Supported IaC Flaw detectors :: Xygeni Documentation

AWS CloudFormation

Detectors that analyze CloudFormation templates for Amazon Web Services (AWS) assets.

ALB

DocDB

DynamoDB

Ensure DynamoDB Point-In-Time Recovery (PITR) is enabled

EBS

Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)

EC2 Instance

Ensure no hard-coded secrets exist in EC2 user data

EFS

Ensure EFS is securely encrypted

ElastiCache

Elasticsearch

IAM

Kinesis

Ensure Kinesis Stream is securely encrypted

Neptune

Ensure Neptune storage is securely encrypted

Redshift

Ensure Redshift uses SSL

S3

SNS

Ensure all data stored in the SNS topic is encrypted

Secrets Manager

Timestream

Ensure that Timestream database is encrypted with KMS CMK

WorkSpace

Ansible

General Security

Ansible / AWS

Ansible detectors for AWS IaC Playbooks.

Backup Recovery

Backup recovery

RDS with backup disabled

Convention

Lambda function has no tags

Encryption

IAM

Logging

Network

Other

Secrets

ECS Task definition has secrets in the container environment in plain text

Ansible / Azure

Ansible detectors for Azure IaC Playbooks.

Backup Recovery

The Key Vault is not soft delete

Encryption

IAM

Logging

Network

Other

CosmosDB without tags

Ansible / Gcp

AIM

APPLICATION SECURITY

Cluster Master Authentication Disabled

Application Security

Encryption

VM disks for critical VMs must be encrypted with Customer-Supplied Encryption Keys (CSEK) or Customer-Managed Encryption Keys (CMEK)

General Security

Management Kubernetes nodes must have auto upgrades set to true

IAM

Logging

NETWORK

Netwok

Google Compute SSL Policy Weak Chyper Suits is Enabled

Network

Observability

Secret Management

VM Instance should block project-wide SSH keys

Secrets

KMS encryption keys should be rotated every 90 days or less

Docker

Detectors that analyze Docker assets, like Dockerfile and docker-compose.yml.

Application Security

Container runs as root

Base image

Unpinned version for base image

Networking

Kubernetes

Detectors that analyze Kubernetes assets.

General Security

PodSecurityPolicy

Host network namespace sharing is allowed

RBAC

etcd

kube-apiserver

kube-controller-manager

kube-scheduler

Scheduler service bound to loop-back insecure address

kubelet

Multi-Framework / AWS

Multi-Framework detectors for AWS IaC templates (CloudFormation and Terraform).

AppSync

Aurora

Data stored in Aurora is unencrypted at rest

CodeBuild

CodeBuild Project encryption is disabled

DAX

Ensure DAX encryption at rest is not disabled

DMS Replication Instance

Ensure DMS replication instance is not publicly accessible

EBS

EC2 Instance

EC2 instance should not have public IP

ECR

ECR image scan on push is disabled

EFS

Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions

EKS

Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0

ElastiCache

AWS ElastiCache Redis cluster with encryption for data at rest is disabled

Glue

IAM

MSK Cluster

MSK Cluster encryption at rest or in transit is disabled

Neptune

Ensure Neptune logging is enabled

Networking

RDS

AWS RDS DB cluster encryption is disabled

Redshift

S3

SQS

AWS SQS server side encryption is not enabled

Multi-Framework / Azure

Multi-Framework detectors for Azure IaC templates (ARM and Terraform).

App Service

App Service Authentication

Ensure that standard pricing tier is selected

Application Gateway

Azure application gateway does not have WAF enabled

Azure Defender

Azure Instance Authentication

Azure linux instance with password authentication

Azure Key Vault

Blob Containers

Ensure public access level for Blob Containers is set to private

Data Factory

Azure Data factory public network access enabled

Data Lake Store

Unencrypted Data Lake Store accounts

Front Door

Azure front door does not have WAF enabled

IAM

Ensure Azure subscriptions with custom roles have minimum permissions

Key Vault

Kubernetes

Azure Kubernetes Cluster without RBAC enabled

MSSQL Server

MSSQL server

MariaDB Server

MySQL Server

MySQL is not using the latest version of TLS encryption servers

Networking

SQL server

Security Center

VM

VM Disk

Azure VM data disk is encrypted with the default encryption key instead of ADE/CMK

WAF

Terraform / AWS

Detectors for Terraform (.tf) IaC templates for Amazon Web Services (AWS) assets.

AWS IAM

Ensure IAM policy documents do not allow * as a statement’s action

Amazon DynamoDB

Ensure DynamoDB point in time recovery is enabled

Amazon Neptune

Amazon Sagemaker Endpoints

Ensure SageMaker Endpoint is encrypted

Amazon Sagemaker Notebook

Ensure SageMaker Notebook is encrypted at rest using KMS CMK

Amazon Simple Queue Service (SQS)

Ensure SQS policy does not allow ALL (*) actions

CloudFront

CloudFront distribution without strict security headers policy

EKS (Amazon Elastic Kubernetes Service)

Ensure AWS EKS cluster security group is not overly permissive to all traffic

GuardDuty

GuardDuty is not enabled at organization level

IAM

Ensure AWS IAM policy does not allow assume role permission across all services

IAM (AWS Identity and Access Management)

Ensure AWS IAM password policy does not allow password reuse

Networking

Public facing ALB not protected by WAF

RDS

RDS cluster without backup plan

Terraform / Github

Terraform (Github Actions)

Ensure GitHub Actions secrets are encrypted

Supported IaC Flaw detectors

AWS CloudFormation

ALB

AWS Lambda

Athena

CloudFront

CloudTrail

Code Artifact

DB

DocDB

DynamoDB

EBS

EC2 Instance

EFS

ElastiCache

Elasticsearch

IAM

Kinesis

Neptune

Redshift

S3

SNS

Secrets Manager

Timestream

WorkSpace

Ansible

General Security

Ansible / AWS

Backup Recovery

Backup recovery

Convention

Encryption

IAM

Logging

Network

Other

Secrets

Ansible / Azure

Backup Recovery

Encryption

IAM

Logging

Network

Other

Ansible / Gcp

AIM

APPLICATION SECURITY

Application Security

Encryption

General Security

IAM

Logging

NETWORK

Netwok

Network

Observability

Secret Management

Secrets

Docker

Application Security

Base image

Networking

Kubernetes

General Security

PodSecurityPolicy

RBAC

etcd

kube-apiserver

kube-controller-manager

kube-scheduler

kubelet

Multi-Framework / AWS

AppSync

Aurora

CodeBuild

DAX

DMS Replication Instance

EBS

EC2 Instance

ECR