fix(queries): align descriptionText to similar queries across differe…

…nt platforms (#5446)

* fix(queries): align descriptionText to similar queries across different platforms

* align more descriptionText queries

* resolve comments

assets/queries/ansible/aws/ebs_volume_encryption_disabled/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "EBS Volume Encryption Disabled",
   "severity": "MEDIUM",
   "category": "Encryption",
-  "descriptionText": "EBS Encryption should be enabled",
+  "descriptionText": "EBS volumes should be encrypted",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_vol_module.html#parameter-encrypted",
   "platform": "Ansible",
   "descriptionID": "06f72385",

assets/queries/ansible/aws/efs_without_kms/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "EFS Without KMS",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "Elastic File System (EFS) must have KMS Key ID",
+  "descriptionText": "Amazon Elastic Filesystem should have filesystem encryption enabled using KMS CMK customer-managed keys instead of AWS managed-keys",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/efs_module.html#parameter-kms_key_id",
   "platform": "Ansible",
   "descriptionID": "a01870d5",

assets/queries/ansible/aws/iam_password_without_lowercase_letter/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Password Without Lowercase Letter",
   "severity": "MEDIUM",
   "category": "Best Practices",
-  "descriptionText": "Check if IAM account password has at least one lowercase letter",
+  "descriptionText": "IAM Password should have at least one lowercase letter",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
   "platform": "Ansible",
   "descriptionID": "e229f4bd",

assets/queries/ansible/aws/iam_password_without_minimum_length/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Password Without Minimum Length",
   "severity": "MEDIUM",
   "category": "Best Practices",
-  "descriptionText": "Check if IAM account password has the required minimum length",
+  "descriptionText": "IAM password should have the required minimum length",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
   "platform": "Ansible",
   "descriptionID": "b1066765",

assets/queries/ansible/aws/iam_password_without_uppercase_letter/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Password Without Uppercase Letter",
   "severity": "MEDIUM",
   "category": "Best Practices",
-  "descriptionText": "Check if IAM account password has at least one uppercase letter",
+  "descriptionText": "IAM password should have at least one uppercase letter",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_password_policy_module.html",
   "platform": "Ansible",
   "descriptionID": "ab3484ee",

assets/queries/ansible/aws/iam_policies_with_full_privileges/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Policies With Full Privileges",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "IAM policies that allow full administrative privileges (for all resources)",
+  "descriptionText": "IAM policies shouldn't allow full administrative privileges (for all resources)",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
   "platform": "Ansible",
   "descriptionID": "3827a620",

assets/queries/ansible/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services",
   "severity": "LOW",
   "category": "Access Control",
-  "descriptionText": "IAM role allows All services or principals to assume it",
+  "descriptionText": "IAM Policy should not grant 'AssumeRole' permission across all services.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
   "platform": "Ansible",
   "descriptionID": "860cc010",

assets/queries/ansible/aws/iam_policy_grants_full_permissions/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Policy Grants Full Permissions",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "IAM policies allow all ('*') in a statement action",
+  "descriptionText": "Check if an IAM policy is granting full permissions to resources from the get-go, instead of granting permissions gradually as necessary.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/iam_managed_policy_module.html",
   "platform": "Ansible",
   "descriptionID": "97b2a82d",

assets/queries/ansible/aws/instance_with_no_vpc/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "Instance With No VPC",
   "severity": "MEDIUM",
   "category": "Insecure Configurations",
-  "descriptionText": "Instance should be configured in VPC (Virtual Private Cloud)",
+  "descriptionText": "EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_module.html",
   "platform": "Ansible",
   "descriptionID": "27754eca",

assets/queries/ansible/aws/rds_with_backup_disabled/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "RDS With Backup Disabled",
   "severity": "MEDIUM",
   "category": "Backup",
-  "descriptionText": "RDS configured without backup",
+  "descriptionText": "Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/rds_instance_module.html#parameter-backup_retention_period",
   "platform": "Ansible",
   "descriptionID": "51f94eee",

assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_all_users/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket ACL Allows Read to All Users",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "It's not recommended to allow read access for all user groups.",
+  "descriptionText": "S3 Buckets should not be readable to all users",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission",
   "platform": "Ansible",
   "descriptionID": "446af0d8",

assets/queries/ansible/aws/s3_bucket_acl_allows_read_to_any_authenticated_user/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket ACL Allows Read to Any Authenticated User",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
+  "descriptionText": "S3 Buckets should not be readable to any authenticated user",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/aws_s3_module.html#parameter-permission",
   "platform": "Ansible",
   "descriptionID": "e9e4ca47",

assets/queries/ansible/aws/s3_bucket_allows_delete_action_from_all_principals/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket Allows Delete Action From All Principals",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
+  "descriptionText": "S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Delete, for all Principals.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
   "platform": "Ansible",
   "descriptionID": "7c11444e",

assets/queries/ansible/aws/s3_bucket_allows_get_action_from_all_principals/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket Allows Get Action From All Principals",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
+  "descriptionText": "S3 Buckets must not allow Get Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Get, for all Principals.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
   "platform": "Ansible",
   "descriptionID": "de0687eb",

assets/queries/ansible/aws/s3_bucket_allows_list_action_from_all_principals/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket Allows List Action From All Principals",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
+  "descriptionText": "S3 Buckets must not allow List Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is List, for all Principals.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
   "platform": "Ansible",
   "descriptionID": "8232deb2",

assets/queries/ansible/aws/s3_bucket_allows_put_action_from_all_principals/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket Allows Put Action From All Principals",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion.",
+  "descriptionText": "S3 Buckets must not allow Put Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data tampering / deletion. This means the 'Effect' must not be 'Allow' when the 'Action' is Put, for all Principals.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html",
   "platform": "Ansible",
   "descriptionID": "772b17ca",

assets/queries/ansible/aws/security_group_with_unrestricted_access_to_ssh/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "Security Group With Unrestricted Access To SSH",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "SSH' (TCP:22) should not be public in AWS Security Group",
+  "descriptionText": "'SSH' (TCP:22) should not be public in AWS Security Group",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/ec2_group_module.html",
   "platform": "Ansible",
   "descriptionID": "ea2f2c57",

assets/queries/ansible/aws/sqs_policy_with_public_access/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "SQS Policy With Public Access",
   "severity": "MEDIUM",
   "category": "Access Control",
-  "descriptionText": "SQS policy with public access",
+  "descriptionText": "Checks for dangerous permissions in Action statements in an SQS Queue Policy. This is deemed a potential security risk as it would allow various attacks to the queue",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html",
   "platform": "Ansible",
   "descriptionID": "dd40b568",

assets/queries/ansible/aws/sqs_with_sse_disabled/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "SQS with SSE disabled",
   "severity": "MEDIUM",
   "category": "Encryption",
-  "descriptionText": " SQS Queue should be protected with CMK encryption",
+  "descriptionText": "Amazon Simple Queue Service (SQS) queue is not protecting the contents of their messages using Server-Side Encryption (SSE)",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/sqs_queue_module.html#ansible-collections-community-aws-sqs-queue-module",
   "platform": "Ansible",
   "descriptionID": "7825cf30",

assets/queries/ansible/azure/trusted_microsoft_services_not_enabled/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "Trusted Microsoft Services Not Enabled",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "Ensure Trusted Microsoft Services have Storage Account access.",
+  "descriptionText": "Trusted Microsoft Services should be enabled for Storage Account access",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_storageaccount_module.html#parameter-network_acls/bypass",
   "platform": "Ansible",
   "descriptionID": "e86db9c1",

assets/queries/ansible/gcp/rdp_access_is_not_restricted/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "RDP Access Is Not Restricted",
   "severity": "MEDIUM",
   "category": "Networking and Firewall",
-  "descriptionText": "Check if the Google compute firewall allows unrestricted RDP access.",
+  "descriptionText": "Check if the Google compute firewall allows unrestricted RDP access. Allowed ports should not contain RDP port 3389",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_compute_firewall_module.html",
   "platform": "Ansible",
   "descriptionID": "23f68cd6",

assets/queries/cloudFormation/aws/alb_listening_on_http/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "ALB Listening on HTTP",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "All Application Load Balancers (ALB) should block connection requests over HTTP",
+  "descriptionText": "AWS Application Load Balancer (alb) should not listen on HTTP",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-elb-listener.html#cfn-ec2-elb-listener-protocol",
   "platform": "CloudFormation",
   "descriptionID": "55f05412",

assets/queries/cloudFormation/aws/api_gateway_with_open_access/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "API Gateway With Open Access",
   "severity": "MEDIUM",
   "category": "Insecure Configurations",
-  "descriptionText": "API Gateway Method should restrict an authorization type, except for the HTTP OPTIONS method.",
+  "descriptionText": "API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-method.html",
   "platform": "CloudFormation",
   "descriptionID": "d8d6ab46",

assets/queries/cloudFormation/aws/api_gateway_xray_disabled/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "API Gateway X-Ray Disabled",
   "severity": "MEDIUM",
   "category": "Observability",
-  "descriptionText": "X-Ray Tracing is not enabled",
+  "descriptionText": "API Gateway should have X-Ray Tracing enabled",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-tracingenabled",
   "platform": "CloudFormation",
   "descriptionID": "7db1d7b0",

assets/queries/cloudFormation/aws/cdn_configuration_is_missing/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "CDN Configuration Is Missing",
   "severity": "LOW",
   "category": "Best Practices",
-  "descriptionText": "Content Delivery Network (CDN) service is used within AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.",
+  "descriptionText": "Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html",
   "platform": "CloudFormation",
   "descriptionID": "6a8090b9",

assets/queries/cloudFormation/aws/default_security_groups_with_unrestricted_traffic/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "Default Security Groups With Unrestricted Traffic",
   "severity": "HIGH",
   "category": "Networking and Firewall",
-  "descriptionText": "Security Groups set as default must be denied traffic.",
+  "descriptionText": "Check if default security group does not restrict all inbound and outbound traffic.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html",
   "platform": "CloudFormation",
   "descriptionID": "50b0269e",

assets/queries/cloudFormation/aws/ecr_image_tag_not_immutable/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "ECR Image Tag Not Immutable",
   "severity": "MEDIUM",
   "category": "Insecure Configurations",
-  "descriptionText": "ECR should have an image tag be immutable",
+  "descriptionText": "ECR should have an image tag be immutable. This prevents image tags from being overwritten.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html",
   "platform": "CloudFormation",
   "descriptionID": "a4ed2a4f",

assets/queries/cloudFormation/aws/efs_not_encrypted/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "EFS Not Encrypted",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "Amazon Elastic Filesystem should have filesystem encryption enabled",
+  "descriptionText": "Elastic File System (EFS) must be encrypted",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-efs-filesystem.html",
   "platform": "CloudFormation",
   "descriptionID": "e168cb44",

assets/queries/cloudFormation/aws/guardduty_detector_disabled/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "GuardDuty Detector Disabled",
   "severity": "MEDIUM",
   "category": "Observability",
-  "descriptionText": "Make sure that Amazon GuardDuty is Enabled.",
+  "descriptionText": "Make sure that Amazon GuardDuty is Enabled",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-detector.html",
   "platform": "CloudFormation",
   "descriptionID": "cae19394",

assets/queries/cloudFormation/aws/iam_password_without_lowercase_letter/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Password Without Lowercase Letter",
   "severity": "MEDIUM",
   "category": "Best Practices",
-  "descriptionText": "IAM user resource Login Profile Password should have lowercase letter",
+  "descriptionText": "IAM Password should have at least one lowercase letter",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
   "platform": "CloudFormation",
   "descriptionID": "b98bf93c",

assets/queries/cloudFormation/aws/iam_password_without_minimum_length/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Password Without Minimum Length",
   "severity": "MEDIUM",
   "category": "Best Practices",
-  "descriptionText": "IAM user resource Login Profile Password should have at least 14 characters",
+  "descriptionText": "IAM password should have the required minimum length",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
   "platform": "CloudFormation",
   "descriptionID": "46859482",

assets/queries/cloudFormation/aws/iam_password_without_symbol/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Password Without Symbol",
   "severity": "MEDIUM",
   "category": "Best Practices",
-  "descriptionText": "IAM user resource Login Profile Password should have at least one symbol",
+  "descriptionText": "IAM password should have the required symbols",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
   "platform": "CloudFormation",
   "descriptionID": "7ec4df0d",

assets/queries/cloudFormation/aws/iam_password_without_uppercase_letter/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Password Without Uppercase Letter",
   "severity": "MEDIUM",
   "category": "Best Practices",
-  "descriptionText": "IAM user resource Login Profile Password should have at least one uppercase letter",
+  "descriptionText": "IAM password should have at least one uppercase letter",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-iam.html#scenario-iam-user",
   "platform": "CloudFormation",
   "descriptionID": "9d55d1e4",

assets/queries/cloudFormation/aws/iam_policies_with_full_privileges/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Policies With Full Privileges",
   "severity": "HIGH",
   "category": "Access Control",
-  "descriptionText": "IAM policies shouldn't allow full administrative privileges",
+  "descriptionText": "IAM policies shouldn't allow full administrative privileges (for all resources)",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
   "platform": "CloudFormation",
   "descriptionID": "faa72156",

assets/queries/cloudFormation/aws/iam_policy_grants_assumerole_permission_across_all_services/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "IAM Policy Grants 'AssumeRole' Permission Across All Services",
   "severity": "LOW",
   "category": "Access Control",
-  "descriptionText": "Check if any IAM Policy grants 'AssumeRole' permission across all services.",
+  "descriptionText": "IAM Policy should not grant 'AssumeRole' permission across all services.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html",
   "platform": "CloudFormation",
   "descriptionID": "eba1aa1b",

assets/queries/cloudFormation/aws/kms_key_with_vulnerable_policy/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "KMS Key With Vulnerable Policy",
   "severity": "HIGH",
   "category": "Insecure Configurations",
-  "descriptionText": "Checks if the policy is vulnerable and needs updating",
+  "descriptionText": "Checks if the policy is vulnerable and needs updating.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy",
   "platform": "CloudFormation",
   "descriptionID": "1f88b704",

assets/queries/cloudFormation/aws/lambda_permission_misconfigured/metadata.json

@@ -3,7 +3,7 @@
   "queryName": "Lambda Permission Misconfigured",
   "severity": "LOW",
   "category": "Best Practices",
-  "descriptionText": "Lambda permission may be misconfigured if the action field is not filled in by 'lambda: InvokeFunction'",
+  "descriptionText": "Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'",
   "descriptionUrl": "https://docs.aws.amazon.com/pt_br/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html",
   "platform": "CloudFormation",
   "descriptionID": "dec6dd24",