Policy Library Rules

The AWS policies in Styra's Terraform Policy Library are currently tested against version 3 of the Terraform AWS provider. Version 4 of the provider introduced breaking changes for a number of AWS resources. AWS policies in the library which only apply to Terraform AWS provider v3 resources are noted in the policies below and may not result in accurate policy evaluation when used with provider v4.

AWS: Autoscaling Group: Deny public IP address in launch configuration

Prohibit creation of an autoscaling group if the launch configuration it uses has a public IP address enabled. Checks resources with type 'aws_launch_configuration' for the value of 'associate_public_ip_address'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without a default root object

Requires AWS/CloudFront distributions to be configured with a default root object. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without access logging

Requires AWS/CloudFront distributions to be configured with access logging. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without encrypted traffic to origin

Requires AWS/CloudFront distributions to be configured with encrypted traffic to origin. Prohibits 'origin_protocol_policy' set to 'http-only' and prohibits 'origin_protocol_policy' set to 'match-viewer' if 'viewer_protocol_policy' is set to 'allow-all'. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without an HTTPS viewer protocol policy

Requires AWS/CloudFront distribution default and ordered cache behaviors to be configured with an 'https-only' or 'redirect-to-https' 'viewer_protocol_policy'. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without a WAF association

Requires AWS/CloudFront distributions to be configured with a WAF web ACL ID. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudTrail: Prohibit CloudTrails without server side encryption

Require AWS/CloudTrail trails to have server-side encryption using an AWS KMS key. Checks resources with type 'aws_cloudtrail'.

Parameters

None


AWS: CodeBuild Project: Prohibit if logging is not configured

Require CodeBuild Projects to have 'logs_config' with either 's3_logs' or 'cloudwatch_logs' enabled. Checks resources with type 'aws_codebuild_project'.

Parameters

None


AWS: CodeBuild Project: Prohibit Privileged Mode enabled.

Require CodeBuild Projects to set 'privileged_mode' to false. Checks resources with type 'aws_codebuild_project'.

Parameters

None


AWS: DAX: Prohibit DAX clusters with disabled encryption at rest

Require AWS/DAX clusters to have encryption at rest enabled. Checks resources with type 'aws_dax_cluster'.

Parameters

None


AWS: DMS: Prohibit publicly accessible DMS replication instances

Require AWS/DMS replication instances to not be publicly accessible. Checks resources with type 'aws_dms_replication_instance'.

Parameters

None


AWS: EC2/EBS: Requires snapshot enabled.

Ensure individually created EBS volumes have snapshots enabled. Checks resources with type 'aws_ebs_volume'.

Parameters

None


AWS: EC2: Ensure the EBS volumes are encrypted.

Require individually created EBS volumes to be encrypted. Checks resources with type 'aws_ebs_volume'.

Parameters

None


AWS: EC2: Prohibit EC2 instances with a Public IP Address

Require AWS/EC2 instances to not have a public IP address. Checks resources with type 'aws_instance' and 'aws_launch_template'.

Parameters

None


AWS: EC2: Restrict volume deletion after instance termination

Prevent volumes from being deleted after the termination of an EC2 instance. Retaining volumes until they are explicitly deleted can protect against adversaries deleting critical data, or evidence of an intrusion. Checks resources with type 'aws_instance'.

Parameters

None


AWS: EC2: Restrict instances with unapproved AMIs

Ensure EC2 instances are using an AMI from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:
    • allowed_ami_ids
      • Type: array
      • Unique: true
  • Required Parameters: allowed_ami_ids

AWS: EC2: Restrict instances with unapproved Regions

Ensure EC2 instances are deployed in a Region from a pre-approved list (due to plan format restrictions, this policy only works for Terraform 12 onward). Checks resources with type 'aws_instance'.

Parameters

  • Parameters:
    • allowed_regions
      • Type: array
      • Unique: true
  • Required Parameters: allowed_regions

AWS: EC2: Restrict instances with unapproved subnets

Ensure EC2 instances are deployed in a subnet from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:
    • allowed_subnets
      • Type: array
      • Unique: true
  • Required Parameters: allowed_subnets

AWS: EC2: Restrict instances with unapproved Security Groups

Require AWS/EC2 to use Security Groups from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:
    • allowed_security_groups
      • Type: array
      • Unique: true
  • Required Parameters: allowed_security_groups

AWS: EC2: Ensure the instances use encrypted volume.

Require AWS/EC2 instances to use encrypted block storage volumes. Checks resources with type 'aws_instance'.

Parameters

None


AWS: EC2: Restrict instances without IMDSv2

Require EC2 instances and EC2 launch templates to have Instance Metadata Service Version 2 (IMDSv2) enabled. Checks resources with type 'aws_instance' and 'aws_launch_template'.

Parameters

None


AWS: EC2: Prohibit EC2 instances without a VPC

Require AWS/EC2 instances to be deployed in a VPC. Checks resources with type 'aws_instance'.

Parameters

None


AWS: ECS: Prohibit ECS Service which has Assign Public IP enabled

Require AWS/ECS Service to have 'assign_public_ip' set as false in 'network_configuration'. Checks resources with type 'aws_ecs_service'.

Parameters

None


AWS: Elastic Beanstalk: Prohibit Elastic Beanstalk environments with disabled managed actions

Require AWS/Elastic Beanstalk environments to have the managed actions setting enabled. Checks resources with type 'aws_elastic_beanstalk_environment'.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled encryption at rest

Require AWS/Elasticsearch domains to have encryption at rest enabled. Checks resources with type 'aws_elasticsearch_domain'.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains not created in VPC

Require AWS/Elasticsearch domains to have subnets added in 'vpc_options'. Checks resources with type 'aws_elasticsearch_domain'.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains that do not use TLS 1.2 and enforce HTTPS.

Require AWS/Elasticsearch domains to have HTTPS enforced and use TLS 1.2. Checks resources with type 'aws_elasticsearch_domain'.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled node to node encryption

Require AWS/Elasticsearch domains to have node-to-node encryption enabled. Checks resources with type 'aws_elasticsearch_domain'.

Parameters

None


AWS: ELB: Prohibit Elastic Load Balancers with listener's lb_protocol not set to SSL/HTTPS.

Requires AWS/ELB listeners to be configured with 'lb_protocol' set to either SSL or HTTPS. Checks resources with type 'aws_elb'.

Parameters

None


AWS: ELB: Prohibit Elastic Load Balancers with connection draining not set to true.

Requires AWS/ELB load balancers to be configured with 'connection_draining' set to true. Checks resources with type 'aws_elb'.

Parameters

None


AWS: GuardDuty: Block GuardDuty organization with disabled GuardDuty detector

Require a GuardDuty Detector to be enabled for a GuardDuty Organization. Checks resources with type 'aws_guardduty_organization_configuration' along with 'aws_guardduty_detector'.

Parameters

None


AWS: IAM: Ensure IAM account has Complex and Unique password policy

Require the AWS/IAM account to have a complex and unique password policy. As recommended by https://attack.mitre.org/techniques/T1110/, the standards here are based on those established in https://pages.nist.gov/800-63-3/sp800-63b.html#appA and https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434. Checks resources with type 'aws_iam_account_password_policy'.

Parameters

None


AWS: IAM: Ensure IAM account password policy meets AWS Foundational Security Best Practices

Require the AWS/IAM account to have a complex and unique password policy, as recommended by https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html. Checks resources with type 'aws_iam_account_password_policy'.

Parameters

None


AWS: IAM: Restrict Attaching AdministratorAccess Policy.

Restricts attaching the managed AdministratorAccess policy to users, roles and groups. Checks resources with type 'aws_iam_user_policy_attachment', 'aws_iam_role_policy_attachment' and 'aws_iam_group_policy_attachment'.

Parameters

None


AWS: IAM: Restrict Access Key Actions in IAM policies

Require AWS/IAM user/group/role policies not to grant Create/Update/List/Delete AccessKey permissions, nor allow-all ('iam:*' or '*') in 'Action'. Checks resources with type 'aws_iam_user_policy', 'aws_iam_role_policy', 'aws_iam_group_policy' and 'aws_iam_policy'.

Parameters

None


AWS: IAM: Restrict hardcoded secret credentials.

Hardcoding of AWS 'access_key' and 'secret_key' in Terraform files is restricted. Due to plan format restrictions, this policy only works for Terraform 12 onward.

Parameters

None


AWS: IAM: Prohibit IAM policies directly being attached to IAM users

Requires AWS/IAM policies not to be attached directly to IAM users. Checks resources with type 'aws_iam_user_policy_attachment'.

Parameters

None


AWS: IAM: Prohibit IAM policies providing admin access

Require AWS/IAM policy statements to not allow all actions ('*') on all resources ('*'). Checks resources with type 'aws_iam_policy' and data sources with type 'aws_iam_policy_document'.

Parameters

None


AWS: IAM: Prohibit Policies containing an Asterisk

Require AWS/IAM policies not to have an asterisk ("*") in Actions, or an asterisk ("*") without a prefix in Resources. Checks resources with type 'aws_iam_policy'.

Parameters

None


KICS: ALB Deletion Protection Disabled

Application Load Balancer should have deletion protection enabled

Parameters

  • Parameters:

KICS: ALB Is Not Integrated With WAF

All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service

Parameters

  • Parameters:

KICS: ALB Listening on HTTP

AWS Application Load Balancer (alb) should not listen on HTTP

Parameters

  • Parameters:

KICS: ALB Not Dropping Invalid Headers

It's considered a best practice when using Application Load Balancers to drop invalid header fields

Parameters

  • Parameters:

KICS: AmazonMQ Broker Encryption Disabled

AmazonMQ Broker should have Encryption Options defined

Parameters

  • Parameters:

KICS: AMI Not Encrypted

AWS AMI Encryption is not enabled

Parameters

  • Parameters:

KICS: API Gateway Access Logging Disabled

API Gateway should have Access Log Settings defined

Parameters

  • Parameters:

KICS: API Gateway Deployment Without Access Log Setting

API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.

Parameters

  • Parameters:

KICS: API Gateway Deployment Without API Gateway UsagePlan Associated

API Gateway Deployment should have API Gateway UsagePlan defined and associated.

Parameters

  • Parameters:

KICS: API Gateway Endpoint Config is Not Private

The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet

Parameters

  • Parameters:

KICS: API Gateway Method Does Not Contains An API Key

An API Key should be required on a method request.

Parameters

  • Parameters:

KICS: API Gateway Method Settings Cache Not Encrypted

API Gateway Method Settings Cache should be encrypted

Parameters

  • Parameters:

KICS: API Gateway Stage Without API Gateway UsagePlan Associated

API Gateway Stage should have API Gateway UsagePlan defined and associated.

Parameters

  • Parameters:

KICS: API Gateway With CloudWatch Logging Disabled

AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation

Parameters

  • Parameters:

KICS: API Gateway With Invalid Compression

API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.

Parameters

  • Parameters:

KICS: API Gateway With Open Access

API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.

Parameters

  • Parameters:

KICS: API Gateway Without Configured Authorizer

API Gateway REST API should have an API Gateway Authorizer

Parameters

  • Parameters:

KICS: API Gateway Without Security Policy

API Gateway should have a Security Policy defined and use TLS 1.2.

Parameters

  • Parameters:

KICS: API Gateway Without SSL Certificate

SSL Client Certificate should be enabled

Parameters

  • Parameters:

KICS: API Gateway without WAF

API Gateway should have WAF (Web Application Firewall) enabled

Parameters

  • Parameters:

KICS: API Gateway X-Ray Disabled

API Gateway should have X-Ray Tracing enabled

Parameters

  • Parameters:

KICS: Athena Workgroup Not Encrypted

Athena Workgroup query results should be encrypted, for all queries that run in the workgroup

Parameters

  • Parameters:

KICS: Auto Scaling Group With No Associated ELB

AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.

Parameters

  • Parameters:

KICS: Automatic Minor Upgrades Disabled

RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.

Parameters

  • Parameters:

KICS: Autoscaling Groups Supply Tags

Autoscaling groups should supply tags for configuration

Parameters

  • Parameters:

KICS: AWS Password Policy With Unchangeable Passwords

Unchangeable passwords in AWS password policy

Parameters

  • Parameters:

KICS: Batch Job Definition With Privileged Container Properties

Batch Job Definition should not have Privileged Container Properties

Parameters

  • Parameters:

KICS: CA Certificate Identifier Is Outdated

The CA certificate Identifier must be 'rds-ca-2019'.

Parameters

  • Parameters:

KICS: CDN Configuration Is Missing

Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.

Parameters

  • Parameters:

KICS: CloudFront Logging Disabled

AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined

Parameters

  • Parameters:

KICS: Cloudfront Viewer Protocol Policy Allows HTTP

Checks if the connection between CloudFront and the viewer is encrypted

Parameters

  • Parameters:

KICS: CloudFront Without Minimum Protocol TLS 1.2

CloudFront Minimum Protocol version should be at least TLS 1.2

Parameters

  • Parameters:

KICS: CloudFront Without WAF

All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service

Parameters

  • Parameters:

KICS: CloudTrail Log File Validation Disabled

CloudTrail log file validation should be enabled to determine whether a log file has been tampered with

Parameters

  • Parameters:

KICS: CloudTrail Log Files Not Encrypted With KMS

Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail

Parameters

  • Parameters:

KICS: CloudTrail Logging Disabled

Checks if logging is enabled for CloudTrail.

Parameters

  • Parameters:

KICS: CloudTrail Multi Region Disabled

CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled

Parameters

  • Parameters:

KICS: CloudTrail Not Integrated With CloudWatch

CloudTrail should be integrated with CloudWatch

Parameters

  • Parameters:

KICS: CloudTrail SNS Topic Name Undefined

Check if SNS topic name is set for CloudTrail

Parameters

  • Parameters:

KICS: CloudWatch AWS Config Configuration Changes Alarm Missing

Ensure a log metric filter and alarm exist for AWS Config configuration changes

Parameters

  • Parameters:

KICS: CloudWatch AWS Organizations Changes Missing Alarm

Ensure a log metric filter and alarm exist for AWS organizations changes

Parameters

  • Parameters:

KICS: CloudWatch Changes To NACL Alarm Missing

Ensure a log metric filter and alarm exist for changes to NACL

Parameters

  • Parameters:

KICS: Cloudwatch Cloudtrail Configuration Changes Alarm Missing

Ensure a log metric filter and alarm exist for CloudTrail configuration changes

Parameters

  • Parameters:

KICS: CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing

Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK

Parameters

  • Parameters:

KICS: CloudWatch IAM Policy Changes Alarm Missing

Ensure a log metric filter and alarm exist for IAM policy changes

Parameters

  • Parameters:

KICS: CloudWatch Log Group Without KMS

AWS CloudWatch Log groups should be encrypted using KMS

Parameters

  • Parameters:

KICS: CloudWatch Logging Disabled

Check if CloudWatch logging is disabled for Route53 hosted zones

Parameters

  • Parameters:

KICS: CloudWatch Logs Destination With Vulnerable Policy

CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'

Parameters

  • Parameters:

KICS: CloudWatch Management Console Auth Failed Alarm Missing

Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

Parameters

  • Parameters:

KICS: CloudWatch Console Sign-in Without MFA Alarm Missing

Ensure a log metric filter and alarm exist for management console sign-in without MFA

Parameters

  • Parameters:

KICS: CloudWatch Metrics Disabled

Checks if CloudWatch Metrics is Enabled

Parameters

  • Parameters:

KICS: CloudWatch Network Gateways Changes Alarm Missing

Ensure a log metric filter and alarm exist for network gateways changes

Parameters

  • Parameters:

KICS: CloudWatch Root Account Use Missing

Ensure a log metric filter and alarm exist for root account usage

Parameters

  • Parameters:

KICS: CloudWatch Route Table Changes Alarm Missing

Ensure a log metric filter and alarm exist for route table changes

Parameters

  • Parameters:

KICS: CloudWatch S3 policy Change Alarm Missing

Ensure a log metric filter and alarm exist for S3 bucket policy changes

Parameters

  • Parameters:

KICS: Cloudwatch Security Group Changes Alarm Missing

Ensure a log metric filter and alarm exist for security group changes

Parameters

  • Parameters:

KICS: CloudWatch Unauthorized Access Alarm Missing

Ensure a log metric filter and alarm exist for unauthorized API calls

Parameters

  • Parameters:

KICS: CloudWatch VPC Changes Alarm Missing

Ensure a log metric filter and alarm exist for VPC changes

Parameters

  • Parameters:

KICS: CloudWatch Without Retention Period Specified

AWS CloudWatch Log groups should have retention days specified

Parameters

  • Parameters:

KICS: CMK Is Unusable

AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true

Parameters

  • Parameters:

KICS: CMK Rotation Disabled

Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.

Parameters

  • Parameters:

KICS: Cognito UserPool Without MFA

AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users

Parameters

  • Parameters:

KICS: Configuration Aggregator to All Regions Disabled

AWS Config Configuration Aggregator All Regions must be set to True

Parameters

  • Parameters:

KICS: Config Rule For Encrypted Volumes Disabled

Check if AWS config rules do not identify Encrypted Volumes as a source.

Parameters

  • Parameters:

KICS: Cross-Account IAM Assume Role Policy Without ExternalId or MFA

Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access

Parameters

  • Parameters:

KICS: DAX Cluster Not Encrypted

AWS DAX Cluster should have server-side encryption at rest

Parameters

  • Parameters:

KICS: DB Instance Publicly Accessible

RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').

Parameters

  • Parameters:

KICS: DB Instance Storage Not Encrypted

AWS DB Instance should have its storage encrypted by setting 'storage_encrypted' to 'true'. The 'storage_encrypted' default value is 'false'.

Parameters

  • Parameters:

KICS: DB Security Group Has Public Interface

The CIDR IP should not be a public interface

Parameters

  • Parameters:

KICS: DB Security Group Open To Large Scope

The IP address in a DB Security Group must not have more than 256 hosts.

Parameters

  • Parameters:

KICS: DB Security Group With Public Scope

The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it

Parameters

  • Parameters:

KICS: Default Security Groups With Unrestricted Traffic

Check if default security group does not restrict all inbound and outbound traffic.

Parameters

  • Parameters:

KICS: DOCDB Cluster Not Encrypted

AWS DOCDB Cluster storage should be encrypted

Parameters

  • Parameters:

KICS: DOCDB Cluster Without KMS

AWS DOCDB Cluster should be encrypted with a KMS encryption key

Parameters

  • Parameters:

KICS: DocDB Logging Is Disabled

DocDB logging should be enabled

Parameters

  • Parameters:

KICS: DynamoDB Table Not Encrypted

AWS DynamoDB Tables should have server-side encryption

Parameters

  • Parameters:

KICS: DynamoDB Table Point In Time Recovery Disabled

It's considered a best practice to have point in time recovery enabled for DynamoDB Table

Parameters

  • Parameters:

KICS: EBS Default Encryption Disabled

EBS Encryption should be enabled

Parameters

  • Parameters:

KICS: EBS Volume Encryption Disabled

EBS volumes should be encrypted

Parameters

  • Parameters:

KICS: EBS Volume Snapshot Not Encrypted

The value of AWS EBS Volume Snapshot Encryption must be true

Parameters

  • Parameters:

KICS: EC2 Instance Has Public IP

EC2 Instance should not have a public IP address.

Parameters

  • Parameters:

KICS: EC2 Instance Monitoring Disabled

EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled, data is available in 1-minute periods

Parameters

  • Parameters:

KICS: EC2 Instance Using Default Security Group

EC2 instances should not use default security group(s)

Parameters

  • Parameters:

KICS: EC2 Instance Using Default VPC

EC2 Instances should not be configured under a default VPC network

Parameters

  • Parameters:

KICS: EC2 Not EBS Optimized

It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance

Parameters

  • Parameters:

KICS: ECR Image Tag Not Immutable

ECR repositories should have immutable image tags. This prevents image tags from being overwritten.

Parameters

  • Parameters:

KICS: ECR Repository Is Publicly Accessible

Amazon ECR image repositories shouldn't have public access

Parameters

  • Parameters:

KICS: ECR Repository Not Encrypted With CMK

ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation

Parameters

  • Parameters:

KICS: ECR Repository Without Policy

ECR Repository should have Policies attached to it

Parameters

  • Parameters:

KICS: ECS Cluster with Container Insights Disabled

ECS Cluster should enable container insights

Parameters

  • Parameters:

KICS: ECS Service Admin Role Is Present

ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role

Parameters

  • Parameters:

KICS: ECS Service Without Running Tasks

ECS Service should have at least 1 task running

Parameters

  • Parameters:

'network_mode' should be 'awsvpc' in 'ecs_task_definition'. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations

Parameters

  • Parameters:

KICS: ECS Task Definition Volume Not Encrypted

AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted

Parameters

  • Parameters:

KICS: ECS Task Definition Container With Plaintext Password

It's not recommended to use plaintext environment variables for sensitive information, such as credential data.

Parameters

  • Parameters:

KICS: EFS Not Encrypted

Elastic File System (EFS) must be encrypted

Parameters

  • Parameters:

KICS: EFS With Vulnerable Policy

EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.

Parameters

  • Parameters:

KICS: EFS Without KMS

Amazon Elastic File System should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS-managed keys

Parameters

  • Parameters:

KICS: EKS Cluster Encryption Disabled

EKS Cluster should be encrypted

Parameters

  • Parameters:

KICS: EKS Cluster Has Public Access

Amazon EKS public endpoint should be set to false

Parameters

  • Parameters:

KICS: EKS Cluster Has Public Access CIDRs

Amazon EKS public endpoint is enabled and accessible to all: 0.0.0.0/0

Parameters

  • Parameters:

KICS: EKS cluster logging is not enabled

Amazon EKS control plane logging is not enabled

Parameters

  • Parameters:

KICS: EKS node group remote access disabled

EKS node group remote access is disabled when 'SourceSecurityGroups' is missing

Parameters

  • Parameters:

KICS: ElastiCache Nodes Not Created Across Multi AZ

ElastiCache Nodes should be created across multiple AZs, which means 'az_mode' should be set to 'cross-az' in multi-node clusters

Parameters

  • Parameters:

KICS: ElastiCache Redis Cluster Without Backup

ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0

Parameters

  • Parameters:

KICS: ElastiCache Replication Group Not Encrypted At Rest

ElastiCache Replication Group encryption should be enabled at Rest

Parameters

  • Parameters:

KICS: ElastiCache Replication Group Not Encrypted At Transit

ElastiCache Replication Group encryption should be enabled in transit

Parameters

  • Parameters:

KICS: ElastiCache Using Default Port

ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211

Parameters

  • Parameters:

KICS: ElastiCache Without VPC

ElastiCache should be launched in a Virtual Private Cloud (VPC)

Parameters

  • Parameters:

KICS: Elasticsearch Domain Not Encrypted Node To Node

Elasticsearch Domain encryption should be enabled node to node

Parameters

  • Parameters:

KICS: Elasticsearch Domain With Vulnerable Policy

Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.

Parameters

  • Parameters:

KICS: ElasticSearch Encryption With KMS Disabled

Check if any ElasticSearch domain isn't encrypted with KMS.

Parameters

  • Parameters:

KICS: Elasticsearch Log Disabled

AWS Elasticsearch should have logs enabled

Parameters

  • Parameters:

KICS: ElasticSearch Not Encrypted At Rest

Check if ElasticSearch encryption is disabled at Rest

Parameters

  • Parameters:

KICS: Elasticsearch Without IAM Authentication

AWS Elasticsearch should ensure IAM Authentication

Parameters

  • Parameters:

KICS: ElasticSearch Without Slow Logs

Ensure that AWS Elasticsearch enables support for slow logs

Parameters

  • Parameters:

KICS: ELB Access Log Disabled

ELB should have logging enabled to help on error investigation

Parameters

  • Parameters:

KICS: ELB Using Insecure Protocols

ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.

Parameters

  • Parameters:

KICS: ELB Using Weak Ciphers

ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.

Parameters

  • Parameters:

KICS: EMR Without VPC

Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)

Parameters

  • Parameters:

KICS: Global Accelerator Flow Logs Disabled

Global Accelerator should have flow logs enabled

Parameters

  • Parameters:

KICS: Glue Data Catalog Encryption Disabled

Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled

Parameters

  • Parameters:

KICS: Glue Security Configuration Encryption Disabled

Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled

Parameters

  • Parameters:

KICS: Glue With Vulnerable Policy

Glue policy should avoid wildcard in 'principals' and 'actions'

Parameters

  • Parameters:

KICS: GuardDuty Detector Disabled

Make sure that Amazon GuardDuty is Enabled

Parameters

  • Parameters:

KICS: Hardcoded AWS Access Key In Lambda

Lambda access/secret keys should not be hardcoded

Parameters

  • Parameters:

KICS: HTTP Port Open To Internet

The HTTP port is open to the internet in a Security Group

Parameters

  • Parameters:

KICS: IAM Access Key Is Exposed

IAM Access Key should not be active for root users

Parameters

  • Parameters:

KICS: IAM Database Auth Not Enabled

IAM Database Auth Enabled should be configured to true when using compatible engine and version

Parameters

  • Parameters:

KICS: IAM Group Without Users

IAM Group should have at least one user associated

Parameters

  • Parameters:

KICS: IAM Password Without Lowercase Letter

IAM Password should have at least one lowercase letter

Parameters

  • Parameters:

KICS: IAM Password Without Minimum Length

IAM password should have the required minimum length

Parameters

  • Parameters:

KICS: IAM Password Without Symbol

IAM password should have the required symbols

Parameters

  • Parameters:

KICS: IAM Password Without Uppercase Letter

IAM password should have at least one uppercase letter

Parameters

  • Parameters:

KICS: IAM Policies Attached To User

IAM policies should be attached only to groups or roles

Parameters

  • Parameters:

KICS: IAM Policies With Full Privileges

IAM policies shouldn't allow full administrative privileges (for all resources)

Parameters

  • Parameters:

KICS: IAM Policy Grants 'AssumeRole' Permission Across All Services

IAM Policy should not grant 'AssumeRole' permission across all services.

Parameters

  • Parameters:

KICS: IAM Policy Grants Full Permissions

IAM policy should not grant full permissions to resources from the get-go; instead, permissions should be granted gradually as necessary.

Parameters

  • Parameters:

KICS: IAM Role Allows All Principals To Assume

IAM role allows all services or principals to assume it

Parameters

  • Parameters:

KICS: IAM Role Policy passRole Allows All

Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources

Parameters

  • Parameters:

KICS: IAM Role With Full Privileges

IAM role policies should not allow full administrative privileges (for all resources)

Parameters

  • Parameters:

KICS: IAM User Policy Without MFA

Check if the root user is authenticated with MFA

Parameters

  • Parameters:

KICS: Instance With No VPC

EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.

Parameters

  • Parameters:

KICS: Kinesis Not Encrypted With KMS

AWS Kinesis Streams and metadata should be protected with KMS

Parameters

  • Parameters:

KICS: Kinesis SSE Not Configured

AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled

Parameters

  • Parameters:

KICS: KMS Key With No Deletion Window

AWS KMS Key should have a valid deletion window

Parameters

  • Parameters:

KICS: KMS Key With Vulnerable Policy

Checks if the policy is vulnerable and needs updating.

Parameters

  • Parameters:

KICS: Lambda Function With Privileged Role

It is not advisable for AWS Lambda Functions to have privileged permissions.

Parameters

  • Parameters:

KICS: Lambda Functions Without X-Ray Tracing

AWS Lambda functions should have TracingConfig enabled. For this, the property 'tracing_config.mode' should have the value 'Active'

Parameters

  • Parameters:

KICS: Lambda IAM InvokeFunction Misconfigured

Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction'

Parameters

  • Parameters:

KICS: Lambda Permission Misconfigured

Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction'

Parameters

  • Parameters:

KICS: Lambda Permission Principal Is Wildcard

Lambda Permission Principal should not contain a wildcard.

Parameters

  • Parameters:

KICS: Lambda With Vulnerable Policy

The attribute 'action' should not contain a wildcard

Parameters

  • Parameters:

KICS: Launch Configuration Is Not Encrypted

Launch Configuration EBS should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' argument should be set to true in each volume block

Parameters

  • Parameters:

KICS: Misconfigured Password Policy Expiration

The IAM password policy has no password expiration configured

Parameters

  • Parameters:

KICS: Missing Cluster Log Types

Amazon EKS control plane logging is not enabled for all log types

Parameters

  • Parameters:

KICS: MQ Broker Is Publicly Accessible

Check that no MQ Broker is publicly accessible

Parameters

  • Parameters:

KICS: MQ Broker Logging Disabled

Check whether MQ Brokers lack logging in either of the two possible options (audit and general).

Parameters

  • Parameters:

KICS: MSK Broker Is Publicly Accessible

Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible

Parameters

  • Parameters:

KICS: MSK Cluster Encryption Disabled

Ensure MSK Cluster encryption at rest and in transit is enabled

Parameters

  • Parameters:

KICS: MSK Cluster Logging Disabled

Ensure MSK Cluster Logging is enabled

Parameters

  • Parameters:

KICS: Neptune Cluster Instance is Publicly Accessible

Neptune Cluster Instance should not be publicly accessible

Parameters

  • Parameters:

KICS: Neptune Cluster With IAM Database Authentication Disabled

Neptune Cluster should have IAM Database Authentication enabled

Parameters

  • Parameters:

KICS: Neptune Database Cluster Encryption Disabled

Neptune database cluster storage should have encryption enabled

Parameters

  • Parameters:

KICS: Neptune Logging Is Disabled

Neptune logging should be enabled

Parameters

  • Parameters:

KICS: Network ACL With Unrestricted Access To RDP

'RDP' (TCP:3389) should not be public in AWS Network ACL

Parameters

  • Parameters:

KICS: Network ACL With Unrestricted Access To SSH

'SSH' (TCP:22) should not be public in AWS Network ACL

Parameters

  • Parameters:

KICS: No Password Policy Enabled

IAM password policies should be set through the password minimum length and reset password attributes

Parameters

  • Parameters:

KICS: No Stack Policy

AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions

Parameters

  • Parameters:

KICS: Password Without Reuse Prevention

Check that the IAM account password policy has password reuse prevention configured to 24

Parameters

  • Parameters:

KICS: Policy Without Principal

All policies, except IAM identity-based policies, should have the 'Principal' element defined

Parameters

  • Parameters:

KICS: Public Lambda via API Gateway

Allows a Lambda function to be invoked through a public API Gateway

Parameters

  • Parameters:

KICS: RDS Associated with Public Subnet

RDS should not run in a public subnet

Parameters

  • Parameters:

KICS: RDS Database Cluster not Encrypted

RDS Database Cluster Encryption should be enabled

Parameters

  • Parameters:

KICS: RDS Storage Not Encrypted

RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'

Parameters

  • Parameters:

KICS: RDS Using Default Port

RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433

Parameters

  • Parameters:

KICS: RDS With Backup Disabled

Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup

Parameters

  • Parameters:

KICS: RDS Without Logging

RDS instance does not have any kind of logging enabled

Parameters

  • Parameters:

KICS: Redis Disabled

ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'

Parameters

  • Parameters:

KICS: Redis Not Compliant

Check if the Redis version is compliant with the necessary AWS PCI DSS requirements

Parameters

  • Parameters:

KICS: Redshift Cluster Logging Disabled

Make sure Logging is enabled for Redshift Cluster

Parameters

  • Parameters:

KICS: Redshift Cluster Without VPC

Redshift Cluster should be configured in VPC (Virtual Private Cloud)

Parameters

  • Parameters:

KICS: Redshift Not Encrypted

AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)

Parameters

  • Parameters:

KICS: Redshift Publicly Accessible

AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)

Parameters

  • Parameters:

KICS: Redshift Using Default Port

Redshift should not use the default port (5439) because an attacker can easily guess the port

Parameters

  • Parameters:

KICS: Remote Desktop Port Open To Internet

The Remote Desktop port is open to the internet in a Security Group

Parameters

  • Parameters:

KICS: Resource Not Using Tags

AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'

Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:AddUserToGroup'

Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'

Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'

Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'

Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:CreateAccessKey'

Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'

Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'

Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'

Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'

Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'

Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'

Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'

Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:PutRolePolicy'

Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:PutUserPolicy'

Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'

Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'

Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'

Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'

Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: Root Account Has Active Access Keys

The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.

Parameters

  • Parameters:

KICS: Route53 Record Undefined

Check if Record is set

Parameters

  • Parameters:

KICS: S3 Bucket Access to Any Principal

S3 Buckets must not allow Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals

Parameters

  • Parameters:

KICS: S3 Bucket ACL Allows Read Or Write to All Users

S3 Buckets should not be readable and writable to all users

Parameters

  • Parameters:

KICS: S3 Bucket ACL Allows Read to Any Authenticated User

S3 Buckets should not be readable to any authenticated user

Parameters

  • Parameters:

KICS: S3 Bucket ACL Grants WRITE_ACP Permission

S3 Buckets should not allow WRITE_ACP permission on the S3 Bucket Access Control List, in order to prevent AWS accounts or IAM users from modifying access control permissions on the bucket.

Parameters

  • Parameters:

KICS: S3 Bucket Allows Delete Action From All Principals

S3 Buckets must not allow Delete Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.

Parameters

  • Parameters:

KICS: S3 Bucket Allows Get Action From All Principals

S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.

Parameters

  • Parameters:

KICS: S3 Bucket Allows List Action From All Principals

S3 Buckets must not allow List Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.

Parameters

  • Parameters:

KICS: S3 Bucket Allows Public ACL

S3 bucket allows public ACL

Parameters

  • Parameters:

KICS: S3 Bucket Allows Put Action From All Principals

S3 Buckets must not allow Put Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.

Parameters

  • Parameters:

KICS: S3 Bucket Object Not Encrypted

S3 Bucket Object should have server-side encryption enabled

Parameters

  • Parameters:

KICS: S3 Bucket Policy Accepts HTTP Requests

S3 Bucket policy should not accept HTTP Requests

Parameters

  • Parameters:

KICS: S3 Bucket With All Permissions

S3 Buckets should not grant all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.

Parameters

  • Parameters:

KICS: S3 Bucket Allows Public Policy

S3 bucket allows public policy

Parameters

  • Parameters:

KICS: S3 Bucket with Unsecured CORS Rule

If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure

Parameters

  • Parameters:

KICS: S3 Bucket Without Ignore Public ACL

S3 bucket does not ignore public ACLs

Parameters

  • Parameters:

KICS: S3 Bucket Without Restriction Of Public Bucket

S3 bucket does not restrict public buckets

Parameters

  • Parameters:

KICS: S3 Bucket Without Versioning

S3 bucket should have versioning enabled

Parameters

  • Parameters:

KICS: S3 Static Website Host Enabled

Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.

Parameters

  • Parameters:

KICS: Sagemaker Endpoint Configuration Encryption Disabled

Sagemaker endpoint configuration should encrypt data

Parameters

  • Parameters:

KICS: Sagemaker Notebook Instance Without KMS

AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS key

Parameters

  • Parameters:

KICS: Secrets Manager With Vulnerable Policy

Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'

Parameters

  • Parameters:

KICS: Secretsmanager Secret Without KMS

AWS Secrets Manager should use an AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret

Parameters

  • Parameters:

KICS: Secure Ciphers Disabled

Check if secure ciphers aren't used in CloudFront

Parameters

  • Parameters:

KICS: Security Group Rule Without Description

It's considered a best practice for all rules in AWS Security Group to have a description

Parameters

  • Parameters:

KICS: Security Group With Unrestricted Access To SSH

'SSH' (TCP:22) should not be public in AWS Security Group

Parameters

  • Parameters:

KICS: Security Group Rule Without Description

It's considered a best practice for AWS Security Group to have a description

Parameters

  • Parameters:

KICS: Security Group Not Used

Security group must be used or not declared

Parameters

  • Parameters:

KICS: Sensitive Port Is Exposed To Entire Network

A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol

Parameters

  • Parameters:

KICS: Sensitive Port Is Exposed To Small Public Network

A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol

Parameters

  • Parameters:

KICS: Sensitive Port Is Exposed To Wide Private Network

A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol

Parameters

  • Parameters:

KICS: Service Control Policies Disabled

Check that the AWS Organizations organization has all features enabled, in order to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).

Parameters

  • Parameters:

KICS: SES Policy With Allowed IAM Actions

SES policy should not allow IAM actions to all principals

Parameters

  • Parameters:

KICS: Shield Advanced Not In Use

AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks

Parameters

  • Parameters:

KICS: SNS Topic is Publicly Accessible

SNS Topic Policy should not allow any principal to access

Parameters

  • Parameters:

KICS: SNS Topic Not Encrypted

SNS (Simple Notification Service) Topic should be encrypted

Parameters

  • Parameters:

KICS: SNS Topic Publicity Has Allow and NotAction Simultaneously

SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.

Parameters

  • Parameters:

KICS: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible

Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.

Parameters

  • Parameters:

KICS: SQS Policy Allows All Actions

SQS policy allows ALL (*) actions

Parameters

  • Parameters:

KICS: SQS Policy With Public Access

Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue

Parameters

  • Parameters:

KICS: SQS Queue Exposed

Checks if the SQS Queue is exposed

Parameters

  • Parameters:

KICS: SQS With SSE Disabled

Amazon Simple Queue Service (SQS) queues should protect the contents of their messages using Server-Side Encryption (SSE)

Parameters

  • Parameters:

KICS: SSM Session Transit Encryption Disabled

SSM Session should be encrypted in transit

Parameters

  • Parameters:

KICS: Stack Notifications Disabled

AWS CloudFormation should have stack notifications enabled to be notified when an event occurs

Parameters

  • Parameters:

KICS: Stack Retention Disabled

Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction

Parameters

  • Parameters:

KICS: Stack Without Template

AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body

Parameters

  • Parameters:

KICS: Unknown Port Exposed To Internet

AWS Security Group should not have an unknown port exposed to the entire Internet

Parameters

  • Parameters:

KICS: Unrestricted Security Group Ingress

Security groups allow ingress from 0.0.0.0/0

Parameters

  • Parameters:

KICS: Unscanned ECR Image

Checks if the ECR Image has been scanned

Parameters

  • Parameters:

KICS: User Data Contains Encoded Private Key

User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily

Parameters

  • Parameters:

KICS: User Data Shell Script Is Encoded

User Data Shell Script must be encoded

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'

User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:AddUserToGroup'

User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'

User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:AttachRolePolicy'

User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:AttachUserPolicy'

User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:CreateAccessKey'

User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:CreateLoginProfile'

User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'

User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'

User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'

User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'

User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'

User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:PutGroupPolicy'

User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:PutRolePolicy'

User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:PutUserPolicy'

User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'

User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'

User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'

User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'

User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

  • Parameters:

KICS: VPC Default Security Group Accepts All Traffic

Default Security Group attached to every VPC should restrict all traffic

Parameters

  • Parameters:

KICS: VPC FlowLogs Disabled

Every VPC resource should have an associated Flow Log

Parameters

  • Parameters:

KICS: VPC Subnet Assigns Public IP

VPC Subnet should not assign public IP

Parameters

  • Parameters:

KICS: VPC Without Network Firewall

VPC should have a Network Firewall associated

Parameters

  • Parameters:

KICS: Vulnerable Default SSL Certificate

CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.

Parameters

  • Parameters:

KICS: Workspaces Workspace Volume Not Encrypted

AWS Workspaces Workspace data stored in volumes should be encrypted

Parameters

  • Parameters:

AWS: Lambda: Prohibit publicly accessible Lambda functions

Requires AWS/Lambda Function Permissions to include an AWS account ID principal, principal_org_id, source_account AWS account ID, or source_arn resource ARN to prevent public access. Checks resources with type 'aws_lambda_permission'.

Parameters

None


AWS: Security Groups: Restrict Ingress from public IPs

Require AWS/Security Groups to allow ingress from private IPv4 CIDRs only. Private IPv4 CIDR IP ranges: "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16". Checks resources with type 'aws_security_group'.

Parameters

None


AWS: Security Groups: Ingress Allow only whitelisted CIDR and Ports

Require AWS/Security Groups to have ingress from whitelisted CIDR blocks on whitelisted ports. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_security_group'.

Parameters

  • Parameters:

    • allowed_cidr_ports

      • Type: object
      • Unique: false
  • Required Parameters: allowed_cidr_ports

AWS: Security Groups: Ingress Allow only whitelisted Ports

Require AWS/Security Groups to allow only whitelisted ports for CIDR "0.0.0.0/0". Checks resources with type 'aws_security_group'.

Parameters

  • Parameters:

    • allowed_ports

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ports

AWS: OpenSearch: Prohibit OpenSearch Domains with disabled encryption at rest

Require AWS/OpenSearch domains to have encryption at rest enabled. Checks resources with type 'aws_opensearch_domain'.

Parameters

None


AWS: Opensearch: Prohibit Opensearch Domains with disabled node to node encryption

Require AWS/Opensearch domains to have node to node encryption enabled. Checks resources with type 'aws_opensearch_domain'.

Parameters

None


AWS: Opensearch: Prohibit Opensearch Domains not created in VPC

Require AWS/Opensearch domains to have subnets added in vpc_options. Checks resources with type 'aws_opensearch_domain'.

Parameters

None


AWS: RDS: Prohibit RDS instance with disabled automatic minor version upgrade

Require AWS/RDS instances to have automatic minor version upgrade enabled. Checks resources with type 'aws_db_instance'.

Parameters

None


AWS: RDS: Prohibit RDS instances with disabled IAM database authentication

Require AWS/RDS instances to have IAM authentication enabled. Checks resources with type 'aws_db_instance'.

Parameters

None


AWS: RDS: Prohibit publicly accessible RDS instances

Require AWS/RDS instances to not be publicly accessible. Checks resources with type 'aws_db_instance'.

Parameters

None


AWS: RDS: Prohibit RDS clusters with disabled IAM authentication

Require AWS/RDS clusters to have IAM authentication enabled. Checks resources with type 'aws_rds_cluster'.

Parameters

None


AWS: RDS: Prohibit RDS instances with disabled CloudWatch log exports

Require AWS/RDS instances to have CloudWatch log exports enabled. Checks resources with type 'aws_db_instance'.

Parameters

None


AWS: Redshift: Prohibit Redshift cluster with disabled enhanced VPC routing

Require AWS/Redshift cluster to have enhanced VPC routing enabled. Checks resources with type 'aws_redshift_cluster'.

Parameters

None


AWS: Redshift: Prohibit publicly accessible Redshift cluster

Require AWS/Redshift cluster to not be publicly accessible. Checks resources with type 'aws_redshift_cluster'.

Parameters

None


AWS: S3: Block All Public Access to Buckets

Require AWS/S3 buckets to have blocked all public access. Checks resources with type 'aws_s3_bucket' along with 'aws_s3_bucket_public_access_block'.

Parameters

None


AWS: S3: Ensure Logging is Enabled in S3 Buckets

Require AWS/S3 buckets to have logging enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider: in v4 bucket logging is configured through the separate 'aws_s3_bucket_logging' resource, which this policy does not inspect.

Parameters

None


AWS: S3: Prohibit Bucket Policies containing An Asterisk In Actions

Require AWS/S3 bucket policy to not use asterisk in 'Action'. Checks resources with type 'aws_s3_bucket_policy'.

Parameters

None


AWS: S3: Prohibit Unencrypted Buckets

Require AWS/S3 buckets to be encrypted. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider: in v4 bucket encryption is configured through the separate 'aws_s3_bucket_server_side_encryption_configuration' resource, which this policy does not inspect.

Parameters

None


AWS: S3: Prohibit Unencrypted Bucket Object

Require AWS/S3 bucket objects to be server side encrypted. Checks resources with type 'aws_s3_bucket_object'. This policy is only compatible with v3 of the Terraform AWS provider: v4 deprecates 'aws_s3_bucket_object' in favour of 'aws_s3_object', which this policy does not inspect.

Parameters

None


AWS: S3: Ensure Versioning is Enabled for S3 Buckets

Require AWS/S3 buckets to have versioning enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider: in v4 versioning is configured through the separate 'aws_s3_bucket_versioning' resource, which this policy does not inspect.

Parameters

None


AWS: S3: Restrict S3 buckets with unapproved ACL

Require AWS/S3 buckets to use a canned ACL from a pre-approved list. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider: in v4 the ACL is configured through the separate 'aws_s3_bucket_acl' resource, which this policy does not inspect.

Parameters

  • Parameters:

    • allowed_acls

      • Type: array
      • Unique: true
  • Required Parameters: allowed_acls

AWS: S3: Allow ingress only from whitelisted IPs

Require AWS/S3 bucket policies to restrict access to whitelisted source IPs. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_s3_bucket_policy'.

Parameters

  • Parameters:

    • allowed_ips

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ips
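The two bucket-policy rules, 'Prohibit Bucket Policies containing An Asterisk In Actions' and 'Allow ingress only from whitelisted IPs', worked as one added Python example (not the library's Rego and not Styra's code). The 'aws_s3_bucket_policy' resource and its policy document are constructed for the example, in the shape 'terraform show -json' would give them. How the IP rule judges an Allow statement is an assumption, since the page does not say: every Allow statement must carry an 'IpAddress'/'aws:SourceIp' condition and each CIDR in it must fall inside an allowed one.

```python
import ipaddress
import json

# Constructed aws_s3_bucket_policy resource (plan shape); the 'policy' attribute is the
# JSON string Terraform carries. Not a real plan.
BUCKET_POLICY = {
    "type": "aws_s3_bucket_policy", "address": "aws_s3_bucket_policy.reports",
    "values": {"bucket": "reports", "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OfficeRead", "Effect": "Allow", "Principal": "*",
             "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::reports/*",
             "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
            {"Sid": "Ops", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/ops"},
             "Action": "s3:*", "Resource": "arn:aws:s3:::reports"},
        ]})}}


def as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(resource):
    return as_list(json.loads(resource["values"]["policy"]).get("Statement"))


def wildcard_actions(resource):
    """Rule 'Asterisk In Actions': (Sid, action) for every Action containing '*'."""
    return [(s.get("Sid"), a) for s in statements(resource)
            for a in as_list(s.get("Action")) if "*" in a]


def source_ip_violations(resource, allowed_ips):
    """Rule 'whitelisted IPs' under the assumption stated in the lead-in.
    Returns (Sid, cidr) per offending CIDR, or (Sid, None) when a statement has no
    aws:SourceIp condition at all. '*' in allowed_ips allows everything."""
    if "*" in allowed_ips:
        return []
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_ips]
    out = []
    for s in statements(resource):
        if s.get("Effect") != "Allow":
            continue
        sources = as_list(s.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp"))
        if not sources:
            out.append((s.get("Sid"), None))
            continue
        for src in sources:
            net = ipaddress.ip_network(src, strict=False)
            if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                out.append((s.get("Sid"), src))
    return out


if __name__ == "__main__":
    print("wildcard actions:", wildcard_actions(BUCKET_POLICY))
    print("source IP violations:", source_ip_violations(BUCKET_POLICY, ["203.0.113.0/24"]))
```

Normalising 'Statement' and 'Action' through 'as_list' matters: IAM accepts both a single string and a list, and a checker that only handles one form silently passes the other.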

AWS: SageMaker: Prohibit SageMaker Notebook instance with direct internet access enabled

Require AWS/SageMaker instance to have direct internet access disabled. Checks resources with type 'aws_sagemaker_notebook_instance'.

Parameters

None


AWS: SSM: Prohibit publicly accessible SSM documents

Require AWS/SSM Document not to be publicly accessible. Checks resources with type 'aws_ssm_document'.

Parameters

None


Azure: IAM: Prohibit assignment of Owner role

Require Azure/IAM role assignment to not have owner role assigned to any principal. Checks resources with type 'azurerm_role_assignment'.

Parameters

None


KICS: AD Admin Not Configured For SQL Server

The Active Directory Administrator is not configured for a SQL server

Parameters

  • Parameters:

KICS: Admin User Enabled For Container Registry

Admin user is enabled for Container Registry

Parameters

  • Parameters:

KICS: AKS Disk Encryption Set ID Undefined

Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk

Parameters

  • Parameters:

KICS: AKS Network Policy Misconfigured

Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined

Parameters

  • Parameters:

KICS: AKS Private Cluster Disabled

Azure Kubernetes Service (AKS) API should not be exposed to the internet

Parameters

  • Parameters:

KICS: AKS RBAC Disabled

Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled

Parameters

  • Parameters:

KICS: AKS Uses Azure Policies Add-On Disabled

Azure Container Service (AKS) should use Azure Policies Add-On

Parameters

  • Parameters:

KICS: App Service Authentication Disabled

Azure App Service authentication settings should be enabled

Parameters

  • Parameters:

KICS: App Service FTPS Enforce Disabled

Azure App Service should enforce FTPS-only transfers, which means 'ftps_state' should be set to 'FtpsOnly'

Parameters

  • Parameters:

KICS: App Service HTTP2 Disabled

App Service should have 'http2_enabled' enabled

Parameters

  • Parameters:

KICS: App Service Managed Identity Disabled

Azure App Service should have managed identity enabled

Parameters

  • Parameters:

KICS: App Service Not Using Latest TLS Encryption Version

Ensure App Service is using the latest version of TLS encryption

Parameters

  • Parameters:

KICS: App Service Without Latest PHP Version

Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.

Parameters

  • Parameters:

KICS: App Service Without Latest Python Version

Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.

Parameters

  • Parameters:

KICS: Azure Active Directory Authentication

Azure Active Directory must be used for authentication for Service Fabric

Parameters

  • Parameters:

KICS: Azure App Service Client Certificate Disabled

Azure App Service client certificate should be enabled

Parameters

  • Parameters:

KICS: Azure Cognitive Search Public Network Access Enabled

Public Network Access should be disabled for Azure Cognitive Search

Parameters

  • Parameters:

KICS: Azure Container Registry With No Locks

Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'

Parameters

  • Parameters:

KICS: Azure Front Door WAF Disabled

Azure Front Door WAF should be enabled

Parameters

  • Parameters:

KICS: Cosmos DB Account Without Tags

Cosmos DB Account must have a mapping of tags.

Parameters

  • Parameters:

KICS: CosmosDB Account IP Range Filter Not Set

The IP range filter should be defined to secure the data stored

Parameters

  • Parameters:

KICS: Dashboard Is Enabled

Check if the Kubernetes Dashboard is enabled.

Parameters

  • Parameters:

KICS: Default Azure Storage Account Network Access Is Too Permissive

Default Azure Storage Account network access should be set to Deny

Parameters

  • Parameters:

KICS: Default Network Access is Allowed

Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'

Parameters

  • Parameters:

KICS: Email Alerts Disabled

Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact

Parameters

  • Parameters:

KICS: Encryption On Managed Disk Disabled

Ensure that the encryption is active on the disk

Parameters

  • Parameters:

KICS: Firewall Rule Allows Too Many Hosts To Access Redis Cache

Check if any firewall rule allows too many hosts to access Redis Cache

Parameters

  • Parameters:

KICS: Function App Authentication Disabled

Azure Function App authentication settings should be enabled

Parameters

  • Parameters:

KICS: Function App Client Certificates Unrequired

Azure Function App should have 'client_cert_mode' set to 'Required'

Parameters

  • Parameters:

KICS: Function App FTPS Enforce Disabled

Azure Function App should enforce FTPS-only transfers, which means 'ftps_state' should be set to 'FtpsOnly'

Parameters

  • Parameters:

KICS: Function App HTTP2 Disabled

Function App should have 'http2_enabled' enabled

Parameters

  • Parameters:

KICS: Function App Managed Identity Disabled

Azure Function App should have managed identity enabled

Parameters

  • Parameters:

KICS: Function App Not Using Latest TLS Encryption Version

Ensure Function App is using the latest version of TLS encryption

Parameters

  • Parameters:

KICS: Geo Redundancy Is Disabled

Make sure that on PostgreSQL Geo Redundant Backups is enabled

Parameters

  • Parameters:

KICS: Key Expiration Not Set

Make sure that for all keys the expiration date is set

Parameters

  • Parameters:

KICS: Key Vault Secrets Content Type Undefined

Key Vault Secrets should have set Content Type

Parameters

  • Parameters:

KICS: Log Retention Is Not Set

Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'

Parameters

  • Parameters:

KICS: MariaDB Server Public Network Access Enabled

MariaDB Server Public Network Access should be disabled

Parameters

  • Parameters:

KICS: MariaDB Server Geo-redundant Backup Disabled

MariaDB Server Geo-redundant Backup should be enabled

Parameters

  • Parameters:

KICS: MSSQL Server Auditing Disabled

Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'

Parameters

  • Parameters:

KICS: MSSQL Server Public Network Access Enabled

MSSQL Server public network access should be disabled

Parameters

  • Parameters:

KICS: MySQL Server Public Access Enabled

MySQL Server public access should be disabled

Parameters

  • Parameters:

KICS: MySQL SSL Connection Disabled

Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled

Parameters

  • Parameters:

KICS: Network Interfaces With Public IP

Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)

Parameters

  • Parameters:

KICS: Network Interfaces IP Forwarding Enabled

Network Interfaces IP Forwarding should be disabled

Parameters

  • Parameters:

KICS: Network Watcher Flow Disabled

Check if the 'enabled' field of the resource 'azurerm_network_watcher_flow_log' is false.

Parameters

  • Parameters:

KICS: PostgreSQL Log Checkpoints Disabled

Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON'

Parameters

  • Parameters:

KICS: PostgreSQL Log Connections Not Set

Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'

Parameters

  • Parameters:

KICS: PostgreSQL Log Duration Not Set

Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'

Parameters

  • Parameters:

KICS: PostgreSQL Server Infrastructure Encryption Disabled

PostgreSQL Server Infrastructure Encryption should be enabled

Parameters

  • Parameters:

KICS: PostgreSQL Server Without Connection Throttling

Ensure that Connection Throttling is set for the PostgreSQL server

Parameters

  • Parameters:

KICS: PostgreSQL Log Disconnections Not Set

Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'

Parameters

  • Parameters:

KICS: PostgreSQL Server Threat Detection Policy Disabled

PostgreSQL Server Threat Detection Policy should be enabled

Parameters

  • Parameters:

KICS: Public Storage Account

Storage Account should not be public, following the principle of least privilege

Parameters

  • Parameters:

KICS: RDP Is Exposed To The Internet

Port 3389 (Remote Desktop) is exposed to the internet

Parameters

  • Parameters:

KICS: Redis Cache Allows Non SSL Connections

Redis Cache resources should not allow non-SSL connections

Parameters

  • Parameters:

KICS: Redis Entirely Accessible

Firewall rule allowing unrestricted access to Redis from the Internet

Parameters

  • Parameters:

KICS: Redis Not Updated Regularly

Redis Cache is not configured to be updated regularly with security and operational updates

Parameters

  • Parameters:

KICS: Redis Publicly Accessible

Firewall rule allowing unrestricted access to Redis from other Azure sources

Parameters

  • Parameters:

KICS: Role Assignment Not Limit Guest User Permissions

Role Assignment should limit guest user permissions

Parameters

  • Parameters:

KICS: Role Assignment Of Guest Users

There is a role assignment for a guest user

Parameters

  • Parameters:

KICS: Role Definition Allows Custom Role Creation

Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)

Parameters

  • Parameters:

KICS: Secret Expiration Not Set

Make sure that for all secrets the expiration date is set

Parameters

  • Parameters:

KICS: Security Center Pricing Tier Is Not Standard

Make sure that the 'Standard' pricing tier is selected.

Parameters

  • Parameters:

KICS: Security Contact Email

Security Contact Email should be defined

Parameters

  • Parameters:

KICS: Security Group is Not Configured

Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty

Parameters

  • Parameters:

KICS: Sensitive Port Is Exposed To Entire Network

A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol

Parameters

  • Parameters:

KICS: Sensitive Port Is Exposed To Small Public Network

A sensitive port, such as port 23 or port 110, is open for small public network in either TCP or UDP protocol

Parameters

  • Parameters:

KICS: Sensitive Port Is Exposed To Wide Private Network

A sensitive port, such as port 23 or port 110, is open for wide private network in either TCP or UDP protocol

Parameters

  • Parameters:

KICS: Small Activity Log Retention Period

Ensure that Activity Log Retention is set to 365 days or greater

Parameters

  • Parameters:

KICS: Small Flow Logs Retention Period

Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches

Parameters

  • Parameters:

KICS: Small MSSQL Server Audit Retention

Make sure for SQL Servers that Auditing Retention is greater than 90 days

Parameters

  • Parameters:

KICS: Small MSSQL Audit Retention Period

Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days

Parameters

  • Parameters:

KICS: Small PostgreSQL DB Server Log Retention Period

Check if PostgreSQL Database Server retains logs for less than 3 Days

Parameters

  • Parameters:

KICS: SQL Database Audit Disabled

Ensure that 'Threat Detection' is enabled for Azure SQL Database

Parameters

  • Parameters:

KICS: SQL Server Alert Email Disabled

SQL Server alert email should be enabled

Parameters

  • Parameters:

KICS: SQL Server Auditing Disabled

Make sure that for SQL Servers, 'Auditing' is set to 'On'

Parameters

  • Parameters:

KICS: SQLServer Ingress From Any IP

Check if all IPs are allowed, i.e. a firewall rule spanning from start address 0.0.0.0 to end address 255.255.255.255.

Parameters

  • Parameters:

KICS: SQL Server Predictable Active Directory Account Name

Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict

Parameters

  • Parameters:

KICS: SQL Server Predictable Admin Account Name

Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict

Parameters

  • Parameters:

KICS: SSH Is Exposed To The Internet

Port 22 (SSH) is exposed to the internet

Parameters

  • Parameters:

KICS: SSL Enforce Disabled

Make sure that for PostgreSQL, 'Enforce SSL connection' is set to 'ENABLED'

Parameters

  • Parameters:

KICS: Storage Account Not Forcing HTTPS

Storage Accounts should enforce the use of HTTPS

Parameters

  • Parameters:

KICS: Storage Account Not Using Latest TLS Encryption Version

Ensure Storage Account is using the latest version of TLS encryption

Parameters

  • Parameters:

KICS: Storage Container Is Publicly Accessible

Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage

Parameters

  • Parameters:

KICS: Storage Share File Allows All ACL Permissions

Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).

Parameters

  • Parameters:

KICS: Storage Table Allows All ACL Permissions

Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).

Parameters

  • Parameters:

KICS: Trusted Microsoft Services Not Enabled

Trusted Microsoft Services should be enabled for Storage Account access

Parameters

  • Parameters:

KICS: Unrestricted SQL Server Access

Azure SQL Server accessibility should be limited to a minimal address range, following the principle of least privilege, which means the difference between the values of 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both IPs must be different from '0.0.0.0' (the 0.0.0.0 to 0.0.0.0 rule Azure uses to admit all Azure services is therefore also flagged).

Parameters

  • Parameters:
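The two Azure SQL firewall rules, 'SQLServer Ingress From Any IP' and 'Unrestricted SQL Server Access', worked as one added Python example (not KICS's own query and not Styra's code). The 'azurerm_sql_firewall_rule' resources are constructed in the shape 'terraform show -json' would give them, and accepting 'azurerm_mssql_firewall_rule' under the same check is an assumption of this example.

```python
import ipaddress

FIREWALL_RULE_TYPES = {"azurerm_sql_firewall_rule", "azurerm_mssql_firewall_rule"}  # second one assumed

# Constructed plan resources; not a real plan.
RULES = [
    {"type": "azurerm_sql_firewall_rule", "address": "azurerm_sql_firewall_rule.office",
     "values": {"start_ip_address": "203.0.113.0", "end_ip_address": "203.0.113.255"}},
    {"type": "azurerm_sql_firewall_rule", "address": "azurerm_sql_firewall_rule.everyone",
     "values": {"start_ip_address": "0.0.0.0", "end_ip_address": "255.255.255.255"}},
    {"type": "azurerm_sql_firewall_rule", "address": "azurerm_sql_firewall_rule.wide",
     "values": {"start_ip_address": "198.51.100.0", "end_ip_address": "198.51.101.0"}},
    # Azure's convention for "allow all Azure services": flagged by the range rule.
    {"type": "azurerm_mssql_firewall_rule", "address": "azurerm_mssql_firewall_rule.azure_services",
     "values": {"start_ip_address": "0.0.0.0", "end_ip_address": "0.0.0.0"}},
]


def ip_int(address):
    return int(ipaddress.IPv4Address(address))


def allows_any_ip(values):
    """'SQLServer Ingress From Any IP': the full 0.0.0.0 - 255.255.255.255 span."""
    return values["start_ip_address"] == "0.0.0.0" and values["end_ip_address"] == "255.255.255.255"


def unrestricted(values):
    """'Unrestricted SQL Server Access': end - start must be < 256 and neither end may be 0.0.0.0."""
    start, end = ip_int(values["start_ip_address"]), ip_int(values["end_ip_address"])
    return (end - start) >= 256 or "0.0.0.0" in (values["start_ip_address"], values["end_ip_address"])


def evaluate(resources):
    """Map each firewall rule address to the verdict of both checks."""
    return {r["address"]: {"any_ip": allows_any_ip(r["values"]), "unrestricted": unrestricted(r["values"])}
            for r in resources if r["type"] in FIREWALL_RULE_TYPES}


if __name__ == "__main__":
    for address, verdict in evaluate(RULES).items():
        print(address, verdict)
```

The 'wide' rule spans exactly 256 addresses and fails the range check while passing the any-IP check, which is why both rules exist: the first catches only the fully open case.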

KICS: Vault Auditing Disabled

Ensure that logging for Azure KeyVault is 'Enabled'

Parameters

  • Parameters:

KICS: Virtual Network with DDoS Protection Plan disabled

Virtual Network should have DDoS Protection Plan enabled

Parameters

  • Parameters:

KICS: VM Not Attached To Network

No Network Security Group is attached to the Virtual Machine

Parameters

  • Parameters:

KICS: WAF Is Disabled For Azure Application Gateway

Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.

Parameters

  • Parameters:

KICS: Web App Accepting Traffic Other Than HTTPS

Web app should only accept HTTPS traffic in Azure Web App Service.

Parameters

  • Parameters:

Azure: MariaDB: Prohibit backup disabled MariaDB database

Require Azure/MariaDB database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mariadb_server'.

Parameters

None


Azure: MySQL: Prohibit backup disabled MySQL database

Require Azure/MySQL database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mysql_server'.

Parameters

None


Azure: Security Groups: Block port 22 for '0.0.0.0/0'

Azure/Network Security Groups should block inbound traffic on port 22 from "0.0.0.0/0" or "*". Checks resources with type 'azurerm_network_security_group'.

Parameters

None


Azure: Postgres: Prohibit backup disabled Postgres database

Require Azure/Postgres database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_postgresql_server'.

Parameters

None


Azure: Storage Account: Deny Unencrypted transit

Azure/Storage Account should accept requests from secure connections (https) only. Checks resources with type 'azurerm_storage_account'.

Parameters

None


GCP: Service Account: Prohibit using default Service Account

Requires custom service account for google_compute_instance resource. Checks resources with type 'google_compute_instance'.

Parameters

None


GCP: Bigquery Dataset: Prohibit Dataset accessible to all authenticated users

Restrict public accessibility of google_bigquery_dataset resources. Checks resources with type 'google_bigquery_dataset'.

Parameters

None


GCP: IAM: Prohibit service account with admin privileges

Prohibit granting admin privileges to a service account through a google_project_iam_member resource. Checks resources with type 'google_project_iam_member'.

Parameters

None


KICS: BigQuery Dataset Is Public

BigQuery dataset is anonymously or publicly accessible

Parameters

  • Parameters:

KICS: Client Certificate Disabled

Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true

Parameters

  • Parameters:

KICS: Cloud DNS Without DNSSEC

DNSSEC must be enabled for Cloud DNS

Parameters

  • Parameters:

KICS: Cloud Storage Anonymous or Publicly Accessible

Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'

Parameters

  • Parameters:

KICS: Cloud Storage Bucket Is Publicly Accessible

Cloud Storage Bucket is anonymously or publicly accessible

Parameters

  • Parameters:

KICS: Cloud Storage Bucket Logging Not Enabled

Cloud storage bucket should have logging enabled

Parameters

  • Parameters:

KICS: Cloud Storage Bucket Versioning Disabled

Cloud Storage Bucket should have versioning enabled

Parameters

  • Parameters:

KICS: Cluster Labels Disabled

Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined

Parameters

  • Parameters:

KICS: Cluster Master Authentication Disabled

Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty. Note that this rule and 'GKE Basic Authentication Enabled' below make opposite demands on the same 'master_auth' block, so a cluster cannot satisfy both; enable only one of them.

Parameters

  • Parameters:

KICS: COS Node Image Not Used

The node image should be Container-Optimized OS(COS)

Parameters

  • Parameters:

KICS: Disk Encryption Disabled

VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined

Parameters

  • Parameters:

KICS: DNSSEC Using RSASHA1

DNSSEC should not use the RSASHA1 algorithm, which means that within the 'dnssec_config' block no 'default_key_specs' block may have its 'algorithm' field set to 'rsasha1'.

Parameters

  • Parameters:

KICS: GKE Basic Authentication Enabled

GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty

Parameters

  • Parameters:

KICS: GKE Legacy Authorization Enabled

Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true

Parameters

  • Parameters:

KICS: GKE Using Default Service Account

Kubernetes Engine Clusters should not be configured to use the default service account

Parameters

  • Parameters:

KICS: Google Compute Network Using Default Firewall Rule

Google Compute Network should not use default firewall rule

Parameters

  • Parameters:

KICS: Google Compute Network Using Firewall Rule that Allows All Ports

Google Compute Network should not use a firewall rule that allows all ports

Parameters

  • Parameters:

KICS: Google Compute Network Using Firewall Rule that Allows Port Range

Google Compute Network should not use a firewall rule that allows port range

Parameters

  • Parameters:

KICS: Google Compute SSL Policy Weak Cipher In Use

This query checks whether a Google Compute SSL Policy permits weak cipher suites, which means the minimum TLS version must be 'TLS_1_2', because older versions permit weak ciphers

Parameters

  • Parameters:

KICS: Google Compute Subnetwork Logging Disabled

This query checks if logs are enabled for a Google Compute Subnetwork resource.

Parameters

  • Parameters:

KICS: Google Compute Subnetwork with Private Google Access Disabled

Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true

Parameters

  • Parameters:

KICS: Google Container Node Pool Auto Repair Disabled

Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.

Parameters

  • Parameters:

KICS: Google Project Auto Create Network Disabled

Verifies if the Google Project Auto Create Network is Disabled

Parameters

  • Parameters:

KICS: Google Project IAM Binding Service Account has Token Creator or Account User Role

Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated

Parameters

  • Parameters:

KICS: Google Project IAM Member Service Account Has Admin Role

Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated

Parameters

  • Parameters:

KICS: Google Project IAM Member Service Account has Token Creator or Account User Role

Verifies that a Google Project IAM Member Service Account does not have an Account User or Token Creator role associated

Parameters

  • Parameters:

KICS: Google Storage Bucket Level Access Disabled

Google Storage Bucket Level Access should be enabled

Parameters

  • Parameters:

KICS: High Google KMS Crypto Key Rotation Period

KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.

Parameters

  • Parameters:

KICS: IAM Audit Not Properly Configured

Audit Logging Configuration is defective

Parameters

  • Parameters:

KICS: IP Aliasing Disabled

Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE

Parameters

  • Parameters:

KICS: IP Forwarding Enabled

Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true

Parameters

  • Parameters:

KICS: KMS Admin and CryptoKey Roles In Use

Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member

Parameters

  • Parameters:

KICS: KMS Crypto Key is Publicly Accessible

KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'

Parameters

  • Parameters:

KICS: Network Policy Disabled

Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false

Parameters

  • Parameters:

KICS: Node Auto Upgrade Disabled

Kubernetes node pools must have auto upgrades enabled, which means the node 'auto_upgrade' setting should be true for Kubernetes Clusters

Parameters

  • Parameters:

KICS: Not Proper Email Account In Use

Gmail accounts are being used instead of corporate credentials

Parameters

  • Parameters:

KICS: OSLogin Disabled

Verifies that the OSLogin is enabled

Parameters

  • Parameters:

KICS: OSLogin Is Disabled For VM Instance

Check if any VM instance disables OSLogin

Parameters

  • Parameters:

KICS: Pod Security Policy Disabled

Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true

Parameters

  • Parameters:

KICS: Private Cluster Disabled

Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true

Parameters

  • Parameters:

KICS: Project-wide SSH Keys Are Enabled In VM Instances

VM Instance should block project-wide SSH keys

Parameters

  • Parameters:

KICS: RDP Access Is Not Restricted

Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389

Parameters

  • Parameters:

KICS: Service Account with Improper Privileges

Service account should not have improper privileges like admin, editor, owner, or write roles

Parameters

  • Parameters:

KICS: Shielded VM Disabled

Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true

Parameters

  • Parameters:

KICS: SQL DB Instance Backup Disabled

Checks if backup configuration is enabled for all Cloud SQL Database instances

Parameters

  • Parameters:

KICS: SQL DB Instance Publicly Accessible

Cloud SQL instances should not be publicly accessible.

Parameters

  • Parameters:

KICS: SQL DB Instance With SSL Disabled

Cloud SQL Database Instance should have SSL enabled

Parameters

  • Parameters:

KICS: SSH Access Is Not Restricted

Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block), following the principle of least privilege

Parameters

  • Parameters:

KICS: Stackdriver Logging Disabled

Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'

Parameters

  • Parameters:

KICS: Stackdriver Monitoring Disabled

Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'

Parameters

  • Parameters:

KICS: User with IAM Role

As a best practice, it is better to assign an IAM Role to a group than to a user

Parameters

  • Parameters:

KICS: Using Default Service Account

Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.

Parameters

  • Parameters:

KICS: Serial Ports Are Enabled For VM Instances

Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone

Parameters

  • Parameters:

KICS: VM With Full Cloud Access

A VM instance is configured to use the default service account with full access to all Cloud APIs

Parameters

  • Parameters:

GCP: Network: Prohibit firewall allowing SSH access over internet

Network firewall resource should not allow ingress from '0.0.0.0/0' to port 22. Checks resources with type 'google_compute_firewall'.

Parameters

None


GCP: Storage Bucket: Prohibit buckets without versioning

Requires versioning to be enabled for google_storage_bucket resource. Checks resources with type 'google_storage_bucket'.

Parameters

None


KICS: Cluster Admin Rolebinding With Superuser Permissions

Ensure that the cluster-admin role is only used where required (RBAC)

Parameters

  • Parameters:

KICS: Cluster Allows Unsafe Sysctls

A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from influencing any other pod on the node, harming the node's health, or gaining CPU or memory resources outside of the pod's resource limits. This means 'spec.security_context.sysctl' must not include any unsafe sysctls and the attribute 'allowed_unsafe_sysctls' must be undefined.

Parameters

  • Parameters:

KICS: Container Host Pid Is True

Minimize the admission of containers wishing to share the host process ID namespace

Parameters

  • Parameters:

KICS: Container Is Privileged

Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false

Parameters

  • Parameters:

KICS: Container Resources Limits Undefined

Kubernetes container should have resource limitations defined such as CPU and memory

Parameters

  • Parameters:

KICS: Container Runs Unmasked

Check if a container has full access (unmasked) to the host's /proc filesystem, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime.

Parameters

  • Parameters:

KICS: Containers With Added Capabilities

Containers should not have extra capabilities allowed

Parameters

  • Parameters:

KICS: Containers With Sys Admin Capabilities

Containers should not have CAP_SYS_ADMIN Linux capability

Parameters

  • Parameters:

KICS: CPU Limits Not Set

CPU limits should be set: without a limit, a container is only guaranteed the CPU it requests, but may consume any CPU time the node has free

Parameters

  • Parameters:

KICS: CPU Requests Not Set

CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node

Parameters

  • Parameters:

KICS: Default Service Account In Use

Default service accounts should not be actively used

Parameters

  • Parameters:

KICS: Docker Daemon Socket is Exposed to Containers

Checks that the Docker daemon socket is not exposed to containers

Parameters

  • Parameters:

KICS: HPA Targets Invalid Object

The Horizontal Pod Autoscale must target a valid object

Parameters

  • Parameters:

KICS: Image Without Digest

Images should be specified together with their digests to ensure integrity

Parameters

  • Parameters:

KICS: Incorrect Volume Claim Access Mode ReadWriteOnce

Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'

Parameters

  • Parameters:

KICS: Invalid Image

Image must be defined and not be empty or equal to latest.

Parameters

  • Parameters:

KICS: Memory Limits Not Defined

Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory

Parameters

  • Parameters:

KICS: Memory Requests Not Defined

Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes

Parameters

  • Parameters:

KICS: Metadata Label Is Invalid

Check if any label in the metadata is invalid.

Parameters

  • Parameters:

KICS: Missing App Armor Config

Containers should be configured with AppArmor for any application to reduce its potential attack surface

Parameters

  • Parameters:

KICS: NET_RAW Capabilities Disabled for PSP

Containers need to have NET_RAW or All as drop capabilities

Parameters

  • Parameters:

KICS: NET_RAW Capabilities Not Being Dropped

Containers should drop 'ALL' or at least 'NET_RAW' capabilities

Parameters

  • Parameters:

KICS: No Drop Capabilities for Containers

Checks that capabilities are dropped in the container security context

Parameters

  • Parameters:

KICS: Non Kube System Pod With Host Mount

A non kube-system workload should not have hostPath mounted

Parameters

  • Parameters:

KICS: Not Limited Capabilities For Pod Security Policy

Limit capabilities for a Pod Security Policy

Parameters

  • Parameters:

KICS: Permissive Access to Create Pods

The permission to create pods in a cluster should be restricted because it allows privilege escalation.

Parameters

  • Parameters:

KICS: Pod or Container Without Security Context

A security context defines privilege and access control settings for a Pod or Container

Parameters

  • Parameters:

KICS: Privilege Escalation Allowed

Containers should not run with allowPrivilegeEscalation enabled, in order to prevent them from gaining more privileges than their parent process

Parameters

  • Parameters:

KICS: PSP Allows Containers To Share The Host Network Namespace

Check if Pod Security Policies allow containers to share the host network namespace.

Parameters

  • Parameters:

KICS: PSP Allows Privilege Escalation

PodSecurityPolicy should not allow privilege escalation

Parameters

  • Parameters:

KICS: PSP Allows Sharing Host IPC

Pod Security Policy allows containers to share the host IPC namespace

Parameters

  • Parameters:

KICS: PSP Set To Privileged

Do not allow pod to request execution as privileged.

Parameters

  • Parameters:

KICS: PSP With Added Capabilities

PodSecurityPolicy should not have added capabilities

Parameters

  • Parameters:

KICS: RBAC Roles with Read Secrets Permissions

Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys

Parameters

  • Parameters:

KICS: Role Binding To Default Service Account

No role nor cluster role should bind to a default service account

Parameters

  • Parameters:

KICS: Root Container Not Mounted As Read-only

Check if the root container filesystem is not being mounted as read-only.

Parameters

  • Parameters:

KICS: Root Containers Admitted

Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden

Parameters

  • Parameters:

KICS: Seccomp Profile Is Not Configured

Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls

Parameters

  • Parameters:

KICS: Secrets As Environment Variables

Container should not use secrets as environment variables

Parameters

  • Parameters:

KICS: Service Account Allows Access Secrets

kubernetes_role and kubernetes_cluster_role resources, when bound, should not use get, list or watch as verbs

Parameters

  • Parameters:

KICS: Service Account Name Undefined Or Empty

A Kubernetes Pod should have a Service Account defined so as to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.

Parameters

  • Parameters:

KICS: Service Account Token Automount Not Disabled

Service Account Tokens are automatically mounted even if not necessary

Parameters

  • Parameters:

KICS: Service Type is NodePort

Service type should not be NodePort

Parameters

  • Parameters:

KICS: Service With External Load Balancer

Service has an external load balancer, which may cause accessibility from other networks and the Internet

Parameters

  • Parameters:

KICS: Shared Host IPC Namespace

Container should not share the host IPC namespace

Parameters

  • Parameters:

KICS: Shared Host Network Namespace

Container should not share the host network namespace

Parameters

  • Parameters:

KICS: Shared Service Account

A Service Account token is shared between workloads

Parameters

  • Parameters:

KICS: StatefulSet Without Service Name

StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.

Parameters

  • Parameters:

KICS: Tiller (Helm v2) Is Deployed

Check if Tiller is deployed.

Parameters

  • Parameters:

KICS: Using Default Namespace

The default namespace should not be used

Parameters

  • Parameters:

KICS: Volume Mount With OS Directory Write Permissions

Containers can mount sensitive folders from the host, giving them potentially dangerous access to critical host configurations and binaries.

Parameters

  • Parameters:

KICS: Workload Mounting With Sensitive OS Directory

Workload is mounting a volume with sensitive OS Directory

Parameters

  • Parameters: