
Terraform Policy Library Rules

AWS: AutoScaling Group: Deny public IP address in launch configuration

Prohibit creation of autoscaling group if the launch configuration used has public IP address enabled.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without a default root object

Requires AWS/CloudFront distributions to be configured with a default root object.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without access logging

Requires AWS/CloudFront distributions to be configured with access logging.

Parameters

None


Requires AWS/CloudFront distributions to be configured with encrypted traffic to origin.

Requires AWS/CloudFront distributions to be configured with encrypted traffic to the origin. Prohibits 'origin_protocol_policy' set to 'http-only', and prohibits 'origin_protocol_policy' set to 'match-viewer' if 'viewer_protocol_policy' is set to 'allow-all'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without an HTTPS viewer protocol policy

Requires AWS/CloudFront distribution default and ordered cache behaviors to be configured with an 'https-only' or 'redirect-to-https' viewer_protocol_policy.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without a WAF association

Requires AWS/CloudFront distributions to be configured with a WAF web ACL ID.

Parameters

None


AWS: CloudTrail: Prohibit CloudTrails without server side encryption

Require AWS/CloudTrail trails to have server-side encryption using an AWS KMS key.

Parameters

None


AWS: CodeBuild Project: Prohibit if logging is not configured

Require CodeBuild Projects to have a 'logs_config' with either 's3_logs' or 'cloudwatch_logs' enabled.

Parameters

None


AWS: CodeBuild Project: Prohibit Privileged Mode enabled

Require CodeBuild Projects environment config to have 'privileged_mode' set to false.

Parameters

None


AWS: DAX: Prohibit DAX clusters with disabled encryption at rest

Require AWS/DAX clusters to have enabled encryption at rest.

Parameters

None


AWS: DMS: Prohibit publicly accessible DMS replication instances

Require AWS/DMS replication instances to not be publicly accessible.

Parameters

None


AWS: EC2/EBS: Requires volumes to have a snapshot

Ensure individually created EBS volumes have at least one associated snapshot.

Parameters

None


AWS: EC2: Ensure the EBS volumes are encrypted

Require individually created EBS volumes to be encrypted.

Parameters

None


AWS: EC2: Prohibit EC2 instances with a Public IP Address

Require AWS/EC2 instance to not have a Public IP Address.

Parameters

None


AWS: EC2: Restrict volume deletion after instance termination

Prevent the volume from being deleted when the EC2 instance is terminated.

Parameters

None


AWS: EC2: Restrict instances with unapproved AMIs

Require EC2 instances to use an AMI from a pre-approved list.

Parameters

  • Parameters:

    • allowed_ami_ids: A list of AMI IDs (e.g., ami-830c94e3, ami-0022c769)

      • Type: set_of_strings
      • Unique: false
      • Required: true
  • Required Parameters: allowed_ami_ids


AWS: EC2: Restrict instances with unapproved Regions

Require EC2 instances to use an AWS Region from a pre-approved list.

Parameters

  • Parameters:

    • allowed_regions: A list of AWS regions (e.g., us-east-1, us-west-2)

      • Type: set_of_strings
      • Unique: false
      • Required: true
  • Required Parameters: allowed_regions


AWS: EC2: Restrict instances with unapproved subnets

Require EC2 instances to use a subnet from a pre-approved list.

Parameters

  • Parameters:

    • allowed_subnets: A list of subnet IDs (e.g., subnet-012, subnet-890)

      • Type: set_of_strings
      • Unique: false
      • Required: true
  • Required Parameters: allowed_subnets


AWS: EC2: Restrict instances with unapproved Security Groups

Require AWS/EC2 to use Security Groups from a pre-approved list.

Parameters

  • Parameters:

    • allowed_security_groups: A list of Security Groups (e.g., sg-830c94e3, sg-0022c769)

      • Type: set_of_strings
      • Unique: false
      • Required: true
  • Required Parameters: allowed_security_groups


AWS: EC2: Ensure the instances use encrypted volumes

Require AWS/EC2 instances to use encrypted block storage volumes.

Parameters

None


AWS: EC2: Restrict instances without IMDSv2

Require EC2 instances and EC2 launch templates to have Instance Metadata Service Version 2 (IMDSv2) enabled.

Parameters

None


AWS: EC2: Prohibit EC2 instances without a VPC

Require AWS/EC2 instances to be deployed in a dedicated VPC with specified security group IDs.

Parameters

None


AWS: ECS: Prohibit ECS Service which has Assign Public IP enabled

Require AWS/ECS Services to have 'assign_public_ip' set to false in 'network_configuration'.

Parameters

None


AWS: Elastic Beanstalk: Prohibit Elastic Beanstalk environments with disabled managed actions

Require AWS/Elastic Beanstalk environments to have the managed actions setting enabled.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled encryption at rest

Require AWS/Elasticsearch domains to have enabled encryption at rest.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains not created in VPC

Require AWS/Elasticsearch domains to have subnets added in vpc_options.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains that do not enforce HTTPS and use TLS 1.2

Require AWS/Elasticsearch domains to have HTTPS enforced and to use TLS 1.2.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled node to node encryption

Require AWS/Elasticsearch domains to have enabled node to node encryption.

Parameters

None


AWS: ELB: Prohibit Elastic Load Balancers with listener's lb_protocol not set to SSL/HTTPS

Requires AWS/ELB listeners to be configured with lb_protocol as either SSL or HTTPS.

Parameters

None


AWS: ELB: Prohibit Elastic Load Balancers with connection draining not set to true

Requires AWS/ELB listeners to be configured with 'connection_draining' set to true.

Parameters

None


AWS: GuardDuty: Block GuardDuty organization with disabled GuardDuty detector

Require a GuardDuty Detector to be enabled for a GuardDuty Organization.

Parameters

None


AWS: IAM: Ensure IAM account has Complex and Unique password policy

Require the AWS/IAM account to have a complex and unique password policy. As recommended by https://attack.mitre.org/techniques/T1110/, the standards here are based on those established in https://pages.nist.gov/800-63-3/sp800-63b.html#appA and https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434.

Parameters

None


AWS: IAM: Ensure IAM account password policy meets AWS Foundational Security Best Practices

Require the AWS/IAM account to have a complex and unique password policy, as recommended by https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html.

Parameters

None


AWS: IAM: Restrict Access Key Actions in IAM policies

Require AWS/IAM user/group/role policies not to grant Create/Update/List/Delete AccessKey permissions, nor allow-all ('iam:*' or '*') in 'Action'.

Parameters

None


AWS: IAM: Restrict hardcoded secret credentials

Hardcoding of AWS 'access_key' and 'secret_key' in Terraform files is prohibited.

Parameters

None


AWS: IAM: Prohibit IAM policies directly being attached to IAM users

Requires AWS/IAM policies not to be attached directly to IAM users.

Parameters

None


AWS: IAM: Prohibit Policies containing an Asterisk

Require AWS/IAM policies not to have an asterisk ('*') in Actions, nor an asterisk ('*') without a prefix in Resources.

Parameters

None


KICS: ALB Deletion Protection Disabled

Application Load Balancer should have deletion protection enabled

Parameters

None


KICS: ALB Is Not Integrated With WAF

All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service

Parameters

None


KICS: ALB Listening on HTTP

AWS Application Load Balancer (ALB) should not listen on HTTP

Parameters

None


KICS: ALB Not Dropping Invalid Headers

It's considered a best practice when using Application Load Balancers to drop invalid header fields

Parameters

None


KICS: AmazonMQ Broker Encryption Disabled

AmazonMQ Broker should have Encryption Options defined

Parameters

None


KICS: AMI Not Encrypted

AWS AMI Encryption is not enabled

Parameters

None


KICS: AMI Shared With Multiple Accounts

Limits access to AWS AMIs by checking if more than one account is using the same image

Parameters

None


KICS: API Gateway Access Logging Disabled

API Gateway should have Access Log Settings defined

Parameters

None


KICS: API Gateway Deployment Without Access Log Setting

API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.

Parameters

None


KICS: API Gateway Deployment Without API Gateway UsagePlan Associated

API Gateway Deployment should have API Gateway UsagePlan defined and associated.

Parameters

None


KICS: API Gateway Endpoint Config is Not Private

The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet

Parameters

None


KICS: API Gateway Method Does Not Contains An API Key

An API Key should be required on a method request.

Parameters

None


KICS: API Gateway Method Settings Cache Not Encrypted

API Gateway Method Settings Cache should be encrypted

Parameters

None


KICS: API Gateway Stage Without API Gateway UsagePlan Associated

API Gateway Stage should have API Gateway UsagePlan defined and associated.

Parameters

None


KICS: API Gateway With CloudWatch Logging Disabled

AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation

Parameters

None


KICS: API Gateway With Invalid Compression

API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.

