Policy Library Rules
The AWS policies in Styra's Terraform Policy Library are currently tested against version 3 of the Terraform AWS provider. Version 4 of the provider introduced breaking changes for a number of AWS resources. AWS policies in the library which only apply to Terraform AWS provider v3 resources are noted in the policies below and may not result in accurate policy evaluation when used with provider v4.
AWS: Autoscaling Group: Deny public IP address in launch configuration
Prohibit creation of autoscaling group if the launch configuration used has public IP address enabled. Checks the resources with type 'aws_launch_configuration' for the value of 'associate_public_ip_address'.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without a default root object
Requires AWS/CloudFront distributions to be configured with a default root object. Checks resources with type 'aws_cloudfront_distribution'.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without access logging
Requires AWS/CloudFront distributions to be configured with access logging. Checks resources with type 'aws_cloudfront_distribution'.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without encrypted traffic to origin
Requires AWS/CloudFront distributions to be configured with encrypted traffic to origin. Prohibits 'origin_protocol_policy' set to 'http-only' and prohibits 'origin_protocol_policy' set to 'match-viewer' if 'viewer_protocol_policy' is set to 'allow-all'. Checks resources with type 'aws_cloudfront_distribution'.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without an HTTPS viewer protocol policy
Requires AWS/CloudFront distribution default and ordered cache behaviors to be configured with an 'https-only' or 'redirect-to-https' viewer_protocol_policy. Checks resources with type 'aws_cloudfront_distribution'.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without a WAF association
Requires AWS/CloudFront distributions to be configured with a WAF web ACL ID. Checks resources with type 'aws_cloudfront_distribution'.
Parameters
None
AWS: CloudTrail: Prohibit CloudTrails without server side encryption
Require AWS/CloudTrail trails to have server-side encryption using an AWS KMS key. Checks resources with type 'aws_cloudtrail'.
Parameters
None
AWS: CodeBuild Project: Prohibit if logging is not configured
Require CodeBuild Projects to have 'logs_config' with either 's3_logs' or 'cloudwatch_logs' enabled. Checks resources with type 'aws_codebuild_project'.
Parameters
None
AWS: Codebuild Project: Prohibit Privileged Mode enabled.
Require CodeBuild Projects to set 'privileged_mode' to false. Checks resources with type 'aws_codebuild_project'.
Parameters
None
AWS: DAX: Prohibit DAX clusters with disabled encryption at rest
Require AWS/DAX clusters to have enabled encryption at rest. Checks resources with type 'aws_dax_cluster'.
Parameters
None
AWS: DMS: Prohibit publicly accessible DMS replication instances
Require AWS/DMS replication instances to not be publicly accessible. Checks resources with type 'aws_dms_replication_instance'.
Parameters
None
AWS: EC2/EBS: Requires snapshot enabled.
Ensure individually created EBS volumes have snapshots enabled. Checks resources with type 'aws_ebs_volume'.
Parameters
None
AWS: EC2: Ensure the EBS volumes are encrypted.
Require individually created EBS volumes to be encrypted. Checks resources with type 'aws_ebs_volume'.
Parameters
None
AWS: EC2: Prohibit EC2 instances with a Public IP Address
Require AWS/EC2 instance to not have a Public IP Address. Checks resources with type 'aws_instance' and 'aws_launch_template'.
Parameters
None
AWS: EC2: Restrict volume deletion after instance termination
Prevent volumes from being deleted after the termination of an EC2 instance. Retaining volumes until they are explicitly deleted can protect against adversaries deleting critical data, or evidence of an intrusion. Checks resources with type 'aws_instance'.
Parameters
None
AWS: EC2: Restrict instances with unapproved AMIs
Ensure EC2 instances are using an AMI from a pre-approved list. Checks resources with type 'aws_instance'.
Parameters
allowed_ami_ids
- Type: array
- Unique: true
- Required Parameters: allowed_ami_ids
AWS: EC2: Restrict instances with unapproved Regions
Ensure EC2 instances are deployed in a Region from a pre-approved list (due to plan format restrictions, this policy only works for Terraform 12 onward). Checks resources with type 'aws_instance'.
Parameters
allowed_regions
- Type: array
- Unique: true
- Required Parameters: allowed_regions
AWS: EC2: Restrict instances with unapproved subnets
Ensure EC2 instances are deployed in a subnet from a pre-approved list. Checks resources with type 'aws_instance'.
Parameters
allowed_subnets
- Type: array
- Unique: true
- Required Parameters: allowed_subnets
AWS: EC2: Restrict instances with unapproved Security Groups
Require AWS/EC2 to use Security Groups from a pre-approved list. Checks resources with type 'aws_instance'.
Parameters
allowed_security_groups
- Type: array
- Unique: true
- Required Parameters: allowed_security_groups
AWS: EC2: Ensure the instances use encrypted volume.
Require AWS/EC2 instances to use encrypted block storage volume. Checks resources with type 'aws_instance'.
Parameters
None
AWS: EC2: Restrict instances without IMDSv2
Require EC2 instances and EC2 launch templates to have Instance Metadata Service Version 2 (IMDSv2) enabled. Checks resources with type 'aws_instance' and 'aws_launch_template'.
Parameters
None
AWS: EC2: Prohibit EC2 instances without a VPC
Require AWS/EC2 instance to be deployed in a VPC. Checks resources with type 'aws_instance'.
Parameters
None
AWS: ECS: Prohibit ECS Service which has Assign Public IP enabled
Require AWS/ECS Service to have 'assign_public_ip' set as false in 'network_configuration'. Checks resources with type 'aws_ecs_service'.
Parameters
None
AWS: Elastic Beanstalk: Prohibit Elastic Beanstalk environments with disabled managed actions
Require AWS/Elastic Beanstalk environments to have the managed actions setting enabled. Checks resources with type 'aws_elastic_beanstalk_environment'.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled encryption at rest
Require AWS/Elasticsearch domains to have enabled encryption at rest. Checks resources with type 'aws_elasticsearch_domain'.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains not created in VPC
Require AWS/Elasticsearch domains to have subnets added in 'vpc_options'. Checks resources with type 'aws_elasticsearch_domain'.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains which do not enforce HTTPS and use TLS 1.2
Require AWS/Elasticsearch domains to have HTTPS enforced and use TLS 1.2. Checks resources with type 'aws_elasticsearch_domain'.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled node to node encryption
Require AWS/Elasticsearch domains to have enabled node to node encryption. Checks resources with type 'aws_elasticsearch_domain'.
Parameters
None
AWS: ELB: Prohibit Elastic Load Balancers with listener's lb_protocol not set to SSL/HTTPS.
Requires AWS/ELB listeners to be configured with lb_protocol as either SSL or HTTPS. Checks resources with type 'aws_elb'.
Parameters
None
AWS: ELB: Prohibit Elastic Load Balancers with connection draining not set to true.
Requires AWS/ELB listeners to be configured with connection_draining as true. Checks resources with type 'aws_elb'.
Parameters
None
AWS: GuardDuty: Block GuardDuty organization with disabled GuardDuty detector
Require the GuardDuty Detector to be enabled for a GuardDuty Organization. Checks resources with type 'aws_guardduty_organization_configuration' along with 'aws_guardduty_detector'.
Parameters
None
AWS: IAM: Ensure IAM account has Complex and Unique password policy
Require AWS/IAM account to have a complex and unique password policy. As recommended by https://attack.mitre.org/techniques/T1110/, the standards here are based on those established in https://pages.nist.gov/800-63-3/sp800-63b.html#appA and https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434. Checks resources with type 'aws_iam_account_password_policy'.
Parameters
None
AWS: IAM: Ensure IAM account password policy meets AWS Foundational Security Best Practices
Require AWS/IAM account to have a complex and unique password policy, as recommended by https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html. Checks resources with type 'aws_iam_account_password_policy'.
Parameters
None
AWS: IAM: Restrict Attaching AdministratorAccess Policy.
Restricts attaching Managed AdministratorAccess policy to user, role and group. Checks resources with type 'aws_iam_user_policy_attachment', 'aws_iam_role_policy_attachment' and 'aws_iam_group_policy_attachment'.
Parameters
None
AWS: IAM: Restrict Access Key Actions in IAM policies
Require AWS/IAM user/group/role policies to not grant Create/Update/List/Delete AccessKeys permissions or allow-all actions ('iam:*' or '*') in 'Action'. Checks resources with type 'aws_iam_user_policy', 'aws_iam_role_policy', 'aws_iam_group_policy' and 'aws_iam_policy'.
Parameters
None
AWS: IAM: Restrict hardcoded secret credentials.
Hardcoding of AWS 'access_key' and 'secret_key' in Terraform files is restricted. Due to plan format restrictions, this policy only works for Terraform 12 onward.
Parameters
None
AWS: IAM: Prohibit IAM policies directly being attached to IAM users
Requires AWS/IAM policies not to be attached directly to IAM users. Checks resources with type 'aws_iam_user_policy_attachment'.
Parameters
None
AWS: IAM: Prohibit IAM policies providing admin access
Require AWS/IAM policy statements to not allow all actions ('*') on all resources ('*'). Checks resources with type 'aws_iam_policy' and data sources with type 'aws_iam_policy_document'.
Parameters
None
AWS: IAM: Prohibit Policies containing an Asterisk
Require AWS/IAM policies not to have an asterisk ('*') in Actions, or an asterisk ('*') without a prefix in Resources. Checks resources with type 'aws_iam_policy'.
Parameters
None
KICS: ALB Deletion Protection Disabled
Application Load Balancer should have deletion protection enabled
Parameters
- Parameters:
KICS: ALB Is Not Integrated With WAF
All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service
Parameters
- Parameters:
KICS: ALB Listening on HTTP
AWS Application Load Balancer (alb) should not listen on HTTP
Parameters
- Parameters:
KICS: ALB Not Dropping Invalid Headers
It's considered a best practice when using Application Load Balancers to drop invalid header fields
Parameters
- Parameters:
KICS: AmazonMQ Broker Encryption Disabled
AmazonMQ Broker should have Encryption Options defined
Parameters
- Parameters:
KICS: AMI Not Encrypted
AWS AMI Encryption is not enabled
Parameters
- Parameters:
KICS: API Gateway Access Logging Disabled
API Gateway should have Access Log Settings defined
Parameters
- Parameters:
KICS: API Gateway Deployment Without Access Log Setting
API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.
Parameters
- Parameters:
KICS: API Gateway Deployment Without API Gateway UsagePlan Associated
API Gateway Deployment should have API Gateway UsagePlan defined and associated.
Parameters
- Parameters:
KICS: API Gateway Endpoint Config is Not Private
The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet
Parameters
- Parameters:
KICS: API Gateway Method Does Not Contains An API Key
An API Key should be required on a method request.
Parameters
- Parameters:
KICS: API Gateway Method Settings Cache Not Encrypted
API Gateway Method Settings Cache should be encrypted
Parameters
- Parameters:
KICS: API Gateway Stage Without API Gateway UsagePlan Associated
API Gateway Stage should have API Gateway UsagePlan defined and associated.
Parameters
- Parameters:
KICS: API Gateway With CloudWatch Logging Disabled
AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation
Parameters
- Parameters:
KICS: API Gateway With Invalid Compression
API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.
Parameters
- Parameters:
KICS: API Gateway With Open Access
API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.
Parameters
- Parameters:
KICS: API Gateway Without Configured Authorizer
API Gateway REST API should have an API Gateway Authorizer
Parameters
- Parameters:
KICS: API Gateway Without Security Policy
API Gateway should have a Security Policy defined and use TLS 1.2.
Parameters
- Parameters:
KICS: API Gateway Without SSL Certificate
SSL Client Certificate should be enabled
Parameters
- Parameters:
KICS: API Gateway without WAF
API Gateway should have WAF (Web Application Firewall) enabled
Parameters
- Parameters:
KICS: API Gateway X-Ray Disabled
API Gateway should have X-Ray Tracing enabled
Parameters
- Parameters:
KICS: Athena Workgroup Not Encrypted
Athena Workgroup query results should be encrypted, for all queries that run in the workgroup
Parameters
- Parameters:
KICS: Auto Scaling Group With No Associated ELB
AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.
Parameters
- Parameters:
KICS: Automatic Minor Upgrades Disabled
RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.
Parameters
- Parameters:
KICS: Autoscaling Groups Supply Tags
Autoscaling groups should supply tags for configuration
Parameters
- Parameters:
KICS: AWS Password Policy With Unchangeable Passwords
Unchangeable passwords in AWS password policy
Parameters
- Parameters:
KICS: Batch Job Definition With Privileged Container Properties
Batch Job Definition should not have Privileged Container Properties
Parameters
- Parameters:
KICS: CA Certificate Identifier Is Outdated
The CA certificate Identifier must be 'rds-ca-2019'.
Parameters
- Parameters:
KICS: CDN Configuration Is Missing
Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.
Parameters
- Parameters:
KICS: CloudFront Logging Disabled
AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined
Parameters
- Parameters:
KICS: Cloudfront Viewer Protocol Policy Allows HTTP
Checks if the connection between CloudFront and the viewer is encrypted
Parameters
- Parameters:
KICS: CloudFront Without Minimum Protocol TLS 1.2
CloudFront Minimum Protocol version should be at least TLS 1.2
Parameters
- Parameters:
KICS: CloudFront Without WAF
All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
Parameters
- Parameters:
KICS: CloudTrail Log File Validation Disabled
CloudTrail log file validation should be enabled to determine whether a log file has been tampered with
Parameters
- Parameters:
KICS: CloudTrail Log Files Not Encrypted With KMS
Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
Parameters
- Parameters:
KICS: CloudTrail Logging Disabled
Checks if logging is enabled for CloudTrail.
Parameters
- Parameters:
KICS: CloudTrail Multi Region Disabled
CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled
Parameters
- Parameters:
KICS: CloudTrail Not Integrated With CloudWatch
CloudTrail should be integrated with CloudWatch
Parameters
- Parameters:
KICS: CloudTrail SNS Topic Name Undefined
Check if SNS topic name is set for CloudTrail
Parameters
- Parameters:
KICS: CloudWatch AWS Config Configuration Changes Alarm Missing
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Parameters
- Parameters:
KICS: CloudWatch AWS Organizations Changes Missing Alarm
Ensure a log metric filter and alarm exist for AWS organizations changes
Parameters
- Parameters:
KICS: CloudWatch Changes To NACL Alarm Missing
Ensure a log metric filter and alarm exist for changes to NACL
Parameters
- Parameters:
KICS: Cloudwatch Cloudtrail Configuration Changes Alarm Missing
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Parameters
- Parameters:
KICS: CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK
Parameters
- Parameters:
KICS: CloudWatch IAM Policy Changes Alarm Missing
Ensure a log metric filter and alarm exist for IAM policy changes
Parameters
- Parameters:
KICS: CloudWatch Log Group Without KMS
AWS CloudWatch Log groups should be encrypted using KMS
Parameters
- Parameters:
KICS: CloudWatch Logging Disabled
Check if CloudWatch logging is disabled for Route53 hosted zones
Parameters
- Parameters:
KICS: CloudWatch Logs Destination With Vulnerable Policy
CloudWatch Logs destination policy should avoid wildcard in 'principals' and 'actions'
Parameters
- Parameters:
KICS: CloudWatch Management Console Auth Failed Alarm Missing
Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
Parameters
- Parameters:
KICS: CloudWatch Console Sign-in Without MFA Alarm Missing
Ensure a log metric filter and alarm exist for management console sign-in without MFA
Parameters
- Parameters:
KICS: CloudWatch Metrics Disabled
Checks if CloudWatch Metrics is Enabled
Parameters
- Parameters:
KICS: CloudWatch Network Gateways Changes Alarm Missing
Ensure a log metric filter and alarm exist for network gateways changes
Parameters
- Parameters:
KICS: CloudWatch Root Account Use Missing
Ensure a log metric filter and alarm exist for root account usage
Parameters
- Parameters:
KICS: CloudWatch Route Table Changes Alarm Missing
Ensure a log metric filter and alarm exist for route table changes
Parameters
- Parameters:
KICS: CloudWatch S3 policy Change Alarm Missing
Ensure a log metric filter and alarm exist for S3 bucket policy changes
Parameters
- Parameters:
KICS: Cloudwatch Security Group Changes Alarm Missing
Ensure a log metric filter and alarm exist for security group changes
Parameters
- Parameters:
KICS: CloudWatch Unauthorized Access Alarm Missing
Ensure a log metric filter and alarm exist for unauthorized API calls
Parameters
- Parameters:
KICS: CloudWatch VPC Changes Alarm Missing
Ensure a log metric filter and alarm exist for VPC changes
Parameters
- Parameters:
KICS: CloudWatch Without Retention Period Specified
AWS CloudWatch Log groups should have retention days specified
Parameters
- Parameters:
KICS: CMK Is Unusable
AWS Key Management Service (KMS) must only possess usable Customer Master Keys (CMK), which means the CMKs must have the attribute 'is_enabled' set to true
Parameters
- Parameters:
KICS: CMK Rotation Disabled
Customer Master Keys (CMK) must have rotation enabled, which means the attribute 'enable_key_rotation' must be set to 'true' when the key is enabled.
Parameters
- Parameters:
KICS: Cognito UserPool Without MFA
AWS Cognito UserPool should have MFA (Multi-Factor Authentication) defined to users
Parameters
- Parameters:
KICS: Configuration Aggregator to All Regions Disabled
AWS Config Configuration Aggregator All Regions must be set to True
Parameters
- Parameters:
KICS: Config Rule For Encrypted Volumes Disabled
Check if AWS config rules do not identify Encrypted Volumes as a source.
Parameters
- Parameters:
KICS: Cross-Account IAM Assume Role Policy Without ExternalId or MFA
Cross-Account IAM Assume Role Policy should require external ID or MFA to protect cross-account access
Parameters
- Parameters:
KICS: DAX Cluster Not Encrypted
AWS DAX Cluster should have server-side encryption at rest
Parameters
- Parameters:
KICS: DB Instance Publicly Accessible
RDS must not be defined with public interface, which means the field 'publicly_accessible' should not be set to 'true' (default is 'false').
Parameters
- Parameters:
KICS: DB Instance Storage Not Encrypted
AWS DB Instance should have its storage encrypted by setting 'storage_encrypted' to 'true'. The 'storage_encrypted' default value is 'false'.
Parameters
- Parameters:
KICS: DB Security Group Has Public Interface
The CIDR IP should not be a public interface
Parameters
- Parameters:
KICS: DB Security Group Open To Large Scope
The IP address in a DB Security Group must not have more than 256 hosts.
Parameters
- Parameters:
KICS: DB Security Group With Public Scope
The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' (IPv6). If so, any IP can access it
Parameters
- Parameters:
KICS: Default Security Groups With Unrestricted Traffic
Check if default security group does not restrict all inbound and outbound traffic.
Parameters
- Parameters:
KICS: DOCDB Cluster Not Encrypted
AWS DOCDB Cluster storage should be encrypted
Parameters
- Parameters:
KICS: DOCDB Cluster Without KMS
AWS DOCDB Cluster should be encrypted with a KMS encryption key
Parameters
- Parameters:
KICS: DocDB Logging Is Disabled
DocDB logging should be enabled
Parameters
- Parameters:
KICS: DynamoDB Table Not Encrypted
AWS DynamoDB Tables should have server-side encryption
Parameters
- Parameters:
KICS: DynamoDB Table Point In Time Recovery Disabled
It's considered a best practice to have point in time recovery enabled for DynamoDB Table
Parameters
- Parameters:
KICS: EBS Default Encryption Disabled
EBS Encryption should be enabled
Parameters
- Parameters:
KICS: EBS Volume Encryption Disabled
EBS volumes should be encrypted
Parameters
- Parameters:
KICS: EBS Volume Snapshot Not Encrypted
AWS EBS Volume Snapshot encryption must be enabled
Parameters
- Parameters:
KICS: EC2 Instance Has Public IP
EC2 Instance should not have a public IP address.
Parameters
- Parameters:
KICS: EC2 Instance Monitoring Disabled
EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods
Parameters
- Parameters:
KICS: EC2 Instance Using Default Security Group
EC2 instances should not use default security group(s)
Parameters
- Parameters:
KICS: EC2 Instance Using Default VPC
EC2 Instances should not be configured under a default VPC network
Parameters
- Parameters:
KICS: EC2 Not EBS Optimized
It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
Parameters
- Parameters:
KICS: ECR Image Tag Not Immutable
ECR image tags should be immutable. This prevents image tags from being overwritten.
Parameters
- Parameters:
KICS: ECR Repository Is Publicly Accessible
Amazon ECR image repositories shouldn't have public access
Parameters
- Parameters:
KICS: ECR Repository Not Encrypted With CMK
ECR repositories should be encrypted with customer-managed keys to meet stricter security and compliance requirements on access control, monitoring, and key rotation
Parameters
- Parameters:
KICS: ECR Repository Without Policy
ECR Repository should have Policies attached to it
Parameters
- Parameters:
KICS: ECS Cluster with Container Insights Disabled
ECS Cluster should enable container insights
Parameters
- Parameters:
KICS: ECS Service Admin Role Is Present
ECS Services must not have Admin roles, which means the attribute 'iam_role' must not be an admin role
Parameters
- Parameters:
KICS: ECS Service Without Running Tasks
ECS Service should have at least 1 task running
Parameters
- Parameters:
KICS: ECS Task Definition Network Mode Not Recommended
'network_mode' should be 'awsvpc' in 'ecs_task_definition'. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations
Parameters
- Parameters:
KICS: ECS Task Definition Volume Not Encrypted
AWS ECS Task Definition EFS data in transit between AWS ECS host and AWS EFS server should be encrypted
Parameters
- Parameters:
KICS: ECS Task Definition Container With Plaintext Password
It's not recommended to use plaintext environment variables for sensitive information, such as credential data.
Parameters
- Parameters:
KICS: EFS Not Encrypted
Elastic File System (EFS) must be encrypted
Parameters
- Parameters:
KICS: EFS With Vulnerable Policy
EFS (Elastic File System) policy should avoid wildcard in 'Action' and 'Principal'.
Parameters
- Parameters:
KICS: EFS Without KMS
Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys
Parameters
- Parameters:
KICS: EKS Cluster Encryption Disabled
EKS Cluster should be encrypted
Parameters
- Parameters:
KICS: EKS Cluster Has Public Access
Amazon EKS public endpoint should be set to false
Parameters
- Parameters:
KICS: EKS Cluster Has Public Access CIDRs
Amazon EKS public endpoint is enabled and accessible to all (0.0.0.0/0)
Parameters
- Parameters:
KICS: EKS cluster logging is not enabled
Amazon EKS control plane logging is not enabled
Parameters
- Parameters:
KICS: EKS node group remote access disabled
EKS node group remote access is disabled when 'SourceSecurityGroups' is missing
Parameters
- Parameters:
KICS: ElastiCache Nodes Not Created Across Multi AZ
ElastiCache Nodes should be created across multiple AZs, which means 'az_mode' should be set to 'cross-az' in a multi-node cluster
Parameters
- Parameters:
KICS: ElastiCache Redis Cluster Without Backup
ElastiCache Redis cluster should have 'snapshot_retention_limit' higher than 0
Parameters
- Parameters:
KICS: ElastiCache Replication Group Not Encrypted At Rest
ElastiCache Replication Group encryption should be enabled at rest
Parameters
- Parameters:
KICS: ElastiCache Replication Group Not Encrypted At Transit
ElastiCache Replication Group encryption should be enabled in transit
Parameters
- Parameters:
KICS: ElastiCache Using Default Port
ElastiCache should not use the default port (an attacker can easily guess the port). For engine set to Redis, the default port is 6379. The Memcached default port is 11211
Parameters
- Parameters:
KICS: ElastiCache Without VPC
ElastiCache should be launched in a Virtual Private Cloud (VPC)
Parameters
- Parameters:
KICS: Elasticsearch Domain Not Encrypted Node To Node
Elasticsearch Domain encryption should be enabled node to node
Parameters
- Parameters:
KICS: Elasticsearch Domain With Vulnerable Policy
Elasticsearch Domain policy should avoid wildcard in 'Action' and 'Principal'.
Parameters
- Parameters:
KICS: ElasticSearch Encryption With KMS Disabled
Check if any ElasticSearch domain isn't encrypted with KMS.
Parameters
- Parameters:
KICS: Elasticsearch Log Disabled
AWS Elasticsearch should have logs enabled
Parameters
- Parameters:
KICS: ElasticSearch Not Encrypted At Rest
Check if ElasticSearch encryption is disabled at rest
Parameters
- Parameters:
KICS: Elasticsearch Without IAM Authentication
AWS Elasticsearch should ensure IAM Authentication
Parameters
- Parameters:
KICS: ElasticSearch Without Slow Logs
Ensure that AWS Elasticsearch enables support for slow logs
Parameters
- Parameters:
KICS: ELB Access Log Disabled
ELB should have logging enabled to help on error investigation
Parameters
- Parameters:
KICS: ELB Using Insecure Protocols
ELB Predefined or Custom Security Policies must not use insecure protocols, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of insecure protocols.
Parameters
- Parameters:
KICS: ELB Using Weak Ciphers
ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'name' of 'policy_attributes' must not coincide with any of a predefined list of weak ciphers.
Parameters
- Parameters:
KICS: EMR Without VPC
Elastic MapReduce Cluster (EMR) should be launched in a Virtual Private Cloud (VPC)
Parameters
- Parameters:
KICS: Global Accelerator Flow Logs Disabled
Global Accelerator should have flow logs enabled
Parameters
- Parameters:
KICS: Glue Data Catalog Encryption Disabled
Glue Data Catalog Encryption Settings should have 'connection_password_encryption' and 'encryption_at_rest' enabled
Parameters
- Parameters:
KICS: Glue Security Configuration Encryption Disabled
Glue Security Configuration Encryption should have 'cloudwatch_encryption', 'job_bookmarks_encryption' and 's3_encryption' enabled
Parameters
- Parameters:
KICS: Glue With Vulnerable Policy
Glue policy should avoid wildcard in 'principals' and 'actions'
Parameters
- Parameters:
KICS: GuardDuty Detector Disabled
Make sure that Amazon GuardDuty is Enabled
Parameters
- Parameters:
KICS: Hardcoded AWS Access Key In Lambda
Lambda access/secret keys should not be hardcoded
Parameters
- Parameters:
KICS: HTTP Port Open To Internet
The HTTP port is open to the internet in a Security Group
Parameters
- Parameters:
KICS: IAM Access Key Is Exposed
IAM Access Key should not be active for root users
Parameters
- Parameters:
KICS: IAM Database Auth Not Enabled
IAM Database Auth Enabled should be configured to true when using compatible engine and version
Parameters
- Parameters:
KICS: IAM Group Without Users
IAM Group should have at least one user associated
Parameters
- Parameters:
KICS: IAM Password Without Lowercase Letter
IAM Password should have at least one lowercase letter
Parameters
- Parameters:
KICS: IAM Password Without Minimum Length
IAM password should have the required minimum length
Parameters
- Parameters:
KICS: IAM Password Without Symbol
IAM password should have the required symbols
Parameters
- Parameters:
KICS: IAM Password Without Uppercase Letter
IAM password should have at least one uppercase letter
Parameters
- Parameters:
KICS: IAM Policies Attached To User
IAM policies should be attached only to groups or roles
Parameters
- Parameters:
KICS: IAM Policies With Full Privileges
IAM policies shouldn't allow full administrative privileges (for all resources)
Parameters
- Parameters:
KICS: IAM Policy Grants 'AssumeRole' Permission Across All Services
IAM Policy should not grant 'AssumeRole' permission across all services.
Parameters
- Parameters:
KICS: IAM Policy Grants Full Permissions
IAM policies should not grant full permissions to resources from the outset; permissions should instead be granted gradually as necessary.
Parameters
- Parameters:
KICS: IAM Role Allows All Principals To Assume
IAM role allows all services or principals to assume it
Parameters
- Parameters:
KICS: IAM Role Policy passRole Allows All
Using the iam:passrole action with wildcards (*) in the resource can be overly permissive because it allows iam:passrole permissions on multiple resources
Parameters
- Parameters:
KICS: IAM Role With Full Privileges
IAM role policies should not allow full administrative privileges (for all resources)
Parameters
- Parameters:
KICS: IAM User Policy Without MFA
Check if the root user is authenticated with MFA
Parameters
- Parameters:
KICS: Instance With No VPC
EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
Parameters
- Parameters:
KICS: Kinesis Not Encrypted With KMS
AWS Kinesis Streams and metadata should be protected with KMS
Parameters
- Parameters:
KICS: Kinesis SSE Not Configured
AWS Kinesis Server data at rest should have Server Side Encryption (SSE) enabled
Parameters
- Parameters:
KICS: KMS Key With No Deletion Window
AWS KMS Key should have a valid deletion window
Parameters
- Parameters:
KICS: KMS Key With Vulnerable Policy
Checks if the policy is vulnerable and needs updating.
Parameters
- Parameters:
KICS: Lambda Function With Privileged Role
It is not advisable for AWS Lambda Functions to have privileged permissions.
Parameters
- Parameters:
KICS: Lambda Functions Without X-Ray Tracing
AWS Lambda functions should have TracingConfig enabled. For this, the property 'tracing_config.mode' should have the value 'Active'
Parameters
- Parameters:
KICS: Lambda IAM InvokeFunction Misconfigured
Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction'
Parameters
- Parameters:
KICS: Lambda Permission Misconfigured
Lambda permission may be misconfigured if the action field is not set to 'lambda:InvokeFunction'
Parameters
- Parameters:
KICS: Lambda Permission Principal Is Wildcard
Lambda Permission Principal should not contain a wildcard.
Parameters
- Parameters:
KICS: Lambda With Vulnerable Policy
The attribute 'action' should not have wildcard
Parameters
- Parameters:
KICS: Launch Configuration Is Not Encrypted
Launch Configuration EBS should have the data in the volumes encrypted. To encrypt the data, the 'encrypted' argument should be set to true in each volume block
Parameters
- Parameters:
KICS: Misconfigured Password Policy Expiration
No password expiration policy
Parameters
- Parameters:
KICS: Missing Cluster Log Types
Amazon EKS control plane logging is not enabled for all log types
Parameters
- Parameters:
KICS: MQ Broker Is Publicly Accessible
Check whether any MQ Broker is publicly accessible
Parameters
- Parameters:
KICS: MQ Broker Logging Disabled
Check whether MQ Brokers lack logging in either of the two possible options (audit and general).
Parameters
- Parameters:
KICS: MSK Broker Is Publicly Accessible
Public AWS MSK allows anyone to interact with the Apache Kafka broker, therefore increasing the opportunity for malicious activity. To prevent such a scenario, it is recommended for AWS MSK to not be publicly accessible
Parameters
- Parameters:
KICS: MSK Cluster Encryption Disabled
Ensure MSK Cluster encryption at rest and in transit is enabled
Parameters
- Parameters:
KICS: MSK Cluster Logging Disabled
Ensure MSK Cluster Logging is enabled
Parameters
- Parameters:
KICS: Neptune Cluster Instance is Publicly Accessible
Neptune Cluster Instance should not be publicly accessible
Parameters
- Parameters:
KICS: Neptune Cluster With IAM Database Authentication Disabled
Neptune Cluster should have IAM Database Authentication enabled
Parameters
- Parameters:
KICS: Neptune Database Cluster Encryption Disabled
Neptune database cluster storage should have encryption enabled
Parameters
- Parameters:
KICS: Neptune Logging Is Disabled
Neptune logging should be enabled
Parameters
- Parameters:
KICS: Network ACL With Unrestricted Access To RDP
'RDP' (TCP:3389) should not be public in AWS Network ACL
Parameters
- Parameters:
KICS: Network ACL With Unrestricted Access To SSH
'SSH' (TCP:22) should not be public in AWS Network ACL
Parameters
- Parameters:
KICS: No Password Policy Enabled
IAM password policies should be set through the password minimum length and reset password attributes
Parameters
- Parameters:
KICS: No Stack Policy
AWS CloudFormation Stack should have a stack policy in order to protect stack resources from update actions
Parameters
- Parameters:
KICS: Password Without Reuse Prevention
Check whether the IAM account password policy has password reuse prevention configured with a value of 24
Parameters
- Parameters:
KICS: Policy Without Principal
All policies, except IAM identity-based policies, should have the 'Principal' element defined
Parameters
- Parameters:
KICS: Public Lambda via API Gateway
Allows running a Lambda function through a public API Gateway
Parameters
- Parameters:
KICS: RDS Associated with Public Subnet
RDS should not run in a public subnet
Parameters
- Parameters:
KICS: RDS Database Cluster not Encrypted
RDS Database Cluster Encryption should be enabled
Parameters
- Parameters:
KICS: RDS Storage Not Encrypted
RDS Storage should be encrypted, which means the attribute 'storage_encrypted' should be set to 'true'
Parameters
- Parameters:
KICS: RDS Using Default Port
RDS should not use the default port (an attacker can easily guess the port). For engines related to Aurora, MariaDB or MySQL, the default port is 3306. PostgreSQL default port is 5432, Oracle default port is 1521 and SQL Server default port is 1433
Parameters
- Parameters:
KICS: RDS With Backup Disabled
Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0, there is no backup
Parameters
- Parameters:
KICS: RDS Without Logging
RDS instance does not have any kind of logging enabled
Parameters
- Parameters:
KICS: Redis Disabled
ElastiCache should have Redis enabled, since it covers Compliance Certifications such as FedRAMP, HIPAA, and PCI DSS. For more information, take a look at 'https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SelectEngine.html'
Parameters
- Parameters:
KICS: Redis Not Compliant
Check if the Redis version is compliant with the necessary AWS PCI DSS requirements
Parameters
- Parameters:
KICS: Redshift Cluster Logging Disabled
Make sure Logging is enabled for Redshift Cluster
Parameters
- Parameters:
KICS: Redshift Cluster Without VPC
Redshift Cluster should be configured in VPC (Virtual Private Cloud)
Parameters
- Parameters:
KICS: Redshift Not Encrypted
AWS Redshift Cluster should be encrypted. Check if 'encrypted' field is false or undefined (default is false)
Parameters
- Parameters:
KICS: Redshift Publicly Accessible
AWS Redshift Clusters must not be publicly accessible. Check if 'publicly_accessible' field is true or undefined (default is true)
Parameters
- Parameters:
KICS: Redshift Using Default Port
Redshift should not use the default port (5439) because an attacker can easily guess the port
Parameters
- Parameters:
KICS: Remote Desktop Port Open To Internet
The Remote Desktop port is open to the internet in a Security Group
Parameters
- Parameters:
KICS: Resource Not Using Tags
AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
Role with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:AddUserToGroup'
Role with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
Role with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:AttachRolePolicy'
Role with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:AttachUserPolicy'
Role with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:CreateAccessKey'
Role with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:CreateLoginProfile'
Role with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
Role with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
Role with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
Role with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
Role with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
Role with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:PutGroupPolicy'
Role with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:PutRolePolicy'
Role with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:PutUserPolicy'
Role with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
Role with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
Role with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
Role with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Role With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
Role with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: Root Account Has Active Access Keys
The AWS Root Account must not have active access keys associated, which means if there are access keys associated to the Root Account, they must be inactive.
Parameters
- Parameters:
KICS: Route53 Record Undefined
Check if Record is set
Parameters
- Parameters:
KICS: S3 Bucket Access to Any Principal
S3 Buckets must not allow Actions From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when there are All Principals
Parameters
- Parameters:
KICS: S3 Bucket ACL Allows Read Or Write to All Users
S3 Buckets should not be readable and writable to all users
Parameters
- Parameters:
KICS: S3 Bucket ACL Allows Read to Any Authenticated User
S3 Buckets should not be readable to any authenticated user
Parameters
- Parameters:
KICS: S3 Bucket ACL Grants WRITE_ACP Permission
S3 Buckets should not allow WRITE_ACP permission on the S3 Bucket Access Control List, in order to prevent AWS accounts or IAM users from modifying access control permissions on the bucket.
Parameters
- Parameters:
KICS: S3 Bucket Allows Delete Action From All Principals
S3 Buckets must not allow Delete Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.
Parameters
- Parameters:
KICS: S3 Bucket Allows Get Action From All Principals
S3 Buckets must not allow Get Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.
Parameters
- Parameters:
KICS: S3 Bucket Allows List Action From All Principals
S3 Buckets must not allow List Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.
Parameters
- Parameters:
KICS: S3 Bucket Allows Public ACL
S3 bucket allows public ACL
Parameters
- Parameters:
KICS: S3 Bucket Allows Put Action From All Principals
S3 Buckets must not allow Put Action From All Principals, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.
Parameters
- Parameters:
KICS: S3 Bucket Object Not Encrypted
S3 Bucket Object should have server-side encryption enabled
Parameters
- Parameters:
KICS: S3 Bucket Policy Accepts HTTP Requests
S3 Bucket policy should not accept HTTP Requests
Parameters
- Parameters:
KICS: S3 Bucket With All Permissions
S3 Buckets should not grant all permissions, so as to prevent leaking private information to the entire internet or allowing unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is '*', for all Principals.
Parameters
- Parameters:
KICS: S3 Bucket Allows Public Policy
S3 bucket allows public policy
Parameters
- Parameters:
KICS: S3 Bucket with Unsecured CORS Rule
If the CORS (Cross-Origin Resource Sharing) rule is defined in an S3 bucket, it should be secure
Parameters
- Parameters:
KICS: S3 Bucket Without Ignore Public ACL
S3 bucket without ignore public ACL
Parameters
- Parameters:
KICS: S3 Bucket Without Restriction Of Public Bucket
S3 bucket without restriction of public bucket
Parameters
- Parameters:
KICS: S3 Bucket Without Versioning
S3 bucket should have versioning enabled
Parameters
- Parameters:
KICS: S3 Static Website Host Enabled
Checks if any static websites are hosted on buckets. Even static websites can be a liability when poorly configured.
Parameters
- Parameters:
KICS: Sagemaker Endpoint Configuration Encryption Disabled
Sagemaker endpoint configuration should encrypt data
Parameters
- Parameters:
KICS: Sagemaker Notebook Instance Without KMS
AWS SageMaker should encrypt model artifacts at rest using Amazon S3 server-side encryption with an AWS KMS key
Parameters
- Parameters:
KICS: Secrets Manager With Vulnerable Policy
Secrets Manager policy should avoid wildcard in 'Principal' and 'Action'
Parameters
- Parameters:
KICS: Secretsmanager Secret Without KMS
AWS Secrets Manager should use an AWS KMS customer master key (CMK) to encrypt the secret values in the versions stored in the secret
Parameters
- Parameters:
KICS: Secure Ciphers Disabled
Check if secure ciphers aren't used in CloudFront
Parameters
- Parameters:
KICS: Security Group Rule Without Description
It's considered a best practice for all rules in AWS Security Group to have a description
Parameters
- Parameters:
KICS: Security Group With Unrestricted Access To SSH
'SSH' (TCP:22) should not be public in AWS Security Group
Parameters
- Parameters:
KICS: Security Group Rule Without Description
It's considered a best practice for AWS Security Group to have a description
Parameters
- Parameters:
KICS: Security Group Not Used
Security group must be used or not declared
Parameters
- Parameters:
KICS: Sensitive Port Is Exposed To Entire Network
A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
Parameters
- Parameters:
KICS: Sensitive Port Is Exposed To Small Public Network
A sensitive port, such as port 23 or port 110, is open for a small public network in either TCP or UDP protocol
Parameters
- Parameters:
KICS: Sensitive Port Is Exposed To Wide Private Network
A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol
Parameters
- Parameters:
KICS: Service Control Policies Disabled
Check whether Amazon Organizations has all features enabled, which is required for full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs).
Parameters
- Parameters:
KICS: SES Policy With Allowed IAM Actions
SES policy should not allow IAM actions to all principals
Parameters
- Parameters:
KICS: Shield Advanced Not In Use
AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks
Parameters
- Parameters:
KICS: SNS Topic is Publicly Accessible
SNS Topic Policy should not allow access to any principal
Parameters
- Parameters:
KICS: SNS Topic Not Encrypted
SNS (Simple Notification Service) Topic should be encrypted
Parameters
- Parameters:
KICS: SNS Topic Publicity Has Allow and NotAction Simultaneously
SNS topic Publicity should not have 'Effect: Allow' and argument 'NotAction' at the same time. If it has 'Effect: Allow', the argument stated should be 'Action'.
Parameters
- Parameters:
KICS: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
Check if port 2383 on TCP is publicly accessible by checking the CIDR block range that can access it.
Parameters
- Parameters:
KICS: SQS Policy Allows All Actions
SQS policy allows ALL (*) actions
Parameters
- Parameters:
KICS: SQS Policy With Public Access
Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk, as it would allow various attacks against the queue
Parameters
- Parameters:
KICS: SQS Queue Exposed
Checks if the SQS Queue is exposed
Parameters
- Parameters:
KICS: SQS With SSE Disabled
Amazon Simple Queue Service (SQS) queues should protect the contents of their messages using Server-Side Encryption (SSE)
Parameters
- Parameters:
KICS: SSM Session Transit Encryption Disabled
SSM Session should be encrypted in transit
Parameters
- Parameters:
KICS: Stack Notifications Disabled
AWS CloudFormation should have stack notifications enabled to be notified when an event occurs
Parameters
- Parameters:
KICS: Stack Retention Disabled
Make sure that retain_stack is enabled to keep the Stack and its associated resources during resource destruction
Parameters
- Parameters:
KICS: Stack Without Template
AWS CloudFormation should have a template defined through the attribute template_url or attribute template_body
Parameters
- Parameters:
KICS: Unknown Port Exposed To Internet
AWS Security Group should not have an unknown port exposed to the entire Internet
Parameters
- Parameters:
KICS: Unrestricted Security Group Ingress
Security groups allow ingress from 0.0.0.0/0
Parameters
- Parameters:
KICS: Unscanned ECR Image
Checks if the ECR Image has been scanned
Parameters
- Parameters:
KICS: User Data Contains Encoded Private Key
User Data should not contain a base64 encoded private key. If so, anyone can decode the private key easily
Parameters
- Parameters:
KICS: User Data Shell Script Is Encoded
User Data Shell Script must be encoded
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'glue:UpdateDevEndpoint'
User with privilege escalation by actions 'glue:UpdateDevEndpoint' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:AddUserToGroup'
User with privilege escalation by actions 'iam:AddUserToGroup' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:AttachGroupPolicy'
User with privilege escalation by actions 'iam:AttachGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:AttachRolePolicy'
User with privilege escalation by actions 'iam:AttachRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:AttachUserPolicy'
User with privilege escalation by actions 'iam:AttachUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:CreateAccessKey'
User with privilege escalation by actions 'iam:CreateAccessKey' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:CreateLoginProfile'
User with privilege escalation by actions 'iam:CreateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:CreatePolicyVersion'
User with privilege escalation by actions 'iam:CreatePolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'cloudformation:CreateStack' And 'iam:PassRole'
User with privilege escalation by actions 'cloudformation:CreateStack' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'ec2:RunInstances' And 'iam:PassRole'
User with privilege escalation by actions 'ec2:RunInstances' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'glue:CreateDevEndpoint' And 'iam:PassRole'
User with privilege escalation by actions 'glue:CreateDevEndpoint' and 'iam:PassRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'lambda:CreateFunction' And 'iam:PassRole' And 'lambda:InvokeFunction'
User with privilege escalation by actions 'lambda:CreateFunction' and 'iam:PassRole' and 'lambda:InvokeFunction' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:PutGroupPolicy'
User with privilege escalation by actions 'iam:PutGroupPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:PutRolePolicy'
User with privilege escalation by actions 'iam:PutRolePolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:PutUserPolicy'
User with privilege escalation by actions 'iam:PutUserPolicy' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:SetDefaultPolicyVersion'
User with privilege escalation by actions 'iam:SetDefaultPolicyVersion' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:UpdateAssumeRolePolicy' And 'sts:AssumeRole'
User with privilege escalation by actions 'iam:UpdateAssumeRolePolicy' and 'sts:AssumeRole' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'iam:UpdateLoginProfile'
User with privilege escalation by actions 'iam:UpdateLoginProfile' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: User With Privilege Escalation By Actions 'lambda:UpdateFunctionCode'
User with privilege escalation by actions 'lambda:UpdateFunctionCode' and Resource set to '*'. For more information see https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.
Parameters
- Parameters:
KICS: VPC Default Security Group Accepts All Traffic
Default Security Group attached to every VPC should restrict all traffic
Parameters
- Parameters:
KICS: VPC FlowLogs Disabled
Every VPC resource should have an associated Flow Log
Parameters
- Parameters:
KICS: VPC Subnet Assigns Public IP
VPC Subnet should not assign public IP
Parameters
- Parameters:
KICS: VPC Without Network Firewall
VPC should have a Network Firewall associated
Parameters
- Parameters:
KICS: Vulnerable Default SSL Certificate
CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.
Parameters
- Parameters:
KICS: Workspaces Workspace Volume Not Encrypted
AWS Workspaces Workspace data stored in volumes should be encrypted
Parameters
- Parameters:
AWS: Lambda: Prohibit publicly accessible Lambda functions
Requires AWS/Lambda Function Permissions to include an AWS account ID principal, principal_org_id, source_account AWS account ID, or source_arn resource ARN to prevent public access. Checks resources with type 'aws_lambda_permission'.
Parameters
None
AWS: Security Groups: Restrict Ingress from public IPs.
Require AWS/Security Groups to allow ingress from private IPv4 CIDRs only. Private IPv4 CIDR IP ranges: "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16". Checks resources with type 'aws_security_group'.
Parameters
None
AWS: Security Groups: Ingress Allow only whitelisted CIDR and Ports
Require AWS/Security Groups to have ingress from whitelisted CIDR blocks on whitelisted ports. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_security_group'.
Parameters
Parameters:
allowed_cidr_ports
- Type: object
- Unique: false
- Required Parameters: allowed_cidr_ports
AWS: Security Groups: Ingress Allow only whitelisted Ports
Require AWS/Security Groups to open only whitelisted ports to the CIDR "0.0.0.0/0". Checks resources with type 'aws_security_group'.
Parameters
Parameters:
allowed_ports
- Type: array
- Unique: true
- Required Parameters: allowed_ports
AWS: OpenSearch: Prohibit OpenSearch Domains with disabled encryption at rest
Require AWS/OpenSearch domains to have encryption at rest enabled. Checks resources with type 'aws_opensearch_domain'.
Parameters
None
AWS: Opensearch: Prohibit Opensearch Domains with disabled node to node encryption
Require AWS/Opensearch domains to have node to node encryption enabled. Checks resources with type 'aws_opensearch_domain'.
Parameters
None
AWS: Opensearch: Prohibit Opensearch Domains not created in VPC
Require AWS/Opensearch domains to have subnets added in vpc_options. Checks resources with type 'aws_opensearch_domain'.
Parameters
None
AWS: RDS: Prohibit RDS instance with disabled automatic minor version upgrade
Require AWS/RDS instances to have automatic minor version upgrade enabled. Checks resources with type 'aws_db_instance'.
Parameters
None
AWS: RDS: Prohibit RDS instances with disabled IAM database authentication
Require AWS/RDS instances to have IAM authentication enabled. Checks resources with type 'aws_db_instance'.
Parameters
None
AWS: RDS: Prohibit publicly accessible RDS instances
Require AWS/RDS instances to not be publicly accessible. Checks resources with type 'aws_db_instance'.
Parameters
None
AWS: RDS: Prohibit RDS clusters with disabled IAM authentication
Require AWS/RDS clusters to have IAM authentication enabled. Checks resources with type 'aws_rds_cluster'.
Parameters
None
AWS: RDS: Prohibit RDS instances with disabled CloudWatch log exports
Require AWS/RDS instances to have CloudWatch log exports enabled. Checks resources with type 'aws_db_instance'.
Parameters
None
AWS: Redshift: Prohibit Redshift cluster with disabled enhanced VPC routing
Require AWS/Redshift cluster to have enhanced VPC routing enabled. Checks resources with type 'aws_redshift_cluster'.
Parameters
None
AWS: Redshift: Prohibit publicly accessible Redshift cluster
Require AWS/Redshift cluster to not be publicly accessible. Checks resources with type 'aws_redshift_cluster'.
Parameters
None
AWS: S3: Block All Public Access to Buckets
Require AWS/S3 buckets to block all public access. Checks resources with type 'aws_s3_bucket' along with 'aws_s3_bucket_public_access_block'.
Parameters
None
AWS: S3: Ensure Logging is Enabled in S3 Buckets
Require AWS/S3 buckets to have logging enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
None
AWS: S3: Prohibit Bucket Policies containing An Asterisk In Actions
Require AWS/S3 bucket policy to not use an asterisk in 'Action'. Checks resources with type 'aws_s3_bucket_policy'.
Parameters
None
AWS: S3: Prohibit Unencrypted Buckets
Require AWS/S3 buckets to be encrypted. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
None
AWS: S3: Prohibit Unencrypted Bucket Object
Require AWS/S3 bucket objects to be server-side encrypted. Checks resources with type 'aws_s3_bucket_object'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
None
AWS: S3: Ensure Versioning is Enabled for S3 Buckets
Require AWS/S3 buckets to have versioning enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
None
AWS: S3: Restrict S3 buckets with unapproved ACL
Require AWS/S3 to use Canned ACL from a pre-approved list. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
Parameters:
allowed_acls
- Type: array
- Unique: true
- Required Parameters: allowed_acls
AWS: S3: Allow ingress only from whitelisted IP's
Require AWS/S3 bucket policies to restrict access to whitelisted source IPs. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_s3_bucket_policy'.
Parameters
Parameters:
allowed_ips
- Type: array
- Unique: true
- Required Parameters: allowed_ips
AWS: SageMaker: Prohibit SageMaker Notebook instance with direct internet access enabled
Require AWS/SageMaker instance to have direct internet access disabled. Checks resources with type 'aws_sagemaker_notebook_instance'.
Parameters
None
AWS: SSM: Prohibit publicly accessible SSM documents
Require AWS/SSM Document not to be publicly accessible. Checks resources with type 'aws_ssm_document'.
Parameters
None
Azure: IAM: Prohibit assignment of Owner role
Require Azure/IAM role assignment to not have owner role assigned to any principal. Checks resources with type 'azurerm_role_assignment'.
Parameters
None
KICS: AD Admin Not Configured For SQL Server
The Active Directory Administrator is not configured for a SQL server
Parameters
- Parameters:
KICS: Admin User Enabled For Container Registry
Admin user is enabled for Container Registry
Parameters
- Parameters:
KICS: AKS Disk Encryption Set ID Undefined
Azure Container Service (AKS) should use Disk Encryption Set ID in supported types of disk
Parameters
- Parameters:
KICS: AKS Network Policy Misconfigured
Azure Kubernetes Service should have the proper network policy configuration to ensure the principle of least privileges, which means that 'network_profile.network_policy' should be defined
Parameters
- Parameters:
KICS: AKS Private Cluster Disabled
Azure Kubernetes Service (AKS) API should not be exposed to the internet
Parameters
- Parameters:
KICS: AKS RBAC Disabled
Azure Container Service (AKS) instance should have role-based access control (RBAC) enabled
Parameters
- Parameters:
KICS: AKS Uses Azure Policies Add-On Disabled
Azure Container Service (AKS) should use Azure Policies Add-On
Parameters
- Parameters:
KICS: App Service Authentication Disabled
Azure App Service authentication settings should be enabled
Parameters
- Parameters:
KICS: App Service FTPS Enforce Disabled
Azure App Service should only enforce FTPS when 'ftps_state' is enabled
Parameters
- Parameters:
KICS: App Service HTTP2 Disabled
App Service should have 'http2_enabled' enabled
Parameters
- Parameters:
KICS: App Service Managed Identity Disabled
Azure App Service should have managed identity enabled
Parameters
- Parameters:
KICS: App Service Not Using Latest TLS Encryption Version
Ensure App Service is using the latest version of TLS encryption
Parameters
- Parameters:
KICS: App Service Without Latest PHP Version
Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.
Parameters
- Parameters:
KICS: App Service Without Latest Python Version
Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.
Parameters
- Parameters:
KICS: Azure Active Directory Authentication
Azure Active Directory must be used for authentication for Service Fabric
Parameters
- Parameters:
KICS: Azure App Service Client Certificate Disabled
Azure App Service client certificate should be enabled
Parameters
- Parameters:
KICS: Azure Cognitive Search Public Network Access Enabled
Public Network Access should be disabled for Azure Cognitive Search
Parameters
- Parameters:
KICS: Azure Container Registry With No Locks
Azurerm Container Registry should contain associated locks, which means 'azurerm_management_lock.scope' should be associated with 'azurerm_container_registry'
Parameters
- Parameters:
KICS: Azure Front Door WAF Disabled
Azure Front Door WAF should be enabled
Parameters
- Parameters:
KICS: Cosmos DB Account Without Tags
Cosmos DB Account must have a mapping of tags.
Parameters
- Parameters:
KICS: CosmosDB Account IP Range Filter Not Set
The IP range filter should be defined to secure the data stored
Parameters
- Parameters:
KICS: Dashboard Is Enabled
Check if the Kubernetes Dashboard is enabled.
Parameters
- Parameters:
KICS: Default Azure Storage Account Network Access Is Too Permissive
Default Azure Storage Account network access should be set to Deny
Parameters
- Parameters:
KICS: Default Network Access is Allowed
Default Network Access rule for Storage Accounts must be set to deny, which means the attribute 'default_action' must be 'Deny'
Parameters
- Parameters:
KICS: Email Alerts Disabled
Make sure that alerts notifications are set to 'On' in the Azure Security Center Contact
Parameters
- Parameters:
KICS: Encryption On Managed Disk Disabled
Ensure that the encryption is active on the disk
Parameters
- Parameters:
KICS: Firewall Rule Allows Too Many Hosts To Access Redis Cache
Check if any firewall rule allows too many hosts to access Redis Cache
Parameters
- Parameters:
KICS: Function App Authentication Disabled
Azure Function App authentication settings should be enabled
Parameters
- Parameters:
KICS: Function App Client Certificates Unrequired
Azure Function App should have 'client_cert_mode' set to required
Parameters
- Parameters:
KICS: Function App FTPS Enforce Disabled
Azure Function App should only enforce FTPS when 'ftps_state' is enabled
Parameters
- Parameters:
KICS: Function App HTTP2 Disabled
Function App should have 'http2_enabled' enabled
Parameters
- Parameters:
KICS: Function App Managed Identity Disabled
Azure Function App should have managed identity enabled
Parameters
- Parameters:
KICS: Function App Not Using Latest TLS Encryption Version
Ensure Function App is using the latest version of TLS encryption
Parameters
- Parameters:
KICS: Geo Redundancy Is Disabled
Make sure that on PostgreSQL Geo Redundant Backups is enabled
Parameters
- Parameters:
KICS: Key Expiration Not Set
Make sure that for all keys the expiration date is set
Parameters
- Parameters:
KICS: Key Vault Secrets Content Type Undefined
Key Vault Secrets should have set Content Type
Parameters
- Parameters:
KICS: Log Retention Is Not Set
Make sure that for PostgreSQL Database, server parameter 'log_retention' is set to 'ON'
Parameters
- Parameters:
KICS: MariaDB Server Public Network Access Enabled
MariaDB Server Public Network Access should be disabled
Parameters
- Parameters:
KICS: MariaDB Server Geo-redundant Backup Disabled
MariaDB Server Geo-redundant Backup should be enabled
Parameters
- Parameters:
KICS: MSSQL Server Auditing Disabled
Make sure that for MSSQL Servers, that 'Auditing' is set to 'On'
Parameters
- Parameters:
KICS: MSSQL Server Public Network Access Enabled
MSSQL Server public network access should be disabled
Parameters
- Parameters:
KICS: MySQL Server Public Access Enabled
MySQL Server public access should be disabled
Parameters
- Parameters:
KICS: MySQL SSL Connection Disabled
Make sure that for MySQL Database Server, 'Enforce SSL connection' is enabled
Parameters
- Parameters:
KICS: Network Interfaces With Public IP
Network Interfaces should not be exposed with a public IP address. If configured, additional security baselines should be followed (https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/virtual-network-security-baseline, https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/public-ip-security-baseline)
Parameters
- Parameters:
KICS: Network Interfaces IP Forwarding Enabled
Network Interfaces IP Forwarding should be disabled
Parameters
- Parameters:
KICS: Network Watcher Flow Disabled
Check if the enable field in the resource azurerm_network_watcher_flow_log is false.
Parameters
- Parameters:
KICS: PostgreSQL Log Checkpoints Disabled
Make sure that for PostgreSQL Database Server, parameter 'log_checkpoints' is set to 'ON'
Parameters
- Parameters:
KICS: PostgreSQL Log Connections Not Set
Make sure that for PostgreSQL Database, server parameter 'log_connections' is set to 'ON'
Parameters
- Parameters:
KICS: PostgreSQL Log Duration Not Set
Make sure that for PostgreSQL Database, server parameter 'log_duration' is set to 'ON'
Parameters
- Parameters:
KICS: PostgreSQL Server Infrastructure Encryption Disabled
PostgreSQL Server Infrastructure Encryption should be enabled
Parameters
- Parameters:
KICS: PostgreSQL Server Without Connection Throttling
Ensure that Connection Throttling is set for the PostgreSQL server
Parameters
- Parameters:
KICS: PostgreSQL Log Disconnections Not Set
Make sure that for PostgreSQL Database, server parameter 'log_disconnections' is set to 'ON'
Parameters
- Parameters:
KICS: PostgreSQL Server Threat Detection Policy Disabled
PostgreSQL Server Threat Detection Policy should be enabled
Parameters
- Parameters:
KICS: Public Storage Account
Storage Account should not be public to grant the principle of least privileges
Parameters
- Parameters:
KICS: RDP Is Exposed To The Internet
Port 3389 (Remote Desktop) is exposed to the internet
Parameters
- Parameters:
KICS: Redis Cache Allows Non SSL Connections
Redis Cache resources should not allow non-SSL connections
Parameters
- Parameters:
KICS: Redis Entirely Accessible
Firewall rule allowing unrestricted access to Redis from the Internet
Parameters
- Parameters:
KICS: Redis Not Updated Regularly
Redis Cache is not configured to be updated regularly with security and operational updates
Parameters
- Parameters:
KICS: Redis Publicly Accessible
Firewall rule allowing unrestricted access to Redis from other Azure sources
Parameters
- Parameters:
KICS: Role Assignment Not Limit Guest User Permissions
Role Assignment should limit guest user permissions
Parameters
- Parameters:
KICS: Role Assignment Of Guest Users
There is a role assignment for a guest user
Parameters
- Parameters:
KICS: Role Definition Allows Custom Role Creation
Role Definition should not allow custom role creation (Microsoft.Authorization/roleDefinitions/write)
Parameters
- Parameters:
KICS: Secret Expiration Not Set
Make sure that for all secrets the expiration date is set
Parameters
- Parameters:
KICS: Security Center Pricing Tier Is Not Standard
Make sure that the 'Standard' pricing tiers were selected.
Parameters
- Parameters:
KICS: Security Contact Email
Security Contact Email should be defined
Parameters
- Parameters:
KICS: Security Group is Not Configured
Azure Virtual Network subnet must be configured with a Network Security Group, which means the attribute 'security_group' must be defined and not empty
Parameters
- Parameters:
KICS: Sensitive Port Is Exposed To Entire Network
A sensitive port, such as port 23 or port 110, is open to the whole network in either the TCP or UDP protocol
Parameters
- Parameters:
KICS: Sensitive Port Is Exposed To Small Public Network
A sensitive port, such as port 23 or port 110, is open to a small public network in either the TCP or UDP protocol
Parameters
- Parameters:
KICS: Sensitive Port Is Exposed To Wide Private Network
A sensitive port, such as port 23 or port 110, is open to a wide private network in either the TCP or UDP protocol
Parameters
- Parameters:
KICS: Small Activity Log Retention Period
Ensure that Activity Log Retention is set 365 days or greater
Parameters
- Parameters:
KICS: Small Flow Logs Retention Period
Flow logs enable capturing information about IP traffic flowing in and out of the network security groups. Network Security Group Flow Logs must be enabled with retention period greater than or equal to 90 days. This is important, because these logs are used to check for anomalies and give information of suspected breaches
Parameters
- Parameters:
KICS: Small MSSQL Server Audit Retention
Make sure for SQL Servers that Auditing Retention is greater than 90 days
Parameters
- Parameters:
KICS: Small MSSQL Audit Retention Period
Make sure that for MSSQL Server, the Auditing Retention is greater than 90 days
Parameters
- Parameters:
KICS: Small PostgreSQL DB Server Log Retention Period
Check if PostgreSQL Database Server retains logs for less than 3 Days
Parameters
- Parameters:
KICS: SQL Database Audit Disabled
Ensure that 'Threat Detection' is enabled for Azure SQL Database
Parameters
- Parameters:
KICS: SQL Server Alert Email Disabled
SQL Server alert email should be enabled
Parameters
- Parameters:
KICS: SQL Server Auditing Disabled
Make sure that for SQL Servers, 'Auditing' is set to 'On'
Parameters
- Parameters:
KICS: SQLServer Ingress From Any IP
Check if all IPs are allowed, i.e. a rule whose range runs from start 0.0.0.0 to end 255.255.255.255.
Parameters
- Parameters:
KICS: SQL Server Predictable Active Directory Account Name
Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict
Parameters
- Parameters:
KICS: SQL Server Predictable Admin Account Name
Azure SQL Server's Admin account login must avoid using names like 'Admin', that are too predictable, which means the attribute 'administrator_login' must be set to a name that is not easy to predict
Parameters
- Parameters:
KICS: SSH Is Exposed To The Internet
Port 22 (SSH) is exposed to the internet
Parameters
- Parameters:
KICS: SSL Enforce Disabled
Make sure that for PostgreSQL, the 'Enforce SSL connection' is set to 'ENABLED'
Parameters
- Parameters:
KICS: Storage Account Not Forcing HTTPS
Storage Accounts should enforce the use of HTTPS
Parameters
- Parameters:
KICS: Storage Account Not Using Latest TLS Encryption Version
Ensure Storage Account is using the latest version of TLS encryption
Parameters
- Parameters:
KICS: Storage Container Is Publicly Accessible
Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage
Parameters
- Parameters:
KICS: Storage Share File Allows All ACL Permissions
Azure Storage Share File should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).
Parameters
- Parameters:
KICS: Storage Table Allows All ACL Permissions
Azure Storage Table should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list).
Parameters
- Parameters:
KICS: Trusted Microsoft Services Not Enabled
Trusted Microsoft Services should be enabled for Storage Account access
Parameters
- Parameters:
KICS: Unrestricted SQL Server Access
Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' must be less than 256. Additionally, both ips must be different from '0.0.0.0'.
Parameters
- Parameters:
KICS: Vault Auditing Disabled
Ensure that logging for Azure KeyVault is 'Enabled'
Parameters
- Parameters:
KICS: Virtual Network with DDoS Protection Plan disabled
Virtual Network should have DDoS Protection Plan enabled
Parameters
- Parameters:
KICS: VM Not Attached To Network
No Network Security Group is attached to the Virtual Machine
Parameters
- Parameters:
KICS: WAF Is Disabled For Azure Application Gateway
Check if Web Application Firewall is disabled or not configured for Azure's Application Gateway.
Parameters
- Parameters:
KICS: Web App Accepting Traffic Other Than HTTPS
Web app should only accept HTTPS traffic in Azure Web App Service.
Parameters
- Parameters:
Azure: MariaDB: Prohibit backup disabled MariaDB database
Require Azure/MariaDB database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mariadb_server'.
Parameters
None
Azure: MySQL: Prohibit backup disabled MySQL database
Require Azure/MySQL database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mysql_server'.
Parameters
None
Azure: Security Groups: Block port 22 for '0.0.0.0/0'
Azure/Network Security Groups should block inbound traffic on port 22 for "0.0.0.0/0" or "*". Checks resources with type 'azurerm_network_security_group'.
Parameters
None
Azure: Postgres: Prohibit backup disabled Postgres database
Require Azure/Postgres database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_postgresql_server'.
Parameters
None
Azure: Storage Account: Deny Unencrypted transit
Azure/Storage Account should accept requests from secure connections (https) only. Checks resources with type 'azurerm_storage_account'.
Parameters
None
GCP: Service Account: Prohibit using default Service Account
Requires custom service account for google_compute_instance resource. Checks resources with type 'google_compute_instance'.
Parameters
None
GCP: Bigquery Dataset: Prohibit Dataset accessible to all authenticated users
Restrict public accessibility for google_bigquery_dataset resource. Checks resources with type 'google_bigquery_dataset'.
Parameters
None
GCP: IAM: Prohibit service account with admin privileges
Prohibit granting admin privileges to a service account when adding a google_project_iam_member resource. Checks resources with type 'google_project_iam_member'.
Parameters
None
KICS: BigQuery Dataset Is Public
BigQuery dataset is anonymously or publicly accessible
Parameters
- Parameters:
KICS: Client Certificate Disabled
Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true
Parameters
- Parameters:
KICS: Cloud DNS Without DNSSEC
DNSSEC must be enabled for Cloud DNS
Parameters
- Parameters:
KICS: Cloud Storage Anonymous or Publicly Accessible
Cloud Storage Buckets must not be anonymously or publicly accessible, which means the attribute 'members' must not possess 'allUsers' or 'allAuthenticatedUsers'
Parameters
- Parameters:
KICS: Cloud Storage Bucket Is Publicly Accessible
Cloud Storage Bucket is anonymously or publicly accessible
Parameters
- Parameters:
KICS: Cloud Storage Bucket Logging Not Enabled
Cloud storage bucket should have logging enabled
Parameters
- Parameters:
KICS: Cloud Storage Bucket Versioning Disabled
Cloud Storage Bucket should have versioning enabled
Parameters
- Parameters:
KICS: Cluster Labels Disabled
Kubernetes Clusters must be configured with labels, which means the attribute 'resource_labels' must be defined
Parameters
- Parameters:
KICS: Cluster Master Authentication Disabled
Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty
Parameters
- Parameters:
KICS: COS Node Image Not Used
The node image should be Container-Optimized OS (COS)
Parameters
- Parameters:
KICS: Disk Encryption Disabled
VM disks for critical VMs must be encrypted with Customer Supplied Encryption Keys (CSEK) or with Customer-managed encryption keys (CMEK), which means the attribute 'disk_encryption_key' must be defined and its sub attributes 'raw_key' or 'kms_key_self_link' must also be defined
Parameters
- Parameters:
KICS: DNSSEC Using RSASHA1
DNSSEC should not use the RSASHA1 algorithm, which means that, within the 'dnssec_config' block, the 'default_key_specs' block must not have its 'algorithm' field set to 'rsasha1'.
Parameters
- Parameters:
KICS: GKE Basic Authentication Enabled
GCP - Google Kubernetes Engine (GKE) Basic Authentication must be disabled, which means the username and password provided in the master_auth block must be empty
Parameters
- Parameters:
KICS: GKE Legacy Authorization Enabled
Kubernetes Engine Clusters must have Legacy Authorization set to disabled, which means the attribute 'enable_legacy_abac' must not be true
Parameters
- Parameters:
KICS: GKE Using Default Service Account
Kubernetes Engine Clusters should not be configured to use the default service account
Parameters
- Parameters:
KICS: Google Compute Network Using Default Firewall Rule
Google Compute Network should not use default firewall rule
Parameters
- Parameters:
KICS: Google Compute Network Using Firewall Rule that Allows All Ports
Google Compute Network should not use a firewall rule that allows all ports
Parameters
- Parameters:
KICS: Google Compute Network Using Firewall Rule that Allows Port Range
Google Compute Network should not use a firewall rule that allows port range
Parameters
- Parameters:
KICS: Google Compute SSL Policy Weak Cipher In Use
This query checks whether a Google Compute SSL Policy enables weak cipher suites; to do so, it checks that the TLS version is TLS_1_2, because other versions have weak ciphers.
Parameters
- Parameters:
KICS: Google Compute Subnetwork Logging Disabled
This query checks if logs are enabled for a Google Compute Subnetwork resource.
Parameters
- Parameters:
KICS: Google Compute Subnetwork with Private Google Access Disabled
Google Compute Subnetwork should have Private Google Access enabled, which means 'private_ip_google_access' should be set to true
Parameters
- Parameters:
KICS: Google Container Node Pool Auto Repair Disabled
Google Container Node Pool Auto Repair should be enabled. This service periodically checks for failing nodes and repairs them to ensure a smooth running state.
Parameters
- Parameters:
KICS: Google Project Auto Create Network Disabled
Verifies if the Google Project Auto Create Network is Disabled
Parameters
- Parameters:
KICS: Google Project IAM Binding Service Account has Token Creator or Account User Role
Verifies if Google Project IAM Binding Service Account doesn't have an Account User or Token Creator Role associated
Parameters
- Parameters:
KICS: Google Project IAM Member Service Account Has Admin Role
Verifies that Google Project IAM Member Service Account doesn't have an Admin Role associated
Parameters
- Parameters:
KICS: Google Project IAM Member Service Account has Token Creator or Account User Role
Verifies that Google Project IAM Member Service Account doesn't have an Account User or Token Creator Role associated
Parameters
- Parameters:
KICS: Google Storage Bucket Level Access Disabled
Google Storage Bucket Level Access should be enabled
Parameters
- Parameters:
KICS: High Google KMS Crypto Key Rotation Period
KMS encryption keys should be rotated every 90 days or less. A short lifetime of encryption keys reduces the potential blast radius in case of compromise.
Parameters
- Parameters:
KICS: IAM Audit Not Properly Configured
Audit Logging Configuration is defective
Parameters
- Parameters:
KICS: IP Aliasing Disabled
Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE
Parameters
- Parameters:
KICS: IP Forwarding Enabled
Instances must not have IP forwarding enabled, which means the attribute 'can_ip_forward' must not be true
Parameters
- Parameters:
KICS: KMS Admin and CryptoKey Roles In Use
Google Project IAM Policy should not assign a KMS admin role and CryptoKey role to the same member
Parameters
- Parameters:
KICS: KMS Crypto Key is Publicly Accessible
KMS Crypto Key should not be publicly accessible. In other words, the KMS Crypto Key policy should not set 'allUsers' or 'allAuthenticatedUsers' in the attribute 'member'/'members'
Parameters
- Parameters:
KICS: Network Policy Disabled
Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false
Parameters
- Parameters:
KICS: Node Auto Upgrade Disabled
Kubernetes nodes must have auto upgrades set to true, which means Node 'auto_upgrade' should be enabled for Kubernetes Clusters
Parameters
- Parameters:
KICS: Not Proper Email Account In Use
Gmail accounts are being used instead of corporate credentials
Parameters
- Parameters:
KICS: OSLogin Disabled
Verifies that the OSLogin is enabled
Parameters
- Parameters:
KICS: OSLogin Is Disabled For VM Instance
Check if any VM instance disables OSLogin
Parameters
- Parameters:
KICS: Pod Security Policy Disabled
Kubernetes Clusters must have Pod Security Policy controller enabled, which means there must be a 'pod_security_policy_config' with the 'enabled' attribute equal to true
Parameters
- Parameters:
KICS: Private Cluster Disabled
Kubernetes Clusters must be created with Private Clusters enabled, meaning the 'private_cluster_config' must be defined and the attributes 'enable_private_nodes' and 'enable_private_endpoint' must be true
Parameters
- Parameters:
KICS: Project-wide SSH Keys Are Enabled In VM Instances
VM Instance should block project-wide SSH keys
Parameters
- Parameters:
KICS: RDP Access Is Not Restricted
Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389
Parameters
- Parameters:
KICS: Service Account with Improper Privileges
Service account should not have improper privileges like admin, editor, owner, or write roles
Parameters
- Parameters:
KICS: Shielded VM Disabled
Compute instances must be launched with Shielded VM enabled, which means the attribute 'shielded_instance_config' must be defined and its sub attributes 'enable_secure_boot', 'enable_vtpm' and 'enable_integrity_monitoring' must be set to true
Parameters
- Parameters:
KICS: SQL DB Instance Backup Disabled
Checks if backup configuration is enabled for all Cloud SQL Database instances
Parameters
- Parameters:
KICS: SQL DB Instance Publicly Accessible
Cloud SQL instances should not be publicly accessible.
Parameters
- Parameters:
KICS: SQL DB Instance With SSL Disabled
Cloud SQL Database Instance should have SSL enabled
Parameters
- Parameters:
KICS: SSH Access Is Not Restricted
Google Firewall should not allow SSH access (port 22) from the Internet (public CIDR block) to ensure the principle of least privileges
Parameters
- Parameters:
KICS: Stackdriver Logging Disabled
Kubernetes Engine Clusters must have Stackdriver Logging enabled, which means the attribute 'logging_service' must be defined and different from 'none'
Parameters
- Parameters:
KICS: Stackdriver Monitoring Disabled
Kubernetes Engine Clusters must have Stackdriver Monitoring enabled, which means the attribute 'monitoring_service' must be defined and different than 'none'
Parameters
- Parameters:
KICS: User with IAM Role
As a best practice, it is better to assign an IAM Role to a group than to a user
Parameters
- Parameters:
KICS: Using Default Service Account
Instances should not be configured to use the Default Service Account, that has full access to all Cloud APIs, which means the attribute 'service_account' and its sub attribute 'email' must be defined. Additionally, 'email' must not be empty and must also not be a default Google Compute Engine service account.
Parameters
- Parameters:
KICS: Serial Ports Are Enabled For VM Instances
Google Compute Engine VM instances should not enable serial ports. When enabled, anyone can access your VM, if they know the username, project ID, SSH key, instance name and zone
Parameters
- Parameters:
KICS: VM With Full Cloud Access
A VM instance is configured to use the default service account with full access to all Cloud APIs
Parameters
- Parameters:
GCP: Network: Prohibit firewall allowing SSH access over internet
Network firewall resource should not allow ingress from '0.0.0.0/0' to port 22. Checks resources with type 'google_compute_firewall'.
Parameters
None
GCP: Storage Bucket: Prohibit buckets without versioning
Requires versioning to be enabled for google_storage_bucket resource. Checks resources with type 'google_storage_bucket'.
Parameters
None
KICS: Cluster Admin Rolebinding With Superuser Permissions
Ensure that the cluster-admin role is only used where required (RBAC)
Parameters
- Parameters:
KICS: Cluster Allows Unsafe Sysctls
A Kubernetes Cluster must not allow unsafe sysctls, to prevent a pod from having any influence on any other pod on the node, harming the node's health or gaining CPU or memory resources outside of the resource limits of a pod. This means the 'spec.security_context.sysctl' must not contain any unsafe sysctls and that the attribute 'allowed_unsafe_sysctls' must be undefined.
Parameters
- Parameters:
KICS: Container Host Pid Is True
Minimize the admission of containers wishing to share the host process ID namespace
Parameters
- Parameters:
KICS: Container Is Privileged
Privileged containers lack essential security restrictions and should be avoided by removing the 'privileged' flag or by changing its value to false
Parameters
- Parameters:
KICS: Container Resources Limits Undefined
Kubernetes container should have resource limitations defined such as CPU and memory
Parameters
- Parameters:
KICS: Container Runs Unmasked
Check if a container has full (unmasked) access to the host's /proc, which would allow retrieving sensitive information and possibly changing kernel parameters at runtime.
Parameters
- Parameters:
KICS: Containers With Added Capabilities
Containers should not have extra capabilities allowed
Parameters
- Parameters:
KICS: Containers With Sys Admin Capabilities
Containers should not have CAP_SYS_ADMIN Linux capability
Parameters
- Parameters:
KICS: CPU Limits Not Set
CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests
Parameters
- Parameters:
KICS: CPU Requests Not Set
CPU requests should be set to ensure the sum of the resource requests of the scheduled Containers is less than the capacity of the node
Parameters
- Parameters:
KICS: Default Service Account In Use
Default service accounts should not be actively used
Parameters
- Parameters:
KICS: Docker Daemon Socket is Exposed to Containers
Checks that the Docker Daemon Socket is not exposed to Containers
Parameters
- Parameters:
KICS: HPA Targets Invalid Object
The Horizontal Pod Autoscale must target a valid object
Parameters
- Parameters:
KICS: Image Without Digest
Images should be specified together with their digests to ensure integrity
Parameters
- Parameters:
KICS: Incorrect Volume Claim Access Mode ReadWriteOnce
Kubernetes Stateful Sets must have one Volume Claim template with the access mode 'ReadWriteOnce'
Parameters
- Parameters:
KICS: Invalid Image
Image must be defined and not be empty or equal to 'latest'.
Parameters
- Parameters:
KICS: Memory Limits Not Defined
Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than the designated amount of memory
Parameters
- Parameters:
KICS: Memory Requests Not Defined
Memory requests should be defined for each container. This allows the kubelet to reserve the requested amount of system resources and prevents over-provisioning on individual nodes
Parameters
- Parameters:
KICS: Metadata Label Is Invalid
Check if any label in the metadata is invalid.
Parameters
- Parameters:
KICS: Missing App Armor Config
Containers should be configured with AppArmor for any application to reduce its potential attack surface
Parameters
- Parameters:
KICS: NET_RAW Capabilities Disabled for PSP
Containers must drop the NET_RAW capability, or ALL capabilities
Parameters
- Parameters:
KICS: NET_RAW Capabilities Not Being Dropped
Containers should drop 'ALL' or at least 'NET_RAW' capabilities
Parameters
- Parameters:
KICS: No Drop Capabilities for Containers
Checks that capabilities are dropped in the container security context
Parameters
- Parameters:
KICS: Non Kube System Pod With Host Mount
A non kube-system workload should not have hostPath mounted
Parameters
- Parameters:
KICS: Not Limited Capabilities For Pod Security Policy
Limit capabilities for a Pod Security Policy
Parameters
- Parameters:
KICS: Permissive Access to Create Pods
The permission to create pods in a cluster should be restricted because it allows privilege escalation.
Parameters
- Parameters:
KICS: Pod or Container Without Security Context
A security context defines privilege and access control settings for a Pod or Container
Parameters
- Parameters:
KICS: Privilege Escalation Allowed
Containers should not run with allowPrivilegeEscalation enabled, in order to prevent them from gaining more privileges than their parent process
Parameters
- Parameters:
KICS: PSP Allows Containers To Share The Host Network Namespace
Check if Pod Security Policies allow containers to share the host network namespace.
Parameters
- Parameters:
KICS: PSP Allows Privilege Escalation
PodSecurityPolicy should not allow privilege escalation
Parameters
- Parameters:
KICS: PSP Allows Sharing Host IPC
Pod Security Policies should not allow containers to share the host IPC namespace
Parameters
- Parameters:
KICS: PSP Set To Privileged
Do not allow pod to request execution as privileged.
Parameters
- Parameters:
KICS: PSP With Added Capabilities
PodSecurityPolicy should not have added capabilities
Parameters
- Parameters:
KICS: RBAC Roles with Read Secrets Permissions
Roles and ClusterRoles with get/watch/list RBAC permissions on Kubernetes secrets are dangerous and should be avoided. In case of compromise, attackers could abuse these roles to access sensitive data, such as passwords, tokens and keys
Parameters
- Parameters:
KICS: Role Binding To Default Service Account
No role nor cluster role should bind to a default service account
Parameters
- Parameters:
KICS: Root Container Not Mounted As Read-only
Check if the root container filesystem is not being mounted as read-only.
Parameters
- Parameters:
KICS: Root Containers Admitted
Containers must not be allowed to run with root privileges, which means the attributes 'privileged' and 'allow_privilege_escalation' must be set to false, 'run_as_user.rule' must be set to 'MustRunAsNonRoot', and adding the root group must be forbidden
Parameters
- Parameters:
KICS: Seccomp Profile Is Not Configured
Containers should be configured with a secure Seccomp profile to restrict potentially dangerous syscalls
Parameters
- Parameters:
KICS: Secrets As Environment Variables
Container should not use secrets as environment variables
Parameters
- Parameters:
KICS: Service Account Allows Access Secrets
Kubernetes_role and Kubernetes_cluster_role, when bound, should not use get, list or watch as verbs
Parameters
- Parameters:
KICS: Service Account Name Undefined Or Empty
A Kubernetes Pod should have a Service Account defined so as to restrict Kubernetes API access, which means the attribute 'service_account_name' should be defined and not empty.
Parameters
- Parameters:
KICS: Service Account Token Automount Not Disabled
Service Account Tokens are automatically mounted even if not necessary
Parameters
- Parameters:
KICS: Service Type is NodePort
Service type should not be NodePort
Parameters
- Parameters:
KICS: Service With External Load Balancer
Service has an external load balancer, which may make it reachable from other networks and the Internet
Parameters
- Parameters:
KICS: Shared Host IPC Namespace
Container should not share the host IPC namespace
Parameters
- Parameters:
KICS: Shared Host Network Namespace
Container should not share the host network namespace
Parameters
- Parameters:
KICS: Shared Service Account
A Service Account token is shared between workloads
Parameters
- Parameters:
KICS: StatefulSet Without Service Name
StatefulSets should have an existing headless 'serviceName'. The headless service labels should also be implemented on StatefulSets labels.
Parameters
- Parameters:
KICS: Tiller (Helm v2) Is Deployed
Check if Tiller is deployed.
Parameters
- Parameters:
KICS: Using Default Namespace
The default namespace should not be used
Parameters
- Parameters:
KICS: Volume Mount With OS Directory Write Permissions
Containers can mount sensitive folders from the hosts, giving them potentially dangerous access to critical host configurations and binaries.
Parameters
- Parameters:
KICS: Workload Mounting With Sensitive OS Directory
Workload mounts a volume from a sensitive OS directory
Parameters
- Parameters: