| Plain HTTP is used | GG_IAC_0001 | HIGH | NETWORK |
| Unrestricted egress traffic might lead to remote code execution | GG_IAC_0002 | HIGH | NETWORK |
| Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0003 | HIGH | NETWORK |
| Unrestricted ingress traffic leave assets exposed to remote attacks | GG_IAC_0005 | HIGH | NETWORK |
| Some internal services might be listening to remote requests | GG_IAC_0006 | HIGH | NETWORK |
| Exposing a sensitive environment variable in the configuration can lead to credentials leak | GG_IAC_0007 | CRITICAL | SECRET |
| Unencrypted S3 bucket can lead to data leak | GG_IAC_0008 | HIGH | PERMISSION |
| Leaving remote access accessible from the internet increases the attack surface | GG_IAC_0009 | CRITICAL | NETWORK |
Giving sudo rights to a user allows privilege escalation attacks | GG_IAC_0010 | CRITICAL | PERMISSION |
| Using the default service account on a compute instance allows an attacker to spread through the network | GG_IAC_0011 | CRITICAL | PERMISSION |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0012 | HIGH | NETWORK |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0013 | HIGH | NETWORK |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0014 | HIGH | NETWORK |
| Not setting deny as a default rule for a storage account's network access can lead to data leaks | GG_IAC_0015 | HIGH | NETWORK |
| Unrestricted egress traffic might lead to remote code execution | GG_IAC_0016 | HIGH | NETWORK |
| A DigitalOcean spaces bucket has public read Access Control List which can lead to private data exposure | GG_IAC_0017 | CRITICAL | DATA, PERMISSION |
| A GCP persistent disk is encrypted with a key specified in plain text | GG_IAC_0018 | CRITICAL | DATA, SECRET |
| An AWS CloudFront distribution allows unencrypted communications over HTTP | GG_IAC_0019 | CRITICAL | DATA, NETWORK |
| Defining a GCP BigQuery dataset as publicly accessible can lead to data exposure | GG_IAC_0020 | CRITICAL | DATA, PERMISSION |
| Unrestricted ingress traffic leave assets exposed to remote attacks | GG_IAC_0021 | HIGH | NETWORK |
| Leaving public access open exposes your service to the internet | GG_IAC_0022 | MEDIUM | NETWORK |
| Leaving public access open exposes your service to the internet | GG_IAC_0024 | HIGH | NETWORK |
| An AWS CloudFront distribution does not have a WAF (Web Application Firewall) in front | GG_IAC_0025 | HIGH | NETWORK |
| An AWS CloudFront distribution uses a deprecated version of SSL/TLS | GG_IAC_0026 | HIGH | NETWORK |
| Cloudtrail logs are not encrypted using AWS KMS-managed keys | GG_IAC_0027 | HIGH | DATA, PERMISSION |
| Cloudtrail logs validation is not enabled | GG_IAC_0028 | HIGH | PERMISSION |
| CodeBuild build artifacts encryption should not be disabled | GG_IAC_0029 | HIGH | DATA, PERMISSION |
| Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0030 | HIGH | NETWORK |
| Not encrypting Athena query results can lead to data leak | GG_IAC_0031 | HIGH | DATA |
| Not enforcing Workgroup configuration in Athena can allow clients to disable encryption settings | GG_IAC_0032 | HIGH | DATA |
| EC2 instances use unencrypted block device | GG_IAC_0033 | HIGH | DATA |
| Assigning public IP addresses expose your instances to public internet | GG_IAC_0034 | HIGH | NETWORK |
| The Instance Metadata Service should not be available through IMDSv1 | GG_IAC_0035 | HIGH | DATA, PERMISSION |
| DocumentDB cluster encryption should not be disabled | GG_IAC_0036 | HIGH | DATA, PERMISSION |
| DAX cluster and tables encryption should be enabled | GG_IAC_0037 | HIGH | DATA, PERMISSION |
| EBS volume encryption should not be disabled | GG_IAC_0038 | HIGH | DATA, PERMISSION |
| ECR image scanning should be enabled | GG_IAC_0039 | HIGH | SECRET |
| ECR registry with mutable tags can lead to code injection | GG_IAC_0040 | HIGH | OTHER |
| ECR registry with public access can lead to code and data leak | GG_IAC_0041 | HIGH | PERMISSION |
| Not encrypting EFS mount can lead to data leak | GG_IAC_0042 | HIGH | DATA |
| Not encrypting data at rest can lead to data leak | GG_IAC_0043 | HIGH | DATA |
| Encrypting EKS secrets with AWS KMS adds another layer of security | GG_IAC_0044 | HIGH | SECRET |
| ElasticSearch should use node-to-node encryption | GG_IAC_0045 | HIGH | DATA, NETWORK, PERMISSION |
| ElastiCache data should be encrypted at rest | GG_IAC_0046 | HIGH | DATA, PERMISSION |
| Elasticsearch data should be encrypted at rest | GG_IAC_0047 | HIGH | DATA, PERMISSION |
| ElastiCache should use in-transit encryption | GG_IAC_0048 | HIGH | DATA, NETWORK, PERMISSION |
| ELB load balancers should drop invalid headers | GG_IAC_0049 | HIGH | NETWORK |
| ELB load balancers should be internal | GG_IAC_0050 | HIGH | NETWORK |
| IAM policies should avoid using wildcards | GG_IAC_0051 | HIGH | PERMISSION |
| Kinesis should use in-transit encryption | GG_IAC_0052 | HIGH | DATA, NETWORK, PERMISSION |
| MQ brokers should not be publicly accessible | GG_IAC_0053 | HIGH | NETWORK |
| MSK clusters should use in-transit encryption | GG_IAC_0054 | HIGH | DATA, NETWORK, PERMISSION |
| Allowing public exposure of a S3 bucket can lead to data leakage | GG_IAC_0055 | HIGH | DATA |
| Not restricting public access on a S3 bucket can lead to data leakage | GG_IAC_0056 | HIGH | DATA |
| Granting public ACL rights on a bucket can lead to data leakage | GG_IAC_0057 | HIGH | DATA |
| AWS RDS Performance Insights should be encrypted | GG_IAC_0058 | HIGH | DATA, PERMISSION |
| AWS RDS Aurora cluster should be encrypted | GG_IAC_0059 | HIGH | DATA, PERMISSION |
| AWS RDS DB instance should be encrypted | GG_IAC_0060 | HIGH | DATA, PERMISSION |
| AWS SNS topic should be encrypted | GG_IAC_0061 | HIGH | DATA, PERMISSION |
| AWS SQS queue should be encrypted | GG_IAC_0062 | HIGH | DATA, PERMISSION |
| Neptune storage should be encrypted at rest | GG_IAC_0063 | HIGH | DATA, PERMISSION |
| Redshift clusters should be encrypted at rest | GG_IAC_0064 | HIGH | DATA, PERMISSION |
| SQS policy documents should avoid using wildcards | GG_IAC_0065 | HIGH | PERMISSION |
| AWS Elasticsearch domain endpoints should not use a deprecated version of SSL/TLS | GG_IAC_0066 | HIGH | NETWORK |
| Root and User Workspaces volumes should be encrypted | GG_IAC_0067 | HIGH | DATA, PERMISSION |
| Redshift cluster should use a specific VPC | GG_IAC_0068 | HIGH | PERMISSION |
| Neptune storage encryption should use KMS keys | GG_IAC_0069 | LOW | DATA, PERMISSION |
| A CloudTrail bucket has public read Access Control List which can lead to private data exposure | GG_IAC_0071 | CRITICAL | DATA |
| EMR clusters should be encrypted at rest | GG_IAC_0072 | HIGH | DATA, PERMISSION |
| EMR clusters should use in-transit encryption | GG_IAC_0073 | HIGH | DATA, NETWORK, PERMISSION |
| HTTP data block can be used to leak secrets or variables outside of the organization | GG_IAC_0074 | CRITICAL | SECRET |
| EMR cluster local storage should be encrypted to prevent sensitive data leaks | GG_IAC_0075 | HIGH | DATA |
| EC2 subnet instance should not expose public IP | GG_IAC_0076 | HIGH | NETWORK |
| Key vault has no network ACL specified | GG_IAC_0077 | CRITICAL | NETWORK |
| Data Factory should not be publicly exposed | GG_IAC_0078 | CRITICAL | DATA |
| Image should not have 'root' user | GG_IAC_0079 | HIGH | PERMISSION |
| Default network exposes the project to external attacks | GG_IAC_0080 | HIGH | NETWORK |
| Enabling local data loading may allow attackers to read server files | GG_IAC_0081 | HIGH | DATA |
| Traffic to /0. allowed in firewall outbound rule | GG_IAC_0082 | CRITICAL | NETWORK |
| Traffic from /0. allowed in firewall inbound rule | GG_IAC_0083 | CRITICAL | NETWORK |
| Cloud Storage bucket is anonymously or publicly accessible | GG_IAC_0084 | HIGH | PERMISSION |
| No SSL connection on SQL database might lead to data exposure | GG_IAC_0085 | HIGH | DATA, NETWORK |
| SQL database should not be publicly exposed | GG_IAC_0086 | HIGH | DATA |
| Instance should not expose public IP | GG_IAC_0087 | HIGH | NETWORK |
| No IP-forwarding | GG_IAC_0088 | HIGH | NETWORK |
| GKE Control Plane should not be publicly accessible | GG_IAC_0089 | HIGH | NETWORK |
| Stale CryptoKeys make encrypted data insecure | GG_IAC_0090 | HIGH | SECRET |
| Node should be shielded | GG_IAC_0091 | HIGH | DATA |
| GKE metadata is not concealed | GG_IAC_0092 | HIGH | SECRET |
| Too many Service account permissions may compromise services | GG_IAC_0093 | HIGH | PERMISSION |
| Master authorized networks are not configured | GG_IAC_0094 | HIGH | NETWORK |
| Legacy metadata endpoints should not be explicitly enabled | GG_IAC_0095 | HIGH | DATA |
| Legacy authentication should not be used | GG_IAC_0096 | HIGH | PERMISSION |
| Use RBAC permissions rather than ABAC | GG_IAC_0097 | HIGH | PERMISSION |
| TLS version is outdated | GG_IAC_0098 | HIGH | NETWORK |
| Container should not have privileged rights | GG_IAC_0099 | HIGH | PERMISSION |
| Tiller Helm component is deployed | GG_IAC_0100 | CRITICAL | OTHER |
| SYS_ADMIN capability should not be added to the container | GG_IAC_0101 | HIGH | PERMISSION |
| Containers should not use the host IPC namespace | GG_IAC_0102 | HIGH | PERMISSION |
| Containers should not use the host network namespace | GG_IAC_0103 | HIGH | PERMISSION |
| Containers should not use the host PID namespace | GG_IAC_0104 | HIGH | PERMISSION |
| Docker socket should not be mounted into containers | GG_IAC_0105 | HIGH | NETWORK |
| Do not allow public ingress via network policies | GG_IAC_0106 | HIGH | NETWORK |
| Pod ports should not be exposed through host ports | GG_IAC_0107 | HIGH | PERMISSION |
| Do not grant public access on storage containers | GG_IAC_0108 | HIGH | NETWORK |
| Storage account should disallow insecure transfers | GG_IAC_0109 | HIGH | NETWORK |
| Database is publicly accessible | GG_IAC_0110 | HIGH | NETWORK |
| Data at rest should be encrypted | GG_IAC_0111 | HIGH | DATA |
| Disk encryption should be enabled | GG_IAC_0112 | HIGH | DATA |
| Password authentication should be disabled on virtual machines | GG_IAC_0113 | HIGH | PERMISSION |
| Role-based access control should be enabled on clusters | GG_IAC_0114 | HIGH | PERMISSION |
| AKS cluster should have Network Policy configured | GG_IAC_0115 | HIGH | NETWORK |
| Conditions should be set on workload identity pool providers | GG_IAC_0116 | HIGH | PERMISSION, SECRET |
| Open access allowed in firewall inbound rule | GG_IAC_0117 | CRITICAL | NETWORK |
