Rule | ID | Severity | Category |
--- | --- | --- | --- |
Plain HTTP is used | GG_IAC_0001 | HIGH | NETWORK |
Unrestricted egress traffic might lead to remote code execution | GG_IAC_0002 | HIGH | NETWORK |
Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0003 | HIGH | NETWORK |
Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0005 | HIGH | NETWORK |
Some internal services might be listening for remote requests | GG_IAC_0006 | HIGH | NETWORK |
Exposing a sensitive environment variable in the configuration can lead to a credentials leak | GG_IAC_0007 | CRITICAL | SECRET |
Unencrypted S3 bucket can lead to data leak | GG_IAC_0008 | HIGH | PERMISSION |
Leaving remote access accessible from the internet increases the attack surface | GG_IAC_0009 | CRITICAL | NETWORK |
Giving sudo rights to a user allows privilege escalation attacks | GG_IAC_0010 | CRITICAL | PERMISSION |
Using the default service account on a compute instance allows an attacker to spread through the network | GG_IAC_0011 | CRITICAL | PERMISSION |
Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0012 | HIGH | NETWORK |
Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0013 | HIGH | NETWORK |
Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0014 | HIGH | NETWORK |
Not setting deny as a default rule for a storage account's network access can lead to data leaks | GG_IAC_0015 | HIGH | NETWORK |
Unrestricted egress traffic might lead to remote code execution | GG_IAC_0016 | HIGH | NETWORK |
A DigitalOcean Spaces bucket has a public-read Access Control List, which can lead to private data exposure | GG_IAC_0017 | CRITICAL | DATA, PERMISSION |
A GCP persistent disk is encrypted with a key specified in plain text | GG_IAC_0018 | CRITICAL | DATA, SECRET |
An AWS CloudFront distribution allows unencrypted communications over HTTP | GG_IAC_0019 | CRITICAL | DATA, NETWORK |
Defining a GCP BigQuery dataset as publicly accessible can lead to data exposure | GG_IAC_0020 | CRITICAL | DATA, PERMISSION |
Unrestricted ingress traffic leaves assets exposed to remote attacks | GG_IAC_0021 | HIGH | NETWORK |
Leaving public access open exposes your service to the internet | GG_IAC_0022 | MEDIUM | NETWORK |
Leaving public access open exposes your service to the internet | GG_IAC_0024 | HIGH | NETWORK |
An AWS CloudFront distribution does not have a WAF (Web Application Firewall) in front | GG_IAC_0025 | HIGH | NETWORK |
An AWS CloudFront distribution uses a deprecated version of SSL/TLS | GG_IAC_0026 | HIGH | NETWORK |
CloudTrail logs are not encrypted using AWS KMS-managed keys | GG_IAC_0027 | HIGH | DATA, PERMISSION |
CloudTrail log file validation is not enabled | GG_IAC_0028 | HIGH | PERMISSION |
CodeBuild build artifacts encryption should not be disabled | GG_IAC_0029 | HIGH | DATA, PERMISSION |
Using outdated TLS policies can allow an attacker to decrypt traffic or impersonate a server | GG_IAC_0030 | HIGH | NETWORK |
Not encrypting Athena query results can lead to data leak | GG_IAC_0031 | HIGH | DATA |
Not enforcing Workgroup configuration in Athena can allow clients to disable encryption settings | GG_IAC_0032 | HIGH | DATA |
EC2 instances use unencrypted block devices | GG_IAC_0033 | HIGH | DATA |
Assigning public IP addresses exposes your instances to the public internet | GG_IAC_0034 | HIGH | NETWORK |
The Instance Metadata Service should not be available through IMDSv1 | GG_IAC_0035 | HIGH | DATA, PERMISSION |
DocumentDB cluster encryption should not be disabled | GG_IAC_0036 | HIGH | DATA, PERMISSION |
DAX cluster and tables encryption should be enabled | GG_IAC_0037 | HIGH | DATA, PERMISSION |
EBS volume encryption should not be disabled | GG_IAC_0038 | HIGH | DATA, PERMISSION |
ECR image scanning should be enabled | GG_IAC_0039 | HIGH | SECRET |
ECR registry with mutable tags can lead to code injection | GG_IAC_0040 | HIGH | OTHER |
ECR registry with public access can lead to code and data leak | GG_IAC_0041 | HIGH | PERMISSION |
Not encrypting EFS mount can lead to data leak | GG_IAC_0042 | HIGH | DATA |
Not encrypting data at rest can lead to data leak | GG_IAC_0043 | HIGH | DATA |
Encrypting EKS secrets with AWS KMS adds another layer of security | GG_IAC_0044 | HIGH | SECRET |
Elasticsearch should use node-to-node encryption | GG_IAC_0045 | HIGH | DATA, NETWORK, PERMISSION |
ElastiCache data should be encrypted at rest | GG_IAC_0046 | HIGH | DATA, PERMISSION |
Elasticsearch data should be encrypted at rest | GG_IAC_0047 | HIGH | DATA, PERMISSION |
ElastiCache should use in-transit encryption | GG_IAC_0048 | HIGH | DATA, NETWORK, PERMISSION |
ELB load balancers should drop invalid headers | GG_IAC_0049 | HIGH | NETWORK |
ELB load balancers should be internal | GG_IAC_0050 | HIGH | NETWORK |
IAM policies should avoid using wildcards | GG_IAC_0051 | HIGH | PERMISSION |
Kinesis should use in-transit encryption | GG_IAC_0052 | HIGH | DATA, NETWORK, PERMISSION |
MQ brokers should not be publicly accessible | GG_IAC_0053 | HIGH | NETWORK |
MSK clusters should use in-transit encryption | GG_IAC_0054 | HIGH | DATA, NETWORK, PERMISSION |
Allowing public exposure of a S3 bucket can lead to data leakage | GG_IAC_0055 | HIGH | DATA |
Not restricting public access on a S3 bucket can lead to data leakage | GG_IAC_0056 | HIGH | DATA |
Granting public ACL rights on a bucket can lead to data leakage | GG_IAC_0057 | HIGH | DATA |
AWS RDS Performance Insights should be encrypted | GG_IAC_0058 | HIGH | DATA, PERMISSION |
AWS RDS Aurora cluster should be encrypted | GG_IAC_0059 | HIGH | DATA, PERMISSION |
AWS RDS DB instance should be encrypted | GG_IAC_0060 | HIGH | DATA, PERMISSION |
AWS SNS topic should be encrypted | GG_IAC_0061 | HIGH | DATA, PERMISSION |
AWS SQS queue should be encrypted | GG_IAC_0062 | HIGH | DATA, PERMISSION |
Neptune storage should be encrypted at rest | GG_IAC_0063 | HIGH | DATA, PERMISSION |
Redshift clusters should be encrypted at rest | GG_IAC_0064 | HIGH | DATA, PERMISSION |
SQS policy documents should avoid using wildcards | GG_IAC_0065 | HIGH | PERMISSION |
AWS Elasticsearch domain endpoints should not use a deprecated version of SSL/TLS | GG_IAC_0066 | HIGH | NETWORK |
Root and User Workspaces volumes should be encrypted | GG_IAC_0067 | HIGH | DATA, PERMISSION |
Redshift cluster should use a specific VPC | GG_IAC_0068 | HIGH | PERMISSION |
Neptune storage encryption should use KMS keys | GG_IAC_0069 | LOW | DATA, PERMISSION |
A CloudTrail bucket has a public-read Access Control List, which can lead to private data exposure | GG_IAC_0071 | CRITICAL | DATA |
EMR clusters should be encrypted at rest | GG_IAC_0072 | HIGH | DATA, PERMISSION |
EMR clusters should use in-transit encryption | GG_IAC_0073 | HIGH | DATA, NETWORK, PERMISSION |
An HTTP data block can be used to leak secrets or variables outside of the organization | GG_IAC_0074 | CRITICAL | SECRET |
EMR cluster local storage should be encrypted to prevent sensitive data leaks | GG_IAC_0075 | HIGH | DATA |
EC2 subnet instance should not expose public IP | GG_IAC_0076 | HIGH | NETWORK |
Key vault has no network ACL specified | GG_IAC_0077 | CRITICAL | NETWORK |
Data Factory should not be publicly exposed | GG_IAC_0078 | CRITICAL | DATA |
Image should not have 'root' user | GG_IAC_0079 | HIGH | PERMISSION |
Default network exposes the project to external attacks | GG_IAC_0080 | HIGH | NETWORK |
Enabling local data loading may allow attackers to read server files | GG_IAC_0081 | HIGH | DATA |
Traffic to /0. allowed in firewall outbound rule | GG_IAC_0082 | CRITICAL | NETWORK |
Traffic from /0. allowed in firewall inbound rule | GG_IAC_0083 | CRITICAL | NETWORK |
Cloud Storage bucket is anonymously or publicly accessible | GG_IAC_0084 | HIGH | PERMISSION |
No SSL connection on SQL database might lead to data exposure | GG_IAC_0085 | HIGH | DATA, NETWORK |
SQL database should not be publicly exposed | GG_IAC_0086 | HIGH | DATA |
Instance should not expose public IP | GG_IAC_0087 | HIGH | NETWORK |
No IP-forwarding | GG_IAC_0088 | HIGH | NETWORK |
GKE Control Plane should not be publicly accessible | GG_IAC_0089 | HIGH | NETWORK |
Stale CryptoKeys make encrypted data insecure | GG_IAC_0090 | HIGH | SECRET |
Node should be shielded | GG_IAC_0091 | HIGH | DATA |
GKE metadata is not concealed | GG_IAC_0092 | HIGH | SECRET |
Too many service account permissions may compromise services | GG_IAC_0093 | HIGH | PERMISSION |
Master authorized networks are not configured | GG_IAC_0094 | HIGH | NETWORK |
Legacy metadata endpoints should not be explicitly enabled | GG_IAC_0095 | HIGH | DATA |
Legacy authentication should not be used | GG_IAC_0096 | HIGH | PERMISSION |
Use RBAC permissions rather than ABAC | GG_IAC_0097 | HIGH | PERMISSION |
TLS version is outdated | GG_IAC_0098 | HIGH | NETWORK |
Container should not have privileged rights | GG_IAC_0099 | HIGH | PERMISSION |
Tiller Helm component is deployed | GG_IAC_0100 | CRITICAL | OTHER |
SYS_ADMIN capability should not be added to the container | GG_IAC_0101 | HIGH | PERMISSION |
Containers should not use the host IPC namespace | GG_IAC_0102 | HIGH | PERMISSION |
Containers should not use the host network namespace | GG_IAC_0103 | HIGH | PERMISSION |
Containers should not use the host PID namespace | GG_IAC_0104 | HIGH | PERMISSION |
Docker socket should not be mounted into containers | GG_IAC_0105 | HIGH | NETWORK |
Do not allow public ingress via network policies | GG_IAC_0106 | HIGH | NETWORK |
Pod ports should not be exposed through host ports | GG_IAC_0107 | HIGH | PERMISSION |
Do not grant public access on storage containers | GG_IAC_0108 | HIGH | NETWORK |
Storage account should disallow insecure transfers | GG_IAC_0109 | HIGH | NETWORK |
Database is publicly accessible | GG_IAC_0110 | HIGH | NETWORK |
Data at rest should be encrypted | GG_IAC_0111 | HIGH | DATA |
Disk encryption should be enabled | GG_IAC_0112 | HIGH | DATA |
Password authentication should be disabled on virtual machines | GG_IAC_0113 | HIGH | PERMISSION |
Role-based access control should be enabled on clusters | GG_IAC_0114 | HIGH | PERMISSION |
AKS cluster should have Network Policy configured | GG_IAC_0115 | HIGH | NETWORK |
Conditions should be set on workload identity pool providers | GG_IAC_0116 | HIGH | PERMISSION, SECRET |
Open access allowed in firewall inbound rule | GG_IAC_0117 | CRITICAL | NETWORK |