "exampleaks2"
+
+ default_node_pool {
+ name = "default"
+ node_count = 1
+ vm_size = "Standard_D2_v2"
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ tags = {
+ Environment = "Production"
+ }
+
+ network_profile {
+ network_policy = "calico"
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/azure/f7e296b0-6660-4bc5-8f87-22ac4a815edf.md b/docs/queries/terraform-queries/azure/f7e296b0-6660-4bc5-8f87-22ac4a815edf.md
new file mode 100644
index 00000000000..2d94d733fe7
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/f7e296b0-6660-4bc5-8f87-22ac4a815edf.md
@@ -0,0 +1,60 @@
+---
+title: SQL Server Auditing Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f7e296b0-6660-4bc5-8f87-22ac4a815edf
+- **Query name:** SQL Server Auditing Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/sql_server_auditing_disabled)
+
+### Description
+Make sure that for SQL Servers, 'Auditing' is set to 'On'
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "azurerm_sql_server" "positive1" {
+ name = "mssqlserver"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12.0"
+ administrator_login = "mradministrator"
+ administrator_login_password = "thisIsDog11"
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_sql_server" "negative1" {
+ name = "mssqlserver"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12.0"
+ administrator_login = "mradministrator"
+ administrator_login_password = "thisIsDog11"
+
+ extended_auditing_policy {
+ storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.example.primary_access_key
+ storage_account_access_key_is_secondary = true
+ retention_in_days = 90
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/azure/f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md b/docs/queries/terraform-queries/azure/f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md
new file mode 100644
index 00000000000..493090f10e6
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/f8e08a38-fc6e-4915-abbe-a7aadf1d59ef.md
@@ -0,0 +1,50 @@
+---
+title: Key Vault Secrets Content Type Undefined
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f8e08a38-fc6e-4915-abbe-a7aadf1d59ef
+- **Query name:** Key Vault Secrets Content Type Undefined
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/key_vault_secrets_content_type_undefined)
+
+### Description
+Key Vault Secrets should have set Content Type
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "azurerm_key_vault_secret" "positive" {
+ name = "secret-sauce"
+ value = "szechuan"
+ key_vault_id = azurerm_key_vault.example.id
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_key_vault_secret" "negative" {
+ name = "secret-sauce"
+ value = "szechuan"
+ key_vault_id = azurerm_key_vault.example.id
+ content_type = "password"
+}
+
+```
diff --git a/docs/queries/terraform-queries/azure/fd8da341-6760-4450-b26c-9f6d8850575e.md b/docs/queries/terraform-queries/azure/fd8da341-6760-4450-b26c-9f6d8850575e.md
new file mode 100644
index 00000000000..d4b6e2a7f60
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/fd8da341-6760-4450-b26c-9f6d8850575e.md
@@ -0,0 +1,85 @@
+---
+title: Redis Entirely Accessible
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** fd8da341-6760-4450-b26c-9f6d8850575e
+- **Query name:** Redis Entirely Accessible
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/redis_entirely_accessible)
+
+### Description
+Firewall rule allowing unrestricted access to Redis from the Internet
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/redis_firewall_rule)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="22"
+resource "azurerm_redis_cache" "positive1" {
+ name = "redis${random_id.server.hex}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ capacity = 1
+ family = "P"
+ sku_name = "Premium"
+ enable_non_ssl_port = false
+
+ redis_configuration {
+ maxclients = 256
+ maxmemory_reserved = 2
+ maxmemory_delta = 2
+ maxmemory_policy = "allkeys-lru"
+ }
+}
+
+resource "azurerm_redis_firewall_rule" "positive2" {
+ name = "someIPrange"
+ redis_cache_name = azurerm_redis_cache.example.name
+ resource_group_name = azurerm_resource_group.example.name
+ start_ip = "0.0.0.0"
+ end_ip = "0.0.0.0"
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_redis_cache" "negative1" {
+ name = "redis${random_id.server.hex}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ capacity = 1
+ family = "P"
+ sku_name = "Premium"
+ enable_non_ssl_port = false
+
+ redis_configuration {
+ maxclients = 256
+ maxmemory_reserved = 2
+ maxmemory_delta = 2
+ maxmemory_policy = "allkeys-lru"
+ }
+}
+
+resource "azurerm_redis_firewall_rule" "negative2" {
+ name = "someIPrange"
+ redis_cache_name = azurerm_redis_cache.example.name
+ resource_group_name = azurerm_resource_group.example.name
+ start_ip = "10.2.3.4"
+ end_ip = "10.3.4.5"
+}
+```
diff --git a/docs/queries/terraform-queries/azure/ffb02aca-0d12-475e-b77c-a726f7aeff4b.md b/docs/queries/terraform-queries/azure/ffb02aca-0d12-475e-b77c-a726f7aeff4b.md
new file mode 100644
index 00000000000..af5dc379e2f
--- /dev/null
+++ b/docs/queries/terraform-queries/azure/ffb02aca-0d12-475e-b77c-a726f7aeff4b.md
@@ -0,0 +1,77 @@
+---
+title: Log Retention Is Not Set
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ffb02aca-0d12-475e-b77c-a726f7aeff4b
+- **Query name:** Log Retention Is Not Set
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/log_retention_is_not_set)
+
+### Description
+Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="19 12 5"
+resource "azurerm_postgresql_configuration" "positive1" {
+ name = "log_retention"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "off"
+}
+
+resource "azurerm_postgresql_configuration" "positive2" {
+ name = "log_retention"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "Off"
+}
+
+resource "azurerm_postgresql_configuration" "positive3" {
+ name = "log_retention"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "OFF"
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "azurerm_postgresql_configuration" "negative1" {
+ name = "log_retention"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "on"
+}
+
+resource "azurerm_postgresql_configuration" "negative2" {
+ name = "log_retention"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "On"
+}
+
+resource "azurerm_postgresql_configuration" "negative3" {
+ name = "log_retention"
+ resource_group_name = data.azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "ON"
+}
+```
diff --git a/docs/queries/terraform-queries/b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md b/docs/queries/terraform-queries/b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md
new file mode 100644
index 00000000000..220886d30f5
--- /dev/null
+++ b/docs/queries/terraform-queries/b80b14c6-aaa2-4876-b651-8a48b6c32fbf.md
@@ -0,0 +1,257 @@
+---
+title: Network Policy Is Not Targeting Any Pod
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b80b14c6-aaa2-4876-b651-8a48b6c32fbf
+- **Query name:** Network Policy Is Not Targeting Any Pod
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/network_policy_is_not_targeting_any_pod)
+
+### Description
+Check if any network policy is not targeting any pod.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#match_labels)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="14"
+resource "kubernetes_network_policy" "example" {
+ metadata {
+ name = "terraform-example-network-policy"
+ namespace = "default"
+ }
+
+ spec {
+ pod_selector {
+ match_expressions {
+ key = "name"
+ operator = "In"
+ values = ["webfront", "api"]
+ }
+ match_labels = {
+ app = "ngnix"
+ }
+
+ }
+
+ ingress {
+ ports {
+ port = "http"
+ protocol = "TCP"
+ }
+ ports {
+ port = "8125"
+ protocol = "UDP"
+ }
+
+ from {
+ namespace_selector {
+ match_labels = {
+ name = "default"
+ }
+ }
+ }
+
+ from {
+ ip_block {
+ cidr = "10.0.0.0/8"
+ except = [
+ "10.0.0.0/24",
+ "10.0.1.0/24",
+ ]
+ }
+ }
+ }
+
+ egress {} # single empty rule to allow all egress traffic
+
+ policy_types = ["Ingress", "Egress"]
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_network_policy" "example2" {
+ metadata {
+ name = "terraform-example-network-policy"
+ namespace = "default"
+ }
+
+ spec {
+ pod_selector {
+ match_expressions {
+ key = "name"
+ operator = "In"
+ values = ["webfront", "api"]
+ }
+ match_labels = {
+ app = "ngnix2"
+ }
+
+ }
+
+ ingress {
+ ports {
+ port = "http"
+ protocol = "TCP"
+ }
+ ports {
+ port = "8125"
+ protocol = "UDP"
+ }
+
+ from {
+ namespace_selector {
+ match_labels = {
+ name = "default"
+ }
+ }
+ }
+
+ from {
+ ip_block {
+ cidr = "10.0.0.0/8"
+ except = [
+ "10.0.0.0/24",
+ "10.0.1.0/24",
+ ]
+ }
+ }
+ }
+
+ egress {} # single empty rule to allow all egress traffic
+
+ policy_types = ["Ingress", "Egress"]
+ }
+}
+
+resource "kubernetes_pod" "test2" {
+ metadata {
+ name = "terraform-example"
+
+ labels = {
+ app = "ngnix2"
+ }
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+
+resource "kubernetes_network_policy" "example222" {
+ metadata {
+ name = "terraform-example-network-policy"
+ namespace = "default"
+ }
+
+ spec {
+ pod_selector {
+ match_expressions {
+ key = "name"
+ operator = "In"
+ values = ["webfront", "api"]
+ }
+ match_labels = {
+ app = "kubernetes_pod.test2.metadata.0.labels.app"
+ }
+
+ }
+
+ ingress {
+ ports {
+ port = "http"
+ protocol = "TCP"
+ }
+ ports {
+ port = "8125"
+ protocol = "UDP"
+ }
+
+ from {
+ namespace_selector {
+ match_labels = {
+ name = "default"
+ }
+ }
+ }
+
+ from {
+ ip_block {
+ cidr = "10.0.0.0/8"
+ except = [
+ "10.0.0.0/24",
+ "10.0.1.0/24",
+ ]
+ }
+ }
+ }
+
+ egress {} # single empty rule to allow all egress traffic
+
+ policy_types = ["Ingress", "Egress"]
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md b/docs/queries/terraform-queries/bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md
new file mode 100644
index 00000000000..8ec60e95fe4
--- /dev/null
+++ b/docs/queries/terraform-queries/bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e.md
@@ -0,0 +1,151 @@
+---
+title: Metadata Label Is Invalid
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e
+- **Query name:** Metadata Label Is Invalid
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/metadata_label_is_invalid)
+
+### Description
+Check if any label in the metadata is invalid.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#labels)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="5"
+resource "kubernetes_pod" "test" {
+ metadata {
+ name = "terraform-example"
+
+ labels = {
+ app = "g**dy.l+bel"
+ }
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_pod" "test2" {
+ metadata {
+ name = "terraform-example"
+
+ labels = {
+ app = "MyApp"
+ }
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/bd6bd46c-57db-4887-956d-d372f21291b6.md b/docs/queries/terraform-queries/bd6bd46c-57db-4887-956d-d372f21291b6.md
new file mode 100644
index 00000000000..15addf25b10
--- /dev/null
+++ b/docs/queries/terraform-queries/bd6bd46c-57db-4887-956d-d372f21291b6.md
@@ -0,0 +1,202 @@
+---
+title: Missing App Armor Config
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** bd6bd46c-57db-4887-956d-d372f21291b6
+- **Query name:** Missing App Armor Config
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/missing_app_armor_config)
+
+### Description
+Containers should be configured with AppArmor for any application to reduce its potential attack
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#annotations)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="58 4"
+resource "kubernetes_pod" "example1" {
+ metadata {
+ name = "terraform-example1"
+ annotations = {
+ "container.apparmor" = "localhost"
+ }
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+resource "kubernetes_pod" "example2" {
+ metadata {
+ name = "terraform-example2"
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_pod" "test" {
+ metadata {
+ name = "terraform-example"
+ annotations = {
+ "container.apparmor.security.beta.kubernetes.io" = "localhost/k8s-apparmor-example-allow-write"
+ }
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/c878abb4-cca5-4724-92b9-289be68bd47c.md b/docs/queries/terraform-queries/c878abb4-cca5-4724-92b9-289be68bd47c.md
new file mode 100644
index 00000000000..afe96784e6b
--- /dev/null
+++ b/docs/queries/terraform-queries/c878abb4-cca5-4724-92b9-289be68bd47c.md
@@ -0,0 +1,345 @@
+---
+title: Privilege Escalation Allowed
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** c878abb4-cca5-4724-92b9-289be68bd47c
+- **Query name:** Privilege Escalation Allowed
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/privilege_escalation_allowed)
+
+### Description
+Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#allow_privilege_escalation)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="108 14 47"
+
+resource "kubernetes_pod" "positive1" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container = [
+ {
+ image = "nginx:1.7.9"
+ name = "example22"
+
+ security_context = {
+ allow_privilege_escalation = true
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ,
+ {
+ image = "nginx:1.7.9"
+ name = "example22222"
+
+ security_context = {
+ allow_privilege_escalation = true
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ]
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+
+
+resource "kubernetes_pod" "positive2" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ security_context = {
+ allow_privilege_escalation = true
+ }
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+
+resource "kubernetes_pod" "negative4" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container = [
+ {
+ image = "nginx:1.7.9"
+ name = "example22"
+
+ security_context = {
+ allow_privilege_escalation = false
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ,
+ {
+ image = "nginx:1.7.9"
+ name = "example22222"
+
+ security_context = {
+ allow_privilege_escalation = false
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ]
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+
+
+resource "kubernetes_pod" "negative5" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ security_context = {
+ allow_privilege_escalation = false
+ }
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/ca2fba76-c1a7-4afd-be67-5249f861cb0e.md b/docs/queries/terraform-queries/ca2fba76-c1a7-4afd-be67-5249f861cb0e.md
new file mode 100644
index 00000000000..1eaefa776dc
--- /dev/null
+++ b/docs/queries/terraform-queries/ca2fba76-c1a7-4afd-be67-5249f861cb0e.md
@@ -0,0 +1,455 @@
+---
+title: Tiller (Helm v2) Is Deployed
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ca2fba76-c1a7-4afd-be67-5249f861cb0e
+- **Query name:** Tiller (Helm v2) Is Deployed
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/tiller_is_deployed)
+
+### Description
+Check if Tiller is deployed.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="3 103 8 200 175"
+
+resource "kubernetes_pod" "positive1" {
+ metadata {
+ name = "tiller-deploy"
+ }
+
+ spec {
+ container = [
+ {
+ image = "tiller-image"
+ name = "example22"
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ,
+ {
+ image = "nginx:1.7.9"
+ name = "example22222"
+
+ resources = {
+ requests = {
+ cpu = "250m"
+ memory = "50Mi"
+ }
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ]
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+
+
+resource "kubernetes_pod" "positive2" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container {
+ image = "tiller-image"
+ name = "example"
+
+ resources {
+ limits {
+ cpu = "0.5"
+ memory = "512Mi"
+ }
+ }
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+resource "kubernetes_deployment" "example" {
+ metadata {
+ name = "terraform-example"
+ labels = {
+ test = "MyExampleApp"
+ }
+ }
+
+ spec {
+ replicas = 3
+
+ selector {
+ match_labels = {
+ test = "MyExampleApp"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "helm"
+ }
+ }
+
+ spec {
+
+ volume = [
+ {
+ host_path = {
+ path = "/var/run/docker.sock"
+ type = "Directory"
+ }
+ }
+ ,
+ {
+ host_path = {
+ path = "/var/run/docker.sock"
+ type = "Directory"
+ }
+ }
+ ]
+
+ container {
+ image = "tiller-image"
+ name = "example"
+
+ resources {
+ limits = {
+ cpu = "0.5"
+ memory = "512Mi"
+ }
+ requests = {
+ cpu = "250m"
+ memory = "50Mi"
+ }
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+
+resource "kubernetes_pod" "negative1" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container = [
+ {
+ image = "nginx:1.7.9"
+ name = "example22"
+
+ resources = {
+ limits = {
+ cpu = "0.5"
+ memory = "512Mi"
+ }
+ requests = {
+ cpu = "250m"
+ memory = "50Mi"
+ }
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ,
+ {
+ image = "nginx:1.7.9"
+ name = "example22222"
+
+ resources = {
+ limits = {
+ cpu = "0.5"
+ memory = "512Mi"
+ }
+ requests = {
+ cpu = "250m"
+ memory = "50Mi"
+ }
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ]
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+resource "kubernetes_deployment" "example2" {
+ metadata {
+ name = "terraform-example"
+ labels = {
+ test = "MyExampleApp"
+ }
+ }
+
+ spec {
+ replicas = 3
+
+ selector {
+ match_labels = {
+ test = "MyExampleApp"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ test = "MyExampleApp"
+ }
+ }
+
+ spec {
+
+ volume = [
+ {
+ host_path = {
+ path = "/data"
+ type = "Directory"
+ }
+ }
+ ,
+ {
+ host_path = {
+ path = "/data"
+ type = "Directory"
+ }
+ }
+ ]
+
+ container {
+ image = "nginx:1.7.8"
+ name = "example"
+
+ resources {
+ limits = {
+ cpu = "0.5"
+ memory = "512Mi"
+ }
+ requests = {
+ cpu = "250m"
+ memory = "50Mi"
+ }
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md b/docs/queries/terraform-queries/ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md
new file mode 100644
index 00000000000..98fd454469d
--- /dev/null
+++ b/docs/queries/terraform-queries/ce7c874e-1b88-450b-a5e4-cb76ada3c8a9.md
@@ -0,0 +1,63 @@
+---
+title: Github Organization Webhook With SSL Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ce7c874e-1b88-450b-a5e4-cb76ada3c8a9
+- **Query name:** Github Organization Webhook With SSL Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/github/github_organization_webhook_with_ssl_disabled)
+
+### Description
+Check if insecure SSL is being used in the GitHub organization webhooks
+[Documentation](https://registry.terraform.io/providers/hashicorp/github/latest/docs/resources/organization_webhook)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="7"
+resource "github_organization_webhook" "positive1" {
+ name = "web"
+
+ configuration {
+ url = "https://google.de/"
+ content_type = "form"
+ insecure_ssl = true
+ }
+
+ active = false
+
+ events = ["issues"]
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "github_organization_webhook" "negative1" {
+ name = "web"
+
+ configuration {
+ url = "https://google.de/"
+ content_type = "form"
+ insecure_ssl = false
+ }
+
+ active = false
+
+ events = ["issues"]
+}
+```
diff --git a/docs/queries/terraform-queries/common/1e434b25-8763-4b00-a5ca-ca03b7abbb66.md b/docs/queries/terraform-queries/common/1e434b25-8763-4b00-a5ca-ca03b7abbb66.md
new file mode 100644
index 00000000000..dac321186cb
--- /dev/null
+++ b/docs/queries/terraform-queries/common/1e434b25-8763-4b00-a5ca-ca03b7abbb66.md
@@ -0,0 +1,114 @@
+---
+title: Name Is Not Snake Case
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 1e434b25-8763-4b00-a5ca-ca03b7abbb66
+- **Query name:** Name Is Not Snake Case
+- **Platform:** Terraform
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/general/name_is_not_snake_case)
+
+### Description
+All names should follow snake case pattern.
+[Documentation](https://www.terraform.io/docs/extend/best-practices/naming.html#naming)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="7"
+variable "cluster_name" {
+ default = "example"
+ description = "cluster name"
+ type = string
+}
+
+resource "aws_eks_cluster" "positiveExample" {
+ depends_on = [aws_cloudwatch_log_group.example]
+
+ enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+ name = var.cluster_name
+}
+
+module "acm" {
+ source = "terraform-aws-modules/acm/aws"
+ version = "~> v2.0"
+ domain_name = var.site_domain
+ zone_id = data.aws_route53_zone.this.zone_id
+ tags = var.tags
+
+ providers = {
+ aws = aws.us_east_1 # cloudfront needs acm certificate to be from "us-east-1" region
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="14"
+variable "cluster_name" {
+ default = "example"
+ description = "cluster name"
+ type = string
+}
+
+resource "aws_eks_cluster" "positive2" {
+ depends_on = [aws_cloudwatch_log_group.example]
+
+ enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+ name = var.cluster_name
+}
+
+module "ACMPositive2" {
+ source = "terraform-aws-modules/acm/aws"
+ version = "~> v2.0"
+ domain_name = var.site_domain
+ zone_id = data.aws_route53_zone.this.zone_id
+ tags = var.tags
+
+ providers = {
+ aws = aws.us_east_1 # cloudfront needs acm certificate to be from "us-east-1" region
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+variable "cluster_name" {
+ default = "example"
+ description = "cluster name"
+ type = string
+}
+
+module "acm" {
+ source = "terraform-aws-modules/acm/aws"
+ version = "~> v2.0"
+ domain_name = var.site_domain
+ zone_id = data.aws_route53_zone.this.zone_id
+ tags = var.tags
+
+ providers = {
+ aws = aws.us_east_1 # cloudfront needs acm certificate to be from "us-east-1" region
+ }
+}
+
+resource "aws_eks_cluster" "negative1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+
+ enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+ name = var.cluster_name
+}
+
+```
diff --git a/docs/queries/terraform-queries/common/2a153952-2544-4687-bcc9-cc8fea814a9b.md b/docs/queries/terraform-queries/common/2a153952-2544-4687-bcc9-cc8fea814a9b.md
new file mode 100644
index 00000000000..0b3af81d783
--- /dev/null
+++ b/docs/queries/terraform-queries/common/2a153952-2544-4687-bcc9-cc8fea814a9b.md
@@ -0,0 +1,86 @@
+---
+title: Variable Without Description
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 2a153952-2544-4687-bcc9-cc8fea814a9b
+- **Query name:** Variable Without Description
+- **Platform:** Terraform
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/general/variable_without_description)
+
+### Description
+All variables should contain a valid description.
+[Documentation](https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+variable "cluster_name" {
+ default = "example"
+ type = string
+}
+
+resource "aws_eks_cluster" "positive1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+ name = var.cluster_name
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="4"
+variable "cluster_name" {
+ default = "example"
+ type = string
+ description = " "
+}
+
+resource "aws_eks_cluster" "positive1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+ name = var.cluster_name
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="4"
+variable "cluster_name" {
+ default = "example"
+ type = string
+ description = ""
+}
+
+resource "aws_eks_cluster" "positive1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+ name = var.cluster_name
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+variable "cluster_name" {
+ default = "example"
+ description = "cluster name"
+ type = string
+}
+
+resource "aws_eks_cluster" "negative1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+
+ enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+ name = var.cluster_name
+}
+
+```
diff --git a/docs/queries/terraform-queries/common/3a81fc06-566f-492a-91dd-7448e409e2cd.md b/docs/queries/terraform-queries/common/3a81fc06-566f-492a-91dd-7448e409e2cd.md
new file mode 100644
index 00000000000..f43bf40f82d
--- /dev/null
+++ b/docs/queries/terraform-queries/common/3a81fc06-566f-492a-91dd-7448e409e2cd.md
@@ -0,0 +1,87 @@
+---
+title: Generic Git Module Without Revision
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 3a81fc06-566f-492a-91dd-7448e409e2cd
+- **Query name:** Generic Git Module Without Revision
+- **Platform:** Terraform
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/general/generic_git_module_without_revision)
+
+### Description
+All generic git repositories should reference a revision.
+[Documentation](https://www.terraform.io/docs/language/modules/sources.html#selecting-a-revision)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+variable "cluster_name" {
+ default = "example"
+ description = "cluster name"
+ type = string
+}
+
+module "acm" {
+ source = "git::https://example.com/vpc.git"
+ version = "~> v2.0"
+ domain_name = var.site_domain
+ zone_id = data.aws_route53_zone.this.zone_id
+ tags = var.tags
+
+ providers = {
+ aws = aws.us_east_1 # cloudfront needs acm certificate to be from "us-east-1" region
+ }
+}
+
+resource "aws_eks_cluster" "negative1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+
+ enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+ name = var.cluster_name
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+variable "cluster_name" {
+ default = "example"
+ description = "cluster name"
+ type = string
+}
+
+module "acm" {
+ source = "terraform-aws-modules/acm/aws"
+ version = "~> v2.0"
+ domain_name = var.site_domain
+ zone_id = data.aws_route53_zone.this.zone_id
+ tags = var.tags
+
+ providers = {
+ aws = aws.us_east_1 # cloudfront needs acm certificate to be from "us-east-1" region
+ }
+}
+
+resource "aws_eks_cluster" "negative1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+
+ enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+ name = var.cluster_name
+}
+
+```
diff --git a/docs/queries/terraform-queries/common/59312e8a-a64e-41e7-a252-618533dd1ea8.md b/docs/queries/terraform-queries/common/59312e8a-a64e-41e7-a252-618533dd1ea8.md
new file mode 100644
index 00000000000..7c1ee9eca35
--- /dev/null
+++ b/docs/queries/terraform-queries/common/59312e8a-a64e-41e7-a252-618533dd1ea8.md
@@ -0,0 +1,78 @@
+---
+title: Output Without Description
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 59312e8a-a64e-41e7-a252-618533dd1ea8
+- **Query name:** Output Without Description
+- **Platform:** Terraform
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/general/output_without_description)
+
+### Description
+All outputs should contain a valid description.
+[Documentation](https://www.terraform.io/docs/language/values/outputs.html#description-output-value-documentation)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+output "cluster_name" {
+ value = "example"
+}
+
+resource "aws_eks_cluster" "positive1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="3"
+output "cluster_name" {
+ value = "example"
+ description = " "
+}
+
+resource "aws_eks_cluster" "positive1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="3"
+output "cluster_name" {
+ value = "example"
+ description = ""
+}
+
+resource "aws_eks_cluster" "positive1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+output "cluster_name" {
+ value = "example"
+ description = "cluster name"
+}
+
+resource "aws_eks_cluster" "negative1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+
+ enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+}
+
+```
diff --git a/docs/queries/terraform-queries/common/fc5109bf-01fd-49fb-8bde-4492b543c34a.md b/docs/queries/terraform-queries/common/fc5109bf-01fd-49fb-8bde-4492b543c34a.md
new file mode 100644
index 00000000000..9e2277c660e
--- /dev/null
+++ b/docs/queries/terraform-queries/common/fc5109bf-01fd-49fb-8bde-4492b543c34a.md
@@ -0,0 +1,86 @@
+---
+title: Variable Without Type
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** fc5109bf-01fd-49fb-8bde-4492b543c34a
+- **Query name:** Variable Without Type
+- **Platform:** Terraform
+- **Severity:** Info
+- **Category:** Best Practices
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/general/variable_without_type)
+
+### Description
+All variables should contain a valid type.
+[Documentation](https://www.terraform.io/docs/language/values/variables.html#input-variable-documentation)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+variable "cluster_name" {
+ default = "example"
+ description = "test"
+}
+
+resource "aws_eks_cluster" "positive1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+ name = var.cluster_name
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="3"
+variable "cluster_name" {
+ default = "example"
+ type = " "
+ description = "test"
+}
+
+resource "aws_eks_cluster" "positive1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+ name = var.cluster_name
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="3"
+variable "cluster_name" {
+ default = "example"
+ type = ""
+ description = "test"
+}
+
+resource "aws_eks_cluster" "positive1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+ name = var.cluster_name
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+variable "cluster_name" {
+ default = "example"
+ description = "cluster name"
+ type = string
+}
+
+resource "aws_eks_cluster" "negative1" {
+ depends_on = [aws_cloudwatch_log_group.example]
+
+ enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+ name = var.cluster_name
+}
+
+```
diff --git a/docs/queries/terraform-queries/d532566b-8d9d-4f3b-80bd-361fe802f9c2.md b/docs/queries/terraform-queries/d532566b-8d9d-4f3b-80bd-361fe802f9c2.md
new file mode 100644
index 00000000000..923787244a0
--- /dev/null
+++ b/docs/queries/terraform-queries/d532566b-8d9d-4f3b-80bd-361fe802f9c2.md
@@ -0,0 +1,341 @@
+---
+title: Root Container Not Mounted As Read-only
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** d532566b-8d9d-4f3b-80bd-361fe802f9c2
+- **Query name:** Root Container Not Mounted As Read-only
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Build Process
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/root_container_not_mounted_as_read_only)
+
+### Description
+Check if the root container filesystem is not being mounted as read-only.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#read_only_root_filesystem)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="44 14 103"
+
+resource "kubernetes_pod" "positive1" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container = [
+ {
+ image = "nginx:1.7.9"
+ name = "example22"
+
+ security_context = {
+ read_only_root_filesystem = false
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ,
+ {
+ image = "nginx:1.7.9"
+ name = "example22222"
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ]
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+
+
+resource "kubernetes_pod" "positive2" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ security_context = {
+ allow_privilege_escalation = false
+ }
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+
+resource "kubernetes_pod" "negative3" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container = [
+ {
+ image = "nginx:1.7.9"
+ name = "example22"
+
+ security_context = {
+ read_only_root_filesystem = true
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ,
+ {
+ image = "nginx:1.7.9"
+ name = "example22222"
+
+ security_context = {
+ read_only_root_filesystem = true
+ }
+
+ env = {
+ name = "environment"
+ value = "test"
+ }
+
+ port = {
+ container_port = 8080
+ }
+
+ liveness_probe = {
+ http_get = {
+ path = "/nginx_status"
+ port = 80
+
+ http_header = {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+ ]
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+
+
+resource "kubernetes_pod" "negative4" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+ security_context = {
+ read_only_root_filesystem = true
+ }
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/e2c83c1f-84d7-4467-966c-ed41fd015bb9.md b/docs/queries/terraform-queries/e2c83c1f-84d7-4467-966c-ed41fd015bb9.md
new file mode 100644
index 00000000000..417f9c661ef
--- /dev/null
+++ b/docs/queries/terraform-queries/e2c83c1f-84d7-4467-966c-ed41fd015bb9.md
@@ -0,0 +1,324 @@
+---
+title: Ingress Controller Exposes Workload
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e2c83c1f-84d7-4467-966c-ed41fd015bb9
+- **Query name:** Ingress Controller Exposes Workload
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/ingress_controller_exposes_workload)
+
+### Description
+Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/ingress#http)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="28"
+resource "kubernetes_service" "example" {
+ metadata {
+ name = "ingress-service"
+ }
+ spec {
+ port {
+ port = 80
+ target_port = 80
+ protocol = "TCP"
+ }
+ type = "NodePort"
+ }
+}
+
+resource "kubernetes_ingress" "example" {
+ wait_for_load_balancer = true
+ metadata {
+ name = "example"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ }
+ }
+ spec {
+ rule {
+ http {
+ path {
+ path = "/*"
+ backend {
+ service_name = "example"
+ service_port = 80
+ }
+ }
+ }
+ }
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="32"
+resource "kubernetes_service" "MyApp2" {
+ metadata {
+ name = "ingress-service-2"
+ }
+ spec {
+ port {
+ port = 80
+ target_port = 8080
+ protocol = "TCP"
+ }
+ type = "NodePort"
+ }
+}
+
+resource "kubernetes_ingress" "example-ingress-2" {
+ metadata {
+ name = "example-ingress"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ }
+ }
+
+ spec {
+ backend {
+ service_name = "MyApp1"
+ service_port = 8080
+ }
+
+ rule {
+ http {
+ path {
+ backend {
+ service_name = "MyApp1"
+ service_port = 8080
+ }
+
+ path = "/app1/*"
+ }
+
+ path {
+ backend {
+ service_name = "MyApp2"
+ service_port = 8080
+ }
+
+ path = "/app2/*"
+ }
+ }
+ }
+
+ tls {
+ secret_name = "tls-secret"
+ }
+ }
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="28"
+resource "kubernetes_service" "example-4" {
+ metadata {
+ name = "ingress-service-4"
+ }
+ spec {
+ port {
+ port = 80
+ target_port = 80
+ protocol = "TCP"
+ }
+ type = "NodePort"
+ }
+}
+
+resource "kubernetes_ingress" "example-4" {
+ wait_for_load_balancer = true
+ metadata {
+ name = "example-4"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ }
+ }
+ spec {
+ rule {
+ http {
+ path {
+ path = "/rule1*"
+ backend {
+ service_name = "example-4"
+ service_port = 80
+ }
+ }
+ }
+ }
+ rule {
+ http {
+ path {
+ path = "/rule2*"
+ backend {
+ service_name = "service"
+ service_port = 80
+ }
+ }
+ }
+ }
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_service" "example" {
+ metadata {
+ name = "ingress-service"
+ }
+ spec {
+ port {
+ port = 80
+ target_port = 80
+ protocol = "TCP"
+ }
+ type = "NodePort"
+ }
+}
+
+resource "kubernetes_ingress" "example" {
+ wait_for_load_balancer = true
+ metadata {
+ name = "example"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ }
+ }
+ spec {
+ rule {
+ http {
+ path {
+ path = "/*"
+ backend {
+ service_name = kubernetes_service.example.metadata.0.name
+ service_port = 80
+ }
+ }
+ }
+ }
+ }
+}
+
+```
+```tf title="Negative test num. 2 - tf file"
+resource "kubernetes_service" "example-2" {
+ metadata {
+ name = "ingress-service-2"
+ }
+ spec {
+ port {
+ port = 80
+ target_port = 80
+ protocol = "TCP"
+ }
+ type = "NodePort"
+ }
+}
+
+resource "kubernetes_ingress" "example-ingress-2" {
+ metadata {
+ name = "example-ingress"
+ }
+
+ spec {
+ backend {
+ service_name = "MyApp1"
+ service_port = 8080
+ }
+
+ rule {
+ http {
+ path {
+ backend {
+ service_name = "MyApp1"
+ service_port = 8080
+ }
+
+ path = "/app1/*"
+ }
+
+ path {
+ backend {
+ service_name = "MyApp2"
+ service_port = 8080
+ }
+
+ path = "/app2/*"
+ }
+ }
+ }
+
+ tls {
+ secret_name = "tls-secret"
+ }
+ }
+}
+
+```
+```tf title="Negative test num. 3 - tf file"
+resource "kubernetes_service" "example-3" {
+ metadata {
+ name = "ingress-service-3"
+ }
+ spec {
+ port {
+ port = 80
+ target_port = 80
+ protocol = "TCP"
+ }
+ type = "NodePort"
+ }
+}
+
+resource "kubernetes_ingress" "example-3" {
+ wait_for_load_balancer = true
+ metadata {
+ name = "example-3"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ }
+ }
+ spec {
+ rule {
+ http {
+ path {
+ path = "/*"
+ backend {
+ service_name = kubernetes_service.example.metadata.0.name
+ service_port = 80
+ }
+ }
+ }
+ }
+ rule {
+ http {
+ path {
+ path = "/*"
+ backend {
+ service_name = kubernetes_service.example.metadata.0.name
+ service_port = 80
+ }
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/e5587d53-a673-4a6b-b3f2-ba07ec274def.md b/docs/queries/terraform-queries/e5587d53-a673-4a6b-b3f2-ba07ec274def.md
new file mode 100644
index 00000000000..2e0a2748ce2
--- /dev/null
+++ b/docs/queries/terraform-queries/e5587d53-a673-4a6b-b3f2-ba07ec274def.md
@@ -0,0 +1,384 @@ +--- +title: NET_RAW Capabilities Not Being Dropped +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e5587d53-a673-4a6b-b3f2-ba07ec274def +- **Query name:** NET_RAW Capabilities Not Being Dropped +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/net_raw_capabilities_not_being_dropped) + +### Description +Containers should drop 'ALL' or at least 'NET_RAW' capabilities
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#drop) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 140" + +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + capabilities = { + drop = ["NET_BIND_SERVICE"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + read_only_root_filesystem = true + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example3" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { 
+ drop = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "kubernetes_pod" "negative3" { + metadata { + name = "terraform-example" + } + + spec { + + container = [ + { + image = "nginx:1.7.9" + name = "example" + + security_context = { + capabilities = { + drop = ["ALL"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + + { + image = "nginx:1.7.9" + name = "example2" + + security_context = { + capabilities = { + drop = ["ALL"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative4" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" 
+ + security_context { + capabilities { + drop = ["ALL"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md b/docs/queries/terraform-queries/e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md new file mode 100644 index 00000000000..efeda588cd3 --- /dev/null +++ b/docs/queries/terraform-queries/e76cca7c-c3f9-4fc9-884c-b2831168ebd8.md @@ -0,0 +1,251 @@ +--- +title: Invalid Image +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e76cca7c-c3f9-4fc9-884c-b2831168ebd8 +- **Query name:** Invalid Image +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Supply-Chain +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/invalid_image) + +### Description +Image must be defined and not be empty or equal to latest.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#image) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 113 60" +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "" + name = "example" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +resource "kubernetes_pod" "positive3" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "latest" + name = "example" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + 
period_seconds = 3 + } + } + ] + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "kubernetes_pod" "negative" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/e94d3121-c2d1-4e34-a295-139bfeb73ea3.md b/docs/queries/terraform-queries/e94d3121-c2d1-4e34-a295-139bfeb73ea3.md new file mode 100644 index 00000000000..37bff44415c --- /dev/null +++ b/docs/queries/terraform-queries/e94d3121-c2d1-4e34-a295-139bfeb73ea3.md @@ -0,0 +1,154 @@ +--- +title: Shared Host IPC Namespace +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e94d3121-c2d1-4e34-a295-139bfeb73ea3 +- **Query name:** Shared Host IPC Namespace +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/shared_host_ipc_namespace) + +### Description +Container should not share the host IPC namespace
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#host_ipc)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="8"
+resource "kubernetes_pod" "positive1" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+
+ host_ipc = true
+
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "kubernetes_pod" "negative1" {
+ metadata {
+ name = "terraform-example"
+ }
+
+ spec {
+
+ host_ipc = false
+
+ container {
+ image = "nginx:1.7.9"
+ name = "example"
+
+
+ env {
+ name = "environment"
+ value = "test"
+ }
+
+ port {
+ container_port = 8080
+ }
+
+ liveness_probe {
+ http_get {
+ path = "/nginx_status"
+ port = 80
+
+ http_header {
+ name = "X-Custom-Header"
+ value = "Awesome"
+ }
+ }
+
+ initial_delay_seconds = 3
+ period_seconds = 3
+ }
+ }
+
+ dns_config {
+ nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]
+ searches = ["example.com"]
+
+ option {
+ name = "ndots"
+ value = 1
+ }
+
+ option {
+ name = "use-vc"
+ }
+ }
+
+ dns_policy = "None"
+ }
+}
+
+
+
+
+```
diff --git a/docs/queries/terraform-queries/f74b9c43-161a-4799-bc95-0b0ec81801b9.md b/docs/queries/terraform-queries/f74b9c43-161a-4799-bc95-0b0ec81801b9.md
new file mode 100644
index 00000000000..920959ca97a
--- /dev/null
+++ b/docs/queries/terraform-queries/f74b9c43-161a-4799-bc95-0b0ec81801b9.md
@@ -0,0 +1,212 @@
+---
+title: Shared Service Account
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f74b9c43-161a-4799-bc95-0b0ec81801b9
+- **Query name:** Shared Service Account
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Secret Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/shared_service_account)
+
+### Description
+A Service Account token is shared between workloads
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#service_account_name) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="46" +resource "kubernetes_pod" "with_pod_affinity" { + metadata { + name = "with-pod-affinity" + } + + spec { + affinity { + pod_affinity { + required_during_scheduling_ignored_during_execution { + label_selector { + match_expressions { + key = "security" + operator = "In" + values = ["S1"] + } + } + + topology_key = "failure-domain.beta.kubernetes.io/zone" + } + } + + pod_anti_affinity { + preferred_during_scheduling_ignored_during_execution { + weight = 100 + + pod_affinity_term { + label_selector { + match_expressions { + key = "security" + operator = "In" + values = ["S2"] + } + } + + topology_key = "failure-domain.beta.kubernetes.io/zone" + } + } + } + } + + container { + name = "with-pod-affinity" + image = "k8s.gcr.io/pause:2.0" + } + + service_account_name = "terraform-example" + } +} + +resource "kubernetes_service_account" "terraform-example" { + metadata { + name = "terraform-example" + } + secret { + name = kubernetes_secret.example.metadata.0.name + } +} + +resource "kubernetes_secret" "example" { + metadata { + name = "terraform-example" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_pod" "with_pod_affinity_1" { + metadata { + name = "with-pod-affinity-1" + } + + spec { + affinity { + pod_affinity { + required_during_scheduling_ignored_during_execution { + label_selector { + match_expressions { + key = "security" + operator = "In" + values = ["S1"] + } + } + + topology_key = "failure-domain.beta.kubernetes.io/zone" + } + } + + pod_anti_affinity { + preferred_during_scheduling_ignored_during_execution { + weight = 100 + + pod_affinity_term { + label_selector { + match_expressions { + key = "security" + operator = "In" + values = ["S2"] + } + } + + topology_key = "failure-domain.beta.kubernetes.io/zone" + } + } + } + } + + container { + name = "with-pod-affinity" + image = "k8s.gcr.io/pause:2.0" + } + } +} + +resource "kubernetes_pod" "with_pod_affinity_2" { + metadata { + name = "with-pod-affinity-2" + } + + spec { + affinity { + pod_affinity { + required_during_scheduling_ignored_during_execution { + label_selector { + match_expressions { + key = "security" + operator = "In" + values = ["S1"] + } + } + + topology_key = "failure-domain.beta.kubernetes.io/zone" + } + } + + pod_anti_affinity { + preferred_during_scheduling_ignored_during_execution { + weight = 100 + + pod_affinity_term { + label_selector { + match_expressions { + key = "security" + operator = "In" + values = ["S2"] + } + } + + topology_key = "failure-domain.beta.kubernetes.io/zone" + } + } + } + } + + container { + name = "with-pod-affinity" + image = "k8s.gcr.io/pause:2.0" + } + + service_account_name = "service-name" + } +} + +resource "kubernetes_service_account" "example" { + metadata { + name = "example" + } + secret { + name = kubernetes_secret.example.metadata.0.name + } +} + +resource "kubernetes_secret" "example" { + metadata { + name = "terraform-example" + } +} + +``` 
diff --git a/docs/queries/terraform-queries/fcc2612a-1dfe-46e4-8ce6-0320959f0040.md b/docs/queries/terraform-queries/fcc2612a-1dfe-46e4-8ce6-0320959f0040.md new file mode 100644 index 00000000000..5c11f5158b9 --- /dev/null +++ b/docs/queries/terraform-queries/fcc2612a-1dfe-46e4-8ce6-0320959f0040.md @@ -0,0 +1,405 @@ +--- +title: StatefulSet Requests Storage +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fcc2612a-1dfe-46e4-8ce6-0320959f0040 +- **Query name:** StatefulSet Requests Storage +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Build Process +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/statefulset_requests_storage) + +### Description +A StatefulSet requests volume storage.
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="177" +resource "kubernetes_stateful_set" "prometheus" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + 
container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + storage = "16Gi" + } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "kubernetes_stateful_set" "prometheus" { + metadata { + annotations = { + SomeAnnotation = "foobar" + } + + labels = { + k8s-app = "prometheus" + "kubernetes.io/cluster-service" = "true" + "addonmanager.kubernetes.io/mode" = "Reconcile" + version = "v2.2.1" + } + + name = "prometheus" + } + + spec { + pod_management_policy = "Parallel" + replicas = 1 + revision_history_limit = 5 + + selector { + match_labels = { + k8s-app = "prometheus" + } + } + + service_name = "prometheus" + + template { + metadata { + labels = { + k8s-app = "prometheus" + } + + annotations = {} + } + + spec { + service_account_name = "prometheus" + + init_container { + name = "init-chown-data" + image = "busybox:latest" + image_pull_policy = "IfNotPresent" + command = ["chown", "-R", "65534:65534", "/data"] + + volume_mount { + name = "prometheus-data" + mount_path = "/data" + sub_path = "" + } + } + + container { + name = "prometheus-server-configmap-reload" + image = "jimmidyson/configmap-reload:v0.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--volume-dir=/etc/config", + "--webhook-url=http://localhost:9090/-/reload", + ] + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + read_only = true + } + + resources { + limits = { + cpu = "10m" + memory = "10Mi" + } + + requests = { + cpu = "10m" + memory = "10Mi" + } + } + } + + container { + name = "prometheus-server" + image = "prom/prometheus:v2.2.1" + image_pull_policy = "IfNotPresent" + + args = [ + "--config.file=/etc/config/prometheus.yml", + "--storage.tsdb.path=/data", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--web.console.templates=/etc/prometheus/consoles", + "--web.enable-lifecycle", + ] + + port { + container_port = 9090 + } + + resources { + limits = { + cpu = "200m" + memory = "1000Mi" + } + + requests = { + cpu = "200m" + memory = "1000Mi" + } + } + + volume_mount { + name = "config-volume" + mount_path = "/etc/config" + } + + volume_mount { + name = 
"prometheus-data" + mount_path = "/data" + sub_path = "" + } + + readiness_probe { + http_get { + path = "/-/ready" + port = 9090 + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + + liveness_probe { + http_get { + path = "/-/healthy" + port = 9090 + scheme = "HTTPS" + } + + initial_delay_seconds = 30 + timeout_seconds = 30 + } + } + + termination_grace_period_seconds = 300 + + volume { + name = "config-volume" + + config_map { + name = "prometheus-config" + } + } + } + } + + update_strategy { + type = "RollingUpdate" + + rolling_update { + partition = 1 + } + } + + volume_claim_template { + metadata { + name = "prometheus-data" + } + + spec { + access_modes = ["ReadWriteOnce"] + storage_class_name = "standard" + + resources { + requests = { + cpu = "10m" + } + } + } + } + } +} + +``` diff --git a/docs/queries/terraform-queries/fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md b/docs/queries/terraform-queries/fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md new file mode 100644 index 00000000000..31fc9cb4719 --- /dev/null +++ b/docs/queries/terraform-queries/fd097ed0-7fe6-4f58-8b71-fef9f0820a21.md @@ -0,0 +1,367 @@ +--- +title: Memory Limits Not Defined +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fd097ed0-7fe6-4f58-8b71-fef9f0820a21 +- **Query name:** Memory Limits Not Defined +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/memory_limits_not_defined) + +### Description +Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#limits) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 106" + +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + requests = { + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + cpu = "0.5" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 
1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "kubernetes_pod" "negative1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + resources = { + limits = { + cpu = "0.5" + memory = "512Mi" + } + requests = { + cpu = "250m" + memory = "50Mi" + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + resources { + limits { + cpu = "0.5" + memory = "512Mi" + } + requests { + cpu = "250m" + memory = "50Mi" + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + 
} + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md b/docs/queries/terraform-queries/fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md new file mode 100644 index 00000000000..f3542bb1174 --- /dev/null +++ b/docs/queries/terraform-queries/fe771ff7-ba15-4f8f-ad7a-8aa232b49a28.md @@ -0,0 +1,339 @@ +--- +title: Containers With Added Capabilities +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fe771ff7-ba15-4f8f-ad7a-8aa232b49a28 +- **Query name:** Containers With Added Capabilities +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/kubernetes/container_with_added_capabilities) + +### Description +Containers should not have extra capabilities allowed
+[Documentation](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/pod#capabilities-1) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 113" + +resource "kubernetes_pod" "positive1" { + metadata { + name = "terraform-example" + } + + spec { + container = [ + { + image = "nginx:1.7.9" + name = "example22" + + security_context = { + capabilities = { + add = ["NET_BIND_SERVICE"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + , + { + image = "nginx:1.7.9" + name = "example22222" + + security_context = { + capabilities = { + add = ["NET_BIND_SERVICE"] + } + } + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "positive2" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + security_context { + capabilities { + add = ["NET_BIND_SERVICE"] + } + } + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } 
+ + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" + +resource "kubernetes_pod" "negative3" { + metadata { + name = "terraform-example" + } + + spec { + + container = [ + { + image = "nginx:1.7.9" + name = "example" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + }, + + { + image = "nginx:1.7.9" + name = "example2" + + env = { + name = "environment" + value = "test" + } + + port = { + container_port = 8080 + } + + liveness_probe = { + http_get = { + path = "/nginx_status" + port = 80 + + http_header = { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + ] + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" + } + } + + dns_policy = "None" + } +} + + + +resource "kubernetes_pod" "negative4" { + metadata { + name = "terraform-example" + } + + spec { + container { + image = "nginx:1.7.9" + name = "example" + + env { + name = "environment" + value = "test" + } + + port { + container_port = 8080 + } + + liveness_probe { + http_get { + path = "/nginx_status" + port = 80 + + http_header { + name = "X-Custom-Header" + value = "Awesome" + } + } + + initial_delay_seconds = 3 + period_seconds = 3 + } + } + + + dns_config { + nameservers = ["1.1.1.1", "8.8.8.8", "9.9.9.9"] + searches = ["example.com"] + + option { + name = "ndots" + value = 1 + } + + option { + name = "use-vc" 
+ } + } + + dns_policy = "None" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md b/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md new file mode 100644 index 00000000000..b2de804860d --- /dev/null +++ b/docs/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00.md @@ -0,0 +1,101 @@ +--- +title: SQL DB Instance With SSL Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 02474449-71aa-40a1-87ae-e14497747b00 +- **Query name:** SQL DB Instance With SSL Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled) + +### Description +Cloud SQL Database Instance should have SLL enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#require_ssl) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="24 9 44" +resource "google_sql_database_instance" "positive1" { + provider = google-beta + + name = "private-instance-${random_id.db_name_suffix.hex}" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + } +} + +resource "google_sql_database_instance" "positive2" { + provider = google-beta + + name = "private-instance-${random_id.db_name_suffix.hex}" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + } + } +} + +resource "google_sql_database_instance" "positive3" { + provider = google-beta + + name = "private-instance-${random_id.db_name_suffix.hex}" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + require_ssl = false + } + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_sql_database_instance" "negative1" { + provider = google-beta + + name = "private-instance-${random_id.db_name_suffix.hex}" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + require_ssl = true + } + } +} +``` 
diff --git a/docs/queries/terraform-queries/gcp/11e7550e-c4b6-472e-adff-c698f157cdd7.md b/docs/queries/terraform-queries/gcp/11e7550e-c4b6-472e-adff-c698f157cdd7.md new file mode 100644 index 00000000000..40b224b9717 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/11e7550e-c4b6-472e-adff-c698f157cdd7.md @@ -0,0 +1,151 @@ +--- +title: Network Policy Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 11e7550e-c4b6-472e-adff-c698f157cdd7 +- **Query name:** Network Policy Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/network_policy_disabled) + +### Description +Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2 16 48 86 30 63" +#this is a problematic code where the query should report a result(s) +resource "google_container_cluster" "positive1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + network_policy { + enabled = true + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive2" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + network_policy { + enabled = true + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive3" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive4" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + network_policy { + enabled = true + } + addons_config { + + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive5" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + network_policy { + enabled = false + } + addons_config { + network_policy_config { + disabled = false + } + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive6" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + network_policy { + enabled = true + } + addons_config { + network_policy_config { + disabled = true + } + } + + timeouts { + create = "30m" + update = "40m" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + network_policy { + enabled = true + } + addons_config { + network_policy_config { + disabled = false + } + } + networking_mode = "VPC_NATIVE" + + timeouts { + create = "30m" + update = "40m" + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/128df7ec-f185-48bc-8913-ce756a3ccb85.md b/docs/queries/terraform-queries/gcp/128df7ec-f185-48bc-8913-ce756a3ccb85.md new file mode 100644 index 00000000000..8a5438b6288 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/128df7ec-f185-48bc-8913-ce756a3ccb85.md @@ -0,0 +1,154 @@ +--- +title: Outdated GKE Version +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 128df7ec-f185-48bc-8913-ce756a3ccb85 +- **Query name:** Outdated GKE Version +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/outdated_gke_version) + +### Description +Running outdated versions of Google Kubernetes Engine (GKE) can expose it to known vulnerabilities and attacks. To reduce these risks, it is recommended to ensure that GKE is always running the latest version.
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_version) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="25 2" +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "positive1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "" + password = "" + + client_certificate_config { + issue_client_certificate = false + } + } + + timeouts { + create = "30m" + update = "40m" + } + + min_master_version = "1.24" +} + +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "positive2" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "" + password = "" + + client_certificate_config { + issue_client_certificate = false + } + } + + timeouts { + create = "30m" + update = "40m" + } + + + node_version = "1.24" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "" + password = "" + + client_certificate_config { + issue_client_certificate = false + } + } + + timeouts { + create = "30m" + update = "40m" + } + + min_master_version = "latest" +} + +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "negative2" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "" + password = "" + + client_certificate_config { + issue_client_certificate = false + } + } + + timeouts { + create = "30m" + update = "40m" + } + + min_master_version = "1.25" +} + +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "negative3" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + master_auth { + username = "" + password = "" + + client_certificate_config { + issue_client_certificate = false + } + } + + timeouts { + create = "30m" + update = "40m" + } + + min_master_version = "1.25" + node_version = "1.25" +} + +``` diff --git a/docs/queries/terraform-queries/gcp/14a457f0-473d-4d1d-9e37-6d99b355b336.md b/docs/queries/terraform-queries/gcp/14a457f0-473d-4d1d-9e37-6d99b355b336.md new file mode 100644 index 00000000000..f96e56d5227 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/14a457f0-473d-4d1d-9e37-6d99b355b336.md 
@@ -0,0 +1,55 @@ +--- +title: Google Compute SSL Policy Weak Cipher In Use +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 14a457f0-473d-4d1d-9e37-6d99b355b336 +- **Query name:** Google Compute SSL Policy Weak Cipher In Use +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_compute_ssl_policy_weak_cipher_in_use) + +### Description +This query confirms if Google Compute SSL Policy Weak Chyper Suits is Enabled, to do so we need to check if TLS is TLS_1_2, because other version have Weak Chypers
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 3" +resource "google_compute_ssl_policy" "positive1" { + name = "custom-ssl-policy" + min_tls_version = "TLS_1_1" + profile = "CUSTOM" + custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] +} + +resource "google_compute_ssl_policy" "positive2" { + name = "custom-ssl-policy" + profile = "CUSTOM" + custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_ssl_policy" "negative1" { + name = "custom-ssl-policy" + min_tls_version = "TLS_1_2" + profile = "CUSTOM" + custom_features = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"] +} +``` diff --git a/docs/queries/terraform-queries/gcp/16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md b/docs/queries/terraform-queries/gcp/16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md new file mode 100644 index 00000000000..bbbcd5f0aaf --- /dev/null +++ b/docs/queries/terraform-queries/gcp/16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5.md 
@@ -0,0 +1,119 @@ +--- +title: KMS Crypto Key is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 16cc87d1-dd47-4f46-b3ce-4dfcac8fd2f5 +- **Query name:** KMS Crypto Key is Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/kms_crypto_key_publicly_accessible) + +### Description +KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_crypto_key_iam#google_kms_crypto_key_iam_policy) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="24" +resource "google_kms_key_ring" "positive1" { + name = "keyring-example" + location = "global" +} +resource "google_kms_crypto_key" "positive1" { + name = "crypto-key-example" + key_ring = google_kms_key_ring.positive1.id + rotation_period = "100000s" + lifecycle { + prevent_destroy = true + } +} + +data "google_iam_policy" "positive1" { + binding { + role = "roles/cloudkms.cryptoKeyEncrypter" + + member = "allUsers" + } +} + +resource "google_kms_crypto_key_iam_policy" "positive1" { + crypto_key_id = google_kms_crypto_key.positive1.id + policy_data = data.google_iam_policy.positive1.policy_data +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="24" +resource "google_kms_key_ring" "positive2" { + name = "keyring-example" + location = "global" +} +resource "google_kms_crypto_key" "positive2" { + name = "crypto-key-example" + key_ring = google_kms_key_ring.positive2.id + rotation_period = "100000s" + lifecycle { + prevent_destroy = true + } +} + +data "google_iam_policy" "positive2" { + binding { + role = "roles/cloudkms.cryptoKeyEncrypter" + + member = "allAuthenticatedUsers" + } +} + +resource "google_kms_crypto_key_iam_policy" "positive2" { + crypto_key_id = google_kms_crypto_key.keyyy.id + policy_data = data.google_iam_policy.positive2.policy_data +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "google_kms_key_ring" "negative" { + name = "negative-example" + location = "global" +} +resource "google_kms_crypto_key" "negative" { + name = "crypto-key-example" + key_ring = google_kms_key_ring.negative.id + rotation_period = "100000s" + lifecycle { + prevent_destroy = true + } +} + +data "google_iam_policy" "negative" { + binding { + role = "roles/cloudkms.cryptoKeyEncrypter" + + members = [ + "user:jane@example.com", + ] + } +} + +resource "google_kms_crypto_key_iam_policy" "negative" { + crypto_key_id = google_kms_crypto_key.negative.id + policy_data = data.google_iam_policy.negative.policy_data +} + +``` diff --git a/docs/queries/terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e.md b/docs/queries/terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e.md new file mode 100644 index 00000000000..c682bf18d98 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/1b44e234-3d73-41a8-9954-0b154135280e.md @@ -0,0 +1,109 @@ +--- +title: Shielded VM Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1b44e234-3d73-41a8-9954-0b154135280e +- **Query name:** Shielded VM Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/shielded_vm_disabled) + +### Description +Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#shielded_instance_config) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2 38 10 60 49 19 28" +#this is a problematic code where the query should report a result(s) +data "google_compute_instance" "appserver1" { + name = "primary-application-server" + zone = "us-central1-a" +} + +data "google_compute_instance" "appserver2" { + name = "primary-application-server" + zone = "us-central1-a" + shielded_instance_config { + enable_secure_boot = true + enable_vtpm = true + } +} + +data "google_compute_instance" "appserver3" { + name = "primary-application-server" + zone = "us-central1-a" + shielded_instance_config { + enable_secure_boot = true + enable_integrity_monitoring = true + } +} + +data "google_compute_instance" "appserver4" { + name = "primary-application-server" + zone = "us-central1-a" + shielded_instance_config { + enable_vtpm = true + enable_integrity_monitoring = true + } +} + +data "google_compute_instance" "appserver5" { + name = "primary-application-server" + zone = "us-central1-a" + shielded_instance_config { + enable_secure_boot = false + enable_vtpm = true + enable_integrity_monitoring = true + } +} + +data "google_compute_instance" "appserver6" { + name = "primary-application-server" + zone = "us-central1-a" + shielded_instance_config { + enable_secure_boot = true + enable_vtpm = false + enable_integrity_monitoring = true + } +} + +data "google_compute_instance" "appserver7" { + name = "primary-application-server" + zone = "us-central1-a" + shielded_instance_config { + enable_secure_boot = true + enable_vtpm = true + enable_integrity_monitoring = false + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +#this code is a correct code for which the query should not find any result +data "google_compute_instance" "appserver" { + name = "primary-application-server" + zone = "us-central1-a" + shielded_instance_config { + enable_secure_boot = true + enable_vtpm = true + enable_integrity_monitoring = true + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md b/docs/queries/terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md new file mode 100644 index 00000000000..e9f28639e74 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/1c8eef02-17b1-4a3e-b01d-dcc3292d2c38.md @@ -0,0 +1,104 @@ +--- +title: GKE Using Default Service Account +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 1c8eef02-17b1-4a3e-b01d-dcc3292d2c38 +- **Query name:** GKE Using Default Service Account +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/gke_using_default_service_account) + +### Description +Kubernetes Engine Clusters should not be configured to use the default service account
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#node_config) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="7" +resource "google_container_cluster" "positive1" { + name = "my-gke-cluster" + location = "us-central1" + remove_default_node_pool = true + initial_node_count = 1 + + node_config { + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + labels = { + foo = "bar" + } + tags = ["foo", "bar"] + } + timeouts { + create = "30m" + update = "40m" + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="8" +resource "google_container_cluster" "positive2" { + name = "my-gke-cluster" + location = "us-central1" + remove_default_node_pool = true + initial_node_count = 1 + + node_config { + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + labels = { + foo = "bar" + } + tags = ["foo", "bar"] + } + timeouts { + create = "30m" + update = "40m" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_container_cluster" "negative1" { + name = "my-gke-cluster" + location = "us-central1" + remove_default_node_pool = true + initial_node_count = 1 + + node_config { + service_account = google_service_account.myserviceaccount.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + labels = { + foo = "bar" + } + tags = ["foo", "bar"] + } + timeouts { + create = "30m" + update = "40m" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md b/docs/queries/terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md new file mode 100644 index 00000000000..e8e99ea3ad1 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/22ef1d26-80f8-4a6c-8c15-f35aab3cac78.md 
@@ -0,0 +1,77 @@ +--- +title: Google Compute Network Using Firewall Rule that Allows All Ports +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 22ef1d26-80f8-4a6c-8c15-f35aab3cac78 +- **Query name:** Google Compute Network Using Firewall Rule that Allows All Ports +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_all_ports) + +### Description +Google Compute Network should not use a firewall rule that allows all ports
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#allow) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="17" +resource "google_compute_firewall" "positive1" { + name = "test-firewall" + network = google_compute_network.positive1.name + + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["0-65535"] + } + + source_tags = ["web"] +} + +resource "google_compute_network" "positive1" { + name = "test-network" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_firewall" "negative1" { + name = "test-firewall" + network = google_compute_network.negative1.name + + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["80", "8080"] + } + + source_tags = ["web"] +} + +resource "google_compute_network" "negative1" { + name = "test-network" +} + +``` diff --git a/docs/queries/terraform-queries/gcp/2f06d22c-56bd-4f73-8a51-db001fcf2150.md b/docs/queries/terraform-queries/gcp/2f06d22c-56bd-4f73-8a51-db001fcf2150.md new file mode 100644 index 00000000000..ae09aea6693 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/2f06d22c-56bd-4f73-8a51-db001fcf2150.md @@ -0,0 +1,99 @@ +--- +title: BOM - GCP SB +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 2f06d22c-56bd-4f73-8a51-db001fcf2150 +- **Query name:** BOM - GCP SB +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp_bom/sb) + +### Description +A list of Storage Bucket resources found. Buckets are the basic containers that hold your data. Everything that you store in Cloud Storage must be contained in a bucket.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="35 21 7" +resource "google_storage_bucket_access_control" "public_rule" { + bucket = google_storage_bucket.bucket.name + role = "READER" + entity = "allUsers" +} + +resource "google_storage_bucket" "bucket" { + name = "static-content-bucket" + location = "US" +} + + +resource "google_storage_bucket_iam_binding" "binding" { + bucket = google_storage_bucket.bucket2.name + role = "roles/storage.admin" + members = [ + "allUsers", + ] +} + +resource "google_storage_bucket" "bucket2" { + name = "static-content-bucket" + location = "US" + encryption { + default_kms_key_name = "somekey" + } +} + +resource "google_storage_bucket_iam_member" "member" { + bucket = google_storage_bucket.bucket3.name + role = "roles/storage.admin" + member = "user:jane@example.com" +} + +resource "google_storage_bucket" "bucket3" { + name = "static-content-bucket" + location = "US" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +# negative sample +resource "google_bigquery_dataset" "negative1" { + dataset_id = "example_dataset" + friendly_name = "test" + description = "This is a test description" + location = "EU" + default_table_expiration_ms = 3600000 + + labels = { + env = "default" + } + + access { + role = "OWNER" + user_by_email = google_service_account.bqowner.email + } + + access { + role = "READER" + domain = "hashicorp.com" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/30e8dfd2-3591-4d19-8d11-79e93106c93d.md b/docs/queries/terraform-queries/gcp/30e8dfd2-3591-4d19-8d11-79e93106c93d.md new file mode 100644 index 00000000000..e67d712917d --- /dev/null +++ b/docs/queries/terraform-queries/gcp/30e8dfd2-3591-4d19-8d11-79e93106c93d.md 
@@ -0,0 +1,85 @@ +--- +title: Stackdriver Monitoring Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 30e8dfd2-3591-4d19-8d11-79e93106c93d +- **Query name:** Stackdriver Monitoring Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/stackdriver_monitoring_disabled) + +### Description +Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must either be undefined or set to 'monitoring.googleapis.com/kubernetes'
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#monitoring_service) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="18 6" +#this is a problematic code where the query should report a result(s) +resource "google_container_cluster" "positive1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + monitoring_service = "none" + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive2" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + monitoring_service = "monitoring.googleapis.com" + + timeouts { + create = "30m" + update = "40m" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + monitoring_service = "monitoring.googleapis.com/kubernetes" + + timeouts { + create = "30m" + update = "40m" + } +} + +# Monitoring service defaults to Stackdriver, so it's okay to be undefined +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + timeouts { + create = "30m" + update = "40m" + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/32ecd6eb-0711-421f-9627-1a28d9eff217.md b/docs/queries/terraform-queries/gcp/32ecd6eb-0711-421f-9627-1a28d9eff217.md new file mode 100644 index 00000000000..3bf200b2054 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/32ecd6eb-0711-421f-9627-1a28d9eff217.md 
@@ -0,0 +1,55 @@ +--- +title: OSLogin Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 32ecd6eb-0711-421f-9627-1a28d9eff217 +- **Query name:** OSLogin Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/os_login_disabled) + +### Description +Verifies that the OSLogin is enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata#metadata) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 3" +resource "google_compute_project_metadata" "positive1" { + metadata = { + enable-oslogin = false + } +} + +resource "google_compute_project_metadata" "positive2" { + metadata = { + foo = "bar" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_project_metadata" "negative1" { + metadata = { + enable-oslogin = true + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md b/docs/queries/terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md new file mode 100644 index 00000000000..27cd4e72b88 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/3cb4af0b-056d-4fb1-8b95-fdc4593625ff.md @@ -0,0 +1,199 @@ +--- +title: Using Default Service Account +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3cb4af0b-056d-4fb1-8b95-fdc4593625ff +- **Query name:** Using Default Service Account +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Defaults +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/using_default_service_account) + +### Description +Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2 100 73 46 127" +#this is a problematic code where the query should report a result(s) +resource "google_compute_instance" "positive1" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + +} + +resource "google_compute_instance" "positive2" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + service_account { + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} + +resource "google_compute_instance" "positive3" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + service_account { + email = "" + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} + +resource "google_compute_instance" "positive4" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + service_account { + email = "a" + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} + +resource "google_compute_instance" "positive5" { + name = "test" + machine_type = "e2-medium" + 
zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + service_account { + email = "email@developer.gserviceaccount.com" + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "google_compute_instance" "negative1" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + // Local SSD disk + scratch_disk { + interface = "SCSI" + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + service_account { + email = "email@email.com" + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/3e4d5ce6-3280-4027-8010-c26eeea1ec01.md b/docs/queries/terraform-queries/gcp/3e4d5ce6-3280-4027-8010-c26eeea1ec01.md new file mode 100644 index 00000000000..77623583700 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/3e4d5ce6-3280-4027-8010-c26eeea1ec01.md @@ -0,0 +1,148 @@ +--- +title: Project-wide SSH Keys Are Enabled In VM Instances +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 3e4d5ce6-3280-4027-8010-c26eeea1ec01 +- **Query name:** Project-wide SSH Keys Are Enabled In VM Instances +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/project_wide_ssh_keys_are_enabled_in_vm_instances) + +### Description +VM Instance should block project-wide SSH keys
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="29 39" +resource "google_compute_instance" "positive1" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + // Local SSD disk + scratch_disk { + interface = "SCSI" + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + metadata = { + #... some other metadata + block-project-ssh-keys = false + } + + metadata_startup_script = "echo hi > /test.txt" + + service_account { + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} + +resource "google_compute_instance" "positive2" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + // Local SSD disk + scratch_disk { + interface = "SCSI" + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + metadata_startup_script = "echo hi > /test.txt" + + service_account { + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_instance" "negative1" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + // Local SSD disk + scratch_disk { + interface = "SCSI" + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + metadata = { + #... 
some other metadata + + block-project-ssh-keys = "TRUE" + } + + metadata_startup_script = "echo hi > /test.txt" + + service_account { + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609.md b/docs/queries/terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609.md new file mode 100644 index 00000000000..4f3dd47b34e --- /dev/null +++ b/docs/queries/terraform-queries/gcp/40430747-442d-450a-a34f-dc57149f4609.md @@ -0,0 +1,55 @@ +--- +title: Google Compute Subnetwork Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 40430747-442d-450a-a34f-dc57149f4609 +- **Query name:** Google Compute Subnetwork Logging Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_compute_subnetwork_logging_disabled) + +### Description +This query checks if logs are enabled for a Google Compute Subnetwork resource.
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "google_compute_subnetwork" "positive1" { + name = "log-test-subnetwork" + ip_cidr_range = "10.2.0.0/16" + region = "us-central1" + network = google_compute_network.custom-test.id +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_subnetwork" "negative1" { + name = "log-test-subnetwork" + ip_cidr_range = "10.2.0.0/16" + region = "us-central1" + network = google_compute_network.custom-test.id + + log_config { + aggregation_interval = "INTERVAL_10_MIN" + flow_sampling = 0.5 + metadata = "INCLUDE_ALL_METADATA" + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md b/docs/queries/terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md new file mode 100644 index 00000000000..e7a5bacdf8b --- /dev/null +++ b/docs/queries/terraform-queries/gcp/40abce54-95b1-478c-8e5f-ea0bf0bb0e33.md @@ -0,0 +1,66 @@ +--- +title: Google Compute Network Using Default Firewall Rule +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 40abce54-95b1-478c-8e5f-ea0bf0bb0e33 +- **Query name:** Google Compute Network Using Default Firewall Rule +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_compute_network_using_default_firewall_rule) + +### Description +Google Compute Network should not use default firewall rule
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#name) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +resource "google_compute_firewall" "positive1" { + name = "default" + network = google_compute_network.positive1.name +} + +resource "google_compute_network" "positive1" { + name = "test-network" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_firewall" "negative1" { + name = "test-firewall" + network = google_compute_network.negative1.name + + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["80", "8080"] + } + + source_tags = ["web"] +} + +resource "google_compute_network" "negative1" { + name = "test-network" +} + +``` diff --git a/docs/queries/terraform-queries/gcp/4b82202a-b18e-4891-a1eb-a0989850bbb3.md b/docs/queries/terraform-queries/gcp/4b82202a-b18e-4891-a1eb-a0989850bbb3.md new file mode 100644 index 00000000000..9dfa55a478c --- /dev/null +++ b/docs/queries/terraform-queries/gcp/4b82202a-b18e-4891-a1eb-a0989850bbb3.md @@ -0,0 +1,123 @@ +--- +title: BOM - GCP PST +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4b82202a-b18e-4891-a1eb-a0989850bbb3 +- **Query name:** BOM - GCP PST +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp_bom/pst) + +### Description +A list of Pub/Sub Topic resources found. Cloud Pub/Sub is designed to provide reliable, many-to-many, asynchronous messaging between applications. Publisher applications can send messages to a 'topic' and other applications can subscribe to that topic to receive the messages.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="34 44 54 39" +resource "google_pubsub_topic_iam_binding" "binding" { + project = google_pubsub_topic.example.project + topic = google_pubsub_topic.example1.name + role = "roles/viewer" + members = [ + "user:jane@example.com", + ] +} + +resource "google_pubsub_topic_iam_member" "member" { + project = google_pubsub_topic.example.project + topic = google_pubsub_topic.example2.name + role = "roles/viewer" + member = "user:jane@example.com" +} + +resource "google_pubsub_topic_iam_binding" "binding_public" { + project = google_pubsub_topic.example.project + topic = google_pubsub_topic.example3.name + role = "roles/pubsub.publisher" + members = [ + "allUsers", + "allAuthenticatedUsers" + ] +} + +resource "google_pubsub_topic_iam_member" "member_public" { + project = google_pubsub_topic.example.project + topic = google_pubsub_topic.example4.name + role = "roles/pubsub.publisher" + member = "allUsers" +} + +resource "google_pubsub_topic" "example1" { + name = "example-topic" + kms_key_name = google_kms_crypto_key.crypto_key.id +} + +resource "google_pubsub_topic" "example2" { + name = "example-topic" + kms_key_name = google_kms_crypto_key.crypto_key.id +} + +resource "google_pubsub_topic" "example3" { + name = "example-topic" + + labels = { + foo = "bar" + } + + message_retention_duration = "86600s" +} + +resource "google_pubsub_topic" "example4" { + name = "example-topic" + + labels = { + foo = "bar" + } + + message_retention_duration = "86600s" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +# negative sample +resource "google_bigquery_dataset" "negative1" { + dataset_id = "example_dataset" + friendly_name = "test" + description = "This is a test description" + location = "EU" + default_table_expiration_ms = 3600000 + + labels = { + env = "default" + } + + access { + role = "OWNER" + user_by_email = google_service_account.bqowner.email + } + + access { + role = "READER" + domain = "hashicorp.com" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md b/docs/queries/terraform-queries/gcp/4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md new file mode 100644 index 00000000000..b9634643009 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/4c7ebcb2-eae2-461e-bc83-456ee2d4f694.md @@ -0,0 +1,85 @@ +--- +title: Stackdriver Logging Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 4c7ebcb2-eae2-461e-bc83-456ee2d4f694 +- **Query name:** Stackdriver Logging Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/stackdriver_logging_disabled) + +### Description +Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must either be undefined or set to 'logging.googleapis.com/kubernetes'
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#logging_service) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="18 6" +#this is a problematic code where the query should report a result(s) +resource "google_container_cluster" "positive1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + logging_service = "none" + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive2" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + logging_service = "logging.googleapis.com" + + timeouts { + create = "30m" + update = "40m" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + logging_service = "logging.googleapis.com/kubernetes" + + timeouts { + create = "30m" + update = "40m" + } +} + +# Logging service defaults to Stackdriver, so it's okay to be undefined +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + timeouts { + create = "30m" + update = "40m" + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/59571246-3f62-4965-a96f-c7d97e269351.md b/docs/queries/terraform-queries/gcp/59571246-3f62-4965-a96f-c7d97e269351.md new file mode 100644 index 00000000000..2abcdde73f2 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/59571246-3f62-4965-a96f-c7d97e269351.md 
@@ -0,0 +1,57 @@ +--- +title: Google Project Auto Create Network Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 59571246-3f62-4965-a96f-c7d97e269351 +- **Query name:** Google Project Auto Create Network Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_project_auto_create_network_disabled) + +### Description +Verifies if the Google Project Auto Create Network is Disabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="8 5" +resource "google_project" "positive1" { + name = "My Project" + project_id = "your-project-id" + org_id = "1234567" + auto_create_network = true +} + +resource "google_project" "positive2" { + name = "My Project" + project_id = "your-project-id" + org_id = "1234567" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_project" "negative1" { + name = "My Project" + project_id = "your-project-id" + org_id = "1234567" + auto_create_network = false +} + +``` diff --git a/docs/queries/terraform-queries/gcp/5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md b/docs/queries/terraform-queries/gcp/5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md new file mode 100644 index 00000000000..177993b257c --- /dev/null +++ b/docs/queries/terraform-queries/gcp/5baa92d2-d8ee-4c75-88a4-52d9d8bb8067.md @@ -0,0 +1,61 @@ +--- +title: GKE Legacy Authorization Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5baa92d2-d8ee-4c75-88a4-52d9d8bb8067 +- **Query name:** GKE Legacy Authorization Enabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/gke_legacy_authorization_enabled) + +### Description +Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="6" +#this is a problematic code where the query should report a result(s) +resource "google_container_cluster" "positive1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + enable_legacy_abac = true + + timeouts { + create = "30m" + update = "40m" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + enable_legacy_abac = false + + timeouts { + create = "30m" + update = "40m" + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/5ef61c88-bbb4-4725-b1df-55d23c9676bb.md b/docs/queries/terraform-queries/gcp/5ef61c88-bbb4-4725-b1df-55d23c9676bb.md new file mode 100644 index 00000000000..ce9235fc347 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/5ef61c88-bbb4-4725-b1df-55d23c9676bb.md @@ -0,0 +1,59 @@ +--- +title: Cloud DNS Without DNSSEC +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 5ef61c88-bbb4-4725-b1df-55d23c9676bb +- **Query name:** Cloud DNS Without DNSSEC +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/cloud_dns_without_dnssec) + +### Description +DNSSEC must be enabled for Cloud DNS
+[Documentation](https://www.terraform.io/docs/providers/google/d/dns_managed_zone.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10" +// comment +// comment +// comment +// comment +resource "google_dns_managed_zone" "positive1" { + name = "foobar" + dns_name = "foo.bar." + + dnssec_config { + state = "off" + non_existence = "nsec3" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_dns_managed_zone" "negative1" { + name = "foobar" + dns_name = "foo.bar." + + dnssec_config { + state = "on" + non_existence = "nsec3" + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/617ef6ff-711e-4bd7-94ae-e965911b1b40.md b/docs/queries/terraform-queries/gcp/617ef6ff-711e-4bd7-94ae-e965911b1b40.md new file mode 100644 index 00000000000..b04ac4fe0e5 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/617ef6ff-711e-4bd7-94ae-e965911b1b40.md @@ -0,0 +1,76 @@ +--- +title: Google Project IAM Binding Service Account has Token Creator or Account User Role +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 617ef6ff-711e-4bd7-94ae-e965911b1b40 +- **Query name:** Google Project IAM Binding Service Account has Token Creator or Account User Role +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_project_iam_binding_service_account_has_token_creator_or_account_user_role) + +### Description +Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="19 29 3 13" +resource "google_project_iam_binding" "positive1" { + project = "your-project-id" + role = "roles/iam.serviceAccountTokenCreator" + + members = [ + "user:jane@example.com", + "serviceAccount:my-other-app@appspot.gserviceacccount.com" + ] +} + +resource "google_project_iam_binding" "positive2" { + project = "your-project-id" + role = "roles/iam.serviceAccountTokenCreator" + member = "serviceAccount:my-other-app@appspot.gserviceacccount.com" +} + +resource "google_project_iam_binding" "positive3" { + project = "your-project-id" + role = "roles/iam.serviceAccountUser" + + members = [ + "user:jane@example.com", + "serviceAccount:my-other-app@appspot.gserviceacccount.com" + ] +} + +resource "google_project_iam_binding" "positive4" { + project = "your-project-id" + role = "roles/iam.serviceAccountUser" + member = "serviceAccount:my-other-app@appspot.gserviceacccount.com" +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_project_iam_binding" "negative1" { + project = "your-project-id" + role = "roles/editor" + + members = [ + "user:jane@example.com", + ] +} +``` diff --git a/docs/queries/terraform-queries/gcp/65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md b/docs/queries/terraform-queries/gcp/65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md new file mode 100644 index 00000000000..bb5b3c02691 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/65c1bc7a-4835-4ac4-a2b6-13d310b0648d.md 
@@ -0,0 +1,65 @@ +--- +title: Cluster Labels Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 65c1bc7a-4835-4ac4-a2b6-13d310b0648d +- **Query name:** Cluster Labels Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/cluster_labels_disabled) + +### Description +Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2" +#this is a problematic code where the query should report a result(s) +resource "google_container_cluster" "positive1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + timeouts { + create = "30m" + update = "40m" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + resource_labels { + + } + + timeouts { + create = "30m" + update = "40m" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/678fd659-96f2-454a-a2a0-c2571f83a4a3.md b/docs/queries/terraform-queries/gcp/678fd659-96f2-454a-a2a0-c2571f83a4a3.md new file mode 100644 index 00000000000..88e94345144 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/678fd659-96f2-454a-a2a0-c2571f83a4a3.md @@ -0,0 +1,95 @@ +--- +title: RDP Access Is Not Restricted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 678fd659-96f2-454a-a2a0-c2571f83a4a3 +- **Query name:** RDP Access Is Not Restricted +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/rdp_access_is_not_restricted) + +### Description +Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="25 12 36" +resource "google_compute_firewall" "positive1" { + name = "test-firewall" + network = google_compute_network.default.name + direction = "INGRESS" + + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["80", "8080", "1000-2000","3389"] + } + + source_tags = ["web"] + source_ranges = ["0.0.0.0/0"] +} + +resource "google_compute_firewall" "positive2" { + name = "test-firewall" + network = google_compute_network.default.name + + allow { + protocol = "udp" + ports = ["80", "8080", "1000-2000","21-3390"] + } + + source_tags = ["web"] + source_ranges = ["::/0"] +} + +resource "google_compute_firewall" "positive3" { + name = "test-firewall" + network = google_compute_network.default.name + + allow { + protocol = "all" + } + + source_tags = ["web"] + source_ranges = ["::/0"] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_firewall" "negative1" { + name = "test-firewall" + network = google_compute_network.default.name + + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["80", "8080", "1000-2000"] + } + + source_tags = ["web"] +} +``` diff --git a/docs/queries/terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b.md b/docs/queries/terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b.md new file mode 100644 index 00000000000..600725777a1 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/6ccb85d7-0420-4907-9380-50313f80946b.md 
@@ -0,0 +1,150 @@ +--- +title: Private Cluster Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 6ccb85d7-0420-4907-9380-50313f80946b +- **Query name:** Private Cluster Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/private_cluster_disabled) + +### Description +Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 73 44 16 88 58 30" +resource "google_container_cluster" "positive1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive2" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + private_cluster_config { + enable_private_endpoint = true + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive3" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + private_cluster_config { + enable_private_nodes = true + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive4" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + private_cluster_config { + + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive5" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + private_cluster_config { + enable_private_endpoint = false + enable_private_nodes = true + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive6" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + private_cluster_config { + enable_private_endpoint = true + enable_private_nodes = false + } + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive7" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + private_cluster_config { + enable_private_endpoint = false + enable_private_nodes = false + } + + 
timeouts { + create = "30m" + update = "40m" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + private_cluster_config { + enable_private_endpoint = true + enable_private_nodes = true + } + + timeouts { + create = "30m" + update = "40m" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/704fcc44-a58f-4af5-82e2-93f2a58ef918.md b/docs/queries/terraform-queries/gcp/704fcc44-a58f-4af5-82e2-93f2a58ef918.md new file mode 100644 index 00000000000..304df6f8941 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/704fcc44-a58f-4af5-82e2-93f2a58ef918.md @@ -0,0 +1,80 @@ +--- +title: User with IAM Role +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 704fcc44-a58f-4af5-82e2-93f2a58ef918 +- **Query name:** User with IAM Role +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Best Practices +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/user_with_iam_role) + +### Description +As a best practice, it is better to assign an IAM Role to a group than to a user
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy#role) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +data "google_iam_policy" "positive" { + binding { + role = "roles/apigee.runtimeAgent" + + members = [ + "user:jane@example.com", + ] + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="18 3" +resource "google_project_iam_binding" "positive2" { + project = "your-project-id" + role = "roles/container.admin" + + members = [ + "user:jane@example.com", + ] + + condition { + title = "expires_after_2019_12_31" + description = "Expiring at midnight of 2019-12-31" + expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")" + } +} + +resource "google_project_iam_member" "positive3" { + project = "your-project-id" + role = "roles/editor" + member = "user:jane@example.com" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +data "google_iam_policy" "negative" { + binding { + role = "roles/apigee.runtimeAgent" + + members = [ + "group:jane@example.com", + ] + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/73fb21a1-b19a-45b1-b648-b47b1678681e.md b/docs/queries/terraform-queries/gcp/73fb21a1-b19a-45b1-b648-b47b1678681e.md new file mode 100644 index 00000000000..393fc5fa97d --- /dev/null +++ b/docs/queries/terraform-queries/gcp/73fb21a1-b19a-45b1-b648-b47b1678681e.md 
@@ -0,0 +1,99 @@
+---
+title: Legacy Client Certificate Auth Enabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 73fb21a1-b19a-45b1-b648-b47b1678681e
+- **Query name:** Legacy Client Certificate Auth Enabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/legacy_client_certificate_auth_enabled)
+
+### Description
+Kubernetes Clusters must use the default OAuth authentication, which means 'master_auth' must either be undefined or have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to false
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="24 7"
+#this is a problematic code where the query should report a result(s)
+resource "google_container_cluster" "positive1" {
+ name = "marcellus-wallace"
+ location = "us-central1-a"
+ initial_node_count = 3
+
+ master_auth {
+
+ }
+
+ timeouts {
+ create = "30m"
+ update = "40m"
+ }
+}
+
+resource "google_container_cluster" "positive2" {
+ name = "marcellus-wallace"
+ location = "us-central1-a"
+ initial_node_count = 3
+
+ master_auth {
+ client_certificate_config {
+ issue_client_certificate = true
+ }
+ }
+
+ timeouts {
+ create = "30m"
+ update = "40m"
+ }
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+#this code is a correct code for which the query should not find any result
+resource "google_container_cluster" "negative1" {
+ name = "marcellus-wallace"
+ location = "us-central1-a"
+ initial_node_count = 3
+
+ master_auth {
+ client_certificate_config {
+ issue_client_certificate = false
+ }
+ }
+
+ timeouts {
+ create = "30m"
+ update = "40m"
+ }
+}
+
+# leaving the field undefined is acceptable
+resource "google_container_cluster" "negative2" {
+ name = "marcellus-wallace"
+ location = "us-central1-a"
+ initial_node_count = 3
+
+ timeouts {
+ create = "30m"
+ update = "40m"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/84d36481-fd63-48cb-838e-635c44806ec2.md b/docs/queries/terraform-queries/gcp/84d36481-fd63-48cb-838e-635c44806ec2.md
new file mode 100644
index 00000000000..a202f636a66
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/84d36481-fd63-48cb-838e-635c44806ec2.md
@@ -0,0 +1,54 @@
+---
+title: Google Project IAM Member Service Account Has Admin Role
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 84d36481-fd63-48cb-838e-635c44806ec2
+- **Query name:** Google Project IAM Member Service Account Has Admin Role
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_admin_role)
+
+### Description
+Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="9 3"
+resource "google_project_iam_member" "positive1" {
+ project = "your-project-id"
+ role = "roles/iam.serviceAccountAdmin"
+ member = "serviceAccount:my-other-app@appspot.gserviceacccount.com"
+}
+
+resource "google_project_iam_member" "positive2" {
+ project = "your-project-id"
+ role = "roles/iam.serviceAccountAdmin"
+ members = ["user:jane@example.com", "serviceAccount:my-other-app@appspot.gserviceacccount.com"]
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_project_iam_member" "negative1" {
+ project = "your-project-id"
+ role = "roles/editor"
+ members = "user:jane@example.com"
+}
+```
diff --git a/docs/queries/terraform-queries/gcp/895ed0d9-6fec-4567-8614-d7a74b599a53.md b/docs/queries/terraform-queries/gcp/895ed0d9-6fec-4567-8614-d7a74b599a53.md
new file mode 100644
index 00000000000..3b004a8625d
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/895ed0d9-6fec-4567-8614-d7a74b599a53.md
@@ -0,0 +1,94 @@
+---
+title: BOM - GCP Dataflow
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 895ed0d9-6fec-4567-8614-d7a74b599a53
+- **Query name:** BOM - GCP Dataflow
+- **Platform:** Terraform
+- **Severity:** Trace
+- **Category:** Bill Of Materials
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp_bom/dataflow)
+
+### Description
+A list of Dataflow resources found. Unified stream and batch data processing that's serverless, fast, and cost-effective.
+[Documentation](https://kics.io)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 17"
+resource "google_dataflow_job" "pubsub_stream" {
+ name = "tf-test-dataflow-job1"
+ template_gcs_path = "gs://my-bucket/templates/template_file"
+ temp_gcs_location = "gs://my-bucket/tmp_dir"
+ enable_streaming_engine = true
+ parameters = {
+ inputFilePattern = "${google_storage_bucket.bucket1.url}/*.json"
+ outputTopic = google_pubsub_topic.topic.id
+ }
+ transform_name_mapping = {
+ name = "test_job"
+ env = "test"
+ }
+ on_delete = "cancel"
+}
+
+resource "google_dataflow_job" "pubsub_stream2" {
+ name = "tf-test-dataflow-job1"
+ template_gcs_path = "gs://my-bucket/templates/template_file"
+ temp_gcs_location = "gs://my-bucket/tmp_dir"
+ enable_streaming_engine = true
+ parameters = {
+ inputFilePattern = "${google_storage_bucket.bucket1.url}/*.json"
+ outputTopic = google_pubsub_topic.topic.id
+ }
+ transform_name_mapping = {
+ name = "test_job"
+ env = "test"
+ }
+ on_delete = "cancel"
+ kms_key_name = "somekey"
+ ip_configuration = "WORKER_IP_PUBLIC"
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+# negative sample
+resource "google_bigquery_dataset" "negative1" {
+ dataset_id = "example_dataset"
+ friendly_name = "test"
+ description = "This is a test description"
+ location = "EU"
+ default_table_expiration_ms = 3600000
+
+ labels = {
+ env = "default"
+ }
+
+ access {
+ role = "OWNER"
+ user_by_email = google_service_account.bqowner.email
+ }
+
+ access {
+ role = "READER"
+ domain = "hashicorp.com"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/89fe890f-b480-460c-8b6b-7d8b1468adb4.md b/docs/queries/terraform-queries/gcp/89fe890f-b480-460c-8b6b-7d8b1468adb4.md
new file mode 100644
index 00000000000..028c8b7437a
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/89fe890f-b480-460c-8b6b-7d8b1468adb4.md
@@ -0,0 +1,74 @@
+---
+title: IAM Audit Not Properly Configured
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 89fe890f-b480-460c-8b6b-7d8b1468adb4
+- **Query name:** IAM Audit Not Properly Configured
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/iam_audit_not_properly_configured)
+
+### Description
+Audit Logging Configuration is defective
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_audit_config)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="19 9 3 23"
+resource "google_project_iam_audit_config" "positive1" {
+ project = "your-project-id"
+ service = "some_specific_service"
+ audit_log_config {
+ log_type = "ADMIN_READ"
+ }
+ audit_log_config {
+ log_type = "DATA_READ"
+ exempted_members = [
+ "user:joebloggs@hashicorp.com"
+ ]
+ }
+}
+
+resource "google_project_iam_audit_config" "positive2" {
+ project = "your-project-id"
+ service = "allServices"
+ audit_log_config {
+ log_type = "INVALID_TYPE"
+ }
+ audit_log_config {
+ log_type = "DATA_READ"
+ exempted_members = [
+ "user:joebloggs@hashicorp.com"
+ ]
+ }
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_project_iam_audit_config" "negative1" {
+ project = "your-project-id"
+ service = "allServices"
+ audit_log_config {
+ log_type = "ADMIN_READ"
+ }
+ audit_log_config {
+ log_type = "DATA_READ"
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/gcp/8a893e46-e267-485a-8690-51f39951de58.md b/docs/queries/terraform-queries/gcp/8a893e46-e267-485a-8690-51f39951de58.md
new file mode 100644
index 00000000000..9e0ecc4447c
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/8a893e46-e267-485a-8690-51f39951de58.md
@@ -0,0 +1,91 @@
+---
+title: COS Node Image Not Used
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 8a893e46-e267-485a-8690-51f39951de58
+- **Query name:** COS Node Image Not Used
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/cos_node_image_not_used)
+
+### Description
+The node image should be Container-Optimized OS(COS)
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#node_config)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="16"
+resource "google_container_cluster" "positive1" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+ remove_default_node_pool = true
+ initial_node_count = 1
+}
+
+
+resource "google_container_node_pool" "positive2" {
+ project = "gcp_project"
+ name = "primary-pool"
+ region = "us-west1"
+ cluster = google_container_cluster.primary.name
+
+ node_config {
+ image_type = "WINDOWS_LTSC"
+ }
+ }
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_container_cluster" "negative1" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+ remove_default_node_pool = true
+ initial_node_count = 1
+}
+
+
+resource "google_container_node_pool" "negative2" {
+ project = "gcp_project"
+ name = "primary-pool"
+ region = "us-west1"
+ cluster = google_container_cluster.primary.name
+
+ node_config {
+ image_type = "COS"
+ }
+}
+
+ resource "google_container_node_pool" "negative3" {
+ project = "gcp_project"
+ name = "primary-pool2"
+ region = "us-west1"
+ cluster = google_container_cluster.primary.name
+ }
+
+resource "google_container_node_pool" "negative4" {
+ project = "gcp_project"
+ name = "primary-pool2"
+ region = "us-west1"
+ cluster = google_container_cluster.primary.name
+
+ node_config {
+ image_type = "COS_CONTAINERD"
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/gcp/9192e0f9-eca5-4056-9282-ae2a736a4088.md b/docs/queries/terraform-queries/gcp/9192e0f9-eca5-4056-9282-ae2a736a4088.md
new file mode 100644
index 00000000000..c9e3bc5a6b0
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/9192e0f9-eca5-4056-9282-ae2a736a4088.md
@@ -0,0 +1,78 @@
+---
+title: Pod Security Policy Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 9192e0f9-eca5-4056-9282-ae2a736a4088
+- **Query name:** Pod Security Policy Disabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/pod_security_policy_disabled)
+
+### Description
+Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="2 18"
+#this is a problematic code where the query should report a result(s)
+resource "google_container_cluster" "positive1" {
+ name = "marcellus-wallace"
+ location = "us-central1-a"
+ initial_node_count = 3
+
+ timeouts {
+ create = "30m"
+ update = "40m"
+ }
+}
+
+resource "google_container_cluster" "positive2" {
+ name = "marcellus-wallace"
+ location = "us-central1-a"
+ initial_node_count = 3
+ pod_security_policy_config {
+ enabled = false
+ }
+
+ timeouts {
+ create = "30m"
+ update = "40m"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+#this code is a correct code for which the query should not find any result
+resource "google_container_cluster" "negative1" {
+ name = "marcellus-wallace"
+ location = "us-central1-a"
+ initial_node_count = 3
+ pod_security_policy_config {
+ enabled = "true"
+ }
+
+ timeouts {
+ create = "30m"
+ update = "40m"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/92e4464a-4139-4d57-8742-b5acc0347680.md b/docs/queries/terraform-queries/gcp/92e4464a-4139-4d57-8742-b5acc0347680.md
new file mode 100644
index 00000000000..9f7f547ffad
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/92e4464a-4139-4d57-8742-b5acc0347680.md
@@ -0,0 +1,83 @@
+---
+title: KMS Admin and CryptoKey Roles In Use
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 92e4464a-4139-4d57-8742-b5acc0347680
+- **Query name:** KMS Admin and CryptoKey Roles In Use
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/kms_admin_and_crypto_key_roles_in_use)
+
+### Description
+Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#policy_data)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="3"
+resource "google_project_iam_policy" "positive1" {
+ project = "your-project-id"
+ policy_data = data.google_iam_policy.positive1.policy_data
+}
+
+data "google_iam_policy" "positive1" {
+ binding {
+ role = "roles/cloudkms.admin"
+
+ members = [
+ "user:jane@example.com",
+ ]
+ }
+
+ binding {
+ role = "roles/cloudkms.cryptoKeyDecrypter"
+
+ members = [
+ "user:jane@example.com",
+ ]
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_project_iam_policy" "negative1" {
+ project = "your-project-id"
+ policy_data = data.google_iam_policy.negative1.policy_data
+}
+
+data "google_iam_policy" "negative1" {
+ binding {
+ role = "roles/cloudkms.admin"
+
+ members = [
+ "user:jane@example.com",
+ ]
+ }
+
+ binding {
+ role = "roles/cloudkms.cryptoKeyDecrypter"
+
+ members = [
+ "user:jane2@example.com",
+ ]
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/9356962e-4a4f-4d06-ac59-dc8008775eaa.md b/docs/queries/terraform-queries/gcp/9356962e-4a4f-4d06-ac59-dc8008775eaa.md
new file mode 100644
index 00000000000..68d827b4140
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/9356962e-4a4f-4d06-ac59-dc8008775eaa.md
@@ -0,0 +1,53 @@
+---
+title: Not Proper Email Account In Use
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 9356962e-4a4f-4d06-ac59-dc8008775eaa
+- **Query name:** Not Proper Email Account In Use
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/not_proper_email_account_in_use)
+
+### Description
+Gmail accounts are being used instead of corporate credentials
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_binding)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="6"
+resource "google_project_iam_binding" "positive1" {
+ project = "your-project-id"
+ role = "roles/editor"
+
+ members = [
+ "user:jane@gmail.com",
+ ]
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_project_iam_binding" "negative1" {
+ project = "your-project-id"
+ role = "roles/editor"
+
+ members = [
+ "user:jane@example.com",
+ ]
+}
+```
diff --git a/docs/queries/terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751.md b/docs/queries/terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751.md
new file mode 100644
index 00000000000..1250763da56
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/97fa667a-d05b-4f16-9071-58b939f34751.md
@@ -0,0 +1,129 @@
+---
+title: Serial Ports Are Enabled For VM Instances
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** 97fa667a-d05b-4f16-9071-58b939f34751
+- **Query name:** Serial Ports Are Enabled For VM Instances
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/vm_serial_ports_are_enabled_for_vm_instances)
+
+### Description
+Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="26 44 38"
+resource "google_compute_instance" "positive1" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ network_interface {
+ network = "default"
+
+ access_config {
+ }
+ }
+
+ metadata = {
+ serial-port-enable = true
+ }
+
+ metadata_startup_script = "echo hi > /test.txt"
+
+ service_account {
+ scopes = ["userinfo-email", "compute-ro", "storage-ro"]
+ }
+}
+
+resource "google_compute_project_metadata" "positive2" {
+ metadata = {
+ serial-port-enable = "TRUE"
+ }
+}
+
+resource "google_compute_project_metadata_item" "positive3" {
+ key = "serial-port-enable"
+ value = "TRUE"
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_compute_instance" "negative1" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ network_interface {
+ network = "default"
+
+ access_config {
+ }
+ }
+
+ metadata = {
+ serial-port-enable = "FALSE"
+ }
+
+ metadata_startup_script = "echo hi > /test.txt"
+
+ service_account {
+ scopes = ["userinfo-email", "compute-ro", "storage-ro"]
+ }
+}
+
+resource "google_compute_project_metadata" "negative2" {
+ metadata = {
+ serial-port-enable = false
+ }
+}
+
+resource "google_compute_project_metadata_item" "negative3" {
+ key = "my_metadata"
+ value = "my_value"
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/a6cd52a1-3056-4910-96a5-894de9f3f3b3.md b/docs/queries/terraform-queries/gcp/a6cd52a1-3056-4910-96a5-894de9f3f3b3.md
new file mode 100644
index 00000000000..a5e0713efa4
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/a6cd52a1-3056-4910-96a5-894de9f3f3b3.md
@@ -0,0 +1,63 @@
+---
+title: Cloud Storage Anonymous or Publicly Accessible
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** a6cd52a1-3056-4910-96a5-894de9f3f3b3
+- **Query name:** Cloud Storage Anonymous or Publicly Accessible
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Access Control
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/cloud_storage_anonymous_or_publicly_accessible)
+
+### Description
+Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#google_storage_bucket_iam_binding)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="17 11 5"
+#this is a problematic code where the query should report a result(s)
+resource "google_storage_bucket_iam_binding" "positive1" {
+ bucket = google_storage_bucket.default.name
+ role = "roles/storage.admin"
+ members = []
+}
+
+resource "google_storage_bucket_iam_binding" "positive2" {
+ bucket = google_storage_bucket.default.name
+ role = "roles/storage.admin"
+ members = ["user:jane@example.com","allUsers"]
+}
+
+resource "google_storage_bucket_iam_binding" "positive3" {
+ bucket = google_storage_bucket.default.name
+ role = "roles/storage.admin"
+ members = ["user:jane@example.com", "allAuthenticatedUsers"]
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+#this code is a correct code for which the query should not find any result
+resource "google_storage_bucket_iam_binding" "negative1" {
+ bucket = google_storage_bucket.default.name
+ role = "roles/storage.admin"
+ members = [
+ "user:jane@example.com",
+ ]
+}
+```
diff --git a/docs/queries/terraform-queries/gcp/acfdbec6-4a17-471f-b412-169d77553332.md b/docs/queries/terraform-queries/gcp/acfdbec6-4a17-471f-b412-169d77553332.md
new file mode 100644
index 00000000000..af68d47bc84
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/acfdbec6-4a17-471f-b412-169d77553332.md
@@ -0,0 +1,79 @@
+---
+title: Google Container Node Pool Auto Repair Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** acfdbec6-4a17-471f-b412-169d77553332
+- **Query name:** Google Container Node Pool Auto Repair Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_container_node_pool_auto_repair_disabled)
+
+### Description
+Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="19 15"
+resource "google_container_cluster" "positive1" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+ remove_default_node_pool = true
+ initial_node_count = 1
+}
+
+resource "google_container_node_pool" "positive2" {
+ name = "my-node-pool"
+ location = "us-central1"
+ cluster = google_container_cluster.primary.name
+ node_count = 1
+
+ management {
+ auto_repair = false
+ }
+}
+
+resource "google_container_node_pool" "positive3" {
+ name = "my-node-pool"
+ location = "us-central1"
+ cluster = google_container_cluster.primary.name
+ node_count = 1
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_container_cluster" "negative1" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+ remove_default_node_pool = true
+ initial_node_count = 1
+}
+
+resource "google_container_node_pool" "negative2" {
+ name = "my-node-pool"
+ location = "us-central1"
+ cluster = google_container_cluster.primary.name
+ node_count = 1
+
+ management {
+ auto_repair = true
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/b139213e-7d24-49c2-8025-c18faa21ecaa.md b/docs/queries/terraform-queries/gcp/b139213e-7d24-49c2-8025-c18faa21ecaa.md
new file mode 100644
index 00000000000..e3e147a0ffe
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/b139213e-7d24-49c2-8025-c18faa21ecaa.md
@@ -0,0 +1,96 @@
+---
+title: Node Auto Upgrade Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b139213e-7d24-49c2-8025-c18faa21ecaa
+- **Query name:** Node Auto Upgrade Disabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Resource Management
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/node_auto_upgrade_disabled)
+
+### Description
+Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#auto_upgrade)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 19 36"
+resource "google_container_node_pool" "positive1" {
+ name = "my-node-pool"
+ location = "us-central1-a"
+ cluster = google_container_cluster.primary.name
+ node_count = 3
+
+ timeouts {
+ create = "30m"
+ update = "20m"
+ }
+}
+
+resource "google_container_node_pool" "positive2" {
+ name = "my-node-pool"
+ location = "us-central1-a"
+ cluster = google_container_cluster.primary.name
+ node_count = 3
+
+ management {
+ auto_repair = true
+ }
+
+ timeouts {
+ create = "30m"
+ update = "20m"
+ }
+}
+
+resource "google_container_node_pool" "positive3" {
+ name = "my-node-pool"
+ location = "us-central1-a"
+ cluster = google_container_cluster.primary.name
+ node_count = 3
+
+ management {
+ auto_upgrade = false
+ }
+
+ timeouts {
+ create = "30m"
+ update = "20m"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_container_node_pool" "negative1" {
+ name = "my-node-pool"
+ location = "us-central1-a"
+ cluster = google_container_cluster.primary.name
+ node_count = 3
+
+ management {
+ auto_upgrade = true
+ }
+
+ timeouts {
+ create = "30m"
+ update = "20m"
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/gcp/b187edca-b81e-4fdc-aff4-aab57db45edb.md b/docs/queries/terraform-queries/gcp/b187edca-b81e-4fdc-aff4-aab57db45edb.md
new file mode 100644
index 00000000000..2d6d2308006
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/b187edca-b81e-4fdc-aff4-aab57db45edb.md
@@ -0,0 +1,136 @@
+---
+title: SQL DB Instance Publicly Accessible
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b187edca-b81e-4fdc-aff4-aab57db45edb
+- **Query name:** SQL DB Instance Publicly Accessible
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/sql_db_instance_is_publicly_accessible)
+
+### Description
+Cloud SQL instances should not be publicly accessible.
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="24 41 56 6"
+resource "google_sql_database_instance" "positive1" {
+ name = "master-instance"
+ database_version = "POSTGRES_11"
+ region = "us-central1"
+
+ settings {
+ # Second-generation instance tiers are based on the machine
+ # type. See argument reference below.
+ tier = "db-f1-micro"
+ }
+}
+
+resource "google_sql_database_instance" "positive2" {
+ name = "postgres-instance-2"
+ database_version = "POSTGRES_11"
+
+ settings {
+ tier = "db-f1-micro"
+
+ ip_configuration {
+
+ authorized_networks {
+ name = "pub-network"
+ value = "0.0.0.0/0"
+ }
+ }
+ }
+}
+
+resource "google_sql_database_instance" "positive3" {
+ name = "master-instance"
+ database_version = "POSTGRES_11"
+ region = "us-central1"
+
+ settings {
+ # Second-generation instance tiers are based on the machine
+ # type. See argument reference below.
+ tier = "db-f1-micro"
+
+ ip_configuration {
+ ipv4_enabled = true
+ }
+ }
+}
+
+resource "google_sql_database_instance" "positive4" {
+ name = "master-instance"
+ database_version = "POSTGRES_11"
+ region = "us-central1"
+
+ settings {
+ # Second-generation instance tiers are based on the machine
+ # type. See argument reference below.
+ tier = "db-f1-micro"
+
+ ip_configuration {}
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 
1 - tf file"
+resource "google_sql_database_instance" "negative1" {
+
+ name = "private-instance-1"
+ database_version = "POSTGRES_11"
+ settings {
+ ip_configuration {
+ ipv4_enabled = false
+ private_network = "some_private_network"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "negative2" {
+ name = "postgres-instance-2"
+ database_version = "POSTGRES_11"
+
+ settings {
+ tier = "db-f1-micro"
+
+ ip_configuration {
+
+ authorized_networks {
+
+ content {
+ name = "some_trusted_network"
+ value = "some_trusted_network_address"
+ }
+ }
+
+ authorized_networks {
+
+ content {
+ name = "another_trusted_network"
+ value = "another_trusted_network_address"
+ }
+ }
+ }
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/b1d51728-7270-4991-ac2f-fc26e2695b38.md b/docs/queries/terraform-queries/gcp/b1d51728-7270-4991-ac2f-fc26e2695b38.md
new file mode 100644
index 00000000000..3d0f80391ce
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/b1d51728-7270-4991-ac2f-fc26e2695b38.md
@@ -0,0 +1,133 @@
+---
+title: Disk Encryption Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** b1d51728-7270-4991-ac2f-fc26e2695b38
+- **Query name:** Disk Encryption Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Encryption
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/disk_encryption_disabled)
+
+### Description
+VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1 22"
+resource "google_compute_disk" "positive1" {
+ name = "test-disk"
+ type = "pd-ssd"
+ zone = "us-central1-a"
+ image = "debian-9-stretch-v20200805"
+ labels = {
+ environment = "dev"
+ }
+ physical_block_size_bytes = 4096
+}
+
+resource "google_compute_disk" "positive2" {
+ name = "test-disk"
+ type = "pd-ssd"
+ zone = "us-central1-a"
+ image = "debian-9-stretch-v20200805"
+ labels = {
+ environment = "dev"
+ }
+ physical_block_size_bytes = 4096
+
+ disk_encryption_key {
+ sha256 = "A"
+ }
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="12"
+resource "google_compute_disk" "positive3" {
+ name = "test-disk"
+ type = "pd-ssd"
+ zone = "us-central1-a"
+ image = "debian-9-stretch-v20200805"
+ labels = {
+ environment = "dev"
+ }
+ physical_block_size_bytes = 4096
+
+ disk_encryption_key {
+ raw_key = ""
+ sha256 = "A"
+ }
+}
+
+```
+```tf title="Postitive test num. 3 - tf file" hl_lines="12"
+resource "google_compute_disk" "positive4" {
+ name = "test-disk"
+ type = "pd-ssd"
+ zone = "us-central1-a"
+ image = "debian-9-stretch-v20200805"
+ labels = {
+ environment = "dev"
+ }
+ physical_block_size_bytes = 4096
+
+ disk_encryption_key {
+ kms_key_self_link = ""
+ sha256 = "A"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_compute_disk" "negative1" {
+ name = "test-disk"
+ type = "pd-ssd"
+ zone = "us-central1-a"
+ image = "debian-9-stretch-v20200805"
+ labels = {
+ environment = "dev"
+ }
+ physical_block_size_bytes = 4096
+
+ disk_encryption_key {
+ raw_key = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0="
+ sha256 = "A"
+ }
+}
+
+```
+```tf title="Negative test num. 
2 - tf file"
+resource "google_compute_disk" "negative1" {
+ name = "test-disk"
+ type = "pd-ssd"
+ zone = "us-central1-a"
+ image = "debian-9-stretch-v20200805"
+ labels = {
+ environment = "dev"
+ }
+ physical_block_size_bytes = 4096
+
+ disk_encryption_key {
+ kms_key_self_link = "disk-crypto-key"
+ sha256 = "A"
+ }
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/bb0db090-5509-4853-a827-75ced0b3caa0.md b/docs/queries/terraform-queries/gcp/bb0db090-5509-4853-a827-75ced0b3caa0.md
new file mode 100644
index 00000000000..b4996c0ab95
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/bb0db090-5509-4853-a827-75ced0b3caa0.md
@@ -0,0 +1,90 @@
+---
+title: Google Storage Bucket Level Access Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** bb0db090-5509-4853-a827-75ced0b3caa0
+- **Query name:** Google Storage Bucket Level Access Disabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Insecure Configurations
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_storage_bucket_level_access_disabled)
+
+### Description
+Google Storage Bucket Level Access should be enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="20 6"
+resource "google_storage_bucket" "positive1" {
+ name = "image-store.com"
+ location = "EU"
+ force_destroy = true
+
+ uniform_bucket_level_access = false
+
+ website {
+ main_page_suffix = "index.html"
+ not_found_page = "404.html"
+ }
+ cors {
+ origin = ["http://image-store.com"]
+ method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
+ response_header = ["*"]
+ max_age_seconds = 3600
+ }
+}
+
+resource "google_storage_bucket" "positive2" {
+ name = "image-store.com"
+ location = "EU"
+ force_destroy = true
+
+ website {
+ main_page_suffix = "index.html"
+ not_found_page = "404.html"
+ }
+ cors {
+ origin = ["http://image-store.com"]
+ method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
+ response_header = ["*"]
+ max_age_seconds = 3600
+ }
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_storage_bucket" "negative1" {
+ name = "image-store.com"
+ location = "EU"
+ force_destroy = true
+
+ uniform_bucket_level_access = true
+
+ website {
+ main_page_suffix = "index.html"
+ not_found_page = "404.html"
+ }
+ cors {
+ origin = ["http://image-store.com"]
+ method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
+ response_header = ["*"]
+ max_age_seconds = 3600
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/gcp/bc280331-27b9-4acb-a010-018e8098aa5d.md b/docs/queries/terraform-queries/gcp/bc280331-27b9-4acb-a010-018e8098aa5d.md
new file mode 100644
index 00000000000..ccae8a1450a
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/bc280331-27b9-4acb-a010-018e8098aa5d.md
@@ -0,0 +1,81 @@ +--- +title: VM With Full Cloud Access +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bc280331-27b9-4acb-a010-018e8098aa5d +- **Query name:** VM With Full Cloud Access +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/vm_with_full_cloud_access) + +### Description +A VM instance is configured to use the default service account with full access to all Cloud APIs
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#scopes) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="20" +resource "google_compute_instance" "positive1" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + network_interface { + network = "default" + access_config { + // Ephemeral IP + } + } + + service_account { + scopes = ["userinfo-email", "compute-ro", "storage-ro", "cloud-platform"] + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_instance" "negative1" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + network_interface { + network = "default" + access_config { + // Ephemeral IP + } + } + + service_account { + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/bc75ce52-a60a-4660-b533-bce837a5019b.md b/docs/queries/terraform-queries/gcp/bc75ce52-a60a-4660-b533-bce837a5019b.md new file mode 100644 index 00000000000..1533bca91be --- /dev/null +++ b/docs/queries/terraform-queries/gcp/bc75ce52-a60a-4660-b533-bce837a5019b.md 
@@ -0,0 +1,115 @@ +--- +title: BOM - GCP Redis +hide: + toc: true + navigation: true +--- + + + +- **Query id:** bc75ce52-a60a-4660-b533-bce837a5019b +- **Query name:** BOM - GCP Redis +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp_bom/redis) + +### Description +A list of Redis Instance resources found. Memorystore for Redis is a fully managed Redis service for Google Cloud. Applications running on Google Cloud can achieve extreme performance by leveraging the highly scalable, available, secure Redis service without the burden of managing complex Redis deployments.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 20" +resource "google_redis_instance" "cache" { + name = "memory-cache" + memory_size_gb = 1 +} + +resource "google_compute_global_address" "service_range" { + name = "address" + purpose = "VPC_PEERING" + address_type = "INTERNAL" + prefix_length = 16 + network = data.google_compute_network.redis-network.id +} + +resource "google_service_networking_connection" "private_service_connection" { + network = data.google_compute_network.redis-network.id + service = "servicenetworking.googleapis.com" + reserved_peering_ranges = [google_compute_global_address.service_range.name] +} + +resource "google_redis_instance" "cache2" { + name = "private-cache" + tier = "STANDARD_HA" + memory_size_gb = 1 + + location_id = "us-central1-a" + alternative_location_id = "us-central1-f" + + authorized_network = data.google_compute_network.redis-network.id + connect_mode = "PRIVATE_SERVICE_ACCESS" + + redis_version = "REDIS_4_0" + display_name = "Terraform Test Instance" + + depends_on = [google_service_networking_connection.private_service_connection] + +} + +resource "google_compute_firewall" "positive1" { + name = "test-firewall" + network = google_compute_network.redis-network.name + direction = "INGRESS" + source_ranges = ["0.0.0.0/0"] + + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["22", "80", "3389", "8080", "1000-2000"] + } + + source_tags = ["web"] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +# negative sample +resource "google_bigquery_dataset" "negative1" { + dataset_id = "example_dataset" + friendly_name = "test" + description = "This is a test description" + location = "EU" + default_table_expiration_ms = 3600000 + + labels = { + env = "default" + } + + access { + role = "OWNER" + user_by_email = google_service_account.bqowner.email + } + + access { + role = "READER" + domain = "hashicorp.com" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/c010082c-76e0-4b91-91d9-6e8439e455dd.md b/docs/queries/terraform-queries/gcp/c010082c-76e0-4b91-91d9-6e8439e455dd.md new file mode 100644 index 00000000000..56bda431c2b --- /dev/null +++ b/docs/queries/terraform-queries/gcp/c010082c-76e0-4b91-91d9-6e8439e455dd.md @@ -0,0 +1,67 @@ +--- +title: Cloud Storage Bucket Is Publicly Accessible +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c010082c-76e0-4b91-91d9-6e8439e455dd +- **Query name:** Cloud Storage Bucket Is Publicly Accessible +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/cloud_storage_bucket_is_publicly_accessible) + +### Description +Cloud Storage Bucket is anonymously or publicly accessible
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#member/members) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="17 4" +resource "google_storage_bucket_iam_member" "positive1" { + bucket = google_storage_bucket.default.name + role = "roles/storage.admin" + member = "allUsers" + + condition { + title = "expires_after_2019_12_31" + description = "Expiring at midnight of 2019-12-31" + expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")" + } +} + + +resource "google_storage_bucket_iam_member" "positive2" { + bucket = google_storage_bucket.default.name + role = "roles/storage.admin" + members = ["user:john@example.com","allAuthenticatedUsers"] +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_storage_bucket_iam_member" "negative1" { + bucket = google_storage_bucket.default.name + role = "roles/storage.admin" + member = "user:jane@example.com" +} + + +resource "google_storage_bucket_iam_member" "negative2" { + bucket = google_storage_bucket.default.name + role = "roles/storage.admin" + members = ["user:john@example.com","user:john@example.com"] +} +``` diff --git a/docs/queries/terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md b/docs/queries/terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md new file mode 100644 index 00000000000..ee53144d82c --- /dev/null +++ b/docs/queries/terraform-queries/gcp/c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0.md 
@@ -0,0 +1,105 @@ +--- +title: SSH Access Is Not Restricted +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c4dcdcdf-10dd-4bf4-b4a0-8f6239e6aaa0 +- **Query name:** SSH Access Is Not Restricted +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Networking and Firewall +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/ssh_access_is_not_restricted) + +### Description +Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="43 13 31" +resource "google_compute_firewall" "positive1" { + name = "test-firewall" + network = google_compute_network.default.name + direction = "INGRESS" + source_ranges = ["0.0.0.0/0"] + + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["22", "80", "3389", "8080", "1000-2000"] + } + + source_tags = ["web"] +} + +resource "google_compute_firewall" "positive2" { + name = "test-firewall" + network = google_compute_network.default.name + + source_ranges = ["0.0.0.0/0"] + + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["80", "8080", "1000-2000","21-3390"] + } + + source_tags = ["web"] +} + +resource "google_compute_firewall" "positive3" { + name = "test-firewall" + network = google_compute_network.default.name + + source_ranges = ["0.0.0.0/0"] + + allow { + protocol = "icmp" + } + + allow { + protocol = "all" + } + + source_tags = ["web"] +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_firewall" "negative1" { + name = "test-firewall" + network = google_compute_network.default.name + + allow { + protocol = "icmp" + } + + allow { + protocol = "tcp" + ports = ["80", "8080", "1000-2000"] + } + + source_tags = ["web"] +} +``` diff --git a/docs/queries/terraform-queries/gcp/c606ba1d-d736-43eb-ac24-e16108f3a9e0.md b/docs/queries/terraform-queries/gcp/c606ba1d-d736-43eb-ac24-e16108f3a9e0.md new file mode 100644 index 00000000000..f161bc3e85c --- /dev/null +++ b/docs/queries/terraform-queries/gcp/c606ba1d-d736-43eb-ac24-e16108f3a9e0.md 
@@ -0,0 +1,91 @@ +--- +title: IP Aliasing Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c606ba1d-d736-43eb-ac24-e16108f3a9e0 +- **Query name:** IP Aliasing Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/ip_aliasing_disabled) + +### Description +Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribut 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="2 26 13" +#this is a problematic code where the query should report a result(s) +resource "google_container_cluster" "positive1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive2" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + + networking_mode = "VPC_NATIVE" + + timeouts { + create = "30m" + update = "40m" + } +} + +resource "google_container_cluster" "positive3" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + ip_allocation_policy { + + } + networking_mode = "ROUTES" + + timeouts { + create = "30m" + update = "40m" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +#this code is a correct code for which the query should not find any result +resource "google_container_cluster" "negative1" { + name = "marcellus-wallace" + location = "us-central1-a" + initial_node_count = 3 + ip_allocation_policy { + + } + networking_mode = "VPC_NATIVE" + + timeouts { + create = "30m" + update = "40m" + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/c68b4e6d-4e01-4ca1-b256-1e18e875785c.md b/docs/queries/terraform-queries/gcp/c68b4e6d-4e01-4ca1-b256-1e18e875785c.md new file mode 100644 index 00000000000..587307d903b --- /dev/null +++ b/docs/queries/terraform-queries/gcp/c68b4e6d-4e01-4ca1-b256-1e18e875785c.md 
@@ -0,0 +1,53 @@ +--- +title: Google Project IAM Member Service Account has Token Creator or Account User Role +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c68b4e6d-4e01-4ca1-b256-1e18e875785c +- **Query name:** Google Project IAM Member Service Account has Token Creator or Account User Role +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_project_iam_member_service_account_has_token_creator_or_account_user_role) + +### Description +Verifies if Google Poject IAM Member Service Account doesn't have a Account User or Token Creator associated
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_member) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="9 3" +resource "google_project_iam_member" "positive1" { + project = "your-project-id" + role = "roles/iam.serviceAccountTokenCreator" + member = "serviceAccount:my-other-app@appspot.gserviceacccount.com" +} + +resource "google_project_iam_member" "positive2" { + project = "your-project-id" + role = "roles/iam.serviceAccountUser" + members = ["user:jane@example.com", "serviceAccount:my-other-app@appspot.gserviceacccount.com"] +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_project_iam_member" "negative1" { + project = "your-project-id" + role = "roles/editor" + members = "user:jane@example.com" +} +``` diff --git a/docs/queries/terraform-queries/gcp/c9d81239-c818-4869-9917-1570c62b81fd.md b/docs/queries/terraform-queries/gcp/c9d81239-c818-4869-9917-1570c62b81fd.md new file mode 100644 index 00000000000..ef3d070ec99 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/c9d81239-c818-4869-9917-1570c62b81fd.md @@ -0,0 +1,141 @@ +--- +title: BOM - GCP FI +hide: + toc: true + navigation: true +--- + + + +- **Query id:** c9d81239-c818-4869-9917-1570c62b81fd +- **Query name:** BOM - GCP FI +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp_bom/fi) + +### Description +A list of Filestore Instance resources found. Filestore instances are fully managed file servers on Google Cloud that can be connected to Compute Engine VMs, GKE clusters, and your on-premises machines. Once provisioned, you can scale the capacity of your instances according to need without any downtime.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="32 1 59" +resource "google_filestore_instance" "instance" { + name = "test-instance" + location = "us-central1-b" + tier = "BASIC_SSD" + + file_shares { + capacity_gb = 2660 + name = "share1" + + nfs_export_options { + ip_ranges = ["10.0.0.0/24"] + access_mode = "READ_WRITE" + squash_mode = "NO_ROOT_SQUASH" + } + + nfs_export_options { + ip_ranges = ["10.10.0.0/24"] + access_mode = "READ_ONLY" + squash_mode = "ROOT_SQUASH" + anon_uid = 123 + anon_gid = 456 + } + } + + networks { + network = "default" + modes = ["MODE_IPV4"] + connect_mode = "DIRECT_PEERING" + } +} + +resource "google_filestore_instance" "instance2" { + name = "test-instance" + location = "us-central1" + tier = "ENTERPRISE" + + file_shares { + capacity_gb = 2560 + name = "share1" + } + + networks { + network = "default" + modes = ["MODE_IPV4"] + } + kms_key_name = google_kms_crypto_key.filestore_key.id +} + +resource "google_kms_key_ring" "filestore_keyring" { + name = "filestore-keyring" + location = "us-central1" +} + +resource "google_kms_crypto_key" "filestore_key" { + name = "filestore-key" + key_ring = google_kms_key_ring.filestore_keyring.id +} + +resource "google_filestore_instance" "instance3" { + name = "test-instance" + location = "us-central1-b" + tier = "BASIC_SSD" + + file_shares { + capacity_gb = 2660 + name = "share1" + + nfs_export_options { + ip_ranges = ["0.0.0.0/0"] + access_mode = "READ_WRITE" + squash_mode = "NO_ROOT_SQUASH" + } + } + + networks { + network = "default" + modes = ["MODE_IPV4"] + connect_mode = "DIRECT_PEERING" + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +# negative sample +resource "google_bigquery_dataset" "negative1" { + dataset_id = "example_dataset" + friendly_name = "test" + description = "This is a test description" + location = "EU" + default_table_expiration_ms = 3600000 + + labels = { + env = "default" + } + + access { + role = "OWNER" + user_by_email = google_service_account.bqowner.email + } + + access { + role = "READER" + domain = "hashicorp.com" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/ccc3100c-0fdd-4a5e-9908-c10107291860.md b/docs/queries/terraform-queries/gcp/ccc3100c-0fdd-4a5e-9908-c10107291860.md new file mode 100644 index 00000000000..cb642e369f3 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/ccc3100c-0fdd-4a5e-9908-c10107291860.md @@ -0,0 +1,68 @@ +--- +title: DNSSEC Using RSASHA1 +hide: + toc: true + navigation: true +--- + + + +- **Query id:** ccc3100c-0fdd-4a5e-9908-c10107291860 +- **Query name:** DNSSEC Using RSASHA1 +- **Platform:** Terraform +- **Severity:** High +- **Category:** Encryption +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/dnssec_using_rsasha1) + +### Description +DNSSEC should not use the RSASHA1 algorithm, which means if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field is 'rsasha1' which is bad.
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#algorithm) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="11" +resource "google_dns_managed_zone" "positive1" { + name = "example-zone" + dns_name = "example-${random_id.rnd.hex}.com." + description = "Example DNS zone" + labels = { + foo = "bar" + } + + dnssec_config { + default_key_specs{ + algorithm = "rsasha1" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_dns_managed_zone" "negative1" { + name = "example-zone" + dns_name = "example-${random_id.rnd.hex}.com." + description = "Example DNS zone" + labels = { + foo = "bar" + } + + dnssec_config { + default_key_specs{ + algorithm = "rsasha256" + } + } +} + + +``` diff --git a/docs/queries/terraform-queries/gcp/cefdad16-0dd5-4ac5-8ed2-a37502c78672.md b/docs/queries/terraform-queries/gcp/cefdad16-0dd5-4ac5-8ed2-a37502c78672.md new file mode 100644 index 00000000000..e504646ee1a --- /dev/null +++ b/docs/queries/terraform-queries/gcp/cefdad16-0dd5-4ac5-8ed2-a37502c78672.md @@ -0,0 +1,123 @@ +--- +title: Service Account with Improper Privileges +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cefdad16-0dd5-4ac5-8ed2-a37502c78672 +- **Query name:** Service Account with Improper Privileges +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Resource Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/service_account_with_improper_privileges) + +### Description +Service account should not have improper privileges like admin, editor, owner, or write roles
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy#role) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="3" +data "google_iam_policy" "admin" { + binding { + role = "roles/editor" + + members = [ + "serviceAccount:jane@example.com", + ] + } +} + +``` +```tf title="Postitive test num. 2 - tf file" hl_lines="18 3" +resource "google_project_iam_binding" "project1" { + project = "your-project-id" + role = "roles/container.admin" + + members = [ + "serviceAccount:jane@example.com", + ] + + condition { + title = "expires_after_2019_12_31" + description = "Expiring at midnight of 2019-12-31" + expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")" + } +} + +resource "google_project_iam_member" "project2" { + project = "your-project-id" + role = "roles/editor" + member = "serviceAccount:jane@example.com" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +data "google_iam_policy" "policy5" { + binding { + role = "roles/apigee.runtimeAgent" + + members = [ + "user:jane@example.com", + ] + } +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "google_project_iam_binding" "project3" { + project = "your-project-id" + role = "roles/apigee.runtimeAgent" + + members = [ + "user:jane@example.com", + ] + + condition { + title = "expires_after_2019_12_31" + description = "Expiring at midnight of 2019-12-31" + expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")" + } +} + +resource "google_project_iam_member" "project4" { + project = "your-project-id" + role = "roles/apigee.runtimeAgent" + member = "user:jane@example.com" +} + +``` +```tf title="Negative test num. 
3 - tf file" +resource "google_project_iam_binding" "project5" { + role = "roles/viewer" + + members = [ + "serviceAccount:jane@example.com", + ] +} + +data "google_iam_policy" "policy6" { + binding { + role = "roles/viewer" + + members = [ + "user:jane@example.com", + ] + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/cf3c7631-cd1e-42f3-8801-a561214a6e79.md b/docs/queries/terraform-queries/gcp/cf3c7631-cd1e-42f3-8801-a561214a6e79.md new file mode 100644 index 00000000000..3e107a4e138 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/cf3c7631-cd1e-42f3-8801-a561214a6e79.md @@ -0,0 +1,85 @@ +--- +title: SQL DB Instance Backup Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** cf3c7631-cd1e-42f3-8801-a561214a6e79 +- **Query name:** SQL DB Instance Backup Disabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Backup +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/sql_db_instance_backup_disabled) + +### Description +Checks if backup configuration is enabled for all Cloud SQL Database instances
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="18 6 31" +resource "google_sql_database_instance" "positive1" { + name = "master-instance" + database_version = "POSTGRES_11" + region = "us-central1" + + settings { + tier = "db-f1-micro" + } +} + +resource "google_sql_database_instance" "positive2" { + name = "master-instance" + database_version = "POSTGRES_11" + region = "us-central1" + + settings { + tier = "db-f1-micro" + backup_configuration{ + binary_log_enabled = true + } + } +} + +resource "google_sql_database_instance" "positive3" { + name = "master-instance" + database_version = "POSTGRES_11" + region = "us-central1" + + settings { + backup_configuration{ + enabled = false + } + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_sql_database_instance" "negative1" { + name = "master-instance" + database_version = "POSTGRES_11" + region = "us-central1" + + settings { + backup_configuration{ + enabled = true + } + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/d0b4d550-c001-46c3-bbdb-d5d75d33f05f.md b/docs/queries/terraform-queries/gcp/d0b4d550-c001-46c3-bbdb-d5d75d33f05f.md new file mode 100644 index 00000000000..acf8b5b372e --- /dev/null +++ b/docs/queries/terraform-queries/gcp/d0b4d550-c001-46c3-bbdb-d5d75d33f05f.md 
@@ -0,0 +1,116 @@ +--- +title: OSLogin Is Disabled For VM Instance +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d0b4d550-c001-46c3-bbdb-d5d75d33f05f +- **Query name:** OSLogin Is Disabled For VM Instance +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Configurations +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/os_login_is_disabled_for_vm_instance) + +### Description +Check if any VM instance disables OSLogin
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="30" +resource "google_compute_instance" "positive1" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + // Local SSD disk + scratch_disk { + interface = "SCSI" + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + metadata = { + #... some other metadata + + enable-oslogin = "FALSE" + } + + metadata_startup_script = "echo hi > /test.txt" + + service_account { + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_compute_instance" "negative1" { + name = "test" + machine_type = "e2-medium" + zone = "us-central1-a" + + tags = ["foo", "bar"] + + boot_disk { + initialize_params { + image = "debian-cloud/debian-9" + } + } + + // Local SSD disk + scratch_disk { + interface = "SCSI" + } + + network_interface { + network = "default" + + access_config { + // Ephemeral IP + } + } + + metadata = { + #... some other metadata + + # or if not undefined + enable-oslogin = true + } + + metadata_startup_script = "echo hi > /test.txt" + + service_account { + scopes = ["userinfo-email", "compute-ro", "storage-ro"] + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md b/docs/queries/terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md new file mode 100644 index 00000000000..e3d72db2410 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/d6cabc3a-d57e-48c2-b341-bf3dd4f4a120.md 
@@ -0,0 +1,70 @@ +--- +title: Cloud Storage Bucket Logging Not Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d6cabc3a-d57e-48c2-b341-bf3dd4f4a120 +- **Query name:** Cloud Storage Bucket Logging Not Enabled +- **Platform:** Terraform +- **Severity:** High +- **Category:** Observability +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/cloud_storage_bucket_logging_not_enabled) + +### Description +Cloud storage bucket should have logging enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#log_bucket) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1" +resource "google_storage_bucket" "positive1" { + name = "auto-expiring-bucket" + location = "US" + force_destroy = true + + lifecycle_rule { + condition { + age = 3 + } + action { + type = "Delete" + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_storage_bucket" "negative1" { + name = "auto-expiring-bucket" + location = "US" + force_destroy = true + + logging { + logBucket = "example-logs-bucket" + } + + lifecycle_rule { + condition { + age = 3 + } + action { + type = "Delete" + } + } +} +``` diff --git a/docs/queries/terraform-queries/gcp/d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md b/docs/queries/terraform-queries/gcp/d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md new file mode 100644 index 00000000000..93430da9b18 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/d8c57c4e-bf6f-4e32-a2bf-8643532de77b.md @@ -0,0 +1,63 @@ +--- +title: High Google KMS Crypto Key Rotation Period +hide: + toc: true + navigation: true +--- + + + +- **Query id:** d8c57c4e-bf6f-4e32-a2bf-8643532de77b +- **Query name:** High Google KMS Crypto Key Rotation Period +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Secret Management +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/high_google_kms_crypto_key_rotation_period) + +### Description +KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="10 4" +resource "google_kms_crypto_key" "positive1" { + name = "crypto-key-example" + key_ring = google_kms_key_ring.keyring.id + rotation_period = "77760009s" + lifecycle { + prevent_destroy = true + } +} + +resource "google_kms_crypto_key" "positive2" { + name = "crypto-key-example" + key_ring = google_kms_key_ring.keyring.id + lifecycle { + prevent_destroy = true + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "google_kms_crypto_key" "negative1" { + name = "crypto-key-example" + key_ring = google_kms_key_ring.keyring.id + rotation_period = "100000s" + lifecycle { + prevent_destroy = true + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md b/docs/queries/terraform-queries/gcp/dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md new file mode 100644 index 00000000000..cac61f5269c --- /dev/null +++ b/docs/queries/terraform-queries/gcp/dd7d70aa-a6ec-460d-b5d2-38b40253b16f.md @@ -0,0 +1,152 @@ +--- +title: BOM - GCP PD +hide: + toc: true + navigation: true +--- + + + +- **Query id:** dd7d70aa-a6ec-460d-b5d2-38b40253b16f +- **Query name:** BOM - GCP PD +- **Platform:** Terraform +- **Severity:** Trace +- **Category:** Bill Of Materials +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp_bom/pd) + +### Description +A list of Persistent Disk resources found. Persistent Disk is Google's local durable storage service, fully integrated with Google Cloud products, Compute Engine and Google Kubernetes Engine.
+[Documentation](https://kics.io) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="1 12 44 60 76 28" +resource "google_compute_disk" "positive1" { + name = "test-disk" + type = "pd-ssd" + zone = "us-central1-a" + image = "debian-9-stretch-v20200805" + labels = { + environment = "dev" + } + physical_block_size_bytes = 4096 +} + +resource "google_compute_disk" "positive2" { + name = "test-disk" + type = "pd-ssd" + zone = "us-central1-a" + image = "debian-9-stretch-v20200805" + labels = { + environment = "dev" + } + physical_block_size_bytes = 4096 + + disk_encryption_key { + sha256 = "A" + } +} + + +resource "google_compute_disk" "positive3" { + name = "test-disk" + type = "pd-ssd" + zone = "us-central1-a" + image = "debian-9-stretch-v20200805" + labels = { + environment = "dev" + } + physical_block_size_bytes = 4096 + + disk_encryption_key { + raw_key = "" + sha256 = "A" + } +} + +resource "google_compute_disk" "positive4" { + name = "test-disk" + type = "pd-ssd" + zone = "us-central1-a" + image = "debian-9-stretch-v20200805" + labels = { + environment = "dev" + } + physical_block_size_bytes = 4096 + + disk_encryption_key { + kms_key_self_link = "" + sha256 = "A" + } +} + +resource "google_compute_disk" "negative1" { + name = "test-disk" + type = "pd-ssd" + zone = "us-central1-a" + image = "debian-9-stretch-v20200805" + labels = { + environment = "dev" + } + physical_block_size_bytes = 4096 + + disk_encryption_key { + kms_key_self_link = "disk-crypto-key" + sha256 = "A" + } +} + +resource "google_compute_disk" "negative2" { + name = "test-disk" + type = "pd-ssd" + zone = "us-central1-a" + image = "debian-9-stretch-v20200805" + labels = { + environment = "dev" + } + physical_block_size_bytes = 4096 + + disk_encryption_key { + raw_key = "SGVsbG8gZnJvbSBHb29nbGUgQ2xvdWQgUGxhdGZvcm0=" + sha256 = "A" + } +} + + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative 
test num. 1 - tf file" +# negative sample +resource "google_bigquery_dataset" "negative1" { + dataset_id = "example_dataset" + friendly_name = "test" + description = "This is a test description" + location = "EU" + default_table_expiration_ms = 3600000 + + labels = { + env = "default" + } + + access { + role = "OWNER" + user_by_email = google_service_account.bqowner.email + } + + access { + role = "READER" + domain = "hashicorp.com" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/e576ce44-dd03-4022-a8c0-3906acca2ab4.md b/docs/queries/terraform-queries/gcp/e576ce44-dd03-4022-a8c0-3906acca2ab4.md new file mode 100644 index 00000000000..224de73902b --- /dev/null +++ b/docs/queries/terraform-queries/gcp/e576ce44-dd03-4022-a8c0-3906acca2ab4.md @@ -0,0 +1,76 @@ +--- +title: BigQuery Dataset Is Public +hide: + toc: true + navigation: true +--- + + + +- **Query id:** e576ce44-dd03-4022-a8c0-3906acca2ab4 +- **Query name:** BigQuery Dataset Is Public +- **Platform:** Terraform +- **Severity:** High +- **Category:** Access Control +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/bigquery_dataset_is_public) + +### Description +BigQuery dataset is anonymously or publicly accessible
+[Documentation](https://www.terraform.io/docs/providers/google/r/bigquery_dataset.html) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Postitive test num. 1 - tf file" hl_lines="14" +resource "google_bigquery_dataset" "positive1" { + dataset_id = "example_dataset" + friendly_name = "test" + description = "This is a test description" + location = "EU" + default_table_expiration_ms = 3600000 + + labels = { + env = "default" + } + + access { + role = "OWNER" + special_group = "allAuthenticatedUsers" + } +} +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +# negative sample +resource "google_bigquery_dataset" "negative1" { + dataset_id = "example_dataset" + friendly_name = "test" + description = "This is a test description" + location = "EU" + default_table_expiration_ms = 3600000 + + labels = { + env = "default" + } + + access { + role = "OWNER" + user_by_email = google_service_account.bqowner.email + } + + access { + role = "READER" + domain = "hashicorp.com" + } +} + +``` diff --git a/docs/queries/terraform-queries/gcp/e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md b/docs/queries/terraform-queries/gcp/e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md new file mode 100644 index 00000000000..88b62e73ca8 --- /dev/null +++ b/docs/queries/terraform-queries/gcp/e6f61c37-106b-449f-a5bb-81bfcaceb8b4.md 
@@ -0,0 +1,77 @@
+---
+title: Google Compute Network Using Firewall Rule that Allows Port Range
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e6f61c37-106b-449f-a5bb-81bfcaceb8b4
+- **Query name:** Google Compute Network Using Firewall Rule that Allows Port Range
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_compute_network_using_firewall_rule_allows_port_range)
+
+### Description
+Google Compute Network should not use a firewall rule that allows port range
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#allow)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="17"
+resource "google_compute_firewall" "positive1" {
+ name = "test-firewall"
+ network = google_compute_network.positive1.name
+
+ allow {
+ protocol = "icmp"
+ }
+
+ allow {
+ protocol = "tcp"
+ ports = ["80", "8080", "1000-2000"]
+ }
+
+ source_tags = ["web"]
+}
+
+resource "google_compute_network" "positive1" {
+ name = "test-network"
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_compute_firewall" "negative1" {
+ name = "test-firewall"
+ network = google_compute_network.negative1.name
+
+ allow {
+ protocol = "icmp"
+ }
+
+ allow {
+ protocol = "tcp"
+ ports = ["80", "8080"]
+ }
+
+ source_tags = ["web"]
+}
+
+resource "google_compute_network" "negative1" {
+ name = "test-network"
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944.md b/docs/queries/terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944.md
new file mode 100644
index 00000000000..2ab42f3ff7c
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/e7e961ac-d17e-4413-84bc-8a1fbe242944.md
@@ -0,0 +1,58 @@
+---
+title: Cloud Storage Bucket Versioning Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** e7e961ac-d17e-4413-84bc-8a1fbe242944
+- **Query name:** Cloud Storage Bucket Versioning Disabled
+- **Platform:** Terraform
+- **Severity:** High
+- **Category:** Observability
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/cloud_storage_bucket_versioning_disabled)
+
+### Description
+Cloud Storage Bucket should have versioning enabled
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#enabled)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="10 6"
+resource "google_storage_bucket" "positive1" {
+ name = "foo"
+ location = "EU"
+
+ versioning = {
+ enabled = false
+ }
+}
+
+resource "google_storage_bucket" "positive2" {
+ name = "foo"
+ location = "EU"
+}
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_storage_bucket" "negative1" {
+ name = "foo"
+ location = "EU"
+
+ versioning = {
+ enabled = true
+ }
+}
+```
diff --git a/docs/queries/terraform-queries/gcp/ee7b93c1-b3f8-4a3b-9588-146d481814f5.md b/docs/queries/terraform-queries/gcp/ee7b93c1-b3f8-4a3b-9588-146d481814f5.md
new file mode 100644
index 00000000000..eef2a40795b
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/ee7b93c1-b3f8-4a3b-9588-146d481814f5.md
@@ -0,0 +1,89 @@
+---
+title: Google Compute Subnetwork with Private Google Access Disabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** ee7b93c1-b3f8-4a3b-9588-146d481814f5
+- **Query name:** Google Compute Subnetwork with Private Google Access Disabled
+- **Platform:** Terraform
+- **Severity:** Low
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/google_compute_subnetwork_with_private_google_access_disabled)
+
+### Description
+Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#private_ip_google_access)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="1"
+resource "google_compute_subnetwork" "positive1" {
+ name = "test-subnetwork"
+ ip_cidr_range = "10.2.0.0/16"
+ region = "us-central1"
+ network = google_compute_network.custom-test.id
+ secondary_ip_range {
+ range_name = "tf-test-secondary-range-update1"
+ ip_cidr_range = "192.168.10.0/24"
+ }
+}
+
+resource "google_compute_network" "custom-test" {
+ name = "test-network"
+ auto_create_subnetworks = false
+}
+
+```
+```tf title="Postitive test num. 2 - tf file" hl_lines="10"
+resource "google_compute_subnetwork" "positive2" {
+ name = "test-subnetwork"
+ ip_cidr_range = "10.2.0.0/16"
+ region = "us-central1"
+ network = google_compute_network.custom-test.id
+ secondary_ip_range {
+ range_name = "tf-test-secondary-range-update1"
+ ip_cidr_range = "192.168.10.0/24"
+ }
+ private_ip_google_access = false
+}
+
+resource "google_compute_network" "custom-test" {
+ name = "test-network"
+ auto_create_subnetworks = false
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_compute_subnetwork" "negative1" {
+ name = "test-subnetwork"
+ ip_cidr_range = "10.2.0.0/16"
+ region = "us-central1"
+ network = google_compute_network.custom-test.id
+ secondary_ip_range {
+ range_name = "tf-test-secondary-range-update1"
+ ip_cidr_range = "192.168.10.0/24"
+ }
+ private_ip_google_access = true
+}
+
+resource "google_compute_network" "custom-test" {
+ name = "test-network"
+ auto_create_subnetworks = false
+}
+
+```
diff --git a/docs/queries/terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89.md b/docs/queries/terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89.md
new file mode 100644
index 00000000000..66f4a3dd2d3
--- /dev/null
+++ b/docs/queries/terraform-queries/gcp/f34c0c25-47b4-41eb-9c79-249b4dd47b89.md
@@ -0,0 +1,69 @@
+---
+title: IP Forwarding Enabled
+hide:
+ toc: true
+ navigation: true
+---
+
+
+
+- **Query id:** f34c0c25-47b4-41eb-9c79-249b4dd47b89
+- **Query name:** IP Forwarding Enabled
+- **Platform:** Terraform
+- **Severity:** Medium
+- **Category:** Networking and Firewall
+- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/gcp/ip_forwarding_enabled)
+
+### Description
+Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true
+[Documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_instance)
+
+### Code samples
+#### Code samples with security vulnerabilities
+```tf title="Postitive test num. 1 - tf file" hl_lines="4"
+resource "google_compute_instance" "appserver" {
+ name = "primary-application-server"
+ machine_type = "e2-medium"
+ can_ip_forward = true
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-11"
+ }
+ }
+
+ network_interface {
+ network = "default"
+ }
+}
+
+```
+
+
+#### Code samples without security vulnerabilities
+```tf title="Negative test num. 1 - tf file"
+resource "google_compute_instance" "appserver" {
+ name = "primary-application-server"
+ machine_type = "e2-medium"
+ can_ip_forward = false
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-11"
+ }
+ }
+
+ network_interface {
+ network = "default"
+ }
+}
+
+```