CloudFormation Rules
IaC rules for CloudFormation that identify insecure configurations in infrastructure and cloud resources.
CloudFormation Rule Catalog
| ID | Title | Severity |
|---|---|---|
| IAC-0058 | AWS EBS volumes are not encrypted | HIGH |
| IAC-0074 | AWS S3 bucket ACL grants READ permission to everyone | HIGH |
| IAC-0082 | DynamoDB PITR is disabled | HIGH |
| IAC-0100 | EC2 user data exposes secrets | HIGH |
| IAC-0110 | AWS S3 bucket has an ACL defined which allows public WRITE access | HIGH |
| IAC-0113 | AWS IAM role allows all services or principals to be assumed | HIGH |
| IAC-0114 | AWS IAM policy allows all principals used by any AWS service from target account to assume role | HIGH |
| IAC-0116 | AWS IAM policy documents allow * (asterisk) as a statement's action | HIGH |
| IAC-0132 | AWS EC2 instance not configured with Instance Metadata Service v2 (IMDSv2) | HIGH |
| IAC-0141 | AWS EC2 instances with public IP and associated with security groups have Internet access | HIGH |
| IAC-0147 | Glue Data Catalog encryption is not enabled | HIGH |
| IAC-0149 | Not all data stored in Aurora is securely encrypted at rest | HIGH |
| IAC-0150 | EFS volumes in ECS task definitions do not have encryption in transit enabled | HIGH |
| IAC-0152 | AWS Glue security configuration encryption is not enabled | HIGH |
| IAC-0153 | AWS EKS node group has implicit SSH access from 0.0.0.0/0 | HIGH |
| IAC-0154 | Neptune logging is not enabled | HIGH |
| IAC-0156 | AWS Load Balancer is not using TLS 1.2 | HIGH |
| IAC-0212 | ECR image scan on push is not enabled | HIGH |
| IAC-0240 | WAF enables message lookup in Log4j2 | HIGH |
| IAC-0339 | MSK nodes are not private | HIGH |
| IAC-0057 | AWS Elastic Load Balancer v2 (ELBv2) listener allows connection requests over HTTP | MEDIUM |
| IAC-0060 | AWS Elasticsearch does not have node-to-node encryption enabled | MEDIUM |
| IAC-0071 | AWS RDS database instance is publicly accessible | MEDIUM |
| IAC-0080 | AWS SNS topic has SSE disabled | MEDIUM |
| IAC-0086 | AWS private ECR repository policy is overly permissive | MEDIUM |
| IAC-0087 | AWS KMS key policy is overly permissive | MEDIUM |
| IAC-0088 | AWS CloudFront viewer protocol policy is not configured with HTTPS | MEDIUM |
| IAC-0098 | Neptune storage is not securely encrypted | MEDIUM |
| IAC-0099 | Lambda function's environment variables expose secrets | MEDIUM |
| IAC-0106 | AWS S3 bucket has block public access setting disabled | MEDIUM |
| IAC-0107 | AWS S3 bucket BlockPublicPolicy is not set to True | MEDIUM |
| IAC-0108 | AWS S3 bucket IgnorePublicAcls is not set to True | MEDIUM |
| IAC-0109 | AWS S3 bucket RestrictPublicBucket is not set to True | MEDIUM |
| IAC-0111 | AWS EKS cluster does not have secrets encryption enabled | MEDIUM |
| IAC-0127 | DocumentDB is not encrypted at rest | MEDIUM |
| IAC-0131 | CodeBuild project encryption is disabled | MEDIUM |
| IAC-0135 | Athena workgroup does not prevent disabling encryption | MEDIUM |
| IAC-0136 | AWS Elasticsearch domain is not configured with HTTPS | MEDIUM |
| IAC-0137 | AWS Elasticsearch domain logging is not enabled | MEDIUM |
| IAC-0138 | AWS DocumentDB logging is not enabled | MEDIUM |
| IAC-0143 | DocDB TLS is disabled | MEDIUM |
| IAC-0163 | IAM policies allow privilege escalation | MEDIUM |
| IAC-0182 | ALB does not drop HTTP headers | MEDIUM |
| IAC-0204 | Workspace user volumes are not encrypted | MEDIUM |
| IAC-0205 | Workspace root volumes are not encrypted | MEDIUM |
| IAC-0209 | Timestream database is not encrypted with KMS CMK | MEDIUM |
| IAC-0210 | RDS database does not have IAM authentication enabled | MEDIUM |
| IAC-0213 | AWS Transfer Server is publicly exposed | MEDIUM |
| IAC-0214 | DynamoDB point-in-time recovery is not enabled for global tables | MEDIUM |
| IAC-0215 | Backup Vault is not encrypted at rest using KMS CMK | MEDIUM |
| IAC-0219 | QLDB ledger permissions mode is not set to STANDARD | MEDIUM |
| IAC-0306 | AWS Lambda function URL AuthType set to NONE | MEDIUM |
| IAC-0413 | AWS Cognito identity pool allows unauthenticated guest access | MEDIUM |
| IAC-0417 | AWS SageMaker model does not use network isolation | MEDIUM |
| IAC-0418 | AWS SageMaker notebook instance allows IMDSv1 | MEDIUM |
| IAC-0501 | AWS SageMaker notebook instance IAM policy is overly permissive | MEDIUM |
| IAC-0059 | AWS Elasticsearch domain encryption for data at rest is disabled | LOW |
| IAC-0070 | AWS RDS DB cluster encryption is disabled | LOW |
| IAC-0073 | AWS S3 buckets do not have server-side encryption | LOW |
| IAC-0075 | AWS S3 object versioning is disabled | LOW |
| IAC-0077 | Not every Security Group rule has a description | LOW |
| IAC-0081 | AWS SQS queue not configured with server-side encryption | LOW |
| IAC-0083 | AWS ElastiCache Redis cluster with encryption for data at rest disabled | LOW |
| IAC-0084 | AWS ElastiCache Redis cluster with in-transit encryption disabled (replication group) | LOW |
| IAC-0085 | AWS ElastiCache Redis cluster with Redis AUTH feature disabled | LOW |
| IAC-0090 | AWS CloudTrail log validation is not enabled in all regions | LOW |
| IAC-0094 | AWS IAM policy attached to users | LOW |
| IAC-0096 | AWS Elastic File System (EFS) with encryption for data at rest disabled | LOW |
| IAC-0097 | AWS Kinesis streams are not encrypted using server-side encryption | LOW |
| IAC-0105 | ECR image tags are not immutable | LOW |
| IAC-0112 | AWS API Gateway methods are publicly accessible | LOW |
| IAC-0117 | AWS Redshift instances are not encrypted | LOW |
| IAC-0118 | AWS ECS cluster with Container Insights feature disabled | LOW |
| IAC-0119 | AWS CloudWatch log groups not configured with a definite retention period in days | LOW |
| IAC-0122 | AWS MQ is publicly accessible | LOW |
| IAC-0126 | API Gateway does not have X-Ray tracing enabled | LOW |
| IAC-0129 | API Gateway does not have access logging enabled | LOW |
| IAC-0142 | AWS DMS replication instance is publicly accessible | LOW |
| IAC-0148 | AWS API Gateway V2 has access logging disabled | LOW |
| IAC-0157 | DocDB does not have audit logs enabled | LOW |
| IAC-0158 | AWS Redshift does not have require_ssl configured | LOW |
| IAC-0160 | Credentials exposure actions return credentials in an API response | LOW |
| IAC-0161 | Data exfiltration allowed without resource constraints | LOW |
| IAC-0162 | Resource exposure allows modification of policies and exposes resources | LOW |
| IAC-0164 | Write access allowed without constraint | LOW |
| IAC-0168 | AWS Lambda function is not configured with a function-level concurrent execution limit | LOW |
| IAC-0169 | AWS Lambda function is not configured with a DLQ | LOW |
| IAC-0170 | AWS Lambda function is not configured to run within a VPC | LOW |
| IAC-0171 | AWS RDS instance Enhanced Monitoring is disabled | LOW |
| IAC-0173 | AWS API Gateway caching is disabled | LOW |
| IAC-0176 | VPC endpoint service is not configured for manual acceptance | LOW |
| IAC-0186 | Unencrypted ECR repositories | LOW |
| IAC-0199 | AWS Secrets Manager secret not encrypted by Customer Managed Key (CMK) | LOW |
| IAC-0203 | Redshift is deployed outside of a VPC | LOW |
| IAC-0206 | RDS instances do not have Multi-AZ enabled | LOW |
| IAC-0207 | AWS CloudWatch log groups encrypted using default encryption key instead of KMS CMK | LOW |
| IAC-0211 | AWS RDS cluster not configured with IAM authentication | LOW |
| IAC-0221 | AWS QLDB ledger has deletion protection disabled | LOW |
| IAC-0222 | AWS Lambda environment variable encryption settings are not set properly | LOW |
| IAC-0223 | AWS CloudFront web distribution using insecure TLS version | LOW |
| IAC-0241 | AWS AppSync logging is disabled | LOW |
| IAC-0243 | AWS Glue component is not associated with a security configuration | LOW |
| IAC-0308 | AWS security groups allow ingress from 0.0.0.0/0 to port 80 | LOW |
| IAC-0414 | AWS SageMaker data quality job not encrypting model artifacts with KMS | LOW |
| IAC-0415 | AWS SageMaker data quality job not using KMS to encrypt data on attached storage volume | LOW |
| IAC-0416 | AWS SageMaker data quality job not encrypting communications between instances used for monitoring jobs | LOW |
| IAC-0419 | AWS SageMaker flow definition does not use KMS for output configurations | LOW |
| IAC-0061 | AWS Customer Master Key (CMK) rotation is not enabled | INFO |
| IAC-0062 | AWS EC2 Auto Scaling launch configuration is not using encrypted EBS volumes | INFO |
| IAC-0072 | AWS access logging not enabled on S3 buckets | INFO |
| IAC-0078 | AWS Security Group allows all traffic on SSH port (22) | INFO |
| IAC-0079 | AWS Security Group allows all traffic on RDP port (3389) | INFO |
| IAC-0089 | AWS CloudTrail logs are not encrypted using Customer Master Keys (CMKs) | INFO |
| IAC-0101 | AWS DAX cluster not configured with encryption at rest | INFO |
| IAC-0120 | AWS CloudTrail is not enabled with multi trail and is not capturing all management events | INFO |
| IAC-0121 | AWS CloudFront web distribution with AWS Web Application Firewall (AWS WAF) service disabled | INFO |
| IAC-0124 | AWS Redshift database does not have audit logging enabled | INFO |
| IAC-0139 | AWS CloudFront distribution with access logging disabled | INFO |
| IAC-0144 | AWS Elastic Load Balancer v2 (ELBv2) with access log disabled | INFO |
| IAC-0145 | AWS Elastic Load Balancer (Classic) with access log disabled | INFO |
| IAC-0242 | AWS AppSync has field-level logging disabled | INFO |
Total Rules: 121