Parameters

None


KICS: API Gateway With Open Access

API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.

Parameters

None


KICS: API Gateway Without Configured Authorizer

API Gateway REST API should have an API Gateway Authorizer

Parameters

None


KICS: API Gateway Without Security Policy

API Gateway should have a Security Policy defined and use TLS 1.2.

Parameters

None


KICS: API Gateway Without SSL Certificate

SSL Client Certificate should be enabled

Parameters

None


KICS: API Gateway without WAF

API Gateway should have WAF (Web Application Firewall) enabled

Parameters

None


KICS: API Gateway X-Ray Disabled

API Gateway should have X-Ray Tracing enabled

Parameters

None


KICS: Athena Database Not Encrypted

AWS Athena Database data in S3 should be encrypted

Parameters

None


KICS: Athena Workgroup Not Encrypted

Athena Workgroup query results should be encrypted, for all queries that run in the workgroup

Parameters

None


KICS: Authentication Without MFA

Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating

Parameters

None


KICS: Auto Scaling Group With No Associated ELB

AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.

Parameters

None


KICS: Automatic Minor Upgrades Disabled

RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.

Parameters

None


KICS: Autoscaling Groups Supply Tags

Autoscaling groups should supply tags in their configuration

Parameters

None


KICS: AWS Password Policy With Unchangeable Passwords

AWS password policy should allow users to change their passwords

Parameters

None


KICS: Batch Job Definition With Privileged Container Properties

Batch Job Definition should not have Privileged Container Properties

Parameters

None


KICS: CA Certificate Identifier Is Outdated

The CA certificate Identifier must be 'rds-ca-2019'.

Parameters

None


KICS: CDN Configuration Is Missing

Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.

Parameters

None


KICS: Certificate Has Expired

Expired SSL/TLS certificates should be removed

Parameters

None


KICS: Certificate RSA Key Bytes Lower Than 256

The certificate should use an RSA key with a length equal to or higher than 256 bytes

Parameters

None


KICS: CloudFront Logging Disabled

AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined

Parameters

None


KICS: Cloudfront Viewer Protocol Policy Allows HTTP

Checks if the connection between CloudFront and the viewer is encrypted

Parameters

None


KICS: CloudFront Without Minimum Protocol TLS 1.2

CloudFront Minimum Protocol version should be at least TLS 1.2

Parameters

None


KICS: CloudFront Without WAF

All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service

Parameters

None


KICS: CloudTrail Log File Validation Disabled

CloudTrail log file validation should be enabled to determine whether a log file has been tampered with

Parameters

None


KICS: CloudTrail Log Files Not Encrypted With KMS

Logs delivered by CloudTrail should be encrypted using KMS to increase the security of your CloudTrail

Parameters

None


KICS: CloudTrail Log Files S3 Bucket is Publicly Accessible

CloudTrail Log Files S3 Bucket should not be publicly accessible

Parameters

None


KICS: CloudTrail Log Files S3 Bucket with Logging Disabled

CloudTrail Log Files S3 Bucket should have 'logging' enabled

Parameters

None


KICS: CloudTrail Logging Disabled

Checks if logging is enabled for CloudTrail.

Parameters

None


KICS: CloudTrail Multi Region Disabled

CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled

Parameters

None


KICS: CloudTrail Not Integrated With CloudWatch

CloudTrail should be integrated with CloudWatch

Parameters

None


KICS: CloudTrail SNS Topic Name Undefined

Check if SNS topic name is set for CloudTrail

Parameters

None


KICS: CloudWatch AWS Config Configuration Changes Alarm Missing

Ensure a log metric filter and alarm exist for AWS Config configuration changes

Parameters

None


KICS: CloudWatch AWS Organizations Changes Missing Alarm

Ensure a log metric filter and alarm exist for AWS organizations changes

Parameters

None


KICS: CloudWatch Changes To NACL Alarm Missing

Ensure a log metric filter and alarm exist for changes to NACL

Parameters

None


KICS: Cloudwatch Cloudtrail Configuration Changes Alarm Missing

Ensure a log metric filter and alarm exist for CloudTrail configuration changes

Parameters

None


KICS: CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing

Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK

Parameters

None


KICS: CloudWatch IAM Policy Changes Alarm Missing

Ensure a log metric filter and alarm exist for IAM policy changes

Parameters

None


KICS: CloudWatch Log Group Without KMS

AWS CloudWatch Log groups should be encrypted using KMS

Parameters

None


KICS: CloudWatch Logging Disabled

Check if CloudWatch logging is disabled for Route53 hosted zones

Parameters

None


KICS: CloudWatch Logs Destination With Vulnerable Policy

CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'

Parameters

None


KICS: CloudWatch Management Console Auth Failed Alarm Missing

Ensure a log metric filter and alarm exist for AWS Management Console authentication failures

Parameters

None


KICS: CloudWatch Console Sign-in Without MFA Alarm Missing

Ensure a log metric filter and alarm exist for management console sign-in without MFA

Parameters

None


KICS: CloudWatch Metrics Disabled

Checks if CloudWatch Metrics is Enabled

Parameters

None


KICS: CloudWatch Network Gateways Changes Alarm Missing

Ensure a log metric filter and alarm exist for network gateways changes

Parameters

None


KICS: CloudWatch Root Account Use Missing

Ensure a log metric filter and alarm exist for root account usage

Parameters

None


KICS: CloudWatch Route Table Changes Alarm Missing

Ensure a log metric filter and alarm exist for route table changes

Parameters

None


KICS: CloudWatch S3 policy Change Alarm Missing

Ensure a log metric filter and alarm exist for S3 bucket policy changes

Parameters

None


KICS: Cloudwatch Security Group Changes Alarm Missing

Ensure a log metric filter and alarm exist for security group changes

Parameters

None


KICS: CloudWatch Unauthorized Access Alarm Missing

Ensure a log metric filter and alarm exist for unauthorized API calls

Parameters

None


KICS: CloudWatch VPC Changes Alarm Missing

Ensure a log metric filter and alarm exist for VPC changes

Parameters

None


KICS: CloudWatch Without Retention Period Specified

AWS CloudWatch Log groups should have retention days specified

Parameters

None


KICS: CMK Is Unusable

AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true

Parameters

None


KICS: CMK Rotation Disabled

Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.

Parameters

None


KICS: CodeBuild Project Encrypted With AWS Managed Key

CodeBuild Project should be encrypted with customer-managed KMS keys instead of AWS managed keys

Parameters

None


KICS: Cognito UserPool Without MFA

AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users

Parameters

None


KICS: Configuration Aggregator to All Regions Disabled

AWS Config Configuration Aggregator All Regions must be set to True

Parameters

None


KICS: Config Rule For Encrypted Volumes Disabled

Check if AWS config rules do not identify Encrypted Volumes as a source.

Parameters

None


KICS: Cross-Account IAM Assume Role Policy Without ExternalId or MFA

Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access

Parameters

None


KICS: DAX Cluster Not Encrypted

AWS DAX Cluster should have server-side encryption at rest

Parameters

None


KICS: DB Instance Publicly Accessible

RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').

Parameters

None


KICS: DB Instance Storage Not Encrypted

AWS DB Instance should have its storage encrypted by setting 'storage_encrypted' to 'true'. The 'storage_encrypted' default value is 'false'.

Parameters

None


KICS: DB Security Group Has Public Interface

The CIDR IP should not be a public interface

Parameters

None


KICS: DB Security Group Open To Large Scope

The IP address in a DB Security Group must not have more than 256 hosts.

Parameters

None


KICS: DB Security Group With Public Scope

The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it

Parameters

None


KICS: Default Security Groups With Unrestricted Traffic

Check if default security group does not restrict all inbound and outbound traffic.

Parameters

None


KICS: Default VPC Exists

It isn't recommended to use resources in default VPC

Parameters

None


KICS: DOCDB Cluster Encrypted With AWS Managed Key

DOCDB Cluster should be encrypted with customer-managed KMS keys instead of AWS managed keys

Parameters

None


KICS: DOCDB Cluster Not Encrypted

AWS DOCDB Cluster storage should be encrypted

Parameters

None


KICS: DOCDB Cluster Without KMS

AWS DOCDB Cluster should be encrypted with a KMS encryption key

Parameters

None


KICS: DocDB Logging Is Disabled

DocDB logging should be enabled

Parameters

None


KICS: DynamoDB Table Not Encrypted

AWS DynamoDB Tables should have server-side encryption

Parameters

None


KICS: DynamoDB Table Point In Time Recovery Disabled

It's considered a best practice to have point in time recovery enabled for DynamoDB Table

Parameters

None


KICS: Dynamodb VPC Endpoint Without Route Table Association

Dynamodb VPC Endpoint should be associated with Route Table Association

Parameters

None


KICS: EBS Default Encryption Disabled

EBS Encryption should be enabled

Parameters

None


KICS: EBS Volume Encryption Disabled

EBS volumes should be encrypted

Parameters

None


KICS: EBS Volume Snapshot Not Encrypted

AWS EBS Volume Snapshot encryption must be set to true

Parameters

None


KICS: EC2 Instance Has Public IP

EC2 Instance should not have a public IP address.

Parameters

None


KICS: EC2 Instance Monitoring Disabled

EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled, data is available in 1-minute periods

Parameters

None


KICS: EC2 Instance Using API Keys

EC2 instances should use roles to be granted access to other AWS services

Parameters

None


KICS: EC2 Instance Using Default Security Group

EC2 instances should not use default security group(s)

Parameters

None


KICS: EC2 Instance Using Default VPC

EC2 Instances should not be configured under a default VPC network

Parameters

None


KICS: EC2 Not EBS Optimized

It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance

Parameters

None


KICS: ECR Image Tag Not Immutable

ECR repositories should have image tags set to immutable. This prevents image tags from being overwritten.

Parameters

None


KICS: ECR Repository Is Publicly Accessible

Amazon ECR image repositories shouldn't have public access

Parameters

None


KICS: ECR Repository Not Encrypted With CMK

ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation

Parameters

None


KICS: ECR Repository Without Policy

ECR Repository should have Policies attached to it

Parameters

None


KICS: ECS Cluster with Container Insights Disabled

ECS Cluster should enable container insights

Parameters

None


KICS: ECS Service Admin Role Is Present

ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role

Parameters

None


KICS: ECS Service Without Running Tasks

ECS Service should have at least 1 task running

Parameters

None


'network_mode' should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations

Parameters

None


KICS: ECS Task Definition Volume Not Encrypted

AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted

Parameters

None


KICS: ECS Task Definition Container With Plaintext Password

It's not recommended to use plaintext environment variables for sensitive information, such as credential data.

Parameters

None


KICS: EFS Not Encrypted

Elastic File System (EFS) must be encrypted

Parameters

None


KICS: EFS With Vulnerable Policy

EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.

Parameters

None


KICS: EFS Without KMS

Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys

Parameters

None


KICS: EKS Cluster Encryption Disabled

EKS Cluster should be encrypted

Parameters

None


KICS: EKS Cluster Has Public Access

Amazon EKS public endpoint should be set to false

Parameters

None


KICS: EKS Cluster Has Public Access CIDRs

Amazon EKS public endpoint is enabled and accessible to all (0.0.0.0/0)

Parameters

None


KICS: EKS cluster logging is not enabled

Amazon EKS control plane logging is not enabled

Parameters

None


KICS: EKS node group remote access disabled

EKS node group remote access is disabled when 'SourceSecurityGroups' is missing

Parameters

None


KICS: ElastiCache Nodes Not Created Across Multi AZ

ElastiCache Nodes should be created across multiple AZs, which means 'az_mode' should be set to 'cross-az' in a multi-node cluster

Parameters

None


KICS: ElastiCache Redis Cluster Without Backup

ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0

Parameters

None


KICS: ElastiCache Replication Group Not Encrypted At Rest

ElastiCache Replication Group encryption should be enabled at Rest

Parameters

None


KICS: ElastiCache Replication Group Not Encrypted At Transit

ElastiCache Replication Group encryption should be enabled in transit

Parameters

None


KICS: ElastiCache Using Default Port

ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211

Parameters

None


KICS: ElastiCache Without VPC

ElastiCache should be launched in a Virtual Private Cloud (VPC)

Parameters

None


KICS: Elasticsearch Domain Not Encrypted Node To Node

Elasticsearch Domain encryption should be enabled node to node

Parameters

None


KICS: Elasticsearch Domain With Vulnerable Policy

Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.

Parameters

None


KICS: ElasticSearch Encryption With KMS Disabled

Check if any ElasticSearch domain isn't encrypted with KMS.

Parameters

None


KICS: Elasticsearch Log Disabled

AWS Elasticsearch should have logs enabled

Parameters

None


KICS: ElasticSearch Not Encrypted At Rest

Check if ElasticSearch encryption is disabled at Rest

Parameters

None


KICS: Elasticsearch Without IAM Authentication

AWS Elasticsearch should enforce IAM authentication

Parameters

None


KICS: ElasticSearch Without Slow Logs

Ensure that AWS Elasticsearch enables support for slow logs

Parameters

None


KICS: ELB Access Log Disabled

ELB should have logging enabled to help with error investigation

Parameters

None


KICS: ELB Using Insecure Protocols

ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.

Parameters

None


KICS: ELB Using Weak Ciphers

ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.

Parameters

None


KICS: EMR Without VPC

Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)

Parameters

None


KICS: Global Accelerator Flow Logs Disabled

Global Accelerator should have flow logs enabled

Parameters

None


KICS: Glue Data Catalog Encryption Disabled

Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled

Parameters

None


KICS: Glue Security Configuration Encryption Disabled

Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled

Parameters

None


KICS: Glue With Vulnerable Policy

Glue policy should avoid wildcard in 'principals' and 'actions'

Parameters

None


KICS: Group With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'

Group with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:AddUserToGroup'

Group with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:AttachGroupPolicy'

Group with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:AttachRolePolicy'

Group with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:AttachUserPolicy'

Group with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:CreateAccessKey'

Group with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:CreateLoginProfile'

Group with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:CreatePolicyVersion'

Group with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'

Group with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'

Group with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'

Group with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'

Group with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:PutGroupPolicy'

Group with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:PutRolePolicy'

Group with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:PutUserPolicy'

Group with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'

Group with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'

Group with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'iam:UpdateLoginProfile'

Group with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Group With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'

Group with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: GuardDuty Detector Disabled

Make sure that Amazon GuardDuty is enabled.

Parameters

None


KICS: Hardcoded AWS Access Key

AWS Access Key should not be hardcoded

Parameters

None


KICS: Hardcoded AWS Access Key In Lambda

Lambda access/secret keys should not be hardcoded

Parameters

None


KICS: HTTP Port Open To Internet

The HTTP port is open to the internet in a Security Group

Parameters

None


KICS: IAM Access Analyzer Not Enabled

IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions

Parameters

None


KICS: IAM Access Key Is Exposed

IAM Access Key should not be active for root users

Parameters

None


KICS: IAM Database Auth Not Enabled

IAM Database Authentication should be enabled (configured to true) when the database engine and version support it.

Parameters

None


KICS: IAM Group Without Users

IAM Group should have at least one user associated

Parameters

None


KICS: IAM Password Without Lowercase Letter

IAM Password should have at least one lowercase letter

Parameters

None


KICS: IAM Password Without Minimum Length

IAM password should have the required minimum length

Parameters

None


KICS: IAM Password Without Symbol

IAM password should have the required symbols

Parameters

None


KICS: IAM Password Without Uppercase Letter

IAM password should have at least one uppercase letter

Parameters

None


KICS: IAM Policies Attached To User

IAM policies should be attached only to groups or roles

Parameters

None


KICS: IAM Policies With Full Privileges

IAM policies shouldn't allow full administrative privileges (for all resources)

Parameters

None


KICS: IAM Policy Grants 'AssumeRole' Permission Across All Services

IAM Policy should not grant 'AssumeRole' permission across all services.

Parameters

None


KICS: IAM Policy Grants Full Permissions

IAM policies should not grant full permissions to resources up front; permissions should instead be granted gradually as they become necessary.

Parameters

None


KICS: IAM Role Allows All Principals To Assume

IAM role allows all services or principals to assume it

Parameters

None


KICS: IAM Role Policy passRole Allows All

Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources

Parameters

None


KICS: IAM Role With Full Privileges

IAM role policies should not allow full administrative privileges (for all resources).

Parameters

None


KICS: IAM User Policy Without MFA

Check if the root user is authenticated with MFA

Parameters

None


KICS: IAM User Has Too Many Access Keys

No IAM user should have more than one access key, since additional keys increase the risk of unauthorized access and credential compromise.

Parameters

None


KICS: IAM User With Access To Console

AWS IAM Users should not have access to console

Parameters

None


KICS: Instance With No VPC

EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.

Parameters

None


KICS: Kinesis Not Encrypted With KMS

AWS Kinesis Streams and metadata should be protected with KMS

Parameters

None


KICS: Kinesis SSE Not Configured

AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled

Parameters

None


KICS: KMS Key With No Deletion Window

AWS KMS Key should have a valid deletion window

Parameters

None


KICS: KMS Key With Vulnerable Policy

Checks if the policy is vulnerable and needs updating.

Parameters

None


KICS: Lambda Function With Privileged Role

It is not advisable for AWS Lambda Functions to have privileged permissions.

Parameters

None


KICS: Lambda Functions Without X-Ray Tracing

AWS Lambda functions should have TracingConfig enabled. For this, the property 'tracing_config.mode' should have the value 'Active'.

Parameters

None


KICS: Lambda IAM InvokeFunction Misconfigured

Lambda permission may be misconfigured if the 'action' field is not set to 'lambda:InvokeFunction'.

Parameters

None


KICS: Lambda Permission Misconfigured

Lambda permission may be misconfigured if the 'action' field is not set to 'lambda:InvokeFunction'.

Parameters

None


KICS: Lambda Permission Principal Is Wildcard

Lambda Permission Principal should not contain a wildcard.

Parameters

None


KICS: Lambda With Vulnerable Policy

The attribute 'action' should not contain a wildcard.

Parameters

None


KICS: Launch Configuration Is Not Encrypted

Launch Configurations should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' parameter should be set to true in each volume

Parameters

None


KICS: Misconfigured Password Policy Expiration

No password expiration policy is configured.

Parameters

None


KICS: Missing Cluster Log Types

Amazon EKS control plane logging is not enabled for all log types.

Parameters

None


KICS: MQ Broker Is Publicly Accessible

Check that no MQ Broker is publicly accessible.

Parameters

None


KICS: MQ Broker Logging Disabled

Check whether MQ Brokers have logging disabled for either of the two available options (audit and general).

Parameters

None


KICS: MSK Broker Is Publicly Accessible

Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible

Parameters

None


KICS: MSK Cluster Encryption Disabled

Ensure MSK Cluster encryption at rest and in transit is enabled.

Parameters

None


KICS: MSK Cluster Logging Disabled

Ensure MSK Cluster Logging is enabled

Parameters

None


KICS: Neptune Cluster Instance is Publicly Accessible

Neptune Cluster Instance should not be publicly accessible

Parameters

None


KICS: Neptune Cluster With IAM Database Authentication Disabled

Neptune Cluster should have IAM Database Authentication enabled

Parameters

None


KICS: Neptune Database Cluster Encryption Disabled

Neptune database cluster storage should have encryption enabled

Parameters

None


KICS: Neptune Logging Is Disabled

Neptune logging should be enabled

Parameters

None


KICS: Network ACL With Unrestricted Access To RDP

'RDP' (TCP:3389) should not be public in AWS Network ACL

Parameters

None


KICS: Network ACL With Unrestricted Access To SSH

'SSH' (TCP:22) should not be public in AWS Network ACL

Parameters

None


KICS: No Password Policy Enabled

IAM password policies should be set through the password minimum length and reset password attributes

Parameters

None


KICS: No Stack Policy

AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions

Parameters

None


KICS: Password Without Reuse Prevention

Check that the IAM account password policy has password reuse prevention configured with a value of 24.

Parameters

None


KICS: Policy Without Principal

All policies, except IAM identity-based policies, should have the 'Principal' element defined

Parameters

None


KICS: Public and Private EC2 Share Role

Public and private EC2 instances should not share the same role.

Parameters

None


KICS: Public Lambda via API Gateway

A Lambda function is allowed to be invoked through a public API Gateway.

Parameters

None


KICS: RDS Associated with Public Subnet

RDS should not run in a public subnet.

Parameters

None


KICS: RDS Cluster With Backup Disabled

RDS Cluster backup retention period should be specifically defined

Parameters

None


KICS: RDS Database Cluster not Encrypted

RDS Database Cluster Encryption should be enabled

Parameters

None


KICS: RDS Storage Not Encrypted

RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'

Parameters

None


KICS: RDS Using Default Port

RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433

Parameters

None


KICS: RDS With Backup Disabled

Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup

Parameters

None


KICS: RDS Without Logging

RDS does not have any kind of logging enabled.

Parameters

None


KICS: Redis Disabled

ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'

Parameters

None


KICS: Redis Not Compliant

Check if the Redis version is compliant with the necessary AWS PCI DSS requirements.

Parameters

None


KICS: Redshift Cluster Logging Disabled

Make sure Logging is enabled for Redshift Cluster

Parameters

None


KICS: Redshift Cluster Without VPC

Redshift Cluster should be configured in VPC (Virtual Private Cloud)

Parameters

None


KICS: Redshift Not Encrypted

AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)

Parameters

None


KICS: Redshift Publicly Accessible

AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)

Parameters

None


KICS: Redshift Using Default Port

Redshift should not use the default port (5439) because an attacker can easily guess the port

Parameters

None


KICS: Remote Desktop Port Open To Internet

The Remote Desktop port is open to the internet in a Security Group

Parameters

None


KICS: Resource Not Using Tags

AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'

Parameters

None


KICS: REST API With Vulnerable Policy

REST API policy should avoid wildcard in 'Action' and 'Principal'

Parameters

None


KICS: Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'

Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:AddUserToGroup'

Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'

Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'

Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'

Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:CreateAccessKey'

Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'

Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'

Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'

Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'

Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'

Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'

Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'

Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:PutRolePolicy'

Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:PutUserPolicy'

Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'

Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'

Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'

Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'

Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: Root Account Has Active Access Keys

The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.

Parameters

None


KICS: Route53 Record Undefined

Check if the record is set.

Parameters

None


KICS: S3 Bucket Access to Any Principal

S3 Buckets must not allow Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals.

Parameters

None


KICS: S3 Bucket ACL Allows Read Or Write to All Users

S3 Buckets should not be readable and writable to all users

Parameters

None


KICS: S3 Bucket ACL Allows Read to Any Authenticated User

S3 Buckets should not be readable to any authenticated user

Parameters

None


KICS: S3 Bucket ACL Grants WRITE_ACP Permission

S3 Buckets should not allow WRITE_ACP permission on the S3 Bucket Access Control List, in order to prevent AWS accounts or IAM users from modifying access control permissions on the bucket.

Parameters

None


KICS: S3 Bucket Allows Delete Action From All Principals

S3 Buckets must not allow Delete Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.

Parameters

None


KICS: S3 Bucket Allows Get Action From All Principals

S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.

Parameters

None


KICS: S3 Bucket Allows List Action From All Principals

S3 Buckets must not allow List Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.

Parameters

None


KICS: S3 Bucket Allows Public ACL

S3 bucket allows public ACL

Parameters

None


KICS: S3 Bucket Allows Put Action From All Principals

S3 Buckets must not allow Put Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.

Parameters

None


KICS: S3 Bucket Logging Disabled

Server Access Logging should be enabled on S3 Buckets so that all changes are logged and trackable

Parameters

None


KICS: S3 Bucket Object Level CloudTrail Logging Disabled

S3 Bucket object-level CloudTrail logging should be enabled for read and write events

Parameters

None


KICS: S3 Bucket Object Not Encrypted

S3 Bucket Object should have server-side encryption enabled

Parameters

None


KICS: S3 Bucket Policy Accepts HTTP Requests

S3 Bucket policy should not accept HTTP Requests

Parameters

None


KICS: S3 Bucket Public ACL Overridden By Public Access Block

S3 bucket public access is overridden by S3 bucket Public Access Block when the following attributes are set to true - 'block_public_acls', 'block_public_policy', 'ignore_public_acls', and 'restrict_public_buckets'

Parameters

None


KICS: S3 Bucket SSE Disabled

If the algorithm is AES256, the master key must be null, empty or undefined; otherwise the master key is required.

Parameters

None


KICS: S3 Bucket With All Permissions

S3 Buckets should not have all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.

Parameters

None


KICS: S3 Bucket Allows Public Policy

S3 bucket allows public policy

Parameters

None


KICS: S3 Bucket with Unsecured CORS Rule

If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure

Parameters

None


KICS: S3 Bucket Without Enabled MFA Delete

S3 bucket without MFA Delete enabled. MFA delete cannot be enabled through Terraform; it can be done by adding an MFA device (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable.html) and enabling versioning and MFA delete using the AWS CLI: 'aws s3api put-bucket-versioning --versioning-configuration=Status=Enabled,MFADelete=Enabled --bucket="BUCKET_NAME" --mfa="MFA_SERIAL_NUMBER"'. Note also that MFA delete cannot be used with lifecycle configurations.

Parameters

None


KICS: S3 Bucket Without Ignore Public ACL

S3 bucket without Ignore Public ACLs enabled.

Parameters

None


KICS: S3 Bucket Without Restriction Of Public Bucket

S3 bucket without Restrict Public Buckets enabled.

Parameters

None


KICS: S3 Bucket Without Versioning

S3 bucket should have versioning enabled

Parameters

None


KICS: S3 Static Website Host Enabled

Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.

Parameters

None


KICS: Sagemaker Endpoint Configuration Encryption Disabled

Sagemaker endpoint configuration should encrypt data

Parameters

None


KICS: Sagemaker Notebook Instance Without KMS

AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS key.

Parameters

None


KICS: Secrets Manager With Vulnerable Policy

Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'

Parameters

None


KICS: Secretsmanager Secret Encrypted With AWS Managed Key

Secrets Manager secret should be encrypted with customer-managed KMS keys instead of AWS managed keys

Parameters

None


KICS: Secretsmanager Secret Without KMS

AWS Secrets Manager should use an AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret.

Parameters

None


KICS: Secure Ciphers Disabled

Check if secure ciphers aren't used in CloudFront

Parameters

None


KICS: Security Group Rule Without Description

It's considered a best practice for all rules in AWS Security Group to have a description

Parameters

None


KICS: Security Group With Unrestricted Access To SSH

'SSH' (TCP:22) should not be public in AWS Security Group

Parameters

None


KICS: Security Group Rule Without Description

It's considered a best practice for AWS Security Group to have a description

Parameters

None


KICS: Security Group Not Used

Security group must be used or not declared

Parameters

None


KICS: Sensitive Port Is Exposed To Entire Network

A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol

Parameters

None


KICS: Sensitive Port Is Exposed To Small Public Network

A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol

Parameters

None


KICS: Sensitive Port Is Exposed To Wide Private Network

A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol

Parameters

None


KICS: Service Control Policies Disabled

Check that AWS Organizations has all features enabled, in order to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).

Parameters

None


KICS: SES Policy With Allowed IAM Actions

SES policy should not allow IAM actions to all principals

Parameters

None


KICS: Shield Advanced Not In Use

AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks

Parameters

None


KICS: SNS Topic Encrypted With AWS Managed Key

SNS (Simple Notification Service) Topic should be encrypted with customer-managed KMS keys instead of AWS managed keys

Parameters

None


KICS: SNS Topic is Publicly Accessible

SNS Topic Policy should not allow any principal to access it.

Parameters

None


KICS: SNS Topic Not Encrypted

SNS (Simple Notification Service) Topic should be encrypted

Parameters

None


KICS: SNS Topic Publicity Has Allow and NotAction Simultaneously

SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.

Parameters

None


KICS: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible

Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.

Parameters

None


KICS: SQS Policy Allows All Actions

SQS policy allows ALL (*) actions

Parameters

None


KICS: SQS Policy With Public Access

Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue

Parameters

None


KICS: SQS Queue Exposed

Checks if the SQS Queue is exposed

Parameters

None


KICS: SQS VPC Endpoint Without DNS Resolution

SQS VPC Endpoint should have DNS resolution enabled

Parameters

None


KICS: SQS With SSE Disabled

Amazon Simple Queue Service (SQS) queues should protect the contents of their messages using Server-Side Encryption (SSE).

Parameters

None


KICS: SSM Session Transit Encryption Disabled

SSM Session should be encrypted in transit

Parameters

None


KICS: SSO Permission With Inadequate User Session Duration

SSO permissions should be configured to limit user sessions to no longer than 1 hour. Allowing longer sessions can increase the risk of unauthorized access or session hijacking. This is a best practice for security and should be implemented in SSO permission settings.

Parameters

None


KICS: SSO Policy with full privileges

SSO policies should be configured to grant limited administrative privileges, rather than full access to all resources. This approach allows for better security and control over the resources being accessed.

Parameters

None


KICS: Stack Notifications Disabled

AWS CloudFormation should have stack notifications enabled to be notified when an event occurs

Parameters

None


KICS: Stack Retention Disabled

Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction.

Parameters

None


KICS: Stack Without Template

AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body

Parameters

None


KICS: Unknown Port Exposed To Internet

AWS Security Group should not have an unknown port exposed to the entire Internet

Parameters

None


KICS: Unrestricted Security Group Ingress

Security groups allow ingress from 0.0.0.0/0 and/or ::/0.

Parameters

None


KICS: Unscanned ECR Image

Checks if the ECR Image has been scanned

Parameters

None


KICS: User Data Contains Encoded Private Key

User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily

Parameters

None


KICS: User Data Shell Script Is Encoded

User Data Shell Script must be encoded

Parameters

None


KICS: User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'

User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:AddUserToGroup'

User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'

User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:AttachRolePolicy'

User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:AttachUserPolicy'

User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:CreateAccessKey'

User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:CreateLoginProfile'

User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'

User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'

User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'

User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'

User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'

User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:PutGroupPolicy'

User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:PutRolePolicy'

User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:PutUserPolicy'

User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'

User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'

User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'

User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'

User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

Parameters

None


KICS: VPC Default Security Group Accepts All Traffic

Default Security Group attached to every VPC should restrict all traffic

Parameters

None


KICS: VPC FlowLogs Disabled

Every VPC resource should have an associated Flow Log

Parameters

None


KICS: VPC Peering Route Table with Unrestricted CIDR

VPC Peering Route Table should restrict CIDR

Parameters

None


KICS: VPC Subnet Assigns Public IP

VPC Subnet should not assign public IP

Parameters

None


KICS: VPC Without Network Firewall

VPC should have a Network Firewall associated

Parameters

None


KICS: Vulnerable Default SSL Certificate

CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.

Parameters

None


KICS: Workspaces Workspace Volume Not Encrypted

AWS Workspaces Workspace data stored in volumes should be encrypted

Parameters

None


AWS: Lambda: Prohibit publicly accessible Lambda functions

Requires AWS/Lambda Function Permissions to include an AWS account ID principal, principal_org_id, source_account AWS account ID, or source_arn resource ARN to prevent public access.

Parameters

None


AWS: Security Groups: Restrict Ingress from public IPs.

Require AWS/Security Groups to allow ingress from private IPv4 CIDRs only. Private IPv4 CIDR ranges: "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16".

Parameters

None


AWS: Security Groups: Ingress Allow only whitelisted CIDR and Ports

Require AWS/Security Groups to have ingress from whitelisted CIDR blocks on whitelisted ports. To allow all, use wildcard entry '*'.

Parameters

  • Parameters:

    • allowed_cidr_ports: An object with allowed CIDR ports by address

      • Type: object
      • Unique: false
      • Required: true
  • Required Parameters: allowed_cidr_ports


AWS: Security Groups: Allow only whitelisted Ports for Public Ingress

Require AWS/Security Groups Ingresses for CIDR "0.0.0.0/0" use only whitelisted ports.

Parameters

  • Parameters:

    • allowed_ports: Ports allowed for ingress traffic from cidr '0.0.0.0/0' (e.g., 80 443)

      • Type: set_of_strings
      • Unique: false
      • Required: true
  • Required Parameters: allowed_ports


AWS: OpenSearch: Prohibit OpenSearch Domains with disabled encryption at rest

Require AWS/OpenSearch domains to have enabled encryption at rest.

Parameters

None


AWS: Opensearch: Prohibit Opensearch Domains with disabled node to node encryption

Require AWS/Opensearch domains to have enabled node to node encryption.

Parameters

None


AWS: Opensearch: Prohibit Opensearch Domains not created in VPC

Require AWS/Opensearch domains to have subnets added in vpc_options.

Parameters

None


AWS: RDS: Prohibit RDS instance with disabled automatic minor version upgrade

Require AWS/RDS instances to have automatic minor version upgrade enabled.

Parameters

None


AWS: RDS: Prohibit RDS instances with disabled IAM database authentication

Require AWS/RDS instances to have IAM authentication enabled.

Parameters

None


AWS: RDS: Prohibit publicly accessible RDS instances

Require AWS/RDS instances to not be publicly accessible.

Parameters

None


AWS: RDS: Prohibit RDS clusters with disabled IAM authentication

Require AWS/RDS clusters to have IAM authentication enabled.

Parameters

None


AWS: RDS: Prohibit RDS instances with disabled CloudWatch log exports

Require AWS/RDS instances to have CloudWatch log exports enabled.

Parameters

None


AWS: Redshift: Prohibit Redshift cluster with disabled enhanced VPC routing

Require AWS/Redshift cluster to have enhanced VPC routing enabled.

Parameters

None


AWS: Redshift: Prohibit publicly accessible Redshift cluster

Require AWS/Redshift cluster to not be publicly accessible.

Parameters

None


AWS: S3: Ensure Logging is Enabled in S3 Buckets

Require AWS/S3 buckets to have logging enabled.

Parameters

None


AWS: S3: Prohibit Bucket Policies containing An Asterisk In Actions

Require AWS/S3 bucket policy to not use asterisk in 'Action'.

Parameters

None


AWS: S3: Prohibit Unencrypted Buckets

Require AWS/S3 buckets to be encrypted.

Parameters

None


AWS: S3: Prohibit Unencrypted Bucket Object

Require AWS/S3 bucket object to be server side encrypted

Parameters

None


AWS: S3: Ensure Versioning is Enabled for S3 Buckets

Require AWS/S3 buckets to have versioning enabled.

Parameters

None


AWS: S3: Restrict S3 buckets with unapproved ACL

Require AWS/S3 to use Canned ACL from a pre-approved list.

Parameters

  • Parameters:

    • allowed_acls: A list of ACLs

      • Type: set_of_strings
      • Unique: false
      • Required: true
  • Required Parameters: allowed_acls


AWS: S3: Allow ingress only from whitelisted IPs

Require AWS/S3 bucket policy with whitelisted source IPs. To allow all, use wildcard entry '*'.

Parameters

  • Parameters:

    • allowed_ips: A list of allowed IPs

      • Type: set_of_strings
      • Unique: false
      • Required: true
  • Required Parameters: allowed_ips


AWS: SageMaker: Prohibit SageMaker Notebook instance with direct internet access enabled

Require AWS/SageMaker instance to have direct internet access disabled.

Parameters

None


AWS: SSM: Prohibit publicly accessible SSM documents

Require AWS/SSM Documents to not be publicly accessible.

Parameters

None


Azure: IAM: Prohibit assignment of Owner role

Require Azure/IAM role assignment to not have owner role assigned to any principal.

Parameters

None


KICS: AD Admin Not Configured For SQL Server

The Active Directory Administrator is not configured for a SQL server

Parameters

None


KICS: Admin User Enabled For Container Registry

Admin user is enabled for Container Registry

Parameters

None


KICS: AKS Disk Encryption Set ID Undefined

Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk

Parameters

None


KICS: AKS Network Policy Misconfigured

Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privilege, which means that 'network_profile.network_policy' should be defined

Parameters

None


KICS: AKS Private Cluster Disabled

Azure Kubernetes Service (AKS) API should not be exposed to the internet

Parameters

None


KICS: AKS RBAC Disabled

Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled

Parameters

None


KICS: AKS Uses Azure Policies Add-On Disabled

Azure Container Service (AKS) should use Azure Policies Add-On

Parameters

None


KICS: App Service Authentication Disabled

Azure App Service authentication settings should be enabled

Parameters

None


KICS: App Service FTPS Enforce Disabled

Azure App Service should only enforce FTPS when 'ftps_state' is enabled

Parameters

None


KICS: App Service HTTP2 Disabled

App Service should have 'http2_enabled' enabled

Parameters

None


KICS: App Service Managed Identity Disabled

Azure App Service should have managed identity enabled

Parameters

None


KICS: App Service Not Using Latest TLS Encryption Version

Ensure App Service is using the latest version of TLS encryption

Parameters

None


KICS: App Service Without Latest PHP Version

Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.

Parameters

None


KICS: App Service Without Latest Python Version

Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.

Parameters

None


KICS: Azure Active Directory Authentication

Azure Active Directory must be used for authentication for Service Fabric

Parameters

None


KICS: Azure App Service Client Certificate Disabled

Azure App Service client certificate should be enabled

Parameters

None


KICS: Azure Cognitive Search Public Network Access Enabled

Public Network Access should be disabled for Azure Cognitive Search

Parameters

None


KICS: Azure Container Registry With No Locks

Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'

Parameters

None


KICS: Azure Front Door WAF Disabled

Azure Front Door WAF should be enabled

Parameters

None


KICS: Cosmos DB Account Without Tags

Cosmos DB Account must have a mapping of tags.

Parameters

None


KICS: CosmosDB Account IP Range Filter Not Set

The IP range filter should be defined to secure the data stored

Parameters

None


KICS: Dashboard Is Enabled

Check if the Kubernetes Dashboard is enabled.

Parameters

None


KICS: Default Azure Storage Account Network Access Is Too Permissive

Default Azure Storage Account network access should be set to Deny

Parameters

None


KICS: Default Network Access is Allowed

Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'

Parameters

None


KICS: Email Alerts Disabled

Make sure that alert notifications are set to 'On' in the Azure Security Center Contact

Parameters

None


KICS: Encryption On Managed Disk Disabled

Ensure that the encryption is active on the disk

Parameters

None


KICS: Firewall Rule Allows Too Many Hosts To Access Redis Cache

Check if any firewall rule allows too many hosts to access Redis Cache

Parameters

None


KICS: Function App Authentication Disabled

Azure Function App authentication settings should be enabled

Parameters

None


KICS: Function App Client Certificates Unrequired

Azure Function App should have 'client_cert_mode' set to required

Parameters

None


KICS: Function App FTPS Enforce Disabled

Azure Function App should only enforce FTPS when 'ftps_state' is enabled

Parameters

None


KICS: Function App HTTP2 Disabled

Function App should have 'http2_enabled' enabled

Parameters

None


KICS: Function App Managed Identity Disabled

Azure Function App should have managed identity enabled

Parameters

None


KICS: Function App Not Using Latest TLS Encryption Version

Ensure Function App is using the latest version of TLS encryption

Parameters

None


KICS: Geo Redundancy Is Disabled

Make sure that Geo-Redundant Backups are enabled on PostgreSQL

Parameters

None


KICS: Key Expiration Not Set

Make sure that for all keys the expiration date is set

Parameters

None


KICS: Key Vault Secrets Content Type Undefined

Key Vault Secrets should have Content Type set

Parameters

None


KICS: Log Retention Is Not Set

Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'

Parameters

None


KICS: MariaDB Server Public Network Access Enabled

MariaDB Server Public Network Access should be disabled

Parameters

None


KICS: MariaDB Server Geo-redundant Backup Disabled

MariaDB Server Geo-redundant Backup should be enabled

Parameters

None


KICS: MSSQL Server Auditing Disabled

Make sure that for MSSQL Servers, 'Auditing' is set to 'On'

Parameters

None


KICS: MSSQL Server Public Network Access Enabled

MSSQL Server public network access should be disabled

Parameters

None


KICS: MySQL Server Public Access Enabled

MySQL Server public access should be disabled

Parameters

None


KICS: MySQL SSL Connection Disabled

Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled

Parameters

None


KICS: Network Interfaces With Public IP

Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)

Parameters

None


KICS: Network Interfaces IP Forwarding Enabled

Network Interfaces IP Forwarding should be disabled

Parameters

None


KICS: Network Watcher Flow Disabled

Check if the 'enable' field in the resource azurerm_network_watcher_flow_log is false.

Parameters

None


KICS: PostgreSQL Log Checkpoints Disabled

Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON'

Parameters

None


KICS: PostgreSQL Log Connections Not Set

Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'

Parameters

None


KICS: PostgreSQL Log Duration Not Set

Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'

Parameters

None


KICS: PostgreSQL Server Infrastructure Encryption Disabled

PostgreSQL Server Infrastructure Encryption should be enabled

Parameters

None


KICS: PostgreSQL Server Without Connection Throttling

Ensure that Connection Throttling is set for the PostgreSQL server

Parameters

None


KICS: PostgreSQL Log Disconnections Not Set

Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'

Parameters

None


KICS: PostgreSQL Server Threat Detection Policy Disabled

PostgreSQL Server Threat Detection Policy should be enabled

Parameters

None


KICS: Public Storage Account

Storage Account should not be public, to uphold the principle of least privilege

Parameters

None


KICS: RDP Is Exposed To The Internet

Port 3389 (Remote Desktop) is exposed to the internet

Parameters

None


KICS: Redis Cache Allows Non SSL Connections

Redis Cache resources should not allow non-SSL connections

Parameters

None


KICS: Redis Entirely Accessible

Firewall rule allowing unrestricted access to Redis from the Internet

Parameters

None


KICS: Redis Not Updated Regularly

Redis Cache is not configured to be updated regularly with security and operational updates

Parameters

None


KICS: Redis Publicly Accessible

Firewall rule allowing unrestricted access to Redis from other Azure sources

Parameters

None


KICS: Role Assignment Not Limit Guest User Permissions

Role Assignment should limit guest user permissions

Parameters

None


KICS: Role Assignment Of Guest Users

There is a role assignment for a guest user

Parameters

None


KICS: Role Definition Allows Custom Role Creation

Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)

Parameters

None


KICS: Secret Expiration Not Set

Make sure that for all secrets the expiration date is set

Parameters

None


KICS: Security Center Pricing Tier Is Not Standard

Make sure that the 'Standard' pricing tiers were selected.

Parameters

None


KICS: Security Contact Email

Security Contact Email should be defined

Parameters

None


KICS: Security Group is Not Configured

Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty

Parameters

None


KICS: Sensitive Port Is Exposed To Entire Network

A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol

Parameters

None


KICS: Sensitive Port Is Exposed To Small Public Network

A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol

Parameters

None


KICS: Sensitive Port Is Exposed To Wide Private Network

A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol

Parameters

None


KICS: Small Activity Log Retention Period

Ensure that Activity Log Retention is set to 365 days or greater

Parameters

None


KICS: Small Flow Logs Retention Period

Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches

Parameters

None


KICS: Small MSSQL Server Audit Retention

Make sure for SQL Servers that Auditing Retention is greater than 90 days

Parameters

None


KICS: Small MSSQL Audit Retention Period

Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days

Parameters

None


KICS: Small PostgreSQL DB Server Log Retention Period

Check if PostgreSQL Database Server retains logs for less than 3 Days

Parameters

None


KICS: SQL Database Audit Disabled

Ensure that 'Threat Detection' is enabled for Azure SQL Database

Parameters

None


KICS: SQL Server Alert Email Disabled

SQL Server alert email should be enabled

Parameters

None


KICS: SQL Server Auditing Disabled

Make sure that for SQL Servers, 'Auditing' is set to 'On'

Parameters

None


KICS: SQLServer Ingress From Any IP

Check if all IPs are allowed, i.e. the range from start 0.0.0.0 to end 255.255.255.255.

Parameters

None


KICS: SQL Server Predictable Active Directory Account Name

Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict

Parameters

None


KICS: SQL Server Predictable Admin Account Name

Azure SQL Server's Admin account login must avoid using names like 'Admin' that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict

Parameters

None


KICS: SSH Is Exposed To The Internet

Port 22 (SSH) is exposed to the internet

Parameters

None


KICS: SSL Enforce Disabled

Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'

Parameters

None


KICS: Storage Account Not Forcing HTTPS

Storage Accounts should enforce the use of HTTPS

Parameters

None


KICS: Storage Account Not Using Latest TLS Encryption Version

Ensure Storage Account is using the latest version of TLS encryption

Parameters

None


KICS: Storage Container Is Publicly Accessible

Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage

Parameters

None


KICS: Storage Share File Allows All ACL Permissions

Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).

Parameters

None


KICS: Storage Table Allows All ACL Permissions

Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).

Parameters

None


KICS: Trusted Microsoft Services Not Enabled

Trusted Microsoft Services should be enabled for Storage Account access

Parameters

None


KICS: Unrestricted SQL Server Access

Azure SQL Server Accessibility should be set to a minimal address range to uphold the principle of least privilege, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both IPs must be different from '0.0.0.0'.

Parameters

None


KICS: Vault Auditing Disabled

Ensure that logging for Azure KeyVault is 'Enabled'

Parameters

None


KICS: Virtual Network with DDoS Protection Plan disabled

Virtual Network should have DDoS Protection Plan enabled

Parameters

None


KICS: VM Not Attached To Network

No Network Security Group is attached to the Virtual Machine

Parameters

None


KICS: WAF Is Disabled For Azure Application Gateway

Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.

Parameters

None


KICS: Web App Accepting Traffic Other Than HTTPS

Web app should only accept HTTPS traffic in Azure Web App Service.

Parameters

None


Azure: MariaDB: Prohibit backup disabled MariaDB database

Require Azure/MariaDB database to have Geo-redundant backup enabled.

Parameters

None


Azure: MySQL: Prohibit backup disabled MySQL database

Require Azure/MySQL database to have Geo-redundant backup enabled.

Parameters

None


Azure: Security Groups: Block port 22 for '0.0.0.0/0'

Azure/Network Security Groups should block Inbound traffic on port 22 for "0.0.0.0/0", "Internet", or "*".

Parameters

None


Azure: Postgres: Prohibit backup disabled Postgres database

Require Azure/Postgres database to have Geo-redundant backup enabled.

Parameters

None


Azure: Storage Account: Deny Unencrypted transit

Azure/Storage Account should accept requests from secure connections (https) only.

Parameters

None


GCP: Service Account: Prohibit using default Service Account

Requires a custom service account.

Parameters

None


GCP: BigQuery Dataset: Prohibit Dataset accessible to all authenticated users

Restrict public accessibility to BigQuery Datasets

Parameters

None


GCP: IAM: Prohibit service account with admin privileges

Restrict service accounts from having admin privileges

Parameters

None


KICS: BigQuery Dataset Is Public

BigQuery dataset is anonymously or publicly accessible

Parameters

None


KICS: Client Certificate Disabled

Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true

Parameters

None


KICS: Cloud DNS Without DNSSEC

DNSSEC must be enabled for Cloud DNS

Parameters

None


KICS: Cloud Storage Anonymous or Publicly Accessible

Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'

Parameters

None


KICS: Cloud Storage Bucket Is Publicly Accessible

Cloud Storage Bucket is anonymously or publicly accessible

Parameters

None


KICS: Cloud Storage Bucket Logging Not Enabled

Cloud storage bucket should have logging enabled

Parameters

None


KICS: Cloud Storage Bucket Versioning Disabled

Cloud Storage Bucket should have versioning enabled

Parameters

None


KICS: Cluster Labels Disabled

Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined

Parameters

None


KICS: Cluster Master Authentication Disabled

Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty

Parameters

None


KICS: COS Node Image Not Used

The node image should be Container-Optimized OS(COS)

Parameters

None


KICS: Disk Encryption Disabled

VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined

Parameters

None


KICS: DNSSEC Using RSASHA1

DNSSEC should not use the RSASHA1 algorithm, which means that, within the 'dnssec_config' block, the 'default_key_specs' block must not have its 'algorithm' field set to 'rsasha1'.

Parameters

None


KICS: GKE Basic Authentication Enabled

GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty

Parameters

None


KICS: GKE Legacy Authorization Enabled

Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true

Parameters

None


KICS: GKE Using Default Service Account

Kubernetes Engine Clusters should not be configured to use the default service account

Parameters

None


KICS: Google Compute Network Using Default Firewall Rule

Google Compute Network should not use default firewall rule

Parameters

None


KICS: Google Compute Network Using Firewall Rule that Allows All Ports

Google Compute Network should not use a firewall rule that allows all ports

Parameters

None


KICS: Google Compute Network Using Firewall Rule that Allows Port Range

Google Compute Network should not use a firewall rule that allows port range

Parameters

None


KICS: Google Compute SSL Policy Weak Cipher In Use

This query checks whether a Google Compute SSL Policy has weak cipher suites enabled; to do so it checks whether the TLS version is TLS_1_2, because other versions have weak ciphers.

Parameters

None


KICS: Google Compute Subnetwork Logging Disabled

This query checks if logs are enabled for a Google Compute Subnetwork resource.

Parameters

None


KICS: Google Compute Subnetwork with Private Google Access Disabled

Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true

Parameters

None


KICS: Google Container Node Pool Auto Repair Disabled

Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.

Parameters

None


KICS: Google Project Auto Create Network Disabled

Verifies if the Google Project Auto Create Network is Disabled

Parameters

None


KICS: Google Project IAM Binding Service Account has Token Creator or Account User Role

Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated

Parameters

None


KICS: Google Project IAM Member Service Account Has Admin Role

Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated

Parameters

None


KICS: Google Project IAM Member Service Account has Token Creator or Account User Role

Verifies if Google Project IAM Member Service Account doesn't have an Account User or Token Creator Role associated

Parameters

None


KICS: Google Storage Bucket Level Access Disabled

Google Storage Bucket Level Access should be enabled

Parameters

None


KICS: High Google KMS Crypto Key Rotation Period

KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.

Parameters

None


KICS: IAM Audit Not Properly Configured

Audit Logging Configuration is defective

Parameters

None


KICS: IP Aliasing Disabled

Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE

Parameters

None


KICS: IP Forwarding Enabled

Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true

Parameters

None


KICS: KMS Admin and CryptoKey Roles In Use

Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member

Parameters

None


KICS: KMS Crypto Key is Publicly Accessible

KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'

Parameters

None


KICS: Network Policy Disabled

Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false

Parameters

None


KICS: Node Auto Upgrade Disabled

Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters

Parameters

None


KICS: Not Proper Email Account In Use

Gmail accounts are being used instead of corporate credentials

Parameters

None


KICS: OSLogin Disabled

Verifies that OSLogin is enabled

Parameters

None


KICS: OSLogin Is Disabled For VM Instance

Check if any VM instance disables OSLogin

Parameters

None


KICS: Pod Security Policy Disabled

Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true

Parameters

None


KICS: Private Cluster Disabled

Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true

Parameters

None


KICS: Project-wide SSH Keys Are Enabled In VM Instances

VM Instance should block project-wide SSH keys

Parameters

None


KICS: RDP Access Is Not Restricted

Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389

Parameters

None


KICS: Service Account with Improper Privileges

Service account should not have improper privileges like admin, editor, owner, or write roles

Parameters

None


KICS: Shielded VM Disabled

Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true

Parameters

None


KICS: SQL DB Instance Backup Disabled

Checks if backup configuration is enabled for all Cloud SQL Database instances

Parameters

None


KICS: SQL DB Instance Publicly Accessible

Cloud SQL instances should not be publicly accessible.

Parameters

None


KICS: SQL DB Instance With SSL Disabled

Cloud SQL Database Instance should have SSL enabled

Parameters

None


KICS: SSH Access Is Not Restricted

Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privilege

Parameters

None


KICS: Stackdriver Logging Disabled

Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'

Parameters

None


KICS: Stackdriver Monitoring Disabled

Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'

Parameters

None


KICS: User with IAM Role

As a best practice, it is better to assign an IAM Role to a group than to a user

Parameters

None


KICS: Using Default Service Account

Instances should not be configured to use the Default Service Account, which has full access to all Cloud APIs. This means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.

Parameters

None


KICS: Serial Ports Are Enabled For VM Instances

Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone

Parameters

None


KICS: VM With Full Cloud Access

A VM instance is configured to use the default service account with full access to all Cloud APIs

Parameters

None


GCP: Network: Prohibit firewall allowing SSH access over internet

Network firewall resource should not allow ingress from '0.0.0.0/0' to port 22.

Parameters

None


GCP: Storage Bucket: Prohibit buckets without versioning

Requires versioning to be enabled for google_storage_bucket resource.

Parameters

None


KICS: Cluster Admin Rolebinding With Superuser Permissions

Ensure that the cluster-admin role is only used where required (RBAC)

Parameters

None


KICS: Cluster Allows Unsafe Sysctls

A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means 'spec.security_context.sysctl' must not include any unsafe sysctls and the attribute 'allowed_unsafe_sysctls' must be undefined.

Parameters

None


KICS: Container Host Pid Is True

Minimize the admission of containers wishing to share the host process ID namespace

Parameters

None


KICS: Container Is Privileged

Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false

Parameters

None


KICS: Container Resources Limits Undefined

Kubernetes container should have resource limitations defined such as CPU and memory

Parameters

None


KICS: Container Runs Unmasked

Check if a container has full access (unmasked) to the host's /proc command, which would allow it to retrieve sensitive information and possibly change kernel parameters at runtime.

Parameters

None


KICS: Containers With Added Capabilities

Containers should not have extra capabilities allowed

Parameters

None


KICS: Containers With Sys Admin Capabilities

Containers should not have CAP_SYS_ADMIN Linux capability

Parameters

None


KICS: CPU Limits Not Set

CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests

Parameters

None


KICS: CPU Requests Not Set

CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node

Parameters

None


KICS: CronJob Deadline Not Configured

Cronjobs must have a configured deadline, which means the attribute 'starting_deadline_seconds' must be defined

Parameters

None


KICS: Default Service Account In Use

Default service accounts should not be actively used

Parameters

None


KICS: Deployment Has No PodAntiAffinity

Check if Deployment resources don't have a podAntiAffinity policy, which prevents multiple pods from being scheduled on the same node.

Parameters

None


KICS: Deployment Without PodDisruptionBudget

Deployments should be assigned a PodDisruptionBudget to ensure high availability

Parameters

None


KICS: Docker Daemon Socket is Exposed to Containers

Checks that the Docker daemon socket is not exposed to containers

Parameters

None


KICS: HPA Targets Invalid Object

The Horizontal Pod Autoscaler must target a valid object

Parameters

None


KICS: Image Pull Policy Of The Container Is Not Set To Always

Image Pull Policy of the container must be defined and set to Always

Parameters

None


KICS: Image Without Digest

Images should be specified together with their digests to ensure integrity

Parameters

None


KICS: Incorrect Volume Claim Access Mode ReadWriteOnce

Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'

Parameters

None


KICS: Ingress Controller Exposes Workload

Ingress Controllers should not expose workload in order to avoid vulnerabilities and DoS attacks

Parameters

None


KICS: Invalid Image

Image must be defined and not be empty or equal to latest.

Parameters

None


KICS: Liveness Probe Is Not Defined

In case of an unresponsive container, a Liveness Probe can help your application become more available since it restarts the container. However, it can lead to cascading failures. Define one if you really need it

Parameters

None


KICS: Memory Limits Not Defined

Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume no more than the designated amount of memory

Parameters

None


KICS: Memory Requests Not Defined

Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes

Parameters

None


KICS: Metadata Label Is Invalid

Check if any label in the metadata is invalid.

Parameters

None


KICS: Missing App Armor Config

Containers should be configured with AppArmor for any application to reduce its potential attack surface

Parameters

None


KICS: NET_RAW Capabilities Disabled for PSP

Containers need to have NET_RAW or All as drop capabilities

Parameters

None


KICS: NET_RAW Capabilities Not Being Dropped

Containers should drop 'ALL' or at least 'NET_RAW' capabilities

Parameters

None


KICS: Network Policy Is Not Targeting Any Pod

Check if any network policy is not targeting any pod.

Parameters

None


KICS: No Drop Capabilities for Containers

Checks that Kubernetes drop capabilities exist in the container's security context

Parameters

None


KICS: Non Kube System Pod With Host Mount

A non kube-system workload should not have hostPath mounted

Parameters

None


KICS: Not Limited Capabilities For Pod Security Policy

Limit capabilities for a Pod Security Policy

Parameters

None


KICS: Permissive Access to Create Pods

The permission to create pods in a cluster should be restricted because it allows privilege escalation.

Parameters

None


KICS: Pod or Container Without Security Context

A security context defines privilege and access control settings for a Pod or Container

Parameters

None


KICS: Privilege Escalation Allowed

Containers should not run with allowPrivilegeEscalation in order to prevent them from gaining more privileges than their parent process

Parameters

None


KICS: PSP Allows Containers To Share The Host Network Namespace

Check if Pod Security Policies allow containers to share the host network namespace.

Parameters

None


KICS: PSP Allows Privilege Escalation

PodSecurityPolicy should not allow privilege escalation

Parameters

None


KICS: PSP Allows Sharing Host IPC

Pod Security Policy allows containers to share the host IPC namespace

Parameters

None


KICS: PSP Set To Privileged

Do not allow pod to request execution as privileged.

Parameters

None


KICS: PSP With Added Capabilities

PodSecurityPolicy should not have added capabilities

Parameters

None


KICS: RBAC Roles with Read Secrets Permissions

Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys

Parameters

None


KICS: Readiness Probe Is Not Configured

Check if Readiness Probe is not configured.

Parameters

None


KICS: Role Binding To Default Service Account

No role nor cluster role should bind to a default service account

Parameters

None


KICS: Root Container Not Mounted As Read-only

Check if the root container filesystem is not being mounted as read-only.

Parameters

None


KICS: Root Containers Admitted

Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden

Parameters

None


KICS: Seccomp Profile Is Not Configured

Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls

Parameters

None


KICS: Secrets As Environment Variables

Container should not use secrets as environment variables

Parameters

None


KICS: Service Account Allows Access Secrets

Kubernetes_role and Kubernetes_cluster_role, when bound, should not use get, list or watch as verbs

Parameters

None


KICS: Service Account Name Undefined Or Empty

A Kubernetes Pod should have a Service Account defined so as to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.

Parameters

None


KICS: Service Account Token Automount Not Disabled

Service Account Tokens are automatically mounted even if not necessary

Parameters

None


KICS: Service Type is NodePort

Service type should not be NodePort

Parameters

None


KICS: Service With External Load Balancer

Service has an external load balancer, which may cause accessibility from other networks and the Internet

Parameters

None


KICS: Shared Host IPC Namespace

Container should not share the host IPC namespace

Parameters

None


KICS: Shared Host Network Namespace

Container should not share the host network namespace

Parameters

None


KICS: Shared Service Account

A Service Account token is shared between workloads

Parameters

None


KICS: StatefulSet Requests Storage

A StatefulSet requests volume storage.

Parameters

None


KICS: StatefulSet Without PodDisruptionBudget

StatefulSets should be assigned a PodDisruptionBudget to ensure high availability

Parameters

None


KICS: StatefulSet Without Service Name

StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.

Parameters

None


KICS: Tiller (Helm v2) Is Deployed

Check if Tiller is deployed.

Parameters

None


KICS: Using Default Namespace

The default namespace should not be used

Parameters

None


KICS: Volume Mount With OS Directory Write Permissions

Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.

Parameters

None


KICS: Workload Host Port Not Specified

Verifies if Kubernetes workload's host port is specified

Parameters

None


KICS: Workload Mounting With Sensitive OS Directory

Workload is mounting a volume with sensitive OS Directory

Parameters

